Security Pro
CompTIA Security+ SY0-601
"1.1. Compare and contrast different types of social engineering techniques
802.1x
"802.1x is an authentication method used on a LAN to allow or deny access based on a port or connection to the network.802.1x is used for port authentication on switches and authentication to wireless access points.
Hardware Security Module (HSM)
"A Hardware Security Module (HSM) is a piece of hardware and associated software/firmware that is connected to a computer system to provide cryptographic functions such as:Generate and store encryption keys
Storage area network (SAN)
"A SAN is a special network composed of high-speed storage that is shared by multiple servers. A SAN is typically a separate network that only file servers attach to. Security for a SAN is provided by the following:Logical Unit Number (LUN) masking identifies devices that are allowed to attach to a logical unit.
Backdoors
"A backdoor is an unprotected access method or pathway. Backdoors:Include hard-coded passwords and hidden service accounts
Backdoor
"A backdoor is an unprotected access method or pathway. Backdoors:Include hard-coded passwords and hidden service accounts.
Checkout policy
"A checkout policy ensures that hardware does not leave the organization's premises without a manager's approval. Checkout policies can include the following details:Acceptable use is limited to business-specific activities on the device.
Collision attack
"A collision attack tries to find two inputs that produce the same hash value. This type of attack is often used on digital signatures.If a hacker wanted to get User2 to sign a document by making it seem like it came from User1, the hacker would generate two documents that generate the same hash.
Use configuration baselines
"A configuration baseline is a set of consistent requirements for a workstation or server. A security baseline is a component of the configuration baseline that ensures that all workstations and servers comply with the security goals of the organization. Use configuration baselines as follows:Identify common configuration baselines that should be applied to all, or a group, of systems.
Demilitarized zone
"A demilitarized zone (DMZ) is a network that contains publicly accessible resources. The DMZ is located between the private network and an untrusted network (such as the internet) and is protected by a firewall.
Dictionary
"A dictionary attack is a type of brute-force attack. The hacker uses a list of words and phrases to try to guess the decryption key.Dictionary attacks work well if weak passwords are used.
Digital Signature
"A digital signature is a combination of asymmetric encryption and hashing values. A signature provides confidentiality, integrity validation, strong authentication, and non-repudiation.
Downgrade attack
"A downgrade attack forces the system to use an older, less secure communication protocol.SSL exploitation is a common implementation of this attack. A hacker can set up their computer to only use SSL so that when the request is sent to the server, the server downgrades from TLS to SSL to communicate. This then allows the hacker to launch SSL-based attacks on the server.
Fixed
"A fixed system is part of a building and typically combines fire detectors with fire-suppression technology. Fixed fire suppression systems usually use water or gas to extinguish fire.Deluge sprinklers have open sprinklers. The pipes are dry until the fire alarm causes the deluge valve to open and send water to all the sprinklers.
Hierarchical model
"A hierarchical model looks like a tree.The first CA created is the root CA. It is a self-signed certificate and is used to validate additional subordinate CAs.
Hotfix
"A hotfix is a quick fix for a problem. Normally, you install a hotfix only if you have the specific problem it is intended to fix. Hotfixes are:Typically made to address a specific customer situation and possibly may not be distributed outside that customer organization.
Hypervisor
"A hypervisor is a thin layer of software that resides between the guest operating system and the hardware. A hypervisor allows virtual machines to interact with the hardware without going through the host operating system. There are two types of hypervisors.A Type I hypervisor is often called a native hypervisor or bare-metal hypervisor. A hypervisor in a dedicated appliance is called an embedded hypervisor. A Type I hypervisor is like a thin operating system that directly interfaces with the computer hardware. Examples of Type I hypervisors are:VMware ESX and ESXi
Malicious user/hacker
"A malicious user can use the protocol analyzer to find the same information as the network administrator and SecOps teams.
Network administrator
"A network administrator can use the protocol analyzer to assist in the management of the network and employee usage. The protocol analyzer can help to:Monitor and log network traffic as it is transmitted over the network.
(stateless)"
"A packet filtering firewall makes decisions about which network traffic to allow by examining information in the IP packet header, such as source and destination addresses, ports, and service protocols. A packet filtering firewall:Operates up to OSI Layer 3 (the Network layer)
Patch
"A patch is also a quick fix, but generally more thoroughly tested than a hotfix and designed for a wider deployment. Patches:Include previous hotfixes that the manufacturer has thoroughly tested for mass deployment.
Proxy server
"A proxy server is a type of firewall that stands as an intermediary between clients requesting resources from other servers. A proxy server is often called an application-level gateway because it performs filtering at the Application layer. Proxies can be configured to:Restrict users on the inside of a network from getting out to the internet.
Rogue access points (AP)
"A rogue AP is any unauthorized AP added to a network. Rogue APs can allow the unauthorized capture of credentials and other sensitive information. Attackers also use this type of attack to conduct phishing and man-in-the-middle attacks.An example of a rogue AP is an employee with access to the wired network installing a wireless AP on a free port. The employee may do this because of poor signal strength. This rogue AP provides access to the network. If the AP has not been secured to the same standards as an official AP, it is likely to be targeted by an attacker.
Root Certificate
"A root certificate is the first certificate that a Certificate Authority creates. Root certificates are:Self-signed certificates. These certificates go through a different validation process which varies depending on the certificate and organization.
Third-party libraries and software development kits (SDKs)
"A third-party library is a library where the code is not maintained in house. A software development kit (SDK) is a set of software development tools that can be installed as one unit. Both can provide code frameworks or code snippets to help development go faster. Though they can be very helpful, there are risks involved. For example:Anytime code comes from an outside source there is risk that it may contain flaws and vulnerabilities
(VLAN)"
"A virtual LAN (VLAN) is a logical grouping of computers based on switch ports.VLAN membership is configured by assigning a switch port to a VLAN.
Wireless access point (WAP)
"A wireless access point broadcasts information and data over radio waves.
Wireless bridge
"A wireless bridge connects two wireless networks together.
(AES)"
"AES, also known as the Rijndael cipher, was developed by Jaon Daemen and Vincent Rijmen in 2001 as part of a NIST competition held to find a replacement for DES.AES has essentially replaced all other types of symmetric encryption.
Authentication Header (AH)
"AH provides authenticity, non-repudiation, and integrity.AH:
The Address Resolution Protocol (ARP) poisoning
"ARP is used to translate IP addresses into MAC addresses. ARP was designed for speed, not security. It can be exploited by an attacker using ARP poisoning, also referred to as an ARP spoofing attack.To perform an ARP poisoning attack, the attacker does the following:
ARP spoofing/poisoning
"ARP spoofing/poisoning associates the attacker's MAC address with the IP address of victim's device.When computers send an ARP request for the MAC address of a known IP address, the attacker's system responds with its MAC address.
Access cards
"Access cards can be used to secure a facility, room, or cabinet.Barcode readers require a barcode to be scanned using infrared technology.
Account Lockout Policies
"Account lockout disables a user account after a specified number of incorrect login attempts. Account lockout policies include:Account lockout duration - Specifies the number of minutes a locked-out account remains locked out before automatically becoming unlocked. When set to 0, an administrator must unlock the account.
Account Monitoring
"Account monitoring can help you detect unusual or risky behavior. You should monitor for the following:Login activity.
Password Policies
"Account policies help you control the composition and use of passwords. Password policies include:Enforce password history - This determines the number of unique new passwords that have to be used before an old password can be reused. This helps to prevent users from reusing any recent passwords.
Account Restrictions
"Account restrictions place restrictions on the use of a user account for login. For example, you can:Prohibit multiple concurrent logins
Administrator
"Administrators have complete control of the system and can perform tasks such as:Change global settings
Airflow
"Airflow is an important factor in controlling temperature. Be aware that:Fans are a critical component in preventing hot spots in a computer room. There are two types of fans, fans inside the computer equipment and room fans, which circulate air in the room.
Single trust model
"All CAs start with a single trust model. This is the simplest model to setup. The single trust model has the following characteristics:There is only one CA that issues and distributes certificates.
(GCM)"
"All other modes of operation are unauthenticated forms of encryption. The Galois Counter Mode provides both encryption and authentication.GCM works just like Counter Mode except the ciphertext is combined with a special hash.
All-in-one security appliances
"All-in-one security appliances combine many security functions into a single device. All-in-one security appliances are also known as unified threat security devices or web security gateways. This type of device may be the best choice for:A small company without the budget to buy individual components.
Application
"An Application layer firewall (also referred to as an Application level gateway or proxy) makes security decisions based on information contained within the data portion of a packet. An Application level gateway:Operates up to OSI Layer 7 (the Application layer)
Application-aware devices
"An application-aware device has the ability to analyze and manage network traffic based on the Application layer protocol that created it. Some of these devices can also apply quality of service (QoS) and traffic-shaping rules based on the application that created network traffic. Consider the following examples:An application-aware firewall can enforce security rules based on the application that is generating network traffic instead of the traditional port and protocol.
Initialization vector (IV) attack
"An initialization vector is a seed value used in encryption. The seed value and the key are used in an encryption algorithm to generate additional keys or to encrypt data.Wired Equivalent Privacy (WEP) encryption reuses initialization vectors. The reuse of IVs make it easy for attackers crack them. This is known as an IV attack. Be aware that:
Insider
"An insider could be a customer, a janitor, or even a security guard; but most of the time, it's an employee. Employees pose one of the biggest threats to any organization. There are many reasons why an employee might become a threat. The employee could:Be motivated by a personal vendetta because they are disgruntled.
Internet content filter
"An internet content filter is software used to monitor and restrict content delivered across the web to an end user. Companies, schools, libraries, and families commonly use content filters to restrict internet access, block specific websites, or block specific content.Two types of configurations are commonly used, which are:Allow all content except for the content you have identified as restricted.
Organizational unit (OU)
"An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit:Is a container object
Use anti-spoofing rules
"Anti-spoofing rules counter spoofing attacks where IP packets have a source address that does not belong to the sender. Anti-spoofing rules analyze the IP packet and match the router interface and direction from which the packet is received. An inbound packet that comes to the external interface must not have a source address that match the internal network or the router itself.A typical anti-spoofing rule will be configured as follows:
Accuracy
"Are the results accurate? Accuracy is extremely critical in a biometric system. Most devices can be configured for increased or reduced sensitivity. Note the following as it relates to biometric accuracy:False rejection (or false negative) occurs when a person who should be allowed access is denied access. The false rejection rate (FRR) is a measure of the probability that a false negative will occur.
Hybrid warfare
"As it refers to technology, hybrid warfare employs political warfare and blends conventional warfare with cyberwarfare. Its goal is to influence others with things such as fake news, diplomacy, lawfare, and foreign electoral intervention.Examples include:
passwd
"Assign or change a password for a user.passwd (without a user name or options) changes the current user's password.
Nation state
"Attacks from nation states have several key components that make them especially powerful. Typically, nation state attacks:Are highly targeted.
(ABAC)"
"Attribute-based access control restricts access by assigning attributes to resources.Attributes can be things like a user's role, position, or current project.
Authentication Applications
"Authentication applications are third-party tools that organizations use to authenticate their users, especially those working remotely. An authenticator app, typically installed on a smartphone, provides a new six-to-eight digit code every 30 seconds. This passcode, along with your username and password, provides additional verification that you are who you say you are. Another similar method that you may have used is a one-time password. Some banks use this method to allow ATM withdrawals without using a debit card. An application or token creates a one-time password. This password only works for a single login. After that, the password expires. There are two different methods for creating one-time passwords:HMAC-based one-time password (HOTP): This type of one-time password uses a mathematical algorithm to create a new password based on the previous password that was generated.
(FTP)"
"Be aware of the following when using FTP:Anonymous login (also known as blind or anonymous FTP) allows unrestricted access to the FTP server. Disable anonymous login to control access based on username.
Test patches
"Be sure to test patches before applying patches within your organization. A common strategy is to:Apply and test patches in a lab environment.
TPM chip
"BitLocker utilizes the computer's Trusted Platform Module (TPM) chip. The TPM chip is built onto the motherboard and generates and stores encryption keys to protect boot files. If the hard drive is moved to another computer, the encryption keys won't match and the data on the drive cannot be accessed. (The TPM chip must be at least version 1.2 for BitLocker to use it.)
Blowfish
"Blowfish was developed in 1993 by Bruce Schneier. It was meant to be a replacement for DES.Blowfish is unpatented so that it can be used freely by anyone.
CAST
"CAST is a family of ciphers that now consists of CAST-128 (CAST5) and CAST-256 (CAST6).CAST5 is the most widely used CAST cipher. It replaced IDEA in PGP 3.0 and is also an option in all versions of Open PGP.
(CBC)"
"CBC is similar to ECB except this mode uses an initialization vector (IV).The IV is a starting variable that is XORed with the plaintext of the current block to encrypt the data.
(CFB)"
"CFB also uses an IV, but instead of using it on the plaintext, the IV is encrypted first. That output is then XORed with the plaintext to create the block of ciphertext.This is the equivalent of using a one-time pad to encrypt the data.
Certificates
"Certificates are issued by a certificate authority and verify identity by providing the following:Public keys
hange factory defaults
"Change default settings on the router to increase security.Change the default manufacturer's username and password and encrypt the new password. Use a complex password instead of passwords that are easy to guess or crack. Complex passwords are typically over eight characters; contain a mix of character types (numbers and symbols); and are not words, variations of words, or derivatives of the username.
gpasswd
"Changes a group password.groupname prompts for a new password.
Code reuse
"Code reuse is simply using the same code multiple times. Reusing code is a good idea if the programmer writes the same code at least three times. Code reuse:Can create a shared library for others that use the same code
Code signing
"Code signing is the process of digitally signing (encrypting) executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.Code signing:
Column-level encryption
"Column-level encryption allows the administrator to encrypt each column separately.Each column is encrypted using a different key, which increases security.
Computer Configuration
"Computer policies are enforced for the entire computer and are initially applied when the computer boots. Computer policies are in effect regardless of the user logging into the computer. Computer policies include:Software that should be installed on a specific computer
Conditional access
"Conditional access is a way to enforce access control while also encouraging users to be productive wherever they are. Conditional access isn't intended to be the first point of security. Instead, it steps in after the first-factor authentication has been granted. Conditional access policies work by asking a user to complete an action in order to access a resource. Depending on the level of security of the requested resource, the user may be required to complete more actions. For policy decisions, conditional access can be configured to consider many different factors including:Implement control at the user or group level.
5
"Control Your Network
(User Access)"
"Control Your Network (User Access) ensures network security but restricts user access. It accomplishes the following:Limits a user to the least privilege required for the user's job
eradd
"Create a user account. The following options override the settings as found in /etc/default/useradd:-c adds a description for the account in the GECOS field of /etc/passwd.
groupadd
"Creates a new group. The following options override the settings as found in the /etc/login.defs file:- g defines the group ID (GID).
Credential harvesting
"Credential harvesting, also known as password harvesting, is the process of gathering the usernames, passwords, email addresses, and other information through breaches and other activities. Hackers can then sell personal and financial data on the dark web, use the information to gain access to a company network for illegal purposes.Hackers might use cloned websites, such as Google, Amazon, eBay, and so on. When a user attempts to log in, they inadvertently send their credentials to the hackers. Hackers will also use phishing emails. Users must stay vigilant when receiving emails and be sure not to click on any unknown or unusual links. This could cause infected programs to download and install that you did not intend.
Curl and wget
"Curl and wget are two common command line programs that can be used to download or upload files. An example of using these tools is to download an entire website for offline analysis.
Digital Signature Algorithm (DSA)
"DSA was proposed in 1991 by NIST and became the government standard in 1993DSA is only used for creating digital signatures.
Secure data destruction
"Data is an important resource for any organization. All digital data and paper data should be protected. Any paperwork containing sensitive information should be securely destroyed. The following are some of the options for secure data destruction:Burning
Discretionary access control (DAC)
"Discretionary access control assigns access directly to subjects based on the owner's discretion.Objects have a discretionary access control list (DACL) with entries for each subject.
Distinguished Encoding Rules
"Distinguished encoding rules (DER), is one of the older formats used. DER characteristics are:DER is a set of rules that defines how data must be encoded in a file.
Domain Validation
"Domain validation is the lowest level of validation. With domain validation:A CA issues a domain-validated certificate to anyone listed as an administrator on the WHOIS record.
Active accounts
"During the life of an account:Modify access rights as job roles and circumstances change.
Data recovery
"During the process of enabling BitLocker, Windows generates the recovery key. The recovery key is different from the user-generated password that is created during the setup process. This is a randomly generated key that can be used to recover data in the following instances:Moving the hard drive to a new system
(EAP)"
"EAP allows the client and server to negotiate the characteristics of authentication.An EAP authentication scheme is called an EAP type. Both the client and authenticator have to support the same EAP type for authentication to function.
(ECB)"
"ECB is the simplest mode of operation.Each block of plaintext data is encrypted separately.
Encapsulating Security Payload (ESP)
"ESP provides all the security of AH plus confidentiality.ESP:
Eavesdropping
"Eavesdropping is the act of covertly listening in on a communication between other people. This can include:
Electro-magnetic interference (EMI)
"Electro-magnetic interference is caused by noise between the hot wire and the ground or neutral wires in a circuit. This burst of energy is known as an electromagnetic pulse (EMP.) It can disrupt the signal in a data cable. Common causes of EMI are:Motors
Elliptic Curve Cryptography (ECC)
"Elliptic Curve Cryptology is one of the newer methods being implemented. It was originally introduced in 1985. It did not enter wide usage until 2004.ECC is able to generate smaller keys that are more secure than most other methods.
Confidentiality
"Encrypting data or obfuscating data provides data confidentiality. Obfuscation is different than encryption, but is a form of cryptography.Encryption is the process of transforming readable data into something unreadable. This is called ciphertext.
Encryption keys
"Encryption keys are used to encrypt and decrypt data. The key is a string of bits that is randomly generated using a specific cipher, such as Advanced Encryption Standard (AES). There are two types of encryption methods used with keys: symmetric and asymmetric.
Weakness in keys
"Encryption keys can be a weakness depending on how they are utilized.Reuse - Reusing keys is a major concern. The more a key is reused, the more likely it is that it will be cracked. For best security, a key should be used only one time.
Implement physical security
"Ensure physical security by keeping network devices in a locked room. If someone can gain access to the physical device they can easily bypass any configured passwords. Passwords are useless if physical access is not controlled. Implement the following physical security measures:Perimeter barriers
Extended Validation
"Extended validation is the highest level of validation offered by a CA. With extended validation:The purchaser needs to prove they are a domain administrator and the CA will also validate all information on the organization.
Fuzz testing
"Fuzz testing (also known as fuzzing) is a software testing technique that exposes security problems by providing invalid, unexpected, or random data to the inputs of an application. Fuzzing program types are:Mutation-basedMutate existing data samples to create data
Gait
"Gait recognition analyzes the way that people walk. Each person has a unique way of walking. Several factors determine your gait, including:Height, weight, and body proportions
Hacker
"Generally speaking, a hacker is any threat actor who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information. Types of hackers include:Those motivated by bragging rights, attention, and the thrill.
(HMAC)"
"HMAC is a type of message authentication code. Like a digital signature, HMAC allows a user to verify that a file or message is legitimate.The message sender provides a secret key that is used with a hash function, such as MD5 or SHA, to create a message authentication code.
Hardware locks
"Hardware locks prevent the theft of computers or components.Keep servers and other devices inside locked cabinets or locked rooms.
File Integrity
"Hashes are often used to prove the integrity of downloaded files. When a file is uploaded to a site, a hash can be generated. When the recipient downloads the file, they can create a hash of that file. If the recipient's hash matches the hash of the original file, you know that:The downloaded file is complete (no missing parts).
Secure logon credential exchange
"Hashes can be used to secure logon credentials during an exchange. The password is used as the key to perform a hash on a text value, and only the hashed value is passed (not the password). The receiving host uses the same method to compare the hashes to verify the identity of the user. Examples of protocols that use this method are:Challenge-Handshake Authentication Protocol (CHAP)
Hashing
"Hashing is the process of converting one value into another using a mathematical algorithm like MD5 or SHA. This fixed length of data is called the hash.Hashing is used on data that does not need to be decrypted, such as a password.
Hashing
"Hashing is the process of using an algorithm, like MD5 or SHA, on data and generating a fixed-length key called a hash. The three main hashing algorithms used today are:SHA-1, which generates a 160-bit key
Temperature
"Heat reduces the life span and reliability of computer equipment.Keep in mind the following about temperature:Fans and cooling systems on users' desktop, laptop, and notebook computers are usually adequate to keep those types of equipment sufficiently cool.
Power Conditions
"Here is a list of power conditions that you should be aware of:A surge or spike in power is a sudden rise in voltage. It can be caused by a lightning strike; a power plant coming online or going off-line; or even equipment inside the facility.
Humidity
"Humidity is an important consideration for server rooms.Humidity should be kept within a range of 40 to 65 percent. Too much humidity results in condensation. Too little humidity results in electrostatic discharge (ESD). Depending on the naturally occurring humidity level of your area and the season, you may have to add or decrease humidity.
HTTPS
"HyperText Transfer Protocol Secure is a secure form of HTTP that uses either SSL or TLS to encrypt sensitive data before it is transmitted. HTTPS:Is stateful, which means that it keeps track of the client. To do this, the client must communicate with the same HTTPS server for the duration of the session. Load balancing is not possible during the connection and is available only to initially determine which server will handle the client's session.
(IDEA)"
"IDEA was first developed in 1991 by James Massey and Xuejia Lai.IDEA was used in Pretty Good Privacy (PGP) 2.0 and is an optional algorithm in the OpenPGP standard.
IP scanners
"IP scanners are special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses. Advanced scans can also display information such as:Routes
Identification
"Identification is the act of claiming an identity, such as telling someone your name. Important facts to know about identification include:In the computer world, a username is a form of identification.
Digital Envelope
"In addition to digital signatures, data can be protected by using secure data transmission. This protects the message from hackers by using asymmetric encryption to secure the message before sending it to the recipient. Secure data transmission uses the following process:The sender requests a copy of the recipient's public key.
Application-level encryption
"In application-level encryption, the program that is used to create or modify the data is responsible for encrypting the data.Data is encrypted before it goes into the database.
Mesh model
"In the mesh model, multiple CAs are setup to issue certificates to each other. No CAs are configured in a subordinate relationship.If a CA is compromised, certificates can still be trusted because multiple CAs have authenticated them.
Instant messaging (IM)
"Instant messaging (IM) provides real-time text messaging communication and supports picture, music, and document exchange. Some examples of instant messaging are: Google Talk, Skype, iMessage, Facebook Messenger, Internet Relay Chat (IRC), and Slack. Although it offers a quick way to communicate, IM has the following problems:Use of peer-to-peer networking makes IM clients less secure than other communication methods.
Counter Mode (CTR)
"Instead of using an initialization vector, CTR uses a nonce combined with a counter that is encrypted.A nonce is a random string that is used for all blocks during the encryption process.
Internet Protocol Security
"Internet Protocol Security (IPsec) provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec includes two protocols that provide different features.Authentication Header (AH) provides authentication features. Use AH to enable authentication with IPsec.
Job rotation
"Job rotation is a technique where users are cross-trained in multiple job positions. Responsibilities are regularly rotated between personnel. Job rotation:Cross trains staff in different functional areas in order to detect fraud.
Kerberos
"Kerberos is used for both authentication and authorization services. It is the default authentication method used by computers that are a part of an Active Directory domain. Kerberos grants tickets, also called a secure tokens, to authenticated users and to authorized resources. The process of using tickets to validate permissions is called delegated authentication. Kerberos uses the following components:An authentication server (AS) accepts and processes authentication requests.
Layer 2 Forwarding
"Layer 2 Forwarding (L2F) is a VPN technology developed by Cisco that:Operates at the Data Link layer (Layer 2)
Layer 2 Tunneling
"Layer 2 Tunneling Protocol (L2TP) is an open standard for secure multi-protocol routing.L2TP does the following:
(LWAP)"
"Lightweight access points are used in conjunction with the wireless controller.LWAPs contain very little technology and rely on the WLC to handle everything including client connections, authentication, updating configurations, etc.
Generic container
"Like OUs, generic containers are used to organize Active Directory objects. Generic container objects:Are created by default
ulimit
"Limits computer resources used for applications launched from the shell. Limits can be hard or soft limits. Soft limits can be temporarily exceeded up to the hard limit setting. Users can modify soft limits, but only the root user can modify hard limits. Options include:-c limits the size of a core dump file. The value is in blocks.
MAC flooding
"MAC flooding is an attack against the network switch. Network switches maintain a MAC table. The MAC table is a list of the MAC addresses for each connected device and the port each device is connected to. The MAC table allows the switch to send data packets to only the intended recipient.In a MAC flooding attack, the attacker sends a large number of Ethernet frames with different MAC addresses. The switch begins adding these new MAC addresses to the MAC table. Eventually, the MAC table gets overloaded causing the switch to dump the MAC table. During this time, the switch begins sending packets to all ports, just like a hub.
MAC flooding
"MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. MAC flooding is performed using the following method:The attacker floods the switch with packets, each containing a different source MAC address.
MAC spoofing
"MAC spoofing is changing the source MAC address on frames. The attacker's system sends frames with the spoofed MAC address. The switch reads the source address contained in the frames and associates the MAC address with the port where the attacker is connected. MAC spoofing can be used to:Bypass 802.1x port-based security.
(MD5)"
"MD5 was developed by Ron Rivest in 1991.MD5 generates a 128-bit message digest.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
"MS-CHAP is Microsoft's version of CHAP.MS-CHAP encrypts the shared secret on each system so that it is not saved in cleartext.
6
"Manage Your Network
7
"Manage Your Network
(Patch Management)"
"Manage Your Network Part I (Patch Management) establishes an update-management process for all software on your network.
(Baseline Management)"
"Manage Your Network Part II (Baseline Management) provides rules for establishing a baseline for all systems.
Mandatory access control (MAC)
"Mandatory access control uses labels for both subjects (users who need access) and objects (resources with controlled access, such as data, applications, systems, networks, and physical space). Every operation performed is tested against a set of authorization policies to determine if the operation is allowed.Classification labels, such as secret or top secret, are assigned to objects by their owner, who is usually a managerial or governmental entity.
Captive Portal
"Many open networks implement a captive portal. Captive portals force a user to view and interact with them before accessing a network. A hotel network is a good example captive portal use. When using a captive portal:The user connects to the wireless network but is redirected to a captive portal page before internet access is granted.
2
"Map Your
Network"
"Map Your Network ensures that you are aware of all the components of the network and that you know where the physical devices are. The steps are:
Memory management
"Memory management is a resource-management process applied to computer memory. It allows your computer system to assign portions of memory called blocks to various running programs that optimize overall system performance.
usermod
"Modifies group membership for the user account. Be aware of the following options:- g assigns a user to a primary group.
groupmod
"Modifies the existing group. Be aware of the following options:groupname prompts for a new password.
Multi-Factor Authentication
"Multi-Factor Authentication is the process of using more than one way to verify identity. In the computer world, Multi-Factor Authentication is achieved by requiring two or more methods that only the user can provide. Five categories of computer system authentication include:Something you are, such as biometric information (e.g., fingerprint or retina scan).
Trees and forests
"Multiple domains are grouped together in the following relationship:A tree is a group of related domains that share the same contiguous DNS namespaces.
Network attached storage (NAS)
"NAS is a standalone storage device or appliance that acts as a file server. Be aware of the following:The NAS device is connected to the same network as all other network devices. Therefore, it is exposed to attacks from all network hosts.
NTFS
"NTFS permissions:Can be set on drives, folders, and files.
Need to know
"Need to know describes the restriction of data that is highly sensitive and is usually referenced in government and military context. Important facts about the need to know include:Even if an individual is fully cleared, the information will not be divulged unless the person has a need to know the information to perform official duties.
(NAC)"
"Network Access Control (NAC) controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.NAC attempts to unify endpoint security by defining the security measures that must be in place for a computer requesting access to the network.
Normalization
"Normalization is data reorganized in a relational database with the intent to eliminate redundancy by having all related data stored in one place. Normalization:Increases performance by reducing disk space
Code obfuscation/code camouflage
"Obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. In other words, the code is camouflaged.Programmers use roundabout expressions to compose statements that deliberately obfuscate code to conceal its purpose or its logic.
Windows
"On Windows hosts, you can use Credential Manager to manage authentication credentials. Credential Manager stores account credentials for network resources, such as file servers and websites. Credential Manager:Saves authentication credentials in the Windows Vault.
Check network connections
"Open network connections (open sockets) on a computer create a security risk. A socket is an endpoint of a bi-directional communication flow across a computer network. Use the following netstat (network statistics) or ss (socket statistics) options to identify the open network connections on Linux systems:-a lists both listening and non-listening sockets.
Locate open ports
"Open ports can provide information about which operating system a computer uses. Also, they can provide entry points or information about ways to formulate an attack. To locate open ports:Install the nmap utility if it is not already installed.
Open-source intelligence (OSINT)
"Open-source intelligence is any data that is collected from publicly available sources. The goal is to gather as much personal identifiable information (PII) as possible. This includes information found from resources such as:
Privacy-Enhanced Email (PEM)
"PEM certificates are the most common certificates in use. PEM was originally created to securely encode emails, but S/MIME and PGP quickly replaced it. The format PEM uses is perfect for encoding certificates.PEM certificates are base64 DER formatted. This means the binary information is encoded into ASCII text.
Packet sniffing
"Packet sniffing is the process of capturing data packets that are flowing across the network and analyzing them for important information. Modern networks should have good protection against network sniffing attacks, but there are occasional circumstances that allow an attacker to gather sensitive information from the data packets.
Use patch management activities
"Patch management activities include:Determining the patches that are needed on the system.
Peer-to-peer (P2P)
"Peer-to-peer (P2P) software allows users to share content and access content shared by other users without using centralized servers or centralized access control. P2P software uses ad hoc connections that allow peers to connect and disconnect at will. A common example of P2P file sharing software is BitTorrent. The latest version of Windows also has a built-in peer-to-peer component for distributing operating system updates.Security considerations for P2P software include the following:
Pharming
"Pharming involves the attacker executing malicious programs on the target's computer so that any URL traffic redirects to the attacker's malicious website. This attack is also called phishing without a lure. The attacker is then privy to the user's sensitive data, like IDs, passwords, and banking details. Pharming attacks frequently come in the form of malware such as Trojan horses, worms, and similar programs. Pharming is commonly implemented using DNS cache poisoning or host file modification.In DNS cache poisoning, the attacker launches the attack on the chosen DNS server. Then, in the DNS table, the attacker changes the IP address of a legitimate website to a fake website. When the user enters a legitimate URL, the DNS redirects the user to the fake website controlled by the attacker.
ping
"Ping is a command line tool that is used to perform a connection test between two network devices. Ping works by sending ICMP packets to a specified device on the network and waiting for a response. This shows if there is a connection issue or not. The syntax for the ping command is:ping <target IP address or hostname>
Malicious flash drive
"Plugging an infected USB flash drive to a host system or network can be a major risk. These USB drives can be infected with malware which later can be used to disrupt the operation of a business.
Point-to-Point Tunneling
"Point-to-Point Tunneling Protocol (PPTP) was one of the first VPN protocols and was developed by Microsoft.
Port authentication (802.1x)
"Port authentication is provided by the 802.1x protocol and allows only authenticated devices to connect to the LAN through the switch. Authentication uses user names and passwords, smart cards, or other authentication methods.When a device first connects, the port is set to an unauthorized state. Ports in unauthorized states can be used only for 802.1x authentication traffic.
Portable
"Portable systems are fire extinguishers that can be used to suppress small fires. When using a portable fire extinguisher, be aware of the following facts:A pin is inserted in the handle of most fire extinguishers to prevent the extinguisher from being accidentally triggered. Remove the pin to use the fire extinguisher.
Privilege escalation
"Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that aren't typically available to that user. Examples of privilege escalation include:A user accessing a system with a regular user account that is able to access functions reserved for higher-level user accounts (such as administrative features).
Privilege escalation
"Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that aren't typically available to that user. Examples of privilege escalation include:A user who accesses a system with a standard user account but is able to access functions reserved for higher-level user accounts such as administrative features.
3
"Protect Your Network
(Network Architecture)"
"Protect Your Network (Network Architecture) identifies the following steps to protect your network:
(RIPEMD)"
"RIPEMD (RACE Integrity Primitives Evaluation Message Digest, or RIPE Message Digest) is a family of cryptographic hash functions that was first developed in 1992 as part of the EU's RIPE project.
(RSA)"
"RSA was developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA was released shortly after Diffie-Hellman in 1977.RSA is still one of the most commonly used algorithms and helped defined the process of using a public key to encrypt data and a private key to decrypt the data.
4
"Reach Your Network
(Device Accessibility)"
"Reach Your Network (Device Accessibility) helps to ensure that all of the devices on your network can be easily accessed while still maintaining the device's security. Accessibility includes physical access as well as remote access. Important considerations include:
Water or Gas
"Recommendations for water and gas focus on the ability to turn them off in the event of a broken pipe, fire, or another type of emergency. These recommendations are:Identify the location of a master shut-off valve.
Diffie-Hellman
"Released in 1976 by Whitfield Diffie and Martin Hellman. Its purpose was to allow two users who have never met to safely create a shared key over a public channel such as the internet.Diffie-Hellman is used as follows:The two users agree on two numbers, a prime number (P) and a generator (g). These numbers can be shared publicly.
userdel
"Remove the user from the system. Be aware of the following options:userdel [username] (without options) removes the user account.
Evil twin attack
"Rogue APs placed by an attacker can be used to run a evil twin attack. In this attack:
(RBAC)"
"Role-based access control allows access based on a role in an organization; it is not user specific. Role-based access control is also known as non-discretionary access control.Roles are defined by job description or security access level.
Rule-based access control
"Rule-based access control uses rules applied to characteristics of objects or subjects to restrict access.Access control entries identify a set of characteristics that are examined for a match.
Scan/enumerate
"Running scans on the target is the second phase. During this phase, the ethical hacker is actively engaged with the target.Enumeration is part of the scanning phase. Enumeration uses scanning techniques to extract information such as:
Subject Alternative Name (SAN)
"SAN certificates allow an organization to cover multiple domains with one certificate. For example, TestOut could cover the following domains in a single SAN certificate:TestOut.com
(SHA)"
"SHA is a family of hashes.SHA is a government standard.
Secure Shell
"SSH allows for secure interactive control of remote systems.SSH uses RSA public key cryptography for both connection and authentication.
S-HTTP
"Secure HyperText Transfer Protocol (S-HTTP) is an alternate protocol that is not widely used because it is not as secure as HTTPS. S-HTTP :Is connectionless, unlike SSL, which is connection oriented.
Secure Sockets Layer
"Secure Socket Layer secures messages being transmitted on the internet.SSL:
Email Certificate
"Secure, encrypted emails are sent using the S/MIME Protocol.Senders need to know the recipient's public key when sending a secure email. The public key is found in email certificates.
Self-Signed Certificate
"Self-signed certificates are certificates that have not been validated or signed by a CA.Self-signed certificates are easy and free to make.
Sensitive data exposure
"Sensitive data exposure involves unintended exposure of personal and confidential data. This can come from:Weak or missing encryption
Separation of duties
"Separation of duties is the concept of having more than one person required to complete a task. This is a preventive principle primarily designed to reduce conflicts of interest. It also prevents insider attacks because no one person has end-to-end control and no one person is irreplaceable. Important facts to know about separation of duties include:System users should have the lowest level of rights and privileges necessary to perform their work and should have those privileges only for the shortest length of time possible.
chage
"Set user passwords to expire. Be aware of the following options:-M sets the maximum number of days before the password expires.
Share
"Share permissions control access through a network connection with the file server.If files are accessed locally, share permissions do not control access.
Something you exhibit
"Something that you exhibit could include a personality trait or a habit. For example:The time of day you usually log on.
Something you have
"Something you have, also called token-based authentication, bases authentication on something physical you have in your possession. Examples of something you have authentication controls include:Swipe cards (similar to credit cards) with authentication information stored on the magnetic strip.
Something you know
"Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication, but also the most commonly used. Examples of something you know authentication controls are:Passwords, codes, or IDs.
Dead code
"Sometimes dead code refers to code that is non-executable at runtime
Somewhere you are
"Somewhere you are (also known as geolocation) uses physical location to verify your identity. Examples of implementations include:A desktop system configured to allow authentication requests only if you have passed through the building's entrance using your ID card. If your are not in the building, your account is locked.
Standard User
"Standard users have limited permission. For example, standard users can:Use applications (but they cannot install them)
Stored procedures
"Stored procedures are one or more database statements stored as a group in a database's data dictionary. When called, these procedures execute all the statements in the collection. Stored procedures:Centralize the code and eliminate the need to reproduce it
Strong Artificial Intelligence
"Strong artificial intelligence systems are systems that carry out human-like tasks, which are typically complex. Strong AI include the ability to reason, make judgments, solve puzzles, learn, plan, and communicate. It is also sometimes referred to as Full AI.Examples include:
Transparent Data Encryption (TDE)
"TDE encrypts the entire database and all backups.Encrypts data at rest, which is data not being currently used.
/etc/default/useradd
"The /etc/default/useradd file contains default values used by the useradd utility when creating a user account, including:Group ID
/etc/login.defs
"The /etc/login.defs file contains:Values used for the group and user ID numbers
/etc/passwd
"The /etc/passwd file contains the user account information. Each user's information is stored in a single line on this file. There are two types of accounts in a Linux system:Standard accounts (these are user accounts).
/etc/shadow
"The /etc/shadow file contains the users' passwords in an encrypted format. The shadow file is linked to the /etc/passwd file. There are corresponding entries in both files, and they must stay synchronized. There are password and user management utilities provided by the system that allow you to edit the files and keep them synchronized. You can use the following commands to identify errors and synchronize the files:pwck verifies each line in the two files and identifies discrepancies.
/etc/skel
"The /etc/skel directory contains a set of configuration file templates that are copied into a new user's home directory when it is created, including the following files:.bashrc
(DES)"
"The DES family of ciphers was first developed in the early 1970s by IBM.DES was heavily used through the 1990s until hackers figured out how to brute-force the keys.
Online Certificate Status Protocol (OCSP)
"The Online Certificate Status Protocol (OCSP) is a protocol that web browsers can use to quickly check the status of a certificate. The purpose of OCSP is to replace the need for the CRL. OCSP is commonly implemented using:OCSP StaplingOCSP stapling can be used to help with performance. Stapling means that the server holding the certificate also provides revocation information. This server sends a query to the OCSP responder at set intervals to verify the status of it's certificate. The server will attach, or staple, the response to it's certificate.
(PKCS #12)"
"The PKCS #12 standard is also used to format certificates. It has the following characteristics:Is also known as the Personal Information Exchange Syntax Standard.
(PKCS #7)"
"The PKCS #7 standard is used to format certificates and has the following characteristics:Is also known as the Cryptographic Message Syntax (CMS) standard.
(RC)"
"The RC family of algorithms were developed by Ron Rivest in 1987.RC4 was once the most used cipher. However, many vulnerabilities have since been found and it is no longer supported.
Change default service set identification (SSID) and broadcast
"The SSID can be a maximum of 32 bytes in length. Since many manufacturers use a default SSID, it's important to change the SSID from the default. The SSID should be unique, but should not contain identifiable information (address, last name, etc.).The SSID broadcast can also be disabled. This is known as SSID suppression or cloaking.
Secure Sockets Layer
"The Secure Sockets Layer (SSL) Protocol has long been used to secure traffic generated by other IP protocols, such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote-access scenario.SSL does the following:
Transport Layer Security
"The Transport Layer Security (TLS) Protocol works in a similar way to SSL, even though they are not interoperable. When securing a connection with a VPN, TLS:Authenticates the server to the client, using public key cryptography and digital certificates
arp
"The arp command is used in both Windows and Linux. ARP stands for Address Resolution Protocol and is used to match IP addresses to MAC addresses. The arp command displays, adds, and removes arp information from network devices. Some of the common switches used with the arp command are:-a displays current ARP entries.
Bridge model
"The bridge model is a hybrid model that connects the hierarchical models of two organizations.Clients in both organizations will trust certificates issued by CAs of either organization.
Environment
"The environment the attacker chooses for conducting an interview and interrogation is essential to setting the mood.The location should not be overly noisy or overly crowded.
Door locks
"The first line of defense in protecting computer systems is to control access to the location where the computers are located.Many businesses use cubicles, which leave computers in plain sight and easily accessible to anyone. Controlling access to the building is critical to prevent unauthorized people from gaining access to computers.
Account Maintenance
"The following list provides best practices for account maintenance:Delete an employee#39;s account when the employee leaves the organization.
Limit Remote Access
"The following precautions should be taken when administering remote access:Allow remote access to the network only for those users who need it to perform their duties (not standard for all users).
Cumulative permissions
"The following suggestions will help you plan permissions and mitigate issues related to cumulative permissions:Identify the users and their access needs (the actions each user needs to be able to perform).
ipconfig/ifconfig
"The ipconfig command (Windows) and the ifconfig command (Linux) are used to display the IP configuration on the local computer. Information such as the following can be shown using these commands:Adapter name
Security operations
"The network SecOps team can use the protocol analyzer during a vulnerability assessment. The protocol analyzer can help the SecOps team to:Identify frames that might cause errors. For example, the network administrator can:Determine which flags are set in a TCP handshake
nmap
"The nmap utility is a network security scanner. Use nmap to scan an entire network or specific IP addresses to discover all sorts of information such as:Open ports
nslookup/dig
"The nslookup and dig commands are used to view and modify DNS settings. These tools can be used to look up DNS server information and also give IP addresses and domain names for a network server.nslookup is used in Windows.
Organization Validation
"The organization validation is one step up from the domain validation. With organization validation:The purchaser needs to prove they are a domain administrator and also prove the organization is legitimate.
Principle of least privilege
"The principle of least privilege states that users or groups are given only the access they need to do their jobs and nothing more. Common methods of controlling access include:Implicit deny denies access to users or groups who are not specifically given access to a resource. Implicit deny is the weakest form of privilege control.
Root account
"The root account has all system privileges and no barriers. It is also referred to as superuser. To prevent accidental damage to the system, an administrator using root must precisely and expertly perform tasks on the system. Also, the administrator should be the only one using the root account. Because there's no safety net when using root, it's important to make backups of any files or directories you're working with.
Rules of engagement
"The rules of engagement document defines exactly how the penetration test will be carried out. The following should be defined in the rules of engagement:Type of test - whether the test will be a white box, black box, or gray box test.
Scope of work
"The scope of work is a very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work. This document should answer the:Who - specific IP ranges, servers, applications, etc. should be explicitly listed.
Stateful
"The stateful inspection firewall (also known as circuit-level proxy or gateway) makes decisions about which traffic to allow based on virtual circuits or sessions. The firewall is considered stateful because it keeps track of the state of a session. A stateful inspection firewall:Operates up to OSI Layer 5 (the Session layer)
Watering hole attack
"The term ""watering hole attack"" is derived from predators in the natural world who wait for an opportunity to attack their prey near watering holes. A watering hole is a passive computer attack technique in which an attacker anticipates or observes the websites an organization uses often and infects them with malware. Members of the targeted group can then become infected. Hackers could be looking for specific information to narrow their attacks from users that come from a specific IP address.A watering hole attack has five main steps:
tracert/traceroute
"The tracert tool shows the path a packet takes to reach its destination. Every device the packet passes through is known as a hop. Use tracert to locate network devices that are down or causing latency issues.tracert is the Windows version and sends ICMP packets.
Linux
"There are a variety of credential management systems available for Linux systems. One commonly used package is KWalletManager, which stores account credentials for network resources, such as file servers and websites. KWalletManager:Saves the account credentials in a secure ""wallet.""
Proxies
"There are several types of proxies that are used to prevent web threats.Transparent proxies are located between a user and the internet, and they can redirect requests without changing the request. These can be used for web filtering.
Birthday attack
"This attack combines a collision attack and brute-force attack. The name is taken from the birthday probability math problem.
Something you can do
"This requires you to perform a particular action to verify your identity. Here are a few examples of an action that can be used:Supply a handwritten sample that's analyzed against a baseline sample for authentication.
Manage software
"Tips for managing software include:Check that all software has up-to-date licenses. A license compliance violation may open your organization to legal actions and may cause a vital application to cease its functions.
DNS hijacking
"To carry out a DNS hijacking attack, the attacker needs to gain access to the DNS records of a website. A variety of techniques can be used to gain access. These include:
Control login
"To control login and access to a system, you can:Limit privileges, especially administrative privileges.
App
"To create a local account on a computer not joined to a domain:Right-click Start, select Settings, and then choose Accounts.
Computer Management
"To create a local account:Right-click Start and then select Computer Management.
Transport Layer Security
"Transport Layer Security is the successor to SSL 3.0.TLS and SSL are similar but not interoperable, although most applications can use both SSL and TLS.
(TPM)"
"Trusted Platform Module (TPM) is a hardware chip on the motherboard that can generate and store cryptographic keys. TPM version 2.0 was released in 2014. Beginning with Windows 10 version 1607, Microsoft required that TPM 2.0 be enabled by default on all new computers.A TPM is required to check the integrity of startup files and components in BitLocker implementations.The TPM generates a hash of the startup files to verify the integrity of those files.
Twofish
"Twofish was one of the five finalists for the AES contest but ultimately was not chosen.Twofish uses keys up to 256 bits in size.
Typo squatting
"Typo squatting, also called URL hijacking, relies on mistakes, such as typos made by users inputting a website address into a web browser. When a user enters an incorrect website address, the squatter may lead them to any URL.
Check for unnecessary network services
"Unnecessary network services waste computer resources and increase the system's attack service. To remove unnecessary network services:Find all installed services and determine which are not needed: DNS, SNMP, DHCP and others.
Remove unnecessary software
"Unnecessary software occupies disk space and could introduce security flaws. To remove unnecessary software:Enter one of the following commands:
Use secure protocols
"Use encrypted protocols when managing the device. The protocols function as follows:Secure Shell (SSH) allows for secure interactive control of remote systems.SSH uses RSA public key cryptography for both connection and authentication.
Use patch management software
"Use patch management software to simplify the patch distribution and management process. Windows Software Update Services (WSUS) is a patch management tool that allows clients on a network to download software updates from a WSUS server internal to their organization.The WSUS server receives a list of available updates from Microsoft.
netstat
"Use the netstat command to display a variety of network statistics in both Windows and Linux, including:Connections for different protocols
usermod
"Used to modify an existing user account; usermod uses several of the same switches as useradd. Be aware of the following switches:-c changes the description for the account.
User Configuration
"User policies are enforced for specific users and are applied when the user logs on. User Policy settings include:Software that should be installed for a specific user
Vein
"Vein recognition scanners use infrared light to determine the vein pattern in your palm. Like a fingerprint, this pattern differs from one person to the next and does not change. The scanner converts the collected data into a code that is encrypted and assigned to you. The benefits of vein biometrics are:Veins are internal so they cannot be altered or covered as easily as hands or a face could be.
(WPA2)"
"WPA2 is the implementation name for wireless security that adheres to the 802.11i specifications. It was first introduced in 2004 and is still heavily used in today's networks. There are two version of WPA2 available:WPA2-Personal is also known as WPA2-PSK (pre-shared key). This version uses a pre-shared key, or passphrase, to protect the network. WPA2-PSK:Uses Advanced Encryption Standard with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP)as the encryption algorithm to encrypt all data. AES-CCMP uses a 128-bit key and a 128-bit block size.
Weak Artificial Intelligence
"Weak artificial intelligence is usually designed to perform one particular job. It is also sometimes referred to as Narrow AI.Examples include:
Web threat filtering
"Web threat filtering prevents a user from visiting websites with known malicious content.
Website/URL content filtering
"Website and content filtering prevents a user from visiting restricted websites.
Old accounts
"When an account is no longer needed, take appropriate actions to:Delete accounts that will no longer be used.
Cloud-based and third-party systems
"When dealing with cloud-based or other third-party systems, you need to make special provisions. If an organization is using a cloud-based system, that means the organization doesn't own the system and cannot legally provide permission for a penetration test to be carried out on that system. The penetration tester must make sure to get the explicit permission of the cloud provider before performing any tests.
Multifactor Authentication
"When possible, multifactor authentication should be used. This means using more than one method to authenticate your users. End users can be authenticated using three types of factors:Something you know
artitions/volumes
"When setting up BitLocker, the hard disk must be configured with two partitions - the System and Boot.The system partition (system volume) contains the boot loader. This is a piece of software responsible for booting the operating system. This partition holds the boot sector and is marked active.
Encryption options
"When setting up BitLocker, you can choose how much of the drive should be encrypted. Options include:Encrypt used disk space only - Introduced with Windows 10, this option only encrypts the portion of the drive that is currently in use. As data is written to the drive, it is encrypted. This method speeds up the encryption process and is recommended for new drives.
(WPS)"
"Wi-Fi Protected Setup works only on a network that uses a PSK and WPA2. WPS allows a device to securely connect to a wireless network without typing in the PSK. To do this, you:
Wildcard Certificate
"Wildcard certificates are similar to SAN certificates. But instead of covering multiple domains, the organization can cover one domain and multiple subdomains. For example, TestOut could cover the following in one certificate:quiz.testout.com
Disassociation/deauthentication attack
"Wireless devices are vulnerable to deauthentication (deauth) and disassociation attacks because the 802.11 standard allows devices to be authenticated with multiple APs at once. When a device connects to a wireless network, special unencrypted management packets are sent back and forth. Deauthentication and disassociation attacks take advantage of these packets to disconnect devices from a network. Be aware that:
MAC filtering/port security
"With switch port security, the devices that can connect to a switch through the port are restricted.Port security uses the MAC address to identify allowed and denied devices.
Jamming attack
"With wireless networks, interference is a signal that corrupts or destroys the wireless signal sent by APs and other wireless devices. Non-malicious interference includes the following:Electromagnetic interference (EMI) is interference caused by motors, heavy machinery, and fluorescent lights.
Object
"Within Active Directory, each resource is identified as an object. Common objects include:Users
Allow SMTP mail on port 25
"sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Allow HTTP traffic on port 80
"sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Allow HTTPS traffic on port 443"
"sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
theHarvester
"theHarvester is a passive reconnaissance tool that is used to gather information from a variety of public sources. The tool gathers emails, names, subdomains, IPs, and URLs using multiple public data sources. These sources include search engines, social media sites, and Shodan.
TestOut Security Pro
5.0 Audit and Security Assessment5.2 Assessment Techniques
(DMZ)"
A DMZ provides enhanced security by isolating your publicly accessible network from your privately accessible network.
daemon
A Linux or UNIX program that runs as a background process, rather than being under the direct control of an interactive user.
MAC spoofing
A MAC spoofing attack starts with the attacker scanning the network for valid MAC addresses. The attacker spoofs the MAC address to match the gateway's and overwrites the switch's CAM table with this new mapping.All data that would normally go to the gateway is sent to the attacker's computer.
Trust model
A PKI uses a trust model to establish trust between two communicating entities. Depending on the number of CAs being implemented and the use, there are a few configurations that can be used to setup certificate authorities.
Use a Trusted Operating System (TOS)
A TOS is an operating system that comes hardened and validated to a specific security level as defined in the Common Criteria for Information Technology Security Evaluation (CC). Many TOSs provide sufficient support for multilevel security, a system in which multiple levels of classified data reside within the same system, but users are not permitted to access data at different classification levels. Additionally, all personnel must have access approval on a need-to-know basis.
(WLC)"
A Wireless LAN controller is used in a enterprise environment to manage multiple access points. The WLC is placed in the networking closet and connected to a switch. The controller is able to communicate with and manage the wireless access points.The WLC is also able to manage client connects and access point loads. This allows the WAPs to operate and work together as a single system instead of each device working in isolation.
Turnstile
A barrier that permits entry in only one direction.
Supply Chains
A blockchain could be used to track the movement of product such as food. The ability to follow and see every stop the product has made on its way to the consumer would provide assurances of the product's safety.
Demilitarized zone (DMZ)
A buffer network (or subnet) that is located between a private network and an untrusted network, such as the internet.
Cold aisle
A cold aisle is created by having the front of the equipment face toward the center of the aisle. Typically, cold aisles face air conditioner output ducts.
Service pack
A collection of patches, hotfixes, and system enhancements that have been tested by the manufacturer for wide deployment.
Milestone
A component of a manageable network plan that indicates an action or event.
Web filter
A content filter that prevents users from visiting restricted websites.
Identity theft
A crime in which an attacker commits fraud by using someone else's name or existing accounts to obtain money or to purchase items.
Blockchain
A decentralized and distributed ledger of transactions between two or more parties. Blockchain uses cryptography to keep sensitive data secure.
Ad hoc
A decentralized network that allows connections without a traditional base station or router. It allows users to connect two or more devices directly to each other for a specific purpose.
Demilitarized zone (DMZ) or Screened Subnet
A demilitarized zone, also called a screened subnet, provides enhanced security by isolating your publicly accessible network from your privately accessible network. Basically, you're using a firewall to creating two separate networks.
Screened host gateway
A device residing within the DMZ that requires users to authenticate in order to access resources within the DMZ or the intranet.
Application-aware devices
A device that has the ability to analyze and manage network traffic based on the application-layer protocol.
Firewall
A device, or software running on a device, that inspects network traffic and allows or blocks traffic based on a set of rules.
Digital signature
A digital signature is a combination of asymmetric encryption and hashing values. A signature provides confidentiality, integrity validation, strong authentication, and non-repudiation.
Directional
A directional antenna focuses its radiation and absorption of signals in a specific direction. Some directional antennae allow you to vary the beam from relatively wide to very narrow. The narrower the beam, the higher the gain and the longer the range.
Discretionary access control list (DACL)
A discretionary access control list is an implementation of discretionary access control (DAC). Owners add users or groups to the DACL for an object and identify the permissions allowed for that object.
Rules of engagement
A document that defines exactly how the penetration test will be carried out.
Domain controller
A domain controller is a server that holds a copy of the Active Directory database that can be written to. Replication is the process of copying changes to Active Directory between the domain controllers. In contrast, member servers are servers in the domain that do not have the Active Directory database.
Domain controller
A domain controller is a server that holds a copy of the Active Directory database. The copy of the Active Directory database on a domain controller can be written to.
Domain
A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure.
Domain
A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure. Depending on the network structure and requirements, the entire network might be represented by a single domain with millions of objects, or the network might require multiple domains.
Double-entry door
A double-entry door has two doors that are locked from the outside but have crash bars on the inside that allow easy exit.
(PPTP)"
A early tunneling protocol developed by Microsoft.
Python
A easy to read and understand programming language.
disk (VHD)"
A file that is created within the host operating system and simulates a hard disk for the virtual machine.
Web threat filter
A filter that prevents users from visiting websites with known malicious content.
Duel-homed gateway
A firewall device that typically has three network interfaces. One interface connects to the internet, one interface connects to the public subnet, and one interface connects to the private network.
Stateful firewall
A firewall that allows or denies traffic based on virtual circuits of sessions. A stateful firewall is also known as a circuit-level proxy or circuit-level gateway.
Stateless firewall
A firewall that allows or denies traffic by examining information in IP packet headers.
Network firewall
A firewall that is used to regulate traffic in and out of an entire network.
Patch
A fix that is more thoroughly tested than a hotfix and designed for a wider deployment.
Shared folder
A folder whose contents are available over the network.
Forest
A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.
Hash
A function that converts a variable-length string into a compressed, fixed-length value known as a message digest or hash.
Guest
A guest network at an organization often grants internet access only for guest users, but it also has some type of firewall to regulate that access. There could be limited internal resources made available on a guest network. Normally, it is just a way for guests to access the internet without being allowed on the intranet or internal network.
(HSM)"
A hardware security module (HSM) is a piece of hardware and associated software/firmware that is connected to a computer system to provide cryptographic functions.
Hash collision
A hash collision occurs when two files generate the same hash.
Scalability
A hierarchical database lets you grow the Active Directory to meet the needs of your environment.
High-gain
A high-gain antenna usually has a gain rating of 12 dBi or higher.
Honeynet
A honeynet is a special network created to trap potential attackers. Honeynets have vulnerabilities that lure attacks so that you can track their actions and protect your real network. Honeynets can generate extremely useful security information.
Hybrid cryptosystem
A hybrid cryptosystem combines the efficiency of symmetric encryption with the convenience of asymmetric encryption.
Memory leak
A leak that happens when dynamic memory is allocated in a program, but no pointers are connected to it causing it to never be returned when requested.
Third-party libraries
A library where the code is not maintained in-house.
Access list
A list of personnel who are authorized to enter a secure facility
Common Vulnerabilities and Exposures (CVE)
A list of standardized identifiers for known software vulnerabilities and exposures.
Access control list (ACL)
A list that identifies users or groups who have specific security assignments to an object.
Virtual LAN (VLAN)
A logical collection of devices that belong together and act as if they are connected to the same wire or physical switch.
API attacks
A malicious use of an API (application programming interface).
Protected cable distribution
A metal cabinet that locks away all the networking cables and prevents any type of emissions. PDSs also keep attackers from physically removing cables or plugging in additional cables. PDSs are most commonly used by utility companies.
Multifactor authentication
A method of confirming identity by using two or more pieces of evidence (or factors) to an authentication mechanism.
Network Address Translation
A method used by routers to translate multiple private IP addresses into a single registered IP address.
Promiscuous mode
A mode in which the NIC processes every frame it sees, not just those addressed to it.
Router
A network device that transmits data from one network to another.
Demilitarized zone
A network that contains publicly accessible resources and is located between the private network and an untrusted network, such as the internet. It is protected by a firewall.
Wireless network
A network that does not require a physical connection.
Guest network
A network that grants internet access only to guest users. A guest network has a firewall to regulate guest user access.
Normal-gain
A normal-gain antenna usually has a gain rating between 2 and 9 dBi.
Parabolic
A parabolic antenna uses a parabolic-shaped reflector dish. It is highly directional, concentrating the radio waves transmitted from the sender into a very narrow beam. When the receiver uses a parabolic antenna, it can receive a signal only from one specific direction. It supports very high-gain radio signals that can be transmitted over long distances, but it requires a clear line of sight (LOS) between the sender and the receiver.
Permission
A permission controls the type of access that is allowed or denied for an object.
Physical machine
A physical machine, also known as the host operating system, has the hardware, such as the hard disk drive(s), optical drive, RAM, and motherboard.
Policy
A policy is a set of configuration settings applied to users or computers.
(BYOD)"
A policy that allows an employee to use a personal device, such as a laptop computer or phone, to connect to the organization's network to accomplish daily work tasks.
Network access control
A policy-driven control process that allows or denies network access to devices connecting to a network.
(PSK)"
A pre-shared key is a passphrase that is used to access the wireless network. This is probably the most commonly used access method.
Intranet zone
A private network that employs internet information services for internal use only.
Extranet
A privately-controlled network distinct from but located between the internet and a private LAN.
Manageable network plan
A process created by the National Security Agency (NSA) to assist in making a network manageable, defensible, and secure.
Command shell
A program that provides an interface to give users access to operating system functions and services.
(TLS)"
A protocol that evolved from SSL and provides privacy and data integrity between two communicating applications.
Remote Authentication Dial-In User Service
A protocol used to authenticate users in a enterprise environment to a wireless network.
(FEK)"
A pseudo-random number used with the AES encryption algorithm to encrypt files and folders in EFS.
Internet
A public network that includes all publicly available web servers, FTP servers, and other services.
Hotfix
A quick fix for a specific software problem.
Rainbow table
A rainbow table is a table of passwords and their generated hashes.
Virtual Private Network
A remote access connection that uses encryption to securely send data over an untrusted network.
and Exposures (CVEs)"
A repository of vulnerabilities hosted by MITRE Corporation.
Memory management
A resource management process applied to computer memory. It allows your computer system to assign portions of memory, called blocks, to various running programs to optimize overall system performance.
Retina
A retina is the back portion of the eye that is sensitive to light. Numerous capillaries move blood to the retina and these capillaries create a unique pattern. A retinal scanner shines infrared light into an eye and measures the amount of reflection. The vessels in the retina absorb infrared light so that the reflection pattern can be stored for future identification.
Access control list (ACL)
A router filter that controls which network packets are permitted (forwarded) or denied (dropped) in or out of a network.
SSH Keys
A secure shell (SSH) key is an access credential. It operates like usernames and passwords but is mostly used to implement single sign-on and other automated processes.
Air gap
A security method that physically isolates a portion of the network (such as a computer, a server, or a small network of computers) from the internet or any other unsecured networks.
Initialization vector (IV)
A seed value used in encryption. The seed value and the key are used in an encryption algorithm to generate additional keys or encrypt data.
Race conditions
A sequence of events with dependencies that a system is programmed to run in a certain order which can lead to a time-of-check to time-of-use bug vulnerability.
Service pack (SP)
A service pack (SP) is a collection of patches, hotfixes, and other system enhancements that have been tested by the manufacturer for wide deployment. A service pack includes all previously released bug fixes. If you install the service pack, you do not need to install individual patches. Installing a service pack also includes all previous service packs.
Threat feed
A service that tracks cyber threats across the world and provides real-time updates with IP addresses, URLs, and other relevant information regarding the threats.
(IPsec)"
A set of protocols that provides security for Internet Protocol (IP) that can be used in conjunction with L2TP or to set up a VPN solution.
Software Development Kits (SDKs)
A set of software development tools that can be installed as one unit.
Interference
A signal that corrupts or destroys a wireless signal. Interference can affect communication of access points and other wireless devices.
Privilege escalation
A software bug or design flaw in an application that allows an attacker to gain access to system resources or additional privileges that aren't typically available.
Virtual machine
A software implementation of a computer that executes programs like a physical machine.
Network DLP
A software or hardware solution that is typically installed near the network perimeter that analyzes network traffic in an attempt to detect transmission of sensitive data in violation of an organization's security policies.
Cloud DLP
A software solution that analyzes traffic to and from cloud systems in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies.
Fuzz testing
A software testing technique that exposes security problems by providing invalid, unexpected, or random data to the inputs of an application.
Zero-day vulnerability
A software vulnerability that is unknown to the vendor that can be exploited by attackers.
Security Orchestration, Automation and Response
A solution stack of compatible software programs that collect data about security threats from multiple sources and respond to low-level security events without human assistance.
(DDF)"
A special location in a EFS encrypted file's header that stores the FEK.
Storage area network (SAN)
A special network composed of high-speed storage that is shared by multiple servers.
Honeynet
A special zone or network created to trap potential attackers.
Mantrap
A specialized entrance with two locking doors that create a security buffer zone between two areas.
storage (NAS)"
A standalone storage device or appliance that acts as a file server.
Encryption key
A string of bits randomly generated using a specific cipher. An encryption key is used to encrypt or decrypt data.
Screened subnet
A subnet protected by two firewalls; an external firewall is connected to the internet and an internal firewall is connected to a private network.
Port mirroring
A switch mode in which all frames sent to all other switch ports will be forwarded on the mirrored port.
System access control list (SACL)
A system access control list is used by Microsoft for auditing in order to identify past actions performed by users on an object.
Rights management
A system of data protection at the file level that uses various forms of permissions, rules, and security policies.
Data loss prevention (DLP)
A system that attempts to detect and stop breaches of sensitive data within an organization.
Common Vulnerability Scoring System
A system that ranks vulnerabilities based on severity.
Targeted
A targeted attack is much more dangerous. A targeted attack is extremely methodical and is often carried out by multiple entities that have substantial resources. Targeted attacks almost always use unknown exploits, and the attackers go to great lengths to cover their tracks and hide their presence. Targeted attacks often use completely new programs that are specifically designed for the target. This attack type is typically used by an organized crime group.
Load balancing
A technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time.
Hypervisor
A thin layer of software that resides between the guest operating system and the hardware. It creates and runs virtual machines.
Tokens
A token is a device or a file used to authenticate. A hardware token, such as a key fob, serves as something you have. A software token, also known as a soft token, is stored in devices such as laptops, desktops, or mobile phones. These tokens are specific to the device, and cannot be altered or duplicated.
Tree
A tree is a group of related domains that share the same contiguous DNS namespace.
(L2F)"
A tunneling protocol developed by Cisco to establish virtual private network connections over the internet.
Proxy server
A type of firewall that stands as an intermediary between clients requesting resources from other servers.
(SSID)"
A unique name that identifies a wireless network.
Simple
A username and password are required. Normally, the username and password are passed in cleartext. LDAP uses ports 389 and 636 by default.
Scope of work
A very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work.
Virtual hard disk (VHD)
A virtual hard disk (VHD) is a file created within the host operating system and simulates a hard disk for the virtual machine.
Virtual machine
A virtual machine, also known as the guest operating system, is a software implementation of a computer. The virtual machine executes programs in the same way a physical machine executes programs. The virtual machine appears to be a self-contained and autonomous system.
Web of trust
A web of trust is typically used with Pretty Good Privacy encryption (PGP). Instead of implementing a CA, everyone is considered a trusted authority. For example, if User1 trusts User2 and User2 trusts User3, User1 will also trust User3.
(SSL)"
A well-established protocol to secure IP protocols, such as HTTP and FTP.
(WAP)"
A wireless access point broadcasts information and data over radio waves.
Wireless
A wireless zone is a broadcasted network connection used within an organization. Users don't need a physical connection to a network port to connect to the intranet or internal resources. Instead they use a wireless connection on their device to connect to a wireless access point.
Wireless
A wirelessly broadcasted network is used on most internal networks so that internal users do not require a physical connection to a router or switch.
Models
AI can unintentionally discriminate against a protected class of people. AI can be used for facial recognition and mistake the gender or race or misidentify people.
Smart card
Access cards that have encrypted access information. Smart cards can be contactless or require contact.
Access control
Access control is the ability to permit or deny access to resources on a network or computer.
Effective permissions
Access rights (permissions) are cumulative. If you are a member of two groups with different permissions, you have the combined permissions of both groups (this is known as effective permissions). Effective permissions are the combination of inherited permissions and explicit permissions.
Interaction with humans
Accidents and injuries can occur when humans fail to take action or recognize when AI fails. For example, humans can rely on self-driving cars only to be involved in accidents for situations that AI is not able to deal with.
Advisories and bulletins
Advisories and bulletins provide detailed updates on cyber threats. They are usually updated weekly.
Domain objects
All network resources, such as users, groups, computers, and printers are stored as objects in Active Directory.
Accept
Allows the connection.
Reconnaissance
Also known as footprinting. This is the process of gathering information about a target before beginning any penetration test or security audit.
Heuristic-based detection
Also referred to as behavior, anomaly, or statistical-based detection. This detection method first defines a baseline of normal network traffic and then monitors traffic looking for anything that falls outside that baseline.
Signature-based detection
Also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS). This detection method looks for patterns in network traffic and compares them to known attack patterns called signatures.
System ACL (SACL)
An ACL Microsoft uses for auditing to identify past actions users have performed on an object.
Access control policy
An access control policy defines the steps and measures that are taken to control access to objects.
Access control system
An access control system includes policies, procedures, and technologies that are implemented to control access to objects.
Ad hoc
An ad hoc network is a decentralized network that allows connections without a traditional base station or router. It allows users to connect two or more devices directly to each other for a specific purpose.
Air gap
An air gap is a security method in which a computer, a server, or a small network of computers is physically isolated from the internet or other unsecured networks. This means that only individuals authorized to access that computer or network can access it. It can be accessed only in person, not over the internet, not even from another internetwork within the organization.
security appliance"
An appliance that combines many security functions into a single device.
Application firewall
An application firewall is typically installed on a workstation and used to protect a single device. An application firewall is also known as a host-based firewall.
Pass the hash
An attack in which an attacker obtains a hashed password and uses it to gain unauthorized access.
Active attack
An attack in which perpetrators attempt to compromise or affect the operations of a system in some way.
Passive attack
An attack in which perpetrators gather information without affecting the targeted network's flow of information.
Man-in-the-middle (MITM) attack
An attack in which the hacker intercepts communications between two devices.
External attack
An attack in which unauthorized individuals try to breach a network from outside the network.
Inside attack
An attack initiated by authorized individuals inside the network's security perimeter who attempt to access systems or resources to which they're not authorized.
Buffer overflow
An attack that exploits an operating system or an application that does not properly enforce boundaries for inputting data such as the amount of data or the type of data.
Resource exhaustion
An attack that focuses on depleting the resources of a network to create a denial of service to legitimate users.
Driver manipulation
An attack that focuses on device drivers. The attack uses refactoring or shimming.
SSL stripping
An attack that focuses on stripping the security from HTTPS-enabled websites.
Replay attack
An attack that happens when network traffic is intercepted by an unauthorized person who then delays or replays the communication to its original receiver, acting as the original sender. The original sender is unaware of this occurrence.
Distributed denial of service (DDoS)
An attack that is designed to bombard the target with more data than it can handle, causing it to shut down.
Pointer/object dereferencing
An attack that retrieves a value stored in memory that can be exploited through a NULL pointer dereference.
DNS attack
An attack that targets DNS services.
Denial of service (DOS)
An attacker blocks radio signals or jams the system with interfering noise.
Cloning and spoofing
An attacker creates a copy of an existing tag and uses the fake tag to gain access to a secure system.
Man-in-the-middle (MTM)
An attacker intercepts a signal from an RFID tag, then manipulates the signal before sending it to the intended recipient. This kind of attack is frequently used to take down a system.
Being a good listener
An attacker may approach a target and carefully listen to what the target has to say, validate any feelings the target expresses, and share similar experiences, which may be real or fabricated. The point is to be relatable and sympathetic. As the target feels more connected to the attacker, barriers go down and trust builds. This leads the target to share more information.
Compliments
An attacker may give a target a compliment about something the target did. The attacker waits for the target to take the bait and elaborate on the subject. Even if the target downplays the skill or ability involved, talking about it might give the attacker valuable information.
Threatening
An attacker may try to intimidate a target with threats to make the target comply with a request. This is especially the case when when moral obligation and innate human trust tactics are not effective.
Eavesdropping
An attacker uses an RFID reader to listen to conversations between a tag and the intended reader.
Moral obligation
An attacker uses moral obligation and a sense of responsibility to exploit the target's willingness to be helpful.
(EAP)"
An authentication framework that uses a set of interface standards. EAP allows various authentication methods to be used.
Spam filter
An email filter that prevents the delivery of irrelevant or inappropriate email known as spam.
Entry point
An entry point is a location or device that allows network access and is vulnerable to attacks.
False negative
An error that occurs when a person who should be allowed access is denied access.
False positive
An error that occurs when a person who should be denied access is allowed access.
(PAT)"
An extension of NAT that associates a port number with a request from a private host.
Extranet
An extranet is a privately controlled network distinct from the intranet but located between the internet and a private LAN. An extranet is often used to grant resource access to business partners, suppliers, and even customers outside of the organization.
(IdP)"
An identity provider is an online service that manages identity information for other organizations. The IdP creates records from an organization's existing data and policies. These records are used to authenticate user requests.
Discretionary ACL (DACL)
An implementation of discretionary access control (DAC) in which owners add users or groups to the DACL for an object and identify the permissions allowed for that object.
Intranet
An intranet is a private network (LAN) that employs internet information services for internal use only. For example, your company network might include web servers and email servers that are used by company employees.
Security Principal
An object such as a user account, computer account, and security group account that can be given permissions to an object.
Omnidirectional
An omnidirectional antenna radiates and absorbs signals equally in every direction around the antenna. Because it spreads its gain in a 360 degree pattern, the overall range of an omnidirectional antenna is typically much less than that of a directional antenna.
Open Network
An open network has no authentication at all and allows anyone to connect to the network. This access method should be used only in public places that want to offer free wireless access.
(L2TP)"
An open standard for secure multi-protocol routing.
Opportunistic
An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities. Known vulnerabilities can include old software, exposed ports, poorly secured networks, and default configurations. When a vulnerability is found, the hacker will exploit the vulnerability, steal whatever is easy to obtain, and get out. This type of attack is typically used by a single hacker.
(SAN)
An optional field. The SAN allows the organization to have multiple host names covered in one certificate.
Intermediate CA
An organization can choose to setup and configure an intermediate CA whose sole purpose is to maintain and update the CRL.
Organizational unit
An organizational unit is similar to a folder. It subdivides and organizes network resources within a domain.
Backdoor
An unprotected and usually lesser known access method or pathway that may allow attackers access to system resources.
Vault
Another way you can secure networking devices is to keep them in a locked cage, or a vault. You can do this in addition to a locked room or you can place the vault inside a locked room. Obviously, combining the two physical security measures is best, but make sure to have at least one.
Anti-phishing software
Anti-phishing software scans content to identify and dispose of phishing attempts, preventing outside attempts to access confidential information.
Open-Source Intelligence (OSINT)
Any data that is collected from publicly available sources such as social media, search engines, company websites, media sources, or public government sources.
Bastion or sacrificial host
Any host that is exposed to attack and has been hardened or fortified against attack.
Rogue access points
Any unauthorized access point added to a network.
Authenticity
Applying a digital signature proves that the file is authentic and comes from the correct person.
Non-repudiation
Applying a digital signature provides non-repudiation. This means that the sender cannot later deny having sent the file.
/etc/group
As with Active Directory, groups can be used to simplify user access to network resources. The /etc/group file contains information about each group.
MAC flooding
Attack against a network switch in which the attacker sends a large number of Ethernet frames with various MAC addresses, overwhelming the switch. The switch is overloaded and sends traffic to all ports.
MAC spoofing
Attack in which the hacker spoofs the MAC address of the gateway. This results in the spoofed address overwriting the gateway's MAC address in the switch's CAM table.
ARP poisoning
Attack targeting the ARP protocol. The attacker changes the ARP cache by spoofing the IP address of a target.
Feigning ignorance
Attackers might make a wrong statement and then admit to not knowing much about the subject. The intent is to get the target to not only correct the attacker, but also explain in detail why the attacker is wrong. The explanation might help the attacker learn, or at least have a chance to ask questions without looking suspicious.
Innate human trust
Attackers often exploit a target's natural tendency to trust others. The attacker wears the right clothes, has the right demeanor, and speaks words and terms the target is familiar with so that the target will comply with requests out of trust.
Attributes
Attributes can be your role, position, or current project. This information can be used to determine policy and permission.
Auditing
Auditing, also referred to as accounting, is maintaining a record of the activity within the information system.
Authentication
Authentication is the process of validating identity. It includes the identification process, a user providing input to prove identity, and the system accepting that input as valid.
Authentication
Authentication is the process of validating user credentials that prove user identity.
Authority and fear
Authority techniques rely on power to get a target to comply without questioning the attacker. The attacker pretends to be a superior with enough power that the target will comply right away without question. The attacker could also pretend to be there in the name of or upon the request of a superior. Authority is often combined with fear. If an authority figure threatens a target with being fired or demoted, the target is more likely to comply without a second thought.
Authorization
Authorization is granting or denying access to an object based on the level of permissions or the actions allowed with the object.
Availability loss
Availability loss occurs when an attacker performs a malicious act to make the network so busy that the system goes down. This is also referred to as denial of service. When this happens, employees are unable to accomplish their tasks. Also, customers are unable to access the company's services. Loss of availability can be accomplished with malware.
Availability
Availability of data is one of the goals of Information Security. Since encryption can hinder the availability of data, it is important to measure the level of security against the availability of a resource. The more secure data is made, the more difficult (less available) it becomes for a user to access.
Azure Active Directory
Azure AD is Microsoft's cloud-based identity and access management service. It helps employees sign in and access resources.
Public key
Before filling out the CSR, the organization needs to generate a key pair. The public key will be included here.
Biometric Locks
Biometric locks increase security by using fingerprints or iris scans. They reduce the threat from lost keys or cards.
BitLocker
BitLocker is used to encrypt an entire volume. All data on the volume is protected even if the hard drive is moved to another computer.
Blue team
Blue team members are the defense of the system. This team is responsible for stopping the red team's advances.
Bollard
Bollards are short, sturdy posts used to prevent a vehicle from crashing into a secure area.
Digital signatures
By combining a user's private encryption key and a hash of the data, a user can create a digital signature. A digital signature verifies that the data is legitimate and provides non-repudiation. This means that the sender cannot deny having sent the file.
Challenge Handshake Authentication Protocol (CHAP)
CHAP uses a challenge/response (three-way handshake) mechanism to protect passwords. CHAP is the only remote access authentication protocol that ensures that the same client or system exists throughout a communication session by repeatedly and randomly re-testing the validated system.
Circumvention
Can the attribute be easily circumvented?
Card cloning
Card cloning is the process of making copies of smart cards. Lost, misplaced, or stolen cards can be copied, if there is not cryptographic protection on them.
Skimming
Card skimming is when there is a card reader placed in order to copy the credentials of a users smart card. Once the cards details are copied, it can be used to create counterfeit cards.Proximity cards can also be copied. These transmit the credentials and can be captured with portable RFID reader.
Certificate authorities
Certificate authorities are reputable organizations that are responsible for issuing public certificates to companies or organizations that want to securely communicate over the internet.
Certificate chaining
Certificate authorities are usually setup in a hierarchy of multiple CAs to increase security. This structure is known as certificate chaining or the chain of trust.
Avalanche effect
Changing any bit of data will result in a completely different hash.
City/locality
City where the organization is located.
Dead code
Code that is non-executable at run-time, or source code in a program that is executed but is not used in any other computation.
Macros
Code that is used to perform a series of steps or functions inside a specific application.
Code Signing Certificate
Code-signing certificates are used by app developers to prove that their application is legitimate.If a user tries to run an app that does not have a certificate, they will receive an error stating that the app cannot be trusted. The user can decide to close the app or run it.
Common ground and shared interest
Common ground and shared interest work because sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.
Tunneling
Communication method that encrypts packet contents and encapsulates them for routing though a public network.
Integrity
Creating a hash of a file can be used to validate that the file has not been altered. This validates the integrity of the file.
Endpoint DLP
DLP Software that runs on end-user workstations and servers.
File-level DLP
DLP software that is used to identify sensitive files in a file system and then to embed the organization's security policy within the file so that it travels with the a moved or copied file.
Data breach
Data breach occurs when confidential or protected data is exposed. Examples of confidential information include Social Security numbers, bank account numbers, credit card numbers numbers, health information, passwords, and email. Data breach allows criminals to access sensitive information and profit from it. It can be intentional or accidental.
Data
Data could be retracted from some data, but not others. For example, a patient's medical records may have the patient record retracted in one part of the record, but their name could be listed in another.
Wi-Fi signal strength
Data emanation is a significant security problem. By default, the radio signals used by a wireless network are broadcasting omni-directionally and can travel quite a distance from the WAP. An attacker sitting outside the building may be able to connect to the wireless network if the signal is traveling outside.This can be limited by manipulating the WAP antenna placement. Some WAPs also allow the signal strength to be adjusted. Using these settings, reduce the signal strength so the signal stays inside the building.
Data exfiltration
Data exfiltration occurs when information or files are transferred from a computer without authorization. It can be done manually, if the attacker has physical access to the computer; or, it can be automated over a network by an attacker using malware. A common tactic attackers use for data exfiltration is DNS tunneling.
Data loss
Data loss is often caused by a virus or malware. Data loss is particularly problematic because it's hard to detect the extent of the loss and it's costly for businesses to repair damaged files.
Data loss prevention
Data loss prevention are types of software that protects sensitive data from being exposed.
Normalization
Data reorganized in a relational database to eliminate redundancy by having all data stored in one place and storing all related items together.
Default accounts and passwords
Default accounts and passwords are factory defaults that already exist when a new network device is configured at installation. Default account names and passwords should be changed immediately when hardware or software is turned on for the first time.
Default accounts and passwords
Default accounts and passwords are factory defaults that are pre-configured for a new network device. Default account names and passwords should be changed immediately when hardware or software is turned on for the first time.
Defense-in-depth
Defense-in-depth is an access control principle which implements multiple access control methods instead of relying on a single method. Multiple defenses make it harder to bypass security measures.
Delegation
Delegation allows you to assign users to manage portions of the Active Directory database without giving all users rights to the entire database. For example, you can assign an administrator to manage the sales department in North America and enable this administrator to create user accounts, remove user accounts, and change passwords. However, this sales administrator won't be allowed to access the accounting or development departments. As another example, you can allow an administrator to manage all departments in Europe, but none in North American or Asia.
Deny permissions
Deny permissions always override Allow permissions. For example, if a user belongs to two groups and a specific permission is allowed for one group and denied for the other, the permission is denied. However, the exception to this rule comes with inherited permissions. If an object has an explicit Allow permission entry, inherited Deny permissions do not prevent access to the object. Explicit permissions override inherited permissions, including Deny permissions.
Database Encryption Method
Description
Hashing Algorithm
Description
Key Backup Method
Description
Standard
Description
Trust model
Description
Type
Description
Validation Level
Description
Detection
Detection is identifying that a security breach has happened or is happening.
Active Directory
Developed by Microsoft, Active Directory is a centralized database that contains user accounts and security information. It is included in most Windows Server operating systems as a set of processes and services.
Intrusion detection system
Device or software that monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack.
Intrusion prevention system
Device that monitors, logs, detects, and can also react to stop or prevent security breaches.
groups
Displays the primary and secondary group membership for the specified user account.
Dnsenum
Dnsenum is a program that performs DNS enumeration and can find the DNS servers and entries for an organization. This information can help find other information such as usernames, computer names, IP addresses, and more.
8
Document Your Network "Document Your Network is the step in which you create the documentation for your network.Processes
Documentation
Document all network assets in your organization and create a suitable network diagram that you can use as a reference. This is probably one of the most important components of knowing your system. If you don't know the underlying infrastructure of your network, then you can't adequately secure it. Proper network documentation and diagrams not only help you identify a weak network architecture or design, but protect against system sprawl and unknown systems.
Universal
Does each person have the physical attribute being measured?
Drop
Drops the connection. For example, an IP address in a rule with a drop action pings your system; the request is dropped. No response is sent to the user.
Observation
During these interviews and interrogations, the hacker pays attention to every change the target displays. This allows the attacker to discern the target's thoughts and topics that should be investigated further. Every part of the human body can give a clue about what is going on inside the mind. Most people don't realize they give many physical cues, nor do they recognize these cues in others. A skilled observer pays close attention and puts these clues together to confirm another person's thoughts and feelings.
Extensible Authentication Protocol (EAP)
EAP allows the client and server to negotiate the characteristics of authentication. When a connection is established, the client and server negotiate the authentication type that will be used based on the allowed or required authentication types configured on each device. EAP allows authentication using a variety of methods, including passwords, certificates, and smart cards.
Encrypting File System
EFS provides a easy and seamless way for users to encrypt files on Windows computers. EFS is used to encrypt only individual files and folders.
Object
Each resource within Active Directory is identified as an object.
Eavesdropping
Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.
Class C
Electrical equipment, circuits, wires Halon or CO2
Electro-magnetic interference (EMI)
Electro-magnetic interference is caused by noise between the hot wire and the ground or neutral wires in a circuit. This burst of energy is known as an electromagnetic pulse (EMP.) It can disrupt the signal in a data cable.
Elliptic Curve Cryptography (ECC)
Elliptic Curve Cryptography is one of the newer methods being implemented. ECC is able to generate smaller keys that are more secure than most other methods. Many websites today use ECC to secure connections and data transmissions.
Hoax
Email hoaxes are often easy to spot because of the bad spelling and terrible grammar. However, hoax emails use a variety of tactics to convince the target they're real.
Encryption
Encryption causes data, such as the content of an email, to be unintelligible except to those who have the proper key to decrypt it.
Resources
Encryption is done through advanced algorithms and mathematical operations. This requires a large amount of CPU power and resources.
Enable MAC address filtering
Every network device has a unique media access control (MAC) address. By specifying the MAC addresses that are allowed to connect to the network, unauthorized MAC addresses can be prevented from connecting to the WAP. Configuring a MAC address filtering system is very time consuming and demands upkeep.Attackers can still use tools to capture packets and retrieve valid MAC addresses. An attacker can spoof a wireless adapter's MAC address and circumvent the filter.
(FTPS)"
FTPS adds SSL or Transport Layer Security (TLS) to FTP in order to secure logon credentials and encrypt data transfers. FTPS requires a server certificate.
Facial
Facial scanning creates a map of 80 points on an individual's face. The distances measured on this map can be used to identify the person in the future. Measurements could include the distance between eyes, the shape of a nose, the size of the cheekbones, etc.
Faraday cage
Faraday cages are designed to block all electromagnetic emissions.
Faraday cage
Faraday cages are designed to block all electromagnetic emissions. Faraday cages are used to protect against attackers who collect electronic emissions from electronic devices. The technique of collecting electronic emissions is known as Van Eck phreaking. It is a form of eavesdropping.
ingerprints
Fingerprints are made up of patterns of ridges and valleys. Fingerprint scanners analyze these patterns and convert them into a numerical format that can be stored for future comparison.
Application flaws
Flaws in the validation and authorization of users present the greatest threat to security in transactional applications. When you assess this type of vulnerability, evaluate deployment and communication between the server and client. It is imperative to develop tight security through user authorization and validation. You can use both open-source and commercial tools for this assessment.
GNU Privacy Guard
GPG is an encryption tool that encrypts emails, digitally signs emails, and encrypts documents.
Gateway email spam filters
Gateway email spam filters prevent spam emails from reaching your network, servers, and computers. Spam filters can be configured to block specific senders, emails containing threats (such as false links), and emails containing specific content.
Quick and efficient
Generating the hash should be quick and not use too many resources. The hash should also be generated using the entire message or data, not just a small piece of it.
Hypertext Transport Protocol Secure (HTTPS)
HTTPS uses HTTP over Secure Socket Layer (SSL). It has replaced S-HTTP as the method of securing HTTP (web) traffic. It is a session-based encryption technology, meaning that the keys used for that session are valid for that session only. HTTPS is used predominantly throughout the internet. HTTPS operates over TCP port 443.
Security
Hackers can exploit the data that companies collect for AI. This can cause issues such as identity fraud.
Protocol analyzer
Hardware or software used for monitoring and analyzing digital traffic over a network. Protocol analyzers go by other names, such as packet sniffers, packet analyzers, network analyzers, network sniffers, or network scanners.
Digital signature
Hashes are a critical piece of a digital signature. The creator combines a hash of the data along with their private key to generate the digital signature.
Someone you know
Having someone who can vouch for you can go a long way in establishing relationships and building trust. The same is true with authentication. Certificates and attestation are examples of this attribute.
Organization
Hierarchical databases let you sort and organize your user accounts by location, function, and department.
Hot aisle
Hot aisles have the back of the equipment face the aisle. Typically hot aisles face air conditioner return ducts.
Collectible
How easy is it to acquire this measurable attribute?
Permanent
How well does the specified attribute hold up to aging?
hping
Hping is a security tool that can check connectivity and also analyze the target to gather information. Hping can send ICMP, TCP. UDP, and RAW-IP packets. Hping is primarily designed for Linux but can be installed in Windows.
Engine
IDS component that analyzes sensor data and events; generates alerts; and logs all activity
Sensor
IDS component that passes data from the source to the analyzer.
Network baseline
Identify a network baseline. This means that you need to know your systems' normal activity, such as regular traffic patterns, data usage, network activity, server load, and anything system-related. Mainly, you need to know what your network looks like in normal day-to-day usage. Knowing this allows you to identify unusual or atypical activity that can indicate an attack in progress or a compromised network. To identify a network baseline, you can use network tools that monitor network traffic and create a graphical representation of the collected data.
Inherent vulnerabilities
Identify inherent vulnerabilities or systems that lack proper security controls. For example, if your organization needs to use an older version of Windows for a particular application, then you should identify that system as a vulnerability. IoT and SCADA devices are both systems that lack proper security controls and must be dealt with appropriately.
Inherent vulnerabilities
Identify inherent vulnerabilities or systems that lack proper security controls. For example, if your organization needs to use an older version of Windows for a particular application, you need to identify that system as a vulnerability. Internet of Things (IoT) and Supervisory Control and Data Acquisition (SCADA) devices are both systems that lack proper security controls and therefore must be dealt with appropriately.
Identity theft
Identity theft refers to an attacker accessing information to commit fraud. Examples of fraud include creating false credentials, opening new accounts in someone else's name, or using someone's existing accounts. Many attackers use data breach to get the information they need to commit identity theft. There are several types of identity theft such as criminal, medical, tax, and child identity theft.
Secure configuration file
If possible, store the router configuration file in an encrypted form and back up the file to a secure location.
Ignorance
Ignorance means the target is not educated in social engineering tactics and prevention, so the target doesn't recognize social engineering when it is happening. The attacker knows this and exploits the ignorance.
Impersonation
Impersonation is pretending to be trustworthy and having a legitimate reason for approaching the target to ask for sensitive information or access to protected systems.
Organizational unit (OU)
In Active Directory, an organizational unit is a way to organize such things as users, groups, computers, etc. It is also referred to as a container object.
SMS phishing
In SMS phishing (smishing), the attacker sends a text message with a supposedly urgent topic to trick the victim into taking immediate action. The message usually contains a link that either installs malware on the victim's phone or extracts personal information.
Key archival
In key archival, the key is backed up by the CA. To do this, the user sends the private key in a secure transmission to the CA to back it up. This method is often used in an organization that manages its own CA.If keys are lost, they will be readily available and easily accessed. However, if the CA is breached, all private keys will be compromised.
Spear phishing
In spear phishing, an attacker gathers information about the victim, such as the online bank. The attacker then sends a phishing email to the victim that appears to be from that bank. Usually, the email contains a link that sends the user to a site that looks legitimate, but is intended to capture the victim's personal information.
Exploitation
In the exploitation phase, the attacker takes advantage of the relationship with the target and uses the target to extract information, obtain access, or accomplish the attacker's purposes in some way. Some examples include disclosing password and username; introducing the attacker to other personnel, thus providing social credibility for the attacker; inserting a USB flash drive with a malicious payload into a organization's computer; opening an infected email attachment; and exposing trade secrets in a discussion.If the exploitation is successful, the only thing left to do is to wrap things up without raising suspicion. Most attackers tie up loose ends, such as erasing digital footprints and ensuring no items or information are left behind for the target to determine that an attack has taken place or identify the attacker. A well-planned and smooth exit strategy is the attacker's goal and final act in the exploitation phase.
Interview vs interrogation
In the interview phase, the attacker lets the target do the talking while the attacker mostly listens. In this way, the attacker has the chance to learn more about the target and how to best extract information. Then the attacker leads the interview phase into an interrogation phase. It's most effective when done smoothly and naturally, and when the target feels a connection and trusts the attacker. In the interrogation phase, the attacker talks about the target's statements. The attacker is mostly leading the conversation with questions and statements that will flow in the direction the attacker needs to obtain information.
Research
In the research phase, the attacker gathers information about the target organization. Attackers use a process called footprinting, which takes advantage of all resources available to gain information. Footprinting includes going through the target organization's official websites and social media; performing dumpster diving; searching sources for employees' names, email addresses, and IDs; going through a tour of the organization; and other kinds of onsite observation.Research may provide information for pretexting. Pretexting is using a fictitious scenario to persuade someone to perform an unauthorized action such as providing server names and login information. Pretexting usually requires the attacker to perform research to create a believable scenario. The more the attacker knows about the organization and the target, the more believable a scenario the attacker can come up with.
Infrastructure
Infrastructure refers to the systems that support the site. Infrastructure components include AC, power, heating, ventilation, air conditioning systems (HVAC), gas, and water.
Spam
Irrelevant or inappropriate email sent to a large number of recipients.
Unique
Is the physical attribute distinctive enough that it can be used to distinguish between individuals?
newgrp
Is used to change the current group ID during a login session. If the optional - flag is given, the user's environment will be reinitialized as though the user had logged in. Otherwise, the current environment, including current working directory, remains unchanged. You can use this when working in a directory in which all the files must have the same group ownership.
Technology
Issues with technology can cause AI to fail. For example, if not all data is looked at by AI, the results could have a negative feedback.
Malicious universal serial bus (USB) cable
It is common now to find USB charging stations in public places, such as airports, hotels, and restaurants. It is possible that these could be used to copy data from a users device. Users can protect themselves by using USB data blockers. These are used to prevent data transfers to USB drives. This device is connected between the USB charging port and your charging cable and helps to protect access to your data.
Key escrow
Key escrow is a common method of key archival. With this method, keys are sent to a trusted 3rd party instead of a CA. This is often done for security and legal purposes. Legal action might be required to access the keys. This is done by design to ensure security and safety of the keys.
Likeability
Likeability works well because humans tend to do more to please a person they like as opposed to a person they don't like.
Availability loss
Loss of access to computer resources due to the network being overwhelmed or crashing.
Update the firmware
Manufacturers release updates to the firmware on a regular basis to address known issues. It is important to regularly check for updates and apply them to prevent the system from being exposed to known bugs and security vulnerabilities.While it is extremely important to keep devices up-to-date, it's just as important to properly test new updates before pushing them out to the entire network. Proper testing will reduce the number of new bugs or problems on a live network that the update may have introduced.
Social media
Many attackers are turning to applications such as Facebook, Twitter, Instagram, to steal identities and information. Also, many attackers use social media to scam users. These scams are designed to entice the user to click a link that brings up a malicious site the attacker controls. Usually, the site requests personal information and sensitive data, such as an email address or credit card number.
Transactions
Many transactions that currently rely on a paper-based system could benefit from blockchain. For example, a car or house title could be transferred over the blockchain. Because the transactions are transparent, this would create a clear picture of legal ownership.
Member servers
Member servers are servers in the domain that do not have the Active Directory database.
Purple team
Members of the purple team work on both offense and defense. This team is a combination of the red and blue teams.
groupdel
Modifies the system account files by deleting all entries that refer to the specified group. The named group must exist.You cannot remove the primary group of any existing user. You must remove the user before you remove the group.
Use a Standard Operating Environment (SOE)
Most organizations maintain a Standard Operating Environment which is implemented as a standard disk image or master image. This disk image is used when deploying new computers to the network. Automation is used when deploying the master image and when running configuration scripts, to give the computer a name, to join a domain, and during any other customizations.The use of a master image and automation can reduces security risks by ensuring that security standards are consistent throughout the network. Master images should be based on a TOS and be fully patched.
Enable the WAP firewall
Most wireless APs come with a built-in firewall that connects the wireless network to a wired network. This should be enabled to help prevent unauthorized access to the network.
Mutual authentication
Mutual authentication is when two communicating entities authenticate each other before exchanging data. It requires not only the server to authenticate the user, but the user to authenticate the server. This makes mutual authentication more secure than traditional, one-way authentication.
(NFC)"
NFC allows two-way communication between two devices. The devices must be within a few centimeters of each other. NFC is a newer technology that is built on RFID.
Nessus
Nessus is a proprietary vulnerability scanner that is developed by Tenable. Nessus can be used to scan the target for any known vulnerabilities, which can be exploited to gain access to the target.
Network segmentation
Network segmentation is the division of a network into smaller networks or pieces for performance or security reasons.
Objects
Objects are data, applications, systems, networks, and physical space.
Offering something for very little to nothing
Offering something for very little to nothing refers to an attacker promising huge rewards if the target is willing to do a very small favor. The small favor can include sharing what the target thinks is a very trivial piece of information for something the attacker offers.
Class K
Oil, solvents, electrical wires Halon, CO2, or soda acid
normal-gain"
Omnidirectional, normal-gain antennae are the most common type of antennae used in wireless equipment because they work reasonably well in a variety of situations.
Maintain Access
Once the pentester has gained access, maintaining that access becomes the next priority. This can be done by installing backdoors, rootkits, or Trojans.
Update firmware
One of the first things you should do when setting up a new router is update the firmware. The updates to the firmware fix any vulnerabilities that have been resolved by the manufacturer in the past.
Stored procedures
One or more database statements stored as a group in a database's data dictionary, which when called, executes all the statements in the collection.
Anonymous
Only a user name (no password) is required to authenticate.
(OAuth)"
Open Authorization (OAuth) is an open standard for token-based authentication and authorization on the internet. It allows access tokens to be issued to third-party clients by an authorization server with the approval of the resource owner. The third party uses the access token to access the protected resources hosted by the resource server. This mechanism is used by companies like Google, Facebook, Microsoft, and Twitter, to permit users to share information about their accounts with third-party applications or websites.OAuth specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. It is designed to work with the Hypertext Transfer Protocol (HTTP). OAuth is a service that is complementary to and distinct from OpenID.
OpenID
OpenID is an open standard and decentralized authentication protocol. It allows users to be authenticated by co-operating sites using a third-party service and allowing users to log in to multiple unrelated websites without having a separate identity and password for each. Users create accounts by selecting an OpenID identity provider and using those accounts to sign on to any website that accepts OpenID authentication.The OpenID protocol does not rely on a central authority to authenticate a user's identity. Because neither services nor the OpenID standard mandates how to authenticate users, authentication methods range from passwords to smart cards and biometrics.
Pretty Good Privacy
PGP is a commercial encryption program that is now owned by NortonLifeLock (previously Symantec). PGP is used by products that protect laptops, desktops, USB drives, optical media, and smart phones.
(PHE)"
PHE allows only select simple math functions (such as addition) to be performed. This means that only one math function can be performed an unlimited number of times on the encrypted values.
(PKI)"
PKI is an environment in which public encryption keys can be created and managed throughout the key lifecycle.
Point-to-Point Protocol (PPP)/Point-to-Point Protocol over Ethernet (PPPoE)
PPP and PPPoE use the data link layer. PPP is less common because it typically uses dial-up connections. PPPoE normally requires a static IP from the ISP and sometimes a username and a password to authenticate with the ISP.
Public Switch Telephone Network (PSTN)
PSTN uses modems to connect to a remote access server. This, however, is an outdated method because of slow connection speeds.
Black box test
Penetration test in which the ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores the insider threats.
White box test
Penetration test in which the ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but is not very realistic.
Gray box test
Penetration test in which the ethical hacker is given partial information of the target or network, such as IP configurations, email lists, etc. This test simulates the insider threat.
Class B
Petroleum, oil, solvent, alcohol CO2 or FM200
Physical security
Physical security is the protection of corporate assets from threats such as unauthorized entry, theft or damage.
Security zone
Portions of the network or system that have specific security concerns or requirements.
Preloading
Preloading is used to set up a target by influencing the target's thoughts, opinions, and emotions.
1
Prepare to Document "Prepare to Document means establishing the process you will use to document your network. A useful document:
Pretexting
Pretexting is conducting research and information gathering to create convincing identities, stories, and scenarios to be used on selected targets.
Prevention
Prevention is taking the steps necessary to avert unauthorized access, theft, damage, or other type of security breach.
Proximity card
Proximity cards, also known as radio frequency identification (RFID) cards, are a subset of smart cards that use the 125 kHz frequency to communicate with proximity readers.
Push Notifications
Push notifications can also be used to grant access to an account. Whenever you log into your account, you enter your username. But instead of a password, you receive an access request notification on your mobile device. You can choose to either approve or decline this request.
Radio frequency identification
RFID uses radio waves to transmit data from small circuit boards called RFID tags to special scanners.
Instant messaging
Real-time text messaging communication that supports picture, music, and document exchange.
Entry points
Recognize all vulnerabilities and entry points for possible attacks. This includes public-facing servers, workstations, Wi-Fi networks, and personal devices. You must account for anything that connects to the network as a possible entry point.
Recovery
Recovery is the process of returning a system to a functional state and repairing any damage.
Locked network closet
Regardless of the size of your organization, networking components should always be inside of a locked room that only specific individuals have access to. Make sure the lock to this room has some sort of access logging. For example, many key card locking mechanisms track the time, date, and individual who opens the door. This can be helpful when identifying the source of an attack.
Reject
Rejects the connection, but will send a response back. This lets the sender know that the traffic reached a system, but was rejected.
Remote access policies
Remote access policies are used to restrict access. The policies identify authorized users, conditions, permissions, and connection parameters such as time of day, authentication protocol, caller id, etc.
Replication
Replication is the process of copying changes to Active Directory on the domain controllers.
(ACLs)"
Router access control lists (ACLs) can be configured to increase security and limit traffic much like a firewall, but on the router level. ACLs filter the traffic and determine if the data should be blocked or forwarded.
Security Layer (SASL)"
SASL is an extensible mechanism for protecting authentication.
(SCP)"
SCP uses Secure Shell version 1 (SSH1) to secure file transfers and login credentials.
(SFTP)"
SFTP is a file transfer protocol that uses Secure Shell version 2 (SSH2) to secure data transfers. SFTP is not FTP that uses SSH, but rather a secure transfer protocol that is different from FTP.
(SHE)"
SHE allows more complex math (such as multiplication) to occur. But it can only be performed a limited number of times.
Simple Network Management Protocol Version 3(SNMPv3)
SNMPv3 is a protocol used to monitor and manage devices on a network. SNMPv3 provides authentication and encryption.
Salt
Salt, or salting the hash, means that a random number of characters are added to the password before the hash is created.For example, if the password to be hashed was p@ssw0rd, a salt, such as E1343135E119C253, may be added. Therefore, the string to be hashed would be p@ssw0rdE1343135E119C253. Since the salt is randomly generated each time, even if the same password is used and is of varying lengths, it's virtually impossible to create a database containing all the possible salted passwords.
False negative
Scan results that indicate no vulnerability when a vulnerability exists.
False positive
Scan results that indicated a vulnerability, but there is none.
Scarcity
Scarcity appeals to the target's greed. If something is in short supply and will not be available, the target is more likely to fall for it.
Secure FTP
Secure FTP (also known as FTP over SSH) tunnels FTP traffic through an SSH tunnel.
Shodan
Shodan is a popular search engines for internet-connected devices. Users are able to search for specific types of devices and locations. This information can be used to see if a target has any online devices without proper security.
Short Message Service (SMS)
Short Message Service (SMS) authentication uses SMS messaging to send a one-time code or password to a known user of an account in order to verify their identity. This requirement can be requested at every login, at every time the user signs into a new device or browser, or at timed intervals.
Shoulder surfing
Shoulder surfing involves looking over someone's shoulder while that person works on a computer or reviews documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.
Smart cards
Similar in appearance to credit cards, smart cards have an embedded memory chip that contains encrypted authentication information. These cards are used for authentication.
Phone Call
Similar to SMS, the user receives a phone call with the one-time code or password.
Sn1per
Sn1per is a automated scanner that can be used to enumerate and scan for vulnerabilities. Sn1per combines the functions of many tools and can be used to find information such as DNS information, open ports, running services, and more.
Class D
Sodium, potassium Dry powders
Peer-to-peer (P2P) software
Software that allows users to share content without centralized servers or centralized access control.
control"
Software that controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.
Anti-phishing software
Software that scans content to identify and dispose of phishing attempts.
Internet content filter
Software used to monitor and restrict content delivered across the web to an end user.
Something you are
Something you are authentication uses a biometric system. A biometric system attempts to identify you based on metrics or a mathematical representation of a biological attribute, such as eye or fingerprint. This is the most expensive and least accepted but is generally considered to be the most secure form of authentication.
IP scanners
Special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses.
Security information and event management
Special tools that gather network information and aggregate it into a central place. SIEM systems can actively read the network information and determine if there is a threat.
Speed
Speed is one of the biggest limitations of encryption. The encryption process can take a long time, especially with the large file sizes in use today. For example, BitLocker encrypts 500 megabytes in approximately 1 minute. A 2TB drive would take approximately 67 hours to encrypt.
802.1x
Standard for local area networks that is used to authenticate users to a wireless network. It was created by The Institute of Electrical and Electronics Engineers Standards Association (IEEE-SA).
State/county/region
State where the organization is located. This should not be abbreviated.
Steganography
Steganography is the technique of hiding or concealing a file, message, image, or video within another file, message, image, or video. Special programs are often used to hide messages in media files. If a hacker intercepts the message, all they see is the media. They don't know that there is a hidden message.
Subjects
Subjects are users, applications, or processes that need access to objects.
(DTP)"
Switches have the ability to automatically detect trunk ports and negotiate the trunking protocol used between devices. The Dynamic Trunking Protocol is not secure and allows unauthorized devices to possibly modify configuration information. You should disable the DTP services on the switch's end user (access) ports before implementing the switch configuration into the network.
(TFTP)"
TFTP provides no authentication, encryption, or error detection. In addition, TFTP uses UDP instead of TCP. TFTP might be faster than FTP, but it does not perform error detection, so it could result in file errors.
Trusted Platform Module
TPM is a hardware chip on the motherboard that can generate and store cryptographic keys.
Replication
The Active Directory database can be replicated to other systems. This eliminates the need to manually recreate user accounts on every system to which a user may need to access.
Data Recovery Agent
The DRA is an account that has been granted the right to decrypt files and folders on a EFS.
OSINT framework
The OSINT framework is a collection of resources and tools that are separated by common categories. The OSINT Framework makes it easy to gather all sorts of information, making the initial reconnaissance process much more efficient. Documentation can be found at https://osintframework.com/
Packet sniffing
The act of capturing data packets transmitted across the network and analyzing them for important information.
Eavesdropping
The act of covertly listening in on a communication between other people.
War driving
The act of driving around with a wireless device looking for open vulnerable wireless networks.
War flying
The act of using drones or unmanned aerial vehicles to find open wireless networks.
Dissolvable
The agent is downloaded, or a temporary connection is established. It is removed once the user is done with it. The user has to download or connect to the agent again if needed.
Agentless
The agent is on the domain controller. When the user logs into the domain, it authenticates with the network. Agentless NAC is often used when there is limited disk space, such as for Internet of Things (IoT) devices.
Permanent
The agent resides on a device permanently. This is the most convenient agent since it does not have to be renewed and can always run on the device. It is also known as a persistent agent.
Code obfuscation
The deliberate act of creating source or machine code that is difficult for humans to understand. In other words, the code is camouflaged.
Development
The development phase involves two parts: selecting individual targets within the organization being attacked and forming a relationship with the selected targets. Usually, attackers select people who not only will have access to the desired information or object, but who also show signs of being frustrated, overconfident, arrogant, or somehow easy to extract information from. Once a target is selected, the attacker will start forming a relationship with the target through conversations, emails, shared interests, and so on. The relationship helps build the target's trust in the attacker, allowing the targets to be comfortable, relaxed, and more willing to help.
Email address
The email address for the person managing the certificate in the organization.
Ciphertext
The encrypted form of a message that is readable only by those for whom the message is intended.
Black box
The ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores insider threats.
White box
The ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but is not very realistic.
Gray box
The ethical hacker is given partial information of the target or network, such as IP configurations, email lists, etc. This test simulates the insider threat.
Privilege escalation
The exploitation of a misconfiguration, a bug, or design flaw to gain unauthorized access to resources.
Data breach
The exposure of confidential or protected data, either accidentally or through malicious acts.
Report
The final phase is generating the test results and supporting documentation. After any penetration test, a detailed report must be compiled. Documentation provides extremely important protection for both the penetration tester and the organization.
Perform reconnaissance
The first phase in the pentesting process is reconnaissance, also known as footprinting. In this phase, the pentester begins gathering information on the target. This can include gathering publicly available information, using social engineering techniques, or even dumpster diving.
Common name
The fully qualified domain name (FQDN) of the website.
Email hijacking
The hacker compromises the target's email account and is able to monitor and gather information.
DNS spoofing
The hacker modifies a website's address in the DNS server. The user attempts to go to that website, but instead is redirected to the hacker's malicious site.
IP address spoofing
The hacker modifies an IP address in a communication. The recipient intends to send information to the originally specified IP address, but the packets go to the hacker instead.
SSL hijacking
The hacker passes forged authentication keys to both the user and application/server. The user and application/server are talking directly to each other, but all communication is going through the hacker.
HTTPS spoofing
The hacker uses a website name that looks similar to a real site. For example, www.testout.com could be replaced with www.test0ut.com.
One-way
The hash cannot be reverse engineered.
Threat hunting
The human-based, methodical search and monitoring of the network, systems, and software in order to detect any malicious or suspicious activity that has evaded the automated tools.
Identification
The initial process of confirming the identity of a user requesting credentials. This occurs when a user enters a user ID at logon.
Wireless interface
The interface in a device, such as a laptop or smart phone, that connects to the wireless access point.
Internet
The internet is a public network that includes all publicly available web servers, FTP servers, and other services. The internet is public because access is largely open to everyone.
Iris
The iris is the colorful portion of the eye around the pupil. Infrared light lights up the iris, and the scanner captures images of its unique patterns.
Improper input handling
The lack of validation, sanitization, filtering, decoding, or encoding of input data.
Organization
The legal name of the organization. The name cannot be abbreviated and any suffixes, such as LLC, must be included.
Data loss
The loss of files and documents either accidentally or through malicious acts.
(WPA)"
The most commonly used cryptographic protocol in use for wireless networks. WPA2 and WPA3 are the two versions in use.
netcat
The netcat security tool can read and write data across both TCP and UDP network connections. It opens a TCP connection between two devices and can be used to send packets, scan for open ports, and listen in on connections to specific ports. You can download netcat from the internet.
Network baseline
The network baseline is the normal network activity including typical traffic patterns, data usage, and server loads. Activity that deviates from the baseline can indicate an attack.
Processing rate
The number of subjects or authentication attempts that can be validated.
pathping
The pathping Windows command line tool combines the tracert and ping tools. Use pathping to locate network devices that are down or causing latency issues.
Physical machine
The physical computer with hardware, such as the hard disk drive(s), optical drive, RAM, and motherboard.
Crossover error rate
The point at which the number of false positives matches the number of false negatives in a biometric system.
Steganography
The practice of concealing a file, message, image, or video within another file, message, image, or video.
Misconfigurations
The primary cause of misconfiguration is human error. Web servers, application platforms, databases, and networks are all at risk for unauthorized access. Areas to check include outdated software, unnecessary services, incorrectly authenticated external systems, security settings that have been disabled, and debug enabled on a running application.
Internal address
The private IP address that is translated to an external IP address by NAT.
Internal network
The private network where devices use private IP addresses to communicate with each other.
Error handling
The procedures in a program that respond to irregular input or conditions.
Microprobing
The process of accessing a smart cards chip surface directly to observe, manipulate, and interfere with the circuit.
Vulnerability scan
The process of capturing and analyzing packets to identify any security weaknesses in a network, computer system, local applications, and even web applications.
Encryption
The process of changing plain text through an algorithm into unreadable ciphertext.
Authorization
The process of controlling access to resources, such as computers, files, or printers.
Decryption
The process of converting data from ciphertext into plaintext.
Code signing
The process of digitally signing (encrypting) executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed.
Passive reconnaissance
The process of gathering information about a target with no direct interaction with the target.
Active reconnaissance
The process of gathering information by interacting with the target in some manner.
Tokenization
The process of replacing original data with a randomly generated alphanumeric character set called a token.
Masking
The process of replacing sensitive data with realistic fictional data.
Hardening
The process of securing devices and software by reducing the security exposure and tightening security controls.
Encryption
The process of using an algorithm or cipher to transform data from cleartext to ciphertext in order to protect the confidentiality, integrity, and authenticity of the message.
Hashing
The process of using an algorithm to convert data to a fixed-length key called a hash.
Cipher/algorithm
The process or formula used to encrypt a message or otherwise hide the message's meaning.
External address
The public IP address that NAT uses to communicate with the external network.
External network
The public network that a NAT device connects to with a single public IP address.
Plaintext
The readable form of a message.
Red team
The red team members are the ethical hackers. This team is responsible for performing the penetration tests.
route
The route command is used in both Windows and Linux to show the routing table and to make manual changes to the table.
Screening router
The router that is most external to the network and closest to the internet.
Deterministic
The same data always generates the same hash.
Cryptography
The science and study of concealing information.
Intelligence fusion
The sharing of information between multiple government agencies and private security firms.
X.509
The standard that defines the format of certificates.
Gain access
The third phase takes all of the information gathered in the reconnaissance and scanning phases to exploit any discovered vulnerabilities in order to gain access.After gaining access, the pentester can perform lateral moves, pivoting to other machines on the network. The pentester will begin trying to escalate privileges with the goal of gaining administrator access.
Country
The two-letter code for the country where the organization is located.
Data exfiltration
The unauthorized transfer of information or files from a computer.
Authentication
The verification of the issued identification credentials. It is usually the second step in the identification process and establishes that you are who you say you are.
White team
The white team members are the referees of cybersecurity. This team is responsible for managing the engagement between the red and blue teams. This group typically consists of the managers or team leads.
Wireless interface
The wireless interface in a device, such as a laptop or smart phone, connects to the wireless access point.
(RFID)"
The wireless, non-contact use of radio frequency waves to transfer data.
Bug bounties
These unique tests are programs that are setup by organizations such as Google, Facebook, and many others.The organization sets strict guidelines and boundaries for ethical hackers to operate within. Any discovered vulnerabilities are reported and the ethical hacker is paid based on the severity of the vulnerability.
Bug bounty
These unique tests are setup by organizations such as Google, Facebook, and others. Ethical hackers can receive compensation by reporting bugs and vulnerabilities they discover.
Perfect Forward Secrecy
This cryptography method is used quite often in messaging apps. Instead of the same key being used for an entire conversation or session on a website, each transmission is encrypted with a different unique key.
Fragmented Packets
This feature blocks the sending of fragmented IP packets.
ICMP Notification
This feature can silently block the sending of ICMP notifications. Some protocols may require these notifications.
TCP Flood
This feature drops all invalid TCP packets. This protects your network from SYN flood attacks.
UDP Flood
This feature helps prevent UDP flood attacks by metering the number of simultaneous, active UDP connections from a single computer on the internal network.
Block ping to WAN
This feature helps prevent attackers from discovering your network through ICMP Echo (ping) requests.
ICMP Flood Detect Rate
This feature monitors non-ping ICMP packets. Too many cause the firewall to determine that a ICMP flood is occurring and trigger the appropriate response.
Stealth Mode
This feature prevents the response to port scans from the WAN. This protects against port floods.
Wi-Fi eavesdropping
This is also known as a evil-twin attack. The hacker tricks users into connecting to a malicious wireless network in order to monitor and manipulate the data packets flowing across the wireless network.
Browser cookie theft
This is also known as session hijacking. When a user logs into a website, a session cookie is
Organizational unit
This is the division that is handling the certificate.
(FHE)"
This method can handle both simple and advanced math functions (such as addition and multiplication) being performed an unlimited number of times on the encrypted values.FHE is still in the developmental stage.
(OFB)"
This mode is identical to CFB except for the IV used after the first round.The output of the IV encryption is used as the next block's ciphertext.
Urgency
To create a sense of urgency, an attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.
SYN Flood Detect Rate
To help prevent SYN floods, this feature monitors the rate of SYN packets during a configuration time period. Too many SYN packets cause the firewall to determine that a SYN flood is occurring and to trigger the appropriate response.
Echo Storm Detect Rate
To help prevent ping floods, this feature monitors the rate of echo pings during a configuration time period. Too many pings cause the firewall to determine that a ping flood is occurring and to trigger the appropriate response.
(WPA3)"
To support the vulnerabilities inherent in the WPA2 handshake and to support newer technologies, WPA3 was implemented. First introduced in 2018, WPA3 implements the Simultaneous Authentication of Equals (SAE) standard instead of using the pre-shared key.SAE uses a 128-bit key and Perfect Forward Secrecy (PFS) to authenticate users. Perfect forward secrecy is a cryptography method that generates a new key for every transmission. This makes the handshake much more secure from hackers. If any portion of the handshake is intercepted, the key is still uncrackable.
Collision resistant
Two different pieces of data should not generate the same hash.
Data exposure
Unintended exposure of personal and confidential data.
User and Computer Certificate
User and computer certificates are used in a network environment to identify and validate specific users or computers.When a user or computers logs into a network, their certificate is sent to the server for validation. This provides extra security to the network.
Multifactor authentication
Using more than one method to authenticate users.
Misinformation
Using the misinformation tactic, the attacker makes a statement with the wrong details. The attacker's intent is for the target to provide the accurate details that the attacker wants to confirm. The more precise the details given by the attacker, the better the chance that the target will take the bait.
Code reuse
Using the same code multiple times.
Virus scanners
Virus scanners identify infected content and dispose of it. They are often coupled with email scanners.
Vishing
Vishing is like phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.
Voice
Voice recognition systems analyzes a person's voice for things like pitch, intensity, and cadence. These systems can be text dependent or text independent. Text-dependent authentication requires a specific phrase to be spoken. This could be a pre-determined phrase, or it could be randomly generated. Text-independent authentication uses any speech content.
Change default login credentials
WAPs typically come configured with a default administrator username and password. Because the administrator username and password is used to configure WAP settings, it's important to reset the defaults. This prevents outsiders from guessing the default username and password and breaking into the system.
Weak passwords
Weak passwords are passwords that are blank, too short, dictionary words, or simple. In other words, they are passwords that can be quickly identified using password cracking tools. Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system.To avoid this vulnerability enforce complex password requirements. Complex passwords are typically over eight characters and a mix of character types (letters, numbers and symbols). Also require that the passwords are not words, variations of words, or derivatives of the user name.
Weak passwords
Weak passwords are passwords that are blank, too short, dictionary words, or simple. In other words, they are passwords that can be quickly identified using password cracking tools. Password cracking is the process of recovering secret passwords from data that has been stored in, or transmitted by, a computer system.Enforce complex passwords to reduce the risks of weak passwords. Complex passwords require passwords of a certain length (typically over 8 characters) and a mix of character types (numbers and symbols) along with requirements that the passwords are not words, variations of words, or derivatives of the username.
Whaling
Whaling is another form of phishing. It targets senior executives and high-profile victims.
Account creation
When an account is created, apply the appropriate access rights based on the job role as implemented in the access control system. Use the principle of least privilege and grant only the minimum privileges required to perform the duties of the position.
USB and keyloggers
When on site, a social engineer also has the ability to steal data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.
Spam and spim
When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.
(WPS)"
Wireless access method that allows a device to securely connect to a wireless network without typing the PSK.
Captive portal
Wireless access method that forces a user to view and interact with it before accessing a network.
Open network
Wireless access method that has no authentication.
(PSK)"
Wireless access method that utilizes a passphrase for users to connect.
Social proof
With a social proof technique, the attacker uses social pressure to convince the target that it's okay to share or do something. In this case, the attacker might say, "If everybody is doing it, then it's okay for you to do it, too."
Class A
Wood, paper, cloth, plastics Water or soda acid
Zero-day vulnerability
Zero-day is a software vulnerability that is unknown to the vendor.
iptables
iptables is a firewall command line utility for Linux operation systems that uses three policy chains to allow or block network traffic.
scanless
scanless is used for port scanning. Instead of scanning ports from the hacker machine, scanless uses exploitation websites to perform port scans. This means the attacker is able to maintain anonymity while scanning the target.
Save iptables changes (Ubuntu)
sudo /sbin/iptables-saveThe command may be different on other Linux systems.
Drop all incoming traffic
sudo iptables -A INPUT -j DROP
Block connections from 192.168.0.254
sudo iptables -A INPUT -s 192.168.0.254 -j DROP
Block SMTP mail on port 25
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
Clear current rules
sudo iptables -F
List current rules
sudo iptables -L
