CompTIA Security+ 601 - Vocabulary

ANSI

(American National Standards Institute) - Organization the development of technology standards in the US.

ATM

(Asynchronous Transfer Mode) it's a telecommunications standard defined as ANSI and ITU for digital transmission of multiple types of traffic including voice, data and video signals in one network without the use of separate overlay networks.

BSSID

(Basic Service Set ID) the MAC address of a base station, used to identify it to host stations. SSID is associated to the MAC address on a wireless access point and is known as a BSSID

DMZ

(Demilitarized Zone) two routers on the outside. One regular one and one gateway router, both with firewalls. This way we can insert servers in between the two routers to secure them.

DNS

(Domain Name System) The Internet's system for converting alphabetic names into numeric IP addresses.

Open-Source Sources

(Explicit Knowledge) US-CERT UK's NCSC AT&T Security (OTX) MISP (Malware Information Source Project) VirusTotal Spamhaus SANS ISC Suspicious Domains (Implicit Knowledge - from a professional in the field for a while)

FTP

(File Transfer Protocol) - a group of rules that govern how computers transfer files between systems over the internet. (Port 20 and 21). it's not secure

HTTPS

(Hypertext Transfer Protocol Secure) providing a secure connection between a web browser and a server. Port 443

ITU

(International Telecommunication Union) - Agency of the United Nations (UN) to coordinate telecommunication operations and services throughout the world.

IPSec

(Internet Protocol Security) - A integrity security mechanism that ensures that a sent message (packet) has been received intact, by the intended receiver. - uses IPSec for tunneling and encrypting - UDP ports 500, 4500 - great for IPv6

IP

(Internet Protocol) - numeric label assigned to each device connected to a computer network

LDAP

(Lightweight Directory Access Protocol) is an open and cross platform protocol used for directory services authentication. LDAP provides the communication language that applications use to communicate with other directory services servers port 389

LAN

(Local Area Network) - collection of devices connected together in one physical location, such as a building, office or home. It can be small ranging from home network to and enterprise of thousands of users in an office or school.

MAC

(Media Access Control) assigned to NIC (Network Interface Controller). It is assigned by the manufacturer also known as the burned-in address, Ethernet hardware address, hardware address, or physical address.

NAT

(Network Address Translation) - Translates the IP addresses of computers to a single IP address. This address is often used by the router that connects the computer to the Internet.

NIC

(Network Interface Controller) - also known as network adapter, LAN adapter, network interface card, or physical network interface. It's a computer hardware component that connects a computer to a computer network.

NTP

(Network Time Protocol) - for clock synchronization

Port 5004

(RTP) Real-time Transport Protocol (TCP/UDP)

RTP

(Real-Time Payments) - a system from the Clearing House, first new core payments infrastructure in the US. Available to financial institutions that hold 70% of US demand deposit accounts (DDAs)

RAS

(Remote Access Server) - a server that authenticates remote users before they have access to corporate network resources when working from home. Provides a suite of services to remotely connected users over a network or the internet.

RSA

(Rivest-Shamir-Adleman) An asymmetric algorithm, so it has a private and a public key. Oldest since 1977

RIP

(Routing Information Protocol) - Operating at Layer 3 of the OSI model that determines the path to a different network.

SHA-1

(Secure Hash Algorithms) - A family of cryptographic functions designed to keep data secured by transforming data using a hash function

SSH

(Secured Shell Protocol) - establishes a secure tunnel over an unsecured network, port 22

SIP

(Session Initiation Protocol) - Signaling protocol used for initiating, maintaining, modifying and terminating real-time sessions that involve video, voice, messaging and other communications applications and services between two or more endpoints on IP networks.

SMTP

(Simple Mail Transfer Protocol) - electronic mail transmission port 25

STP (switch)

(Spanning Tree Protocol) - builds a loop-free logical topology of Ethernet networks. Basic function is to prevent bridge loops

TCP

(Transmission Control Protocol) - Standard to maintain a network conversation. The Three-way handshake. Connection oriented and sends lots of packets

VLAN

(Virtual Local Area Network) - Broadcast domain that provides layer 2 separation of networks. They are setup in routers and switches. It can be separated in different zones for different departments ex.

NSLOOKUP

(from name server lookup) is a network administration command-line tool for querying the Domain Name System (DNS) to obtain domain name or IP address mapping, or other DNS records.

Netstat

(network statistics) is a command-line network utility that displays network connections for Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics.

SOHO network

(small office home office network) A network that provides connectivity and resource sharing for a small office or home office.

tracert command

(tracerout) can help see what routers are being hit, both internal and external.

Memory/Buffer Vulnerability

*Memory Leak:* - Unused memory is not properly released - Begins to slowly grow in size - Eventually uses all available memory - System crashes *Integer Overflow:* - Huge number in a small allocation *Buffer Overflow:* - Overwriting a buffer of memory - Spills over into other memory areas *NULL Pointer Deference:* - Programming techniques that references a portion of memory - What happens if that interface points to nothing? - Application crash, debug information displayed (DoS) *DLL Injections:* - Attacker don't write the application - They write an external library and manipulate the OS or application to run the library

Forensic Data Acquisition

- Capture the system image - Network traffic and logs - Capture video - Take Hashes - Take screenshots -Interview witnesses - Track man hours

Static Hosts Hardening

- Change default passwords - Turn off unnecessary services - Monitor security and firmware updates

Mobile Device Management (MDM)

- Content Management: Applications management, databases - Geolocation: knows the location of that device - Geofencing: this is geolocation with geographic trigger - Push notifications services - Passwords and PINS - Biometrics - Screen locks - Remote wipe - Context-aware authentication: where are they right now, what time of day - Storage Segmentation

Data Security

- Data integrity - speed/quick access - high availability use RAID to secure data which is cheaper.

Chain of Custody Process

- Define the evidence - Document collection method - Date/time collected - Person(s) handling the evidence - Function of person handling evidence - All locations of the evidence

Physical Controls

- Deterrent Physical Controls: lighting, signage, security guards - Preventative Physical Controls: fence, barricades, K rating fences stop vehicles 30m/h, man trap - Cabling systems: Air gaps between cables, safe, locked cabinets, faraday cages, locks with key management, cable locks, screen filters - Detective Physical Controls: alarms, cameras, motion detectors, log files, - Compensating & corrective controls: having a guard sitting there while fence is fixed

Host Hardening

- Disable Unnecessary Services - Default Passwords for small devices such as thermostat, lights, cameras. - Disable Unnecessary User Accounts on the network for user privileges - Patch Management: monitor, test, evaluate, deploy patch, document - Anti-Malware: training for users, procedures, monitoring, intrusion detection systems (IDS), third-party anti-malware tools - Host Firewalls: running on application-level basis, white list or black list applications

Contingency Planning

- Disaster Recovery - Business Continuity - Distance & Location - Legal Issue

Data Roles

- Owner: legal responsibility, ex. corporation - Steward/Custodian: maintain the accuracy and integrity of data - Privacy Officer: ensure data adheres to privacy, policies and procedures

Order of Restortion

- Power - Wired LAN - ISP Link - Active Directory/DNS/DHP servers - Accounting servers - Sales & accounting workstations - Video production servers - Wireless - Peripherals (printers)

VPN Setup Steps

- Protocol to set up tunnel = Protocol to handle authentication and encryption

Memorandum of Understanding (MOU)

- Purpose of interconnection - Relevant authorities - Specify the responsibilities: downtime, billing - Define the terms of the agreement: cost - Termination/ authorization

Hardening 802.11 Networks

- Survey installation issues: survey tools - hardware or software - Maintaining existing wireless networks - Monitor wireless networks - Define how to defend wireless clients

OpenVPN

- Unique Tunnel - Encryption based on SSL/TLS protocol - TCP port 1194, but can be changed easily

Protecting Our Assets

- Use secure protocol on unsecure networks - Use https on Web sites that collect information - Use VPN in non-secure environments

User Roles

- Users: Assigned permissions to complete task - Privileged Users: increased access and control relative to a user - Executive users: set policy on data and incident response actions.

Compiled vs. runtime code

- compiled is when you write code and it goes through a compiler to execute it. - runtime is when it's interpreted by a client that is using it. ex. read java script to read on a website.

Virtualization Hardening

- remove remnant data - make good policies - define user privileges - patch everything - Cloud Access Security Brokers (CASB): a device that is in between the cloud and your VM's

Secure DevOps

- security automation tools: always look for vulnerabilities - change management/ version control: organization, authorization, documentation, continuous integration - baselining security objectives, encryption, input validation - Consider immutable systems: has interchangeable parts, embedded devices, virtual machine - infrastructure as code: create present definition files

Physical Risk Vectors

-Access control vestibules (mantraps) -server room access locks

Virus characteristics

-Attach to other files -Propagate -Spread to other devices -active

Threat intelligence sources

-Closed/proprietary - File/code repositories ex. GitHub -Vulnerability databases ex. Common Vulnerabilities and Exposures (CVEs) -Dark Web/dark net

Risk Vector

-Mission-critical IT systems ex. payment processing, human resources, emergency (911) -Sensitive data ex. do we know what we have and where it is -Third-party access

Hackers

-White Hat (non-malicious, pen testers, hired by the company) -Black Hat (malicious intent) -Gray Hat (try to hack in to see if they can do it) -Blue Hat (free-lance hacker)

White, Black, Grey Hats

-White Hats: Operate with permission and good intent. - Black Hats: Operate Illegally with malicious intent -Grey Hats: Operate without permission but with good intent

Offboarding

-disable accounts - return credentials - exit interview - knowledge transfer

Disabling ports (Securing SOHO Network)

-disable physical ports • Conference rooms or break rooms -Administratively disable unused ports which would prevent someone going into a wiring closet and connecting to the network • More to maintain, but more secure -Network Access Control (NAC) • 802.1X controls • You can't communicate unless you are authenticated

Threat Intelligence

-facilitate risk management -hardening can reduce incident response time -provide cybersecurity insight

Cryptography components

1) Algorithm 2) Key for encryption

Attack Model

1) White box: attackers have extensive knowledge about the target, more likely trusted insiders, cheapest and fastest. 2) Black Box: attached know nothing about the target, attackers are more like strangers, external hacking, potentially expensive and slow. 3) Gray box: we may know where the server is but don't know the passwords.

DES

168-Bit

TCP Model

4. Applications - emails, FTP, telnet 3. Transport - does assembly and dis-assembly 2. Internet - IP Addresses, routers 1. Network Interface - physical cables, mac address, network cards

OSI Model

7. Application - the smarts in the applications that allow us to see other applications such as word and excel 6. Presentation - convert data so you can see applications such as word and excel 5. Session - deciding if it's an email, folder or website 4. Transport - data get dis-assembled and assembled from packets 3. Network - logical layer with routers for IP addresses 2. Data Link - network cards, switches 1. Physical - cables

CNAME

A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) that maps one domain name (an alias) to another (the canonical name).

PTR

A DNS pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of the 'A' record, which provides the IP address associated with a domain name. DNS PTR records are used in reverse DNS lookups.

hosted applications

A category of cloud computing in which a customer pays for the use of applications that run on a service provider's network; also called software as a service (SaaS).

CPU

A central processing unit (CPU), also called a central processor, main processor or just processor, is the electronic circuitry that executes instructions comprising a computer program. The brain of the computer.

Dynamic Code Analysis

A code analysis that is done using a running application

Cluster

A computer hard disk is divided into small segments called clusters.

logic bomb

A computer program or part of a program that lies dormant until it is triggered by a specific logical event.

VPN Tunnel

A connection over the Internet between a client and a server; the VPN tunnel enables the client to access remote resources as if they were local, securely.

NoSQL

A database that provides a mechanism for storage and retrieval of data. They are document, key-value, graph or wide-column stores. Different types of graphics. It is a nonrelational database and does not use SQL. It is therefore not vulnerable to SQL injection attacks but is vulnerable to similar injection-type attacks.

TwoFish

A derivation of the Blowfish algorithm that is considered to be strong.

Agile Model

A development model that emphasizes continuous feedback and cross-functional teamwork. vs waterfall model. It's a code development framework.

Media Converter

A device that enables networks or segments using different media to interconnect and exchange signals. easily connects two different types of networks, or devices, together. While connecting copper and fiber networks is the common application, Fiber Media Converters also enable users to join together two multimode networks or link multimode to single mode for longer data transmission distances.

Hot site

A disaster recovery site that can get a business up and running right away. It is the most expensive but shortest recovery time.

rubber duck

A disguised USB device used to steal data, run scripts, emulate, etc upon insertion.

Shimming

A driver manipulation method. It uses additional code to modify the behavior of a driver.

Spam Filter

A filter that is used to detect unsolicited and unwanted email. It looks for certain criteria on which it bases judgment.

MITRE ATT&CK Framework

A knowledge base and framework of different attack techniques to understand and defend against an attacker.

Third Party Libraries

A library where the code is not maintained in-house.

Cloud Controls Matrix (CCM)

A list of security controls and principles appropriate for the cloud environment, cross-referenced to other control frameworks such as COBIT, ISO standards, and NIST pubs.

MX

A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. It is a resource record in the Domain Name System (DNS).

MX Record

A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. It is a resource record in the Domain Name System (DNS).

Watering Hole Attack

A malicious attack that is directed toward a small group of specific individuals who visit the same website.

Splunk software

A market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on

Multimeter

A measuring instrument for current, voltage, and resistance

RAID-6: Dual parity

A method of protecting against multiple storage drive failures by creating two sets of parity data on an array of hard disks. Six total drives, five actual data drives. The drives are striped with parity interleaved to optimize performance.

Framework

A methodology or a process that helps you organize risk management

Kill Chain

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion. Reconnaissance (methods of getting to know their network), Weaponization (add code), Delivery (email, drive), Exploitation (execution, ex.email), Installation (run a remote control), Command & Control (C2) (establish an outbound server connection) Actions on Objectives (do what they want to do)

Nessus

A network-vulnerability scanner available from Tenable Network Security.

Cloud Security Alliance (CSA)

A nonprofit organization with a mission to promote best practices for using cloud computing securely.

Key Stretching

A password hashing algorithm that requires significantly more time than standard hashing algorithms to create the digest. A technique is PBKDF2 or bcrypt

Network Tap

A physical device that allows you to intercept the traffic between two points on the network

Web Proxy Server

A piece of software installed on a system that is designed to intercept all traffic between the local web browser and the web server.

802..1x

A port-based authentication protocol. Makes a strong robust network.

Secure Boot

A process that checks and validates system files during the boot process. A TPM typically uses a secure boot process.

Honeypot

A security tool used to lure attackers away from the actual network. A decoy

Waterfall Model

A series of steps in which a software system trickles down from analysis to design to implementation. vs. agile model

Proxies/Proxy Server

A server application or appliance that acts as an intermediary for requests from clients seeking resources from other servers that provide those resources. Also used to log all user internet activity when configured to to log all web traffic to a syslog server

Broadcast Domain

A set of all devices that receive broadcast frames originating from any device within the set. Devices in the same VLAN are in the same broadcast domain.

Sprint

A set period of time, normally two to four weeks, during which specific work must be completed and made ready for review when using Scrum methods

Remote Access VPN

A single computer that is trying to connect to a home network.

Layer 3 switch

A switch capable of interpreting Layer 3 data and works much like a router in that it supports the same routing protocols and makes routing decisions. Can segment the network into multiple broadcast domains.

Buffer Overflow

A technique for crashing by sending too much data to the buffer in a computer's memory. ex. an application developer, implemented error and exception handling alongside input validation. An attack would be when a customer is trying to download a pdf document and it says an application has encountered an unexpected issue and must be shut down.

Spyware

A type of Malware that locates and saves data from users without them knowing about it.

Cat5 cable

A type of UTP cable that can carry data at up to 100 Mbps.

Layer 2 switch

A type of switch that switches packets based on the MAC address. (or Data Link layer switching) is the process of using devices' MAC addresses to decide where to forward frames. Switches and bridges are used for Layer 2 switching. They break up one large collision domain into multiple smaller ones. In a typical LAN, all hosts are connected to one central device

Zero-day exploit

A vulnerability that is exploited before the software creator/vendor is even aware of its existence.

System Sprawl

A vulnerability that occurs when an organization has more systems than it needs. and systems it owns are underutilized. Compare with VM sprawl.

PKCS-7

A way to store certificates as individual files

Evil Twin

A wireless network router with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.

802.11i

A wireless standard that added security features.

Thin client

AP hardware mounted on the ceiling

AUP

Acceptable Use Policy - Defines what a person can or can not do when using company assets

Bluesnarfing Attack

Access a Bluetooth-enabled device and transfer data

ACL

Access control list. A list of rules used to grant access to a resource. How to get access to data and resources. ex. how to use fobs or smart cards.

Proper input validation

Accounting for errors such as incorrect user input.

Log evens on shared applications/resources

Activity on web servers Activity on a firewall

Scalability

Add extra servers if you need it for higher demand traffic ex. selling concert tickets

Injection Attck

Add something into an application that does harmful things. ex. Code injection, Command Injection,

ARP

Address Resolution Protocol - is a communication protocol that lets us resolve a ethernet mac address from an IP address

ARP spoofing

Address Resolution Protocol - spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer. ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit.

AES cipher

Advanced Encryption Standard. Came after DES because it's still un-hackable. It uses the same key to encrypt and decrypt. It's a Block Cipher, 128-bit Block Size, Rounds 10, 12, or 14, Key Size: 128, 192 or 256-bits. Automatically used in WPA2

APT

Advanced Persistent Threat - highly trained and funded groups of hackers that get into a system and they stay there mostly to gain government intelligence

Threat

Adversarial: hacker or someone that is doing intentional harm. Accidental: a user reformats a hard drive with a lot of data on it. Structural: power supply on the router dies, equipment or software failure Environmental: fires, earthquakes

TTP

Adversary Tactics, Techniques and Procedures for Threat Intelligence Sources

Aircrack-ng

Aircrack can be used to grab WEP Keys. command airmon-ng in command prompt

Port 5060

Allowed to provide access to certain VoIP applications.

USB OTG (USB on the go)

Allows other usb devices to connect to a smart phone and pass information between the two devices

RAID 01 (0+1)

Also called a nested RAID. Minimum of 4 drives. Described as two striped sets of mirrored drives.

ESP

An Encapsulating Security Payload (ESP) is a protocol within the IPSec for providing authentication, integrity and confidentially of network packets data/payload.

Authentication Header (AH)

An IPSec component that provides integrity

IPS

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability

SNMP Walk

An SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

Downgrade Attack

An attack in which the system is forced to abandon the current higher security mode of operation and fall back to implementing an older and less secure mode.

Brute force attack

An attack on passwords or encryption that tries every possible password or encryption key.

Session Hijacking

An attack that attempts to impersonate a user by capturing and using a session ID. Session IDs are stored in cookies.

Smurf Attack

An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.

SSL Stripping

An attack that focuses on stripping the security from HTTPS-enabled websites. Also known as Replay attack

XML injection

An attack that injects XML tags and data into a database.

cross-site request forgery (XSRF)

An attack that uses the user's Web browser settings to impersonate the user.

Replay Attack

An attack where the data is captured and replayed. Attackers typically modify data before replaying it

802.1x authentication

An authentication standard that uses username/passwords, certificates, or devices such as smart cards to authenticate clients.

tone generator

An electronic device that sends an electrical signal through one set of UTP cables.

FTPS (File Transfer Protocol Secure)

An extension of FTP that uses SSL or TLS encrypt FTP traffic. Some implementations of FTPS use ports 20 and 21

Split Horizon DNS

An implementation of DNS where internal and external DNS queries are handled by different DNS servers or by a single DNS server that is specially configured to keep internal and external DNS zones separate. Example: Only users outside the internal network can reach the site.

Misconfiguration

An incorrectly configured device.

Application Whitelisting

An inventory of applications that have been pre-approved and authorized to be active and present on the device.

ALE

Annualized Loss Expectancy = SLE x ARO

ARO

Annualized Rate of Occurrence - How often does a incident (flood or fire) happen annually

hardware root of trust

Anyone that wants to inject the system has to have a certificate

Wireshark

Application that captures and analyzes network packets

data sensitivity labeling

Applying the correct category to data to ensure proper data handling. 1) Public Data: no restrictions 2) Confidential Data: limited to authorized viewing as agreed on by the parties involved 3) Private: limited to the individual to whom the information is shared, PII (Personally Identifiable Information) 4) Proprietary: like private but at corporate level 5) PHI (Protected Health Information) HIPPA

Risk Management

Assets, likelihood, threat actors,

Dictionary attack

Attempt to break a password by trying all possible words.

Intrusive Vulnerability Scan

Attempts to actually penetrate the system to perform a simulated attack. Non is not doing anything to the system.

Rainbow Table Attack

Attempts to discover the password from the hash.

802.1X

Authentication standard that allows us to make connections between client and network. (it will be through a physical authenticator. It will then connect to an authentication server which makes a RADIUS.

AAA

Authentication, Authorization (granted access) and Accounting (tracking of data)

AIS

Automated Indicator Sharing - exchange of cybersecurity intelligence (CI) between entities

Onboarding

Background check of a person, sign a NDA, SOP's, rules and behaviors

Incremental backup

Backup that copies only the changed data since the last backup.

BOOTP

Bootstrap Protocol - is a computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server. The BOOTP was originally defined in RFC 951

BYOD

Bring Your Own Device service agreement, makes it possible for users to be free to use their personal devices to access a corporate or a campus network

BIA: basic theory

Business Impact Analysis: -Determine mission process -Identification of critical systems -Single point-of-failure -Identify resource requirements -Identify recovery priorities

BPA

Business partners agreement. - Primary entities - Time frame - Financial Issues - Management

Mobile Deployment Options

COBO - Corporate owned, business only: company owned, company devices what to do with that device, what encryption is used, what applications are on that device. COPE - Corporate owned, personally enabled: everyone has the same advice, learning curve CYOD - Choose your own device: users get to choose their device BYOD - Bring your own device: very heavy device management

Band selection/width

Can choose between 2.4 GHz and 5 GHz depending on which 802.11 protocol is being used.

netstat command

Can detect what hosts are connected to you and all ports that are open to see what ports are listening. used to find out who you are talking to and who is listening to you

Wireless Networks

Can plug in Wireless access point (WAP) switch that then broadcasts SSID's (Service Set Identifiers that identifies the wifi name when searching for wireless networks.

CIS

Center for Internet Security standards

CA

Certificate Authority - (ex. godaddy)is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A root certificate is part of a public key infrastructure (PKI) scheme

CRL

Certificate Revocation List - When employees that use certificates leave the company they should be added to this list. It is comprised of Public Keys. Starting to fade to OCSP

CA Certificate

Certification Authority - issues digital certificates. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't.

chmod

Change Mode - a command in command prompt mode that changes permissions. Old version is using bits and bytes with 0's and 1's. There is a diagram. chod and passwd both require SUDO user

CSU/DSU

Channel Service Unit/Data Service Unit - a device used to connect data terminal equipment (DTE) such as router, to a digital circuit, such as Digital Signal 1 (DS1) T1 line.

File integrity check (FIC)

Checks that a file is in good order and it's ready to run. It's not corrupted, virus free.

CBC

Cipher Block Chaining

fire extinguisher

Class A - wood Class B - liquids and gases Class C - energized electrical equipment Class D - Combustible metals Class K - Kitchen oils

Hybrid attack

Combination of dictionary and brute force

Remote Shell (RSH)

Command-line program that executes shell commands across a network in an unsecured manner through Telnet on port 23

CLF

Common Log Format - standard type of logs that every webserver generates

CVE

Common Vulnerabilities and Exposures - Uniquely numbered and identified threat internationally (cve website)

CAPTCHA

Completely Automated Public Turing Test To Tell Computers and Humans Apart

Security Policy

Complexity - length of character requirements Expiration - reset and time triggers Password History - Re-usage and retention

CIRT

Computer (Cyber) Incident Response Team that include IT security team, IT department, Human Resources, Legal and PR

CERT

Computer Emergency Response Team

CIA Triad

Confidentiality (encrypting with public and private keys), Integrity (no modifications were done without authority), Availability (data is stored and protected). Also included are Auditing & Accountability & Non-Repudiation (Can't deny made some form of communication)

Physical Security Controls

Control actions in the real world such as gates, guards, keys and man traps

Administrative Security Control/Management Control

Control actions towards IT security such as laws, policies, guidelines, best practices. Controls what people do.

Technical Security Control

Controls actions IT systems towards IT security such as computer stuff, firewalls, password links, authentication, encryption

Ceaser Cipher

Convert plain text into code when encrypting

Port Mirroring/Spanning

Copies the traffic from one, a group, or all ports to a single port and disallows bidirectional traffic on that port. Used to view traffic on other ports in a switched environment.

CCMP

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

CCM mode

Counter with Chain Block Message Authentication Code. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality.

XSS

Cross Site Scripting - a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

XSRF

Cross-Site Request Forgery - a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. When you get a message from a website that you made the purchase.

Data Sensitivity and Classification Policies

Data Classification define the importance or nature of the data

DES

Data Encryption Standard - symmetric-key algorithm for encryption. It's a Block Cipher, 64-bit Block Size, 16 rounds and Key Size is 56-bit

DEP

Data Execution Prevention. A security feature in some operating systems. It helps prevent an application or service from executing code from a nonexecutable memory region

Data at rest

Data stored on the hard drive or on a thumb drive

system administrator

Day-to-Day administration of a system, implement security controls

DBI

Decibels-isotropic. Identifies the gain of an antenna and is commonly used with omnidirectional antennas. It references an isotropic antenna that can theoretically transmit the signal equally in all directions. Higher numbers indicate the antenna can transmit and receive over greater distances.

Network Baseline

Defines a point of reference for measuring network performance when problems begin to occur on the network.. When a technician notices that the network traffic to one of the servers is extremely high.

X.509 standard

Defines specific items that must be part of any certificate for use on the Internet.

Data owner

Defines the sensitivity of the data Defines the protection of the data Works with the system owner to protect data Defines access to the data

purge

Degauser is a massive magnet that wipes the hard drive but destroys the actual drive itself

DoS

Denial-of-Service Attack: -Volume Attack -Protocol Attack -Application Attack

deauthentication attack

Denial-of-service (DoS) strike that disconnects a wireless host from WAP, so that the victim is forced to reconnect and exchange the wireless key multiple times; an attacker can then perform an offline brute-force cracking of the password.

Antivirus

Designed to detect and destroy computer viruses.

Security Control Functions

Deterrent: deters the actor from attempting the threat Preventative: deters the actor from performing the threat Detective: recognizes an actor's threat Corrective: mitigates the impact of a manifested threat Compensating: provides alternative fixes to any of the above functions

Port Scanner

Different services use different ports. When a service is enabled on a computer, a network port is opened for that service, ex. During a security assessment, an administrator wishes to see which services are running on a remote server

Digital Certificate

Digital Signatures is used to validate the integrity of the message and the sender. Digital certificates refer to cryptography which is mainly concerned with Confidentiality, Integrity, Authentication, Nonrepudiation and Access Control. Nonrepudiation prevents one party from denying actions they carried out. It has the public key, 3rd party key and the other persons private key. Includes at least one pubic key and one digital signature.

DAC

Discretionary Access Control - owner of the data defines access such as the security team

DDoS Attack

Distributed Denial of Service Attack. Typically a virus installed on many computers (thousands) activate at the same time and flood a target with traffic to the point the server becomes overwhelmed.

DDS

Distributed Denial-of-Service attack

Separation of Duties

Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.

DNS

Domain Name System - The internet's system for converting alphabetical names into numeric IP addresses. port 53

DNSSEC

Domain Name System Security Extension - an authentication tool not encryption to verify the private key. popular on DNS servers.

Sideloading

Downloading an app from an unofficial third-party website.

BitLocker Drive Encryption

Drive encryption software offered in high-end versions of Windows. BitLocker requires a special chip to validate hardware status and to ensure that the computer hasn't been hacked.

DHCP

Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more. port 67 & 68

EAP-FAST

EAP-Flexible Authentication via Secure Tunneling (EAP-FAST). A Cisco-designed replacement for Lightweight EAP (LEAP). EAP-FAST supports certificates, but they are optional.

EAP-PSK

EAP-PSK (pre-shared key) uses pre-determined symmetric keys, similar to WPA and WPA-2 Most popular form of authentication used in wireless networks.

Mitigation

Effort to reduce the impact of risk

EMI

Electromagnetic Interference; occurs when two signals in close proximity interfere with each other

ECB block encryption mode

Electronic Code Book - not used anymore. They will output the same results with the same input. It leaves a pattern in the ciphertext.

ESD

Electrostatic discharge (ESD) is the sudden flow of electricity between two electrically charged objects cause by contact an electrical short, or dielectric breakdown.

ECC

Elliptical Curve Cryptography. Used when minimal overhead is necessary for a mobile device. It is the most suitable PKC (Public-key cryptography) to use in a constrained environment. Part of Asymmetric Algorithm. Less keys than RSA and faster

Macro Virus

Embedded into a document and is executed when the document is opened by the user ex. word doc or excel

Dark Web/Dark Net

Encrypted anonymous connections. Tor network/Tor web browser. You can get to not indexed by search engine websites. It hides your IP address

Symmetric Block Modes

Encrypting with the same key over and over again where you can still make out the photo or voice message even though it's been encrypted

Algorithm

Encryption standards that every needs to understand and they have to have a key that has to be kept secret

Tunnel Mode (IPSec)

Encrypts the entire IP packet used in the internal network, and is the mode used with VPN's transmitted over the internet.

Disk encryption

Encrypts the entire contents of a hard drive.

ERM software

Enterprise Risk Management Software - helps businesses identify and monitor financial, strategic and operational risks.

broadcast storm

Excessive amounts of broadcasts

XOR Encryption

Exclusive OR

ESSID

Extended Service Set Identifier

EAP

Extensible Authentication Protocol - came after PPP designed to handle authentication

EAP-TLS

Extensible Authentication Protocol-Transport Layer Security - Can handle an entire TLS, needs server and client certificates

EAP-TLS

Extensible Authentication Protocol-Tunneled Transport Layer Security - uses the TLS exchange method, only the server has a certificate

XML

Extensible Markup Language - a set of codes, or tags, that describes the text in a digital document. The most famous markup language is hypertext markup language (HTML), which is used to format Web pages.

Port 20

FTP Data Transfer. When downloading a file from a remote FTP server, an error is received that a connection cannot be opened. Error port 20 is open.

RAID 5 - Striping with Parity

File blocks are striped along with a parity block. This requires at least three disks. Efficient use of disk space as files aren't duplicated, but space is still used for parity. High redundancy Data is available after drive failure but parity calculation may affect performance.

Router / Layer-3 Switch

Filter and Forward based on IP address. They have their own firewall.

Site Survey Tools

Find SSID's - finds MAC addresses - Bands, channels, and signals for 802.11

Firesheep

Firesheep is a free, open-source Firefox browser extension introduced in late 2010

DevOps

For Code: Plan, Create, Verify, Package, Release, Configure, Monitor

FDE

Full Disk Encryption - ex BitLocker that is built-in Windows Utility Drive Encryption too. must have recovery key to access the data.

Full Tunneling

Full tunnel is when the connection goes through home office router then google and back the same way.

GDPR

General Data Protection Regulation - protects EU citizens' private data

Unsigned Certificate

Generating my own certificate without 3rd party signature

GRE

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol network. It encapsulates layer protocols such as IPX and WAN.

GPS Tracking

Global Positioning System - When focus is on equipment recovery, this is used when there are concerns that employees will lose their company provided smartphones.

Maintenance of 802.11

Good Documentation: - SSIDs - Mac addresses associated to WAPS, ASP locations, Heatmaps - Good practice: AP isolation enabled

GPA

Group Policy Objects - a policy that we can apply to domains, individual sites, groups, organizational units and it can apply to an entire directory

Port 80

HTTP (Hypertext Transfer Protocol)

HSTS

HTTP Strict Transport Security - browsers require you to switch to HTTP instead of HTTPS

Hacktivists

Hackers who are driven by a cause like social change, political agendas, or terrorism

Network Events for logs

Happen between a host and the network

HSM

Hardware Security Module. A hardware card

Asset

Hardware, data, employee or company reputation, services

SNMPv1

Has limited command set and no encryption

HMAC

Hashed Message Authentication Code- provides message integrity, requires each side of the conversation to have the same key, It has a AH first, then TCP, then DATA, then IP address.

Credentialed Vulnerability Assessment

Having user names and passwords. Non is without user names and passwords

HIPPA

Health Insurance Portability and Accountability Act

HVAC

Heating, Ventilation and Air Conditioning

Loopback adapter

Helps to verify the configuration of the router. Plugs into a port and crosses over the transmit line to the receive line so that outgoing signals can be redirected into the computer for testing. is required if you are installing on a non-networked computer to connect the computer to a network after the installation. When you install a loopback adapter, the loopback adapter assigns a local IP address for your computer

HBA

Host Bus Adapter - Looks like a network card and it's couple thousand to buy

HIPS

Host-based Intrusion Prevention System - an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host

HTTP

Hypertext Transfer Protocol - an application-layer protocol for transmitting hypermedia documents, such as HTML. Designed for communication between web browsers and web servers. Using port 80 for unsecure websites

IRP

Identity Registration Protocol

Key Escrow

If a key need to be recovered for legal purposes the key escrow can be used. Key escrow addresses the possibility that a third party may need to access keys, such as the government.

Recovery Agent

If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key.

Crypto-erase

If the hard drive is encrypted without the keys

Implicit Deny

Implicit deny says that if you aren't explicitly granted access or privileges for a resource, you're denied access by default. ex. users report that they are unable to access network printing services.

Transport Mode

In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.

encapsultion

In computer networking, encapsulation is a method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher-level objects

MIMO (multiple input-multiple output)

In the context of 802.11n wireless networking, the ability for access points to issue multiple signals to stations, thereby multiplying the signal's strength and increasing their range and data-carrying capacity. Because the signals follow multipath propagation, they must be phase-adjusted when they reach their destination.

Session Key

In-Band - Sending the key with the encrypted data. Out of Band - not provide the key with the encrypted data.

Script Kiddies

Individuals that have very little skill who want to break into computers to create damage that create some simple scripts. They are easily blocked

ICS

Industrial Control Systems - HVAC

IaaS

Infrastructure as a Service. A cloud computing technology useful for heavily utilized systems and networks. Organizations can limit their hardware footprint and personnel costs by renting access to hardware such as servers. Compare to PaaS and SaaS.

Tarpitting

Intentionally slow down the server conversation with spam emails

Network Sniffing

Intercepting packages on a wireless or wired network and viewing the contents of these packages. the process of capturing and analyzing the packets sent between systems on the network. A network sniffer is also known as a Protocol Analyzer.

ISA

Interconnection Security Agreement taken from NIST 800-47 - Statement of Requirements: why are we interconnecting, who is interconnecting - System security considerations: what information is interconnecting, where is the information is going, what services are involved, what encryption is needed - Topological drawing - Signature authority

Data Users

Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations.

ISO/IEC

International Organization for Standardization/International Electrotechnical Commission

IMAP

Internet Message Access Protocol - mail uses port 143

IPVPN

Internet Protocol Virtual Private Network - is separated from the public internet, travelling via a private connection to each remote site.

ISAKMP

Internet Security Association and Key Management Protocol - between two hosts if they want to talk IPSec -Uses negotiation protocol - initial authentication through certificates, preshared keys, key exchange,

ISP

Internet Service Provider

iSCSI

Internet Small Computer System Interface - connect to other devices on top of the network ones. You will always have an initiator and a target.

IPX

Internetwork Packet Exchange (IPX) is the network layer protocol in the IPX/SPX protocol suite. IPX is derived from Xerox Network Systems' IDP. It may act as a transport layer protocol as well.

IDS

Intrusion Detection System - Tends to be on the inside of the network and it watches bad activity on the network and sends alerts on suspicious activity.

IPS (IDPS)

Intrusion Prevention System - also known as Active IDS. It's usually close to the edge of the network, an action to prevent will occur at the IPS device. Routers can have IPS and so can firewalls. Firewall filters, IDS notifies and IPS acts to stop.

Block cipher

Is a encryption method that applies a deterministic algorithm along with a symmetric key to encrypt and block of text rather than encrypting one bit at a time as in stream cipher.

False Positive

It identifies it as a problem but it's not real problem that won't make the system vulnerable

Ransomware/Crypto-malware

It locks it until you pay someone money.

digital signature

It's a hash of data I am looking at that says it came from a private key

SystemFileChecker (SFC)

It's a program that is used in command prompt

802.11 jammer

It's illegal in the US and it can be used to program to jam 2.4gh signal, can be programmed on channel 6

KDC

Key Distribution Center. Part of the Kerberos protocol used for network authentication. The KDC issues time-stamped tickets that expire.

Diffie-Hellman

Key generation algorithm, key exchange agreement, that is asymmetric, defines the size or type of key structure to use, can have very large keys. The benefit is only to the 2nd party, who only needs to know a color. Considered low overhead.

Attack Frameworks

Kill Chain MITRE ATT&CK Diamond Model of Intrusion Analysis

L2TP

Layer 2 Tunneling Protocol: - Cisco proprietary - Similar to PPTP - L2TP tunnel -IPsec encryption (so fast) - UDP ports 500, 4500

defense in depth (DiD)

Layering of security controls is more effective and secure than relying on a single control

LDAP

Lightweight Directory Access Protocol - Structured language that allows one computer to go to someone else's directory and update it. Uses TCP and UDP port 389

LDAP injection

Lightweight Directory Access Protocol - is an attack against a directory service. Just as SQL injection attacks take statements that are input by users and exploit weaknesses within, an LDAP injection attack exploits weaknesses in LDAP (Lightweight Directory Access Protocol) implementations. This can occur when the user's input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries. from X.500

LEAP

Lightweight Extensible Authentication Protocol - Cisco's high security tunnel but not used anymore. Replaced with EAP-FAST

Backup

Local backup, offsite backup, cloud backup

Business Continuity Plan

Long-term strategy for extended outages.

Shoulder Surfing

Looking over someone's shoulder to see info

Authorization Models

MAc,

Hash Types

MD5, SHA, RIPEMD. Hash is a digital signature.

Diffusion

Make it a little bit less visible when encrypting

Refactoring

Make it appear different each time: add NOP instructions Loops, pointless code strings.

Proper Error Handling

Making sure errors don't crash the system, allow for elevated privileges or expose unintended information.

Malware

Malicious Software a general term for any type of malicious software. Allows employees to surf the web unrestricted from their work computers.

Virus

Malicious code that runs on a machine ex, download software. 10 viruses: Boot sector Macro Program Multipartite Encrypted Polymorphic Metamorphic Stealth Armored Hoax

Polymorphic Malware

Malware code that completely changes from its original form whenever it is executed.

MIM

Man-in-the-Middle - A security attack in which network communication is intercepted in an attempt to obtain key data

MIB

Management Information Base - A database that we query using SNMP

SNMP MIB browser selection

Management Information Base. It needs to be added to the network management tool to allow it to interpret the new device and control it using SNMP. This option is in the Tools menu from any network map on the NNM

System Owner

Management level, maintains security of the system, defines a system administrator, works with all data owners to ensure data security

Firewall

Manages traffic using a rule or a set of rules. Should be configured on the outermost part of the network.

MAC

Mandatory Access Control. It has labels such as Top Secret for government info.

Personnel Management Controls

Mandatory Vacations Job Rotation Separation of Duties

MTTF

Mean time to failure. The length of time you can expect a device to remain in operation before it fails. It is similar to MTBF (Mean Time Before Failure), but the primary difference is that the MTBF metric indicates you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair a device after it fails.

WiFi Direct/Ad hoc

Means for wireless devices to connect directly to each other without a wireless access point.

Memory Vulnerabilities

Memory leak. Buffer overflow. Integer overflow. Pointer dereference. DLL injection

MD5

Message Digest 5 - algorithm is a widely used hash function producing a 128-bit hash value.ex. The security manager must store a copy of a sensitive document and needs to verify at a later point that the document has not been altered

Directory Traversal

Method of accessing unauthorized directories by moving through the directory structure on a remote server

MAN

Metropolitan Area Network; a geographic network that covers a larger geographic area such as a city or community; may be used to connect computers in libraries, government agencies, etc. together - no more than 30 miles in size

MS-CHAP

Microsoft's variation of the Challenge Handshake Authentication Protocol that uses a slightly more advanced encryption protocol. Client sends a key and server sends a challenge question plus a hash.

Diamond Model of Intrusion Analysis

Model for analyzing incidents through Adversary > Infrastructure > Capability > Victim with Meta-Features such as Timestamp, phase, result, direction, methodology & resources

Maas

Monitoring as a Service - company helps monitor logs

Bluetooth

Most mobile phones and Bluetooth headsets are class 2 range upto 33'

MPLS

Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table and speeding traffic flows.

Federated Transient Trust

My computer will trust the computer that they trust other computers to

Get query

NMS sending a Get to a managed response from a device communication between a computer and ex. printer)

PCIDSS compliance package

National Compliance

NIST

National Institute of Standards and Technology - has a list of high to low vulnerabilities in the SP 800-30/37

NFC

Near field communication; a short-range, wireless communication standard. NFC is being used to support contactless payment and transactions over NFC-equipped mobile devices.

NAC

Network Access Control: - Wireless Network - Remote Access (your own dedicated T3 line) - VPN access

NAT

Network Address Translation

NAS

Network Attached Storage - A Specialized file server that is designed and dedicated to support only data storage needs. For file level.

NMS

Network Management System (ex. cacti, nagios, zabbix, spiceworks web interface)

NIC driver

Network interface card (NIC) drivers are computerized instructions and information that are required for a NIC card to be operational after it is installed into or connected to a computer. ... These drivers not only enable the hardware card to function, they also are intricately involved in configuring the settings for i

Mesh

Network topologu in which all nodes have point to point connections to all other nodes

NIDS

Network-based intrusion detection system. It detects malicious traffic on a network. Passive detection system

NIPS Detection

Network-based intrusion prevention system - monitors the entire network for suspicious traffic by analyzing protocol activity. - Blocks from router - detection methods: behavioral/anomaly, signature-based, rule-based, heuristic (combines anomaly & signature). In band

Managed Device

Networking devices, such as routers and advanced switches, that must be configured to use.

NTFS permissions for a folder

New Technology File System permission - when sharing a file on one computer by others ex. E drive. Set up groups rather than individuals and individual files. Folder: Full Control: do anything you want. Modify: read, write & delete files and subfolders Read/Execute: See contents and Run Programs List Folder Contents: See contents of folders and subfolders Read: view contents and open data files Write: write to files and create new files and folders

NTFS permissions for a file

New Technology File System permission: Full Control: Anything you want Modify: read, write and delete the file Read/Execute: open and run the file Read: open the file Write: open and write to the file

NTLM

New Technology LAN Manager

NDA

Non-Disclosure Agreement

Security events for logs

Non-Network Events: Logons, logon success and failures. ex. Date, Time, Process/Sources, Account, Event number, Event Description

Operating system events for logs

Non-Network Events: Host starting, Host shutdown, Reboot, Services starting, stopping, and failing Operating system updates

Application events in logs

Non-network events: Application installation, Application starts, stops or crashes

Cipher Locks

Numbered key pad to open doors

Risk Transference

Offload the risk ex. use cloud web based server

Vigenere Cipher Encryption

Offset letters and numbers in a bingo like square. Not good for encrypting pictures or credit cards.

OCSP

Online Certificate Status Protocol - similar to CRL but it's real time to check if a certificate is real.

OSINT

Open Source Intelligence - information you can get from Social Media, government reports, academic reports. Closed/proprietary (you will need to sign up ex. GitHub)

Non-Network Events

Operating System Events:

Blowfish

Part of symmetric encryption. It has 65-bit Block Size, 16 Rounds, Key Size minimum 32 and as high as 448 bit

PAP

Password Authentication Protocol - authentication protocol that does not encrypt the data and sends the password and username to the authentication server as plain text.

Attack Vector

Pathways to gain access to infrastructure: -weak configurations -open firewalls ports -lack of user security awareness -MFA (multifactor authentication) -missing patches (Equifax hack) -infected USB thumb drivers (stuxnet worm) -supply-chain attack: manufacturers, contractors, implementers, outsourced software development (right-to-audit clause)

PCI-DSS

Payment Card Industry Data Security Standard

PCI DSS

Payment Card Industry Data Security Standard - credit cards

Exposure Factor

Percentage of an asset that's lost as the result of an incident (flooding, fire)

PII

Personally Identifiable Information, ex. SSN, personal email address, drivers' license number

Mitigating Threats

Physical Controls, Technical Controls, Administrative Controls

DoS Volumetrick Attack

Ping Flood - hacker can keep sending ping and overwhelms it. UDP Flood - hacker sending out various UDP requests that can overwhelm the machine

POTS

Plain Old Telephone Service - telephone system for voice-grade telephone service employing analog signal transmission over copper loops.

PaaS

Platform as a Service. Provides cloud customers with an easy-to-configure operating system and on-demand computing capabilities. Compare to IaaS and SaaS.

PPP

Point-to-Point Protocol: - Transport Layer Protocol -Initiate connection - get address information. It had very basic authentication mechanisms. It could only do passwords.

PPTP

Point-to-Point Tunneling Protocol: - Oldest VPN protocol - Uses PPP for tunnel - Password only - TCP port 1723 - easily hacked

Administrative controls (Managerial Controls)

Policies, procedures, security awareness training, contingency planning, and disaster recovery plans, legal

PAT

Port Address Translation (PAT) - allows for many internal devices to share one public IP address. Is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.

PUP

Potentially Unwanted Program - Software installed as an add on while installing another software ex. browser bar

Incident Response Process

Preparation Reporting Identification Containment Eradication - clean up Recovery Lessons Learned

PGP/GPG

Pretty Good Protocol(Privacy)/Gnu Privacy Guard - encryption program most popular for email encryption. PGP encrypts a message with the public key, the message is decrypted with the private key. GPG is free and used to encrypt file and disks.

Technical Control

Preventing unauthorized access to PC's. ex. screen savers that lock the PC after five minutes of inactivity

Pop-up blocker

Prevents websites from opening new browser windows without the users consent.

PIA

Privacy Impact Assessment - how would it impact the company if private info go out.

PTA

Privacy Threshold Assessment - A privacy threshold assessment (PTA) is a process that a company uses to analyze how personal information is protected within an IT system. This process reviews how the information is collected, manipulated, transferred, or transmitted.

RunMe

Program that lets the admin change rights

Adware

Programs that put ads up that pop up while on the web

PEAP

Protected Extensible Authentication Protocol - Microsoft's version of EAP. Designed for access control protocols. Not used anymore.

PDUs

Protocol Data Units - These hold the control information attached to the data at each layer of the model. They're usually attached to the header in front of the data field but can also be in the trailer, or end, of it.

Identification

Proves to the system who I am

nslookup

Provides info on the DNS server about the name or IP address of a device

Least Privilege

Providing only the minimum amount of privileges necessary to perform a job or function.

PKCS

Public Key Cryptography Standards

PKI

Public Key Infrastructure - encryption that protects communications between the server (your website) and the client (the users). Based on hierarchy where a company (Certificate Authority) issues a certificate, then it goes through intermediate authority to take the load off.

Asymmetric encryption

Public key only used to encrypt and private key to decrypt. Used to send a secure session key. It is slow, but very useful in exchanging session keys.

RIPEMD

RACE Integrity Primitives Evaluation Message Digest - not very common, 128, 160, 256, 320 bit hash

RF Signal

Radio Frequency Signal

RFI

Radio frequency interference. Interference from RF sources such as AM or FM transmitters. RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.

Jamming

Radio jamming is the deliberate jamming, blocking or interference with wireless communications. ex. malicious student is blocking mobile devices from connecting to the internet when other students are in the classroom.

RO command

Read Only setting you put in SNMP command prompt

RTO

Recover Time Objection - minimum time before getting back up online

RPO

Recovery Point Objective. A Recovery Point Objective identifies a point in time where data loss is acceptable. It is related to the RTO and the BIA often includes both RTOs and RPOs.

RAID

Redundant Array of Independent Disks - is a way of storing the same data in different places on multiple hard disks or solid-state drives to protect data in the case of a drive failure.

RAID controller

Redundant Array of Independent Disks - using multiple hard drives to provides integrity and improve access

RADIUS

Remote Authentication Dial-In User Service - supports dial-in networking

RCP

Remote Copy Protocol - a command used in UNIX operating systems to remotely copy one or more files between machines.

RDP

Remote Desktop Protocol port 3389

RPC

Remote Procedure Call (RPC) is a programming interface that allows a remote computer to run programs on a local machine.

RAT

Remote access Trojan. Malware that allows an attacker to take control of a system from a remote location. The attacker has to start it up.

Log events to the OS/system via network

Remote logons (fail or not)

SNMP Get

Request to query for information on a network entity.

Reservations

Reservations assure that a specified hardware device on the subnet can always use the same IP address. For example, if you have defined the range 192.168.1.11 through 192.168.1.254 as your DHCP scope, you can then reserve the IP address 192.168.1.100.

Rights and Privileges

Rights (also called privileges) are the entitlements, or permissions, granted to a user or role for a system level - for example, the right to modify particular data, or to authorize a change.

RMF

Risk Management Frameworks - Categorize, Select, Implement, Assess, Authorize, Monitor

RC4

Rivest Cipher 4. A Streaming Cipher, encrypts 1 bit at a time, 1 round, Key Size: 40-2048 bits. It's automatically used in WPA

RBAC

Role-based Access Control - Access to resources is defined by a set of rules. Establish groups so you can assign rights and permissions easier

Port 25

SMTP (Simple Mail Transfer Protocol)

Port 22

SSH (Secure Shell) - a port that is used to provide secure shell sessions over the web by default. Used to securely transfer files between remote UNIX systems.

DoS Protocol Attack

SYN Flood/TCP SYB Attack - client keeps sending a SYN signal and ignoring the SYN Ack response from the server

Email Address Harvesting

Searches for valid addresses to attack

SCP

Secure Copy Protocol. Used to securely transfer computer files between a local host and a remote host, or between two remote hosts. It uses SSH for data transfer, and uses the same authentication and provides the same security as SSH. It will as for passwords or passphrases if they are needed for authentication. Port 22

SSL

Secure Sockets Layer. Used to encrypt traffic on the wire. SSL is used with HTTPS to encrypt HTTP traffic on the Internet using both symmetric and asymmetric encryption algorithms. SSL uses port 443 when encrypting HTTPS traffic.

SSL/TLS

Secure Sockets layer / Transport Layer Security - An encryption layer of HTTP that uses public key cryptography to establish a secure connection. - TCP port 443 -Often works within a web browser - TUN/TAP (virtual network driver) tunnel - TLS encryption SSL is older. TLS is newer. ***FOUR main aspects: encryption, key exchange, authentication and HMAC

SAML

Security Assertions Markup Language. Used in website applications - allows us to log into different devices that are on the VPN through the IP (Identity Provider)

SIEM

Security Information and Event Management - takes monitors and puts it together in a single packages. - aggregate and correlate data, allowing you to organize them into valuable information -you can get to the time sequence of an event in all the logs quickly - have alerts and the ability to notify you based on configurable trigger

Port security

Security control that identifies when an organizational system has been plugged in. It is also provides the ability to supply automated notifications.

SED

Self-encrypting drive

Data in transit

Sending a text message that is moving in transit

OS Types

Server OS: Built-in functionality, connections Workstation: Desktop version, workhorse Embedded systems: appliances, own OS Kiosk: limited function Mobile OS: apple, android

SLA

Service Level Agreement - Service to be provided - Minimum up-time - Response time (contacts) - Strat and end date

SSID

Service Set Identifier. It lists or hides your LAN or WLAN

SATCOM (Satellite Communications)

Services such as voice and video calling, Internet access, faxing, and television and radio broadcasting.

USB port

Short for Universal Serial Bus, an external bus standard that supports data transfer rates of 12 Mbps. A single USB port can be used to connect up to 127 peripheral devices, such as mice, modems, and keyboards

CSMA/CA

Short for carrier sense multiple access with collision avoidance. It is used as a method for multiple hosts to communicate on a wireless network and AppleTalk.

SNMP

Simple Network Management Protocol - Notifies the status and creates reports on network devices

SLE

Single Loss Expectancy = Asset Value x Exposure Factor

SSO

Single Sign-On - go to each computer and connect it to the domain cmputer

SCSI

Small Computer System Interface - is a set of standards for physically connecting and transferring data between computers and peripheral devices. The SCSI standards define commands, protocols, electrical, optical and logical interfaces.

SFP

Small Form-factor Pluggable - a compact, hot-pluggable network interface module used for both telecommunication and data communications applications.

Technical Controls

Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication

Non-persistence

Snapshots - second copy of what you were working on Known State - ex. uninstall updates and go back to the previous state Rollback driver - go back to the previous version

Ettercap

Software Program - a sniffing and spoofing tool. It's a pen test tool that will attack the network, finds the person's user name and password. Used for ARP poisoning

SaaS

Software as a service - allows for on-demand online access to specific software applications or suites without having to install it locally. It's a subscription based license. This will allow the data center to continue providing network and security services. ex. Office 365

Agent

Software on ex. printer

Authentication Factors

Something you know (password, pin, CAPTCHA, security questions), something you have (smart card or RSA key), and something you are (biometrics - retinal scan)

Authentication

Something you know, you are, you have, you do, somewhere you are. Proving I have rights to that system ex. passwords, smart cards, retinal scanners

SPIM

Spam over Internet Messaging ex. skype messaging

Whaling

Spear phishing the CEO

CybOX ( Cyber Observable expression)

Standard categorization for security organization when explaining them to other people

Stateful vs Stateless Firewall

Stateless firewall will filter and block no matter what situation by defined IP address(s), port access & URL addresses. Stateful firewall doesn't have ACL and looks at what's going on and makes a decision of what it will do.

SSAE SOC

Statements on Standards for Attestation Engagements Service Organization Control ex. financial statement integrity, internal controls, Type I and II

SAN

Storage Area Network. A specialized network of high-speed storage devices. Provides block-level storage using fiber channel or iSCSI

Boot Sector Virus

Stored in the first sector of a hard drive and loaded into memory upon boot up. Hard to detect as it will show up when you boot up your computer

SQL Injection

Structured Query Language Injection. Its a language with commands such as: inner join, insert into, select from

SQL

Structured Query Language. Used to communicate with a database. It is the standard language for relational database management system. More graphs and spreadsheets.

STIX

Structured Threat Information eXpression - format that packages threat intelligence - form of AIS

Substitution

Substitute the plain text, the message, with different letters. Rotating it 2 back is ROT2

SCADA

Supervisory Control and Data Acquisition - they need a cellular WAN connection

Transport Protocols

TCP, UDP, ICMP

Data in process

Take database that are sitting in a CPU and we think about where we will be encrypting that data

Obfuscation

Take something that makes sense and hide it so it doesn't make sense to the casual outside observer

TKIP

Temporal Key Integrity Protocol - wireless security technology that continuously supplies new keys for WEP. is an encryption protocol included as part of the IEEE 802.11i standard for wireless LANs (WLANs). It is a suite of algorithms that works as a wrapper to WEP where it wraps additional code at the beginning and end to encapsulate and modify it.

Ephemeral Key

Temporary encryption key. Provides perfect forward secrecy. ex. if someone cracked the code from 6 months ago, the key will no longer be valid.

TACACS+

Terminal Access Controller Access Control System Plus - manages multiple devices such as routers and switches. It decouples the authorization from the authentication. Uses TCP port 49. Does auditing for log files

ICMP

The Internet Control Message Protocol - used to determine whether or not data is reaching its intended destination in a timely manner. supporting protocol, handling ARP and ping

IPv4

The Internet Protocol version 4 is the dominant protocol for routing traffic on the Internet, specifying "to" and "from" addresses using a dotted decimal such as "122.45.255.0". - starts with 10 is a private address, 172-173 as well, and 192.168

IPv6

The Internet Protocol version 6 provides a large number of new addresses to route Internet traffic, using "from" and "to" addresses written as colon-hexadecimal notation, such as "fe80::42:acff:feaa:1bf0".

MSDS

The Material Safety Data Sheet lists the hazardous ingredients of a product, its physical and chemical characteristics (e.g. flammability, explosive properties), its effect on human health, the chemicals with which it can adversely react, handling precautions, the types of measures that can be used to control exposure, emergency and first

Layer 1

The Physical layer. To troubleshoot, an engineer flips the laptop's wireless switch to resolve the issue. Ex. computer can not reach the Internet.

Elasticity

The ability to scale down the servers when you don't need them for the demand

Subnetting

The act of dividing a network into smaller logical subnetworks.

hot and cold aisles

The aisles in a server room or data center that circulate cold air into the systems and hot air out of them. Usually, the systems and cabinets are supported by a raised floor. keep an air gap in the server room

Risk Avoidance

The combination of likelihood of impact that I don't want to deal with it so I will avoid having certain data about customers so I don't get in trouble

Transport Encryption

The concept of rendering data passing between two points over an IP based network impervious to all but the most sophisticated advanced persistent threats

Risk Acceptance

The cost of the risk is cheaper than trying to mitigate it or prevent it

Asset Value

The hardware plus the cost of how many hours it will take to set up and if the company lost any business time by replacing it

Load Balancer (DDoS Mitigator)

The methodical and efficient distribution of network or application traffic across multiple servers in a server farm. Each load balancer sits between client devices and backend servers, receiving and then distributing incoming requests to any available server capable of fulfilling them. It's a proxy service.

Scrum

The most common framework for Agile Development.

RTS/CTS

The optional mechanism used by the 802.11 wireless networking protocol to reduce frame collisions introduced by the hidden node problem.

Order of Volatility

The order in which volatile data should be recovered from various storage locations and devices following a security incident. 1) Memory 2) Data on the Disc 3) Remotely logged data 4) Backups

Inheritance

The owner who set up the folder gives permissions to everyone in the folder that he adds a person to. Checkmarks are gray, Check the Deny box as it's stronger than allow

Normalization

The process of applying rules to a database design to ensure that information is divided into the appropriate tables.

code signing

The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.

Model Verification and Validation

The process of confirming that the model is correctly implemented as the conceptual model intended.

Cryptanalysis

The process of decrypting a message without knowing the cipher or key used to encrypt it.

Key Exchange

The process of sending and receiving secure cryptographic keys.

Tethering

The process of sharing an Internet connection from one mobile device to another

Unmatched key pairs

The send and the receiver must have a matching key in order for the receiver to decrypt data.

Heatmap

The signal strength within the office environment

mobile application management (MAM)

The tools and services responsible for distributing and controlling access to apps. Also called application control.

Default/generic Accounts

There might be too many. Disable them or delete them.

Shared Accounts

They are a bad thing without segregating people into groups

Switch

They filter & forward data based on MAC address. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches.[2]

Spear Phishing Attack

They get your full name in the sent email

Split Tunnel

They increase performance creating a split in traffic using both VPN or std internet traffic

collectors

Those who use RSS feeds to collect information and vote for Web sites online

TGT

Ticket Granting Ticket. Used with Kerberos. A KDC (or TGT server) issues timestamped tickets that expire after a certain time period.

RAID 0 (striping)

To increase that you can get data but it doesn't provide data integrity

Removable media control

Tools that can be used to restrict which removable media, such as USB flash drives, can be attached to a system.

Exploiting the Target

Tools: Metasploit, Kali Linux

Dark Web

Tor browser to Tor network entry point to Tor relay servers throughout the world to Tor network exit point to Origin Tor browser IP address unknown

Vulnerability Assessment Tools

Tracerout, port scanner, Advanced IP scanner, nmap, baseline security analyzer, Nessus, Nexpose, OpenVAS.

TLS

Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

SNMP Trap

Trap messages are the main form of communication between SNMP monitoring tools - an SNMP Agent and an SNMP Manager.

3DES

Triple Digital Encryption Standard. It is a Block Cipher, 64-bit Block Size, 16 Rounds, Key Size is 168 keys

TFTP

Trivial File Transfer Protocol - is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network. runs on UDP port 69

TAXII

Trusted Automated eXchange of Intelligence Information - like RSS feed for threats - real-time cyber intelligence feeds

TPM

Trusted Platform Module - a chip that has a public and a private key that you can't encrypt. (PTT is when it's turned on)

Channel Bonding

Two channels that do not overlap are used together in an effort to double the connection speed

RAID 1 (mirroring)

Two drives are used in unison, and all data is written to both drives, giving you a mirror or extra copy of the data, in the case that one drive fails

Binary Block

Type of Encryption - plain text converted into 16-bit, 64-bit, or 128-bit binary ciphertext

URL

Uniform Resource Locator - a reference to a resource that specifies the location of the resource located on the Internet; a Web address

Airgap

Unplug different networks from other networks for protection.

Multiple Accounts

Use different user name and passwords for each user

NT LAM Manager

Used for Authentication where each computer challenges the other with a challenge question and a hash

SubKey

Used in encryption. it has 48 bits

Redundancy in Security Control

Used the same type of security over and over again. ex. applying anti-malware to a computer, a network, ACL or a firewall.

URL Filter

Used to block access to a site based on all or part of the URL. It's a reference to a resource that specifies the location of the resource. A URL filter is used to block access to a site based on all or part of a URL.

KERBEROS

Used when authenticating windows domain controllers

UDP

User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism.

Open-Source Intelligence

Uses public information: Security websites, vulnerability database, news media, social media, dark web, information sharing centers, file repositories, file repositories, code repositories, security researchers.

SNMPv3

Uses robust TLS encryption. Different versions of SNMP can communicate together.

Diversity in Security Control

Using different types of security measures. ex. use different providers/vendors for malware intrusion

VTP

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP carries VLAN information to all the switches in a VTP domain. VTP advertisements can be sent over 802.1Q, and ISL trunks.

EAP-MD5

Very simple version of EAP which uses only MD5 hashes for transfer and authentication credentials. It is weak and the least used of all versions of EAP.

VDE

Virtual Desktop Environment. accessing a remote physical desktop

VDI

Virtual Desktop Infrastructure. The actual virtualized environment in the cloud.

Virtualization Zones

Virtual Network example VM machines in the cloud

Virtualization

Virtualization allows a single set of hardware to host multiple virtual machines ex. A corporation is looking to expand their data center but has run out of physical space in which to store hardware. They want the ability to expand while keeping their current data center operated by internal staff.

VoIP

Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.

IV attack

WEP Initialization Vector attack is vulnerable to cracking, use command airdump

infrared waves

Waves that are longer than visible light waves

WAF

Web application firewall. A firewall specifically designed to protect a web application, such as a web server. A WAF inspects the contents of traffic to a web server, can detect malicious content, and block it.

ProtonMail

Web interface that is fully encrypted (competition is gmail)

Typosquatting/URL hijacking

Websites with names similar to real websites; users making typographical errors are sent to a site filled with malware.

Permission

What are the resources that are assigned to you that you can do

Authorization

What rights do I have to the system once I have been authenticated

Data Exposure

What type(s) of data is exposed if unexpected inputs crash the system or cause an unintended result. What errors are returned if incorrect data is entered, etc.

Entrapment

When a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead.

API Attack (Application Programming Interface)

When an attacker tries to manipulate the application programming interface of an application, to gain access to data that would not normally be available.

Integer Overflow

When arithmetic operations attempt to create a numeric value that is too big for the available memory space.

Network Diagrams

When half of the office is unable to access a shared resource, this should be used to troubleshoot the issue.

Read only mode

When performing a forensics examination but the required hardware is missing. This will allow the examination have minimal impact on the potential evidence.

Utilization

When users are reporting extreme slowness across the network, utilization needs to review this first.

WPA

Wi-Fi Protected Access - a certification program to secure wireless networks. Uses a 4-way handshake. It is vulnerable to a dictionary attack which is collecting the personal data of the person and trying it out as passwords randomly

Spatial Streams

Wi-Fi Spatial streaming or multiplexing (often shortened to SM or SMX) is a transmission technique used in MIMO wireless communication to transmit independent and separately coded data signals, so called streams, from each of the multiple transmit antennas.

WPS

WiFi Protected Setup - where you sink the router to the computer or the printer using WPA2 personal shared encryption by pressing a button. Weakness only has 8 digit key and one of those digits is redundancy check for the other seven digits so too easy to crack. WPS capable access points can detect an attack and shut off. It's best to turn off WPS for security.

WAN

Wide Area Network - needs to have at least 1 LAN and two routers

WEP

Wired Equivalence Protocol. Wireless network encryption system. is vulnerable to man-in-the-middle attacks by NOT using end to end TLS encryption. uses 64bit or 128bit key. can be easily hacked

WAP

Wireless Access Point

WIDS

Wireless Intrusion Detection System - looks for things on the ISM bands 2.4gh and 5gh. -Monitors wireless radios - Watches for rogue access points - Knows MAC address of authorized equipment - Watch working protocol It can get expensive It will start with sensors outside the office that are listening for things that shouldn't be there.

WLAN

Wireless Local Area Network - is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building.

WORM

Write Once Read Many - log files archived

Forward Proxy Server

a box/piece of software running on a computer acts as an intermediary between two different devices having a session. It hides the clients from the server by forwarding the message to the server. ex. school forwards it to the proxy. It can block, ads or certain websites like young students going to an inappropriate website.

PuTTy

a client (software) that connects SSH

Light meter

a device to measure light intensity

frame

a digital data transmission unit in computer networking and telecommunication. In packet switched systems, a frame is a simple container for a single network packet. In other telecommunications systems, a frame is a repeating structure supporting time-division multiplexing.

Parity

a drive dedicated for it

Clean Glass

a fire suppression system that minimizes IT system recovery period in the event of a fire.

ip addr command

a linux IP command to get info on your computer

Keylogger

a malicious program that records keystrokes.

Extranet

a network configuration that allows selected outside organizations to access internal information systems

Intranet

a network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization

Typosquatting

a problem that occurs when someone registers purposely misspelled variations of well-known domain names

Trojan Horse

a program that appears desirable but actually contains something harmful in the background

Bot

a program that performs a repetitive task on a network. Robot

Thick/Fat client

a regular desktop computer or a router device that you have to configure by itself.

TCP/IP

a set of protocols for the transfer of data over the Internet.

Web of Trust

a simple trust model that relies on each user creating and signing their own certificate. It's not as popular because it requires a lot of maintenance

Correlation Engine

a software component used to collect and analyze event log data from various systems within the network by aggregating the data

Worm

a software program able to replicate itself without user interaction

Patch Management

a system which all workstations on the network will receive security updates on the same schedule.

Cross-Site Scripting (XSS)

a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites

Containers on VM's

a type of virtualization that allows for shared operating systems for more resource savings and faster execution. One OS and run applications that are isolated from each other.

Vishing

a voice-based phishing solicitations requesting information about you that is confidential

cPanel

a web based hosting control panel provided by many hosting providers to website owners allowing them to manage their websites from a web based interface. (n)

rogue access point

a wireless access point that gives unauthorized access to secure networks. Ex. employee brings in a router to get better signal

Unauthorized Access

access to computer without the consent of the owner

SNMPv2

added basic encryption and slightly more commands

TTP

adversary tactics, techniques and procedures - hackers use to crash the system

Clustering

allows an organization to group large numbers of servers together in order to deliver a common service but they have to update each other. It's expensive

MAC Filtering

an access control method where MAC address assigned to each network card is used to determine access to the network.

Correlation

analyze data and show the data in a way we can make sense of it. - Alerts for notifications if something goes bad triggering exceeding thresholds

static code analyzer

analyzes source code to detect unsafe conditions

Wet Pipe Sprinkler System

are designed for use in applications where the temperature is maintained above freezing. In such systems, the entire piping network is fully pressurized so that water is discharged from a sprinkler head immediately after actuation.

DoS (application/service attacks)

attacker keeps sending messages and the Apatche server responds but doesn't hear back

Social Engineering Principles

authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/liking, and trust

Differential backup

backup from the full backup

Benchmark

baseline values the system seeks to attain

Walk query (SNMPWalk)

batch of Gits

Link Key

bluetooth pairing creates a shared link key to encrypt the connection. ex. cell phone with car.

Windows Local Security Policy

built in policy in windows that you can set as an administrator

Clearing for data destruction

can be done with commands such as erase, format and delete. These methods are not final.

Mobile device management tools

can turn off cameras or voice off any mobile devices I own at once.

Server-side vs. client-side execution

client fills in personal info and server has to process it

Aggregation

collecting data and storing it.

Ethernet Patch Panel

collection of many wall ports on one panel, witch each of the ports connected via a patch cable to anther port elsewhere in the house.

CRC

colorectal cancer

Proprietary Sources

commercial service that you pay for

system failure

computer crashes

tracert

computer network diagnostic commands for displaying possible routes (paths) and measuring transit delays of packets across an Internet Protocol (IP) network. When a user cannot reach a particular website, this command would provide the Best information about the path taken across the network to this website.

Vulnerability

could be a code flaw, or firewall weakness

Elite Hacker

create their own tools to hack that people will use eventually to hack into systems. references the skill level of attacker

Bottleneck

data become limited due to insufficient computer or network resources.

Closed-Source threat intelligence

data taken from us using apps or websites

WIDS server

dedicated box to take information to log data of the WIDS intrusions. It will text you or email you of intrusions

weak configuration

default configuration ex. passwords

Cryptosystem

defines key properties, communication requirements for the key exchange and the actions taken through encryption and decryption process

Threat Hunting

detect presence of threats that have not been discovered by normal security monitoring -Establish a Hypothesis (who might harm us and how) -Profiling Threat Actors & Activities (what TTP's will they use and what their objectives are) ACTIONS: -Analyze network traffic -analyze the executable process list -analyze other infected hosts -identify how the malicious process was executed BENEFITS: -improve detection capabilities -integrate intelligence -reduce attack surface -block attack vectors -identify critical assets

VPN

directly connects into the network from a remote location, fully functional. Is much slower than being in the local area network.

Transparent Proxy

does not require any configuration on the user's computer

802.11 Infrastructure Mode

doesn't have any authentication or encryption

polymorphic virus

encrypted virus that changes itself every time it is executed by altering the decryption module to avoid detection

Streaming Ciphers

encrypts each bit at a time

Network event (logs)

event that deals with the communication between the host and something on the network

false positive

events that are mistakenly flagged and are not really events to be concerned about. This causes a significant administrative overhead because the reporting is what results in the false positives.

Non-network events (logs)

events that happen on a host even though it's not connected to a network

Amplification Attack

ex. Smurf Attack, one packet gets all computers to respond

Vulnerable business processes

ex. storing unnecessary customer info.

Biometrics

eye scan, finger print, facial recognition

nmap software

finds several networks/systems. Zenmap is the graphical version

multipartite virus

first it attaches itself to the boot sector and system files before attacking other files

RADIUS Server

for remote access ex. Open Radius brand, Steel Belted server, etc. Security Policy: Radius is used for network access, radius can use up to 4 different ports: 1812,1813,1645,1646

ELK software

free to help you gather data and show reports on data

RADIUS Client

gateway for separation

SFTP (Secure File Transfer Protocol)

great security runs on port 22

Threat Actors

hacker, hactivists, script kiddies, insider, competitors, shadow IT (unofficially adding hardware), criminal syndicates, state actors, advanced persistent threat (APT)

Patch graphic antenna

half of an omni directional antenna

Script Kiddie

has just enough knowledge to hack into a system, not as sophisticated as a hacker

Executive User

has read only privilege

Armored Virus

have a layer of protection to confuse a program or person analyzing it

redundancy

having a backup system. it helps to have them in different locations in case one office gets hit with a flood

Alternative Processing Sites

having separate sites for sale or other vendors

Armitage

helps run the framework of Metasploit framework

Steganography

hiding data within other data ex. hiding text in a photo using image steganography

Session Cookie

holds info like used name and password during a session

Network Topologies

how is the data moving around in a network

netstat -a

if anyone is listening regardless of an IP address, ex ports

Linux File Permissions

in the command prompt, there are permissions. ex. rwxrwxrwx. First 3 are for the creator/owner, next 3 are for the group, everyone else (dr means directory)

Microsoft Azure Cloud Security

included with microsoft, scans your computer and gives you a list to hard your computer

Improperly configured accounts

incorrect permissions having too much or too little permissions to configure stuff

Program Virus

infects an executable program file. every time you open word, it boots up

SSL accelerators/TLS accelerators

instantly encrypts & decrypts asymmetric encryption

Static host

intelligent device designed to do a specific task or process such as switch, router, printer that are single purpose devices that are network aware. Treat it like a regular host. if there are unique aspects then use Network Segmentation to help protect static hosts.

ipconfig command

internet protocol configuration that provides the IP address and ethernet details, and the -all options finds the MAC address. this command gives you info on your computer, quick snapshot of issues

Subnet Mask

is a 32-bit number created by setting host bits to all 0s and setting network bits to all 1s. In this way, the subnet mask separates the IP address into the network and host addresses. The "255" address is always assigned to a broadcast address, and the "0" address is always assigned to a network address.

ping command

is a DNS tool that resolves web addresses to an IP address.

Datagram

is a basic transfer unit associated with a packet-switched network. It's a PUD that is used by connectionless protocol across a packet-switched network.

Omni-directional

is a class of antenna which radiates equal radio power in all directions perpendicular to an axis (azimuthal directions), with power varying with angle to the axis (elevation angle), declining to zero on the axis.

PING

is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network.

Driver

is a computer program that operates or controls a particular type ... transitions usually impose a considerable performance overhead, thus making kernel-mode drivers preferred for low-latency networking.

MP4

is a digital multimedia container format most commonly used to store video and audio, but it can also be used to store other data such as subtitles and still images

Yagi

is a directional antenna consisting of two or more parallel resonant antenna elements in an end-fire array; these elements are most often metal rods acting as half-wave dipoles.

Botnet

is a number of Internet-connected devices, each of which is running one or more bots. It can be used for Distributed Denial-of-Service (DDoS) attacks, steal data, send spam.

Clickjacking

is a technique that tricks users into clicking on a malicious link by adding the link to a transparent layer over what appears to be a legitimate web page.

Patch Antenna

is a type of antenna with a low profile, which can be mounted on a surface, utilizes the 802.11ac standard that links two buildings in an office park.

T1 connection

is an Internet connection providing high speed T1 bandwidth of 1.544Mbps delivered over fiber optic or copper phone lines

Parabolic

is an antenna that uses a parabolic reflector, a curved surface with the cross-sectional shape of a parabola, to direct the radio waves. The most common form is shaped like a dish and is popularly called a dish antenna or parabolic dish.

Telnet

is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.

DTE

is an end instrument that converts user information into signals or reconverts received signals. These can also be called tail circuits. A DTE device communicates with the data circuit-terminating equipment (DCE). The DTE/DCE classification was introduced by IBM.

Crosstalk

is any phenomenon by which a signal transmitted on one circuit or channel of a transmission system creates an undesired effect in another circuit or channel.

Information classification training

is done by confidentiality and comprises of three categories, namely: public use, internal use and restricted use. Knowing these categories and how to handle data according to its category is essential in protecting the confidentiality of the data. Best suited for data owners who are concerned with protecting the confidentiality of their data.

Node

is either a redistribution point or a communication endpoint. The definition of a node depends on the network and protocol layer referred to. A physical network node is an electronic device that is attached to a network, and is capable of creating, receiving, or transmitting information over a communication channel.[1] A passive distribution point such as a distribution frame or patch panel is consequently not a node.

Multicast

is group communication where data transmission is addressed to a group of destination computers simultaneously. Multicast can be one-to-many or many-to-many distribution. Multicast should not be confused with physical layer point-to-multipoint communication

Modem

is short for "Modulator-Demodulator." It is a hardware component that allows a computer or another device, such as a router or switch, to connect to the Internet. It converts or "modulates" an analog signal from a telephone or cable wire to digital data (1s and 0s) that a computer can recognize

Cluster tip

is the last bit of a cluster not used by a file.

Streams

is the native framework in Unix System V for implementing character device drivers, network protocols, and inter-process communication. In this framework, a stream is a chain of coroutines that pass messages between a program and a device driver (or between a pair of programs).

Default Gateway

is the node in a computer network using the internet protocol suite that serves as the forwarding host (router) to other networks when no other route specification matches the destination IP address of a packet

Web content filtering

is the practice of blocking access to web content that may be deemed offensive, inappropriate, or even dangerous. It is implemented to reduce the occurrences of ransmoware.

Hashing

is the process of converting a given key into another value. A hash function is used to generate the new value according to a mathematical algorithm. The result of a hash function is known as a hash value or simply, a hash. ex. when you save your password on a computer it stores it as hash. It's also used in encryption

Polling

is the process where the computer or controlling device waits for an external device to check for its readiness or state, often with low-level hardware. . In other words, the computer waits until the device is ready.

Port Filtering

is when a router monitors the destination ports of the tcp/udp and/or other port-based network protocol packets that pass through it. with port filtering you can have the router block packets that are heading to a certain port or block some packets based on their content

Trap query

it notifies the computer if something is wrong with the device. ex. overheating

ANT

it's a standard, slow and well protected

Wireshark analyzer

lists packets and analyzes them.

Cookie Cadger

looking for cookies, catches them and does a replay attack with them when hacking the victim called Replay Attack

Social Engineering

manipulating someone to take certain action that may not be in that person's best interest, such as phishing email

MTTR

mean time to repair - how long with the part be down before it gets repaired

Continuous Access Monitoring

monitor what users are accessing on the computer/network

unidirectional

moving in only one direction

Halon

multi-purpose dry chemical used to put out fires-- can be used for all types of fires

NETbios

networked basic input/output system run on SMB (Service Message Block) port 445

netcat command

open and listen on ports and act as a client. use it as an aggressive action such as pen testing or vulnerability assessment

SNMP Community

organization of managed device

Reaver

part of Kali Lynux tool kit that guesses passwords

Organized Crime

part of a crime group that is well-funded and highly sophisticated

RADIUS Supplicant

person/system that is trying to get authenticated

decentralized organization

physically go to each computer to see logs

Reverse Proxy Server

placed in front of web servers, high security, handle DOS attack, load balancing, caching, encryption acceleration. It hides the server and can provide load balancing and catching for high activity pages.

POP

port 110

Segments

portion of a computer network

Information Security

protecting data

Information Systems Security

protecting the systems that hold the process our data ex. phone or computer

FM-200

put out fires in a server room

IPSec with L2TP protocol

puts a tunnel within a tunnel

Race Condition

results when several threads try to access and modify the same data concurrently

After Action Report

retrospective analysis used to evaluate emergency response drills

Metamorphic Virus

rewrites itself every time it infects a new file.

Man Trap

rotating door where only one can get inside at a time

Destroy

ruin the media that it's not functional. ex. burn it, pulping (soak in water), shredding, pulverizing

Automation

scanning that's repetitive and consistent. Then use a program that will do Template Restoration, Continuous monitoring, Automatic updates of systems, Monitoring application whitelists, Application Development,

TOR Browser

shows your connection bouncing around different networks and hides your origin location

Dipole

single level antenna that sends out signal for one level of office

Port Scanner/Network Scanner

sniffs out networks

Rootkit/Backdoor Malware

software that escalates privileges to execute other things on computer.

Printer Firmware

software update for a printer

rogue system

something a person can bring from home and plug in

SMishing (SMS Phishing)

spam through texts

Link Local Address (IPv6)

start with FE80

PKCS-12

stores the certificates and the private keys as a package

Host-based

system controlled by a central or main computer

Embedded Systems

system that never changes that has storage, in put/output, etc. They need patches and firewalls.

Typo Squatting

taking advantage of miss-typing up website

Token Ring

technology used to build local area network. It's looping several computers in a loop. It uses a three-bite token that is passed around a logical ring of workstations.

Packet Sniffing

the practice of gathering, collecting, and logging some or all packets that pass through a computer network, regardless of how the packet is addressed. In this way, every packet, or a defined subset of packets, may be gathered for further analysis.

Rogue Machine Detection

the process of detecting devices on the network that should not be there. If a user brings in a laptop and plugs it into the network, the laptop is a "rogue machine". The laptop could cause problems on the network. Any device on the network that should not be there is classed as rogue.

pre-ATT&CK

the reconnaissance and weaponization phases of the kill chain

Symmetric Encryption

the same key is used to encode and decode. It is the primary way we encrypt data. It's a Block Cipher. It needs key size (how long the key is), number of rounds (it goes through it's encryption) and the block size

memory manager

the section of the operating system responsible for controlling the use of memory. It checks the validity of each request for memory space and, if it's a legal request, allocates the amount needed to execute the job

Privilege Escalation (Elevation)

to get enough privilege in a domain

"Ping -t" command

to keep going and searching

Sniffer

type of software ex. pcap, it grabs all data that goes in and out of the application

Snapshots

typically used with virtual machines and are usually not stored on separate media

UTP cable

unshielded twisted-pair cable

Spam

unsolicited email

Phishing

unsolicited emails that request information from you

stress test

use a Sandbox to test code

Centralized Logging

use a central repository, use SNMP systems

CBC, CFC, OFB, CTR block modes

use an initialization vector, which ensures the output block is uniquely different.

Tailgating

used for someone being so close to you when you enter a building that they are able to come in right behind you without needing to use a key, a card, or any other security device.

Protocol Analyzer

used to capture and analyze network traffic between hosts on the same network segment

digg command

using linux to get info (instead of nslookup) but it allows for further functionality

Hypervisor

virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.

Wireless clients hardening

watch for unknown SSID (wireless named link)

Dry pipe system

water mist system uses automatic sprinklers attached to a piping system containing compressed air. ... Pressure drops in the piping network filled with compressed air. Dry pipe valve opens, and releases water to the sprinklers. Dry pipe systems are typically used in spaces subject to freezing.

Server-Side Request Forgery (SSRF)

web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing

hoax virus

website that tells you to call the help center to install antivirus on your computer. What mom had.

Cross-site request

when going to someone's website but info is pulled from a different site ex. MLS leads

Domain Hijacking

when you let your domain name expire and they take it over

Guest Network

will have a separate VLAN, designed and protected to isolate outsiders. There will be a firewall between that one and the main network.

Penetration Test

will try to grab the data Vulnerability is only checking on it. Get authorization, discover vulnerabilities, exploit vulnerabilities ex. grab user names and passwords, take data from database, corrupt webpage.

Wiping programs

will write 0's and 1's to destroy the data

TCP Dump

works on linux only in the command prompt. it catches all packets rather than wireshark missing some

Non-repudiation

you have proof that someone has taken an action