CompTIA Security+ 601 - Vocabulary
ANSI
(American National Standards Institute) - Organization that oversees the development of technology standards in the US.
ATM
(Asynchronous Transfer Mode) A telecommunications standard defined by ANSI and ITU for digital transmission of multiple types of traffic, including voice, data and video signals, in one network without the use of separate overlay networks.
BSSID
(Basic Service Set ID) The MAC address of a base station, used to identify it to host stations. The SSID is associated with the MAC address of a wireless access point, and that MAC address is known as the BSSID.
DMZ
(Demilitarized Zone) Two routers on the outside: one regular router and one gateway router, both with firewalls. This way we can insert servers between the two routers to secure them.
DNS
(Domain Name System) The Internet's system for converting alphabetic names into numeric IP addresses.
Open-Source Sources
(Explicit Knowledge) US-CERT, UK's NCSC, AT&T Security (OTX), MISP (Malware Information Source Project), VirusTotal, Spamhaus, SANS ISC Suspicious Domains. (Implicit Knowledge: from a professional who has been in the field for a while.)
FTP
(File Transfer Protocol) - A group of rules that govern how computers transfer files between systems over the internet (ports 20 and 21). It is not secure.
HTTPS
(Hypertext Transfer Protocol Secure) Provides a secure connection between a web browser and a server. Port 443.
ITU
(International Telecommunication Union) - Agency of the United Nations (UN) that coordinates telecommunication operations and services throughout the world.
IPSec
(Internet Protocol Security) - An integrity security mechanism that ensures that a sent message (packet) has been received intact by the intended receiver. - Uses IPSec for tunneling and encrypting - UDP ports 500 and 4500 - Great for IPv6
IP
(Internet Protocol) - A numeric label assigned to each device connected to a computer network.
LDAP
(Lightweight Directory Access Protocol) An open and cross-platform protocol used for directory services authentication. LDAP provides the communication language that applications use to talk to directory services servers. Port 389.
LAN
(Local Area Network) - A collection of devices connected together in one physical location, such as a building, office or home. It can range from a small home network to an enterprise of thousands of users in an office or school.
MAC
(Media Access Control) Address assigned to a NIC (Network Interface Controller) by the manufacturer; also known as the burned-in address, Ethernet hardware address, hardware address, or physical address.
NAT
(Network Address Translation) - Translates the IP addresses of multiple computers to a single IP address. This address is often the one used by the router that connects the computers to the Internet.
NIC
(Network Interface Controller) - also known as network adapter, LAN adapter, network interface card, or physical network interface. It's a computer hardware component that connects a computer to a computer network.
NTP
(Network Time Protocol) - Used for clock synchronization.
Port 5004
(RTP) Real-time Transport Protocol (TCP/UDP)
RTP
(Real-Time Payments) - A system from The Clearing House, the first new core payments infrastructure in the US. Available to financial institutions that hold 70% of US demand deposit accounts (DDAs).
RAS
(Remote Access Server) - A server that authenticates remote users before they gain access to corporate network resources when working from home. Provides a suite of services to remotely connected users over a network or the internet.
RSA
(Rivest-Shamir-Adleman) An asymmetric algorithm, so it has a private key and a public key. The oldest, dating from 1977.
RIP
(Routing Information Protocol) - Operates at Layer 3 of the OSI model and determines the path to a different network.
SHA-1
(Secure Hash Algorithms) - A family of cryptographic functions designed to keep data secure by transforming it using a hash function.
SSH
(Secure Shell Protocol) - Establishes a secure tunnel over an unsecured network. Port 22.
SIP
(Session Initiation Protocol) - Signaling protocol used for initiating, maintaining, modifying and terminating real-time sessions that involve video, voice, messaging and other communications applications and services between two or more endpoints on IP networks.
SMTP
(Simple Mail Transfer Protocol) - Used for electronic mail transmission. Port 25.
STP (switch)
(Spanning Tree Protocol) - Builds a loop-free logical topology for Ethernet networks. Its basic function is to prevent bridge loops.
TCP
(Transmission Control Protocol) - A standard for maintaining a network conversation. Uses the three-way handshake. Connection-oriented and sends lots of packets.
VLAN
(Virtual Local Area Network) - A broadcast domain that provides Layer 2 separation of networks. VLANs are set up in routers and switches. A network can be separated into different zones, e.g. one per department.
NSLOOKUP
(From "name server lookup") A network administration command-line tool for querying the Domain Name System (DNS) to obtain domain name or IP address mappings, or other DNS records.
Netstat
(Network statistics) A command-line network utility that displays network connections for Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics.
SOHO network
(small office home office network) A network that provides connectivity and resource sharing for a small office or home office.
tracert command
(traceroute) Can help see what routers are being hit, both internal and external.
Memory/Buffer Vulnerability
*Memory Leak:* - Unused memory is not properly released - The process slowly grows in size - Eventually uses all available memory - System crashes *Integer Overflow:* - A huge number is placed in a small allocation *Buffer Overflow:* - Overwriting a buffer of memory - Spills over into other memory areas *NULL Pointer Dereference:* - A programming technique that references a portion of memory - What happens if that reference points to nothing? - Application crash, debug information displayed (DoS) *DLL Injection:* - Attackers don't write the application - They write an external library and manipulate the OS or application into running the library
Forensic Data Acquisition
- Capture the system image - Network traffic and logs - Capture video - Take hashes - Take screenshots - Interview witnesses - Track man-hours
Static Hosts Hardening
- Change default passwords - Turn off unnecessary services - Monitor security and firmware updates
Mobile Device Management (MDM)
- Content Management: application management, databases - Geolocation: knows the location of the device - Geofencing: geolocation with a geographic trigger - Push notification services - Passwords and PINs - Biometrics - Screen locks - Remote wipe - Context-aware authentication: where are they right now, what time of day is it - Storage segmentation
Data Security
- Data integrity - Speed/quick access - High availability: use RAID to secure data, which is cheaper.
Chain of Custody Process
- Define the evidence - Document collection method - Date/time collected - Person(s) handling the evidence - Function of person handling evidence - All locations of the evidence
Physical Controls
- Deterrent Physical Controls: lighting, signage, security guards - Preventative Physical Controls: fences, barricades, K-rated fences (stop vehicles at 30 mph), mantraps - Cabling systems: air gaps between cables, safes, locked cabinets, Faraday cages, locks with key management, cable locks, screen filters - Detective Physical Controls: alarms, cameras, motion detectors, log files - Compensating & corrective controls: having a guard stationed there while the fence is fixed
Host Hardening
- Disable unnecessary services - Change default passwords on small devices such as thermostats, lights and cameras - Disable unnecessary user accounts on the network to limit user privileges - Patch management: monitor, test, evaluate, deploy the patch, document - Anti-malware: training for users, procedures, monitoring, intrusion detection systems (IDS), third-party anti-malware tools - Host firewalls: run on an application-level basis, whitelist or blacklist applications
Contingency Planning
- Disaster Recovery - Business Continuity - Distance & Location - Legal Issues
Data Roles
- Owner: legal responsibility, e.g. the corporation - Steward/Custodian: maintains the accuracy and integrity of the data - Privacy Officer: ensures data handling adheres to privacy policies and procedures
Order of Restoration
- Power - Wired LAN - ISP link - Active Directory/DNS/DHCP servers - Accounting servers - Sales & accounting workstations - Video production servers - Wireless - Peripherals (printers)
VPN Setup Steps
- A protocol to set up the tunnel - A protocol to handle authentication and encryption
Memorandum of Understanding (MOU)
- Purpose of the interconnection - Relevant authorities - Specify the responsibilities: downtime, billing - Define the terms of the agreement: cost - Termination/authorization
Hardening 802.11 Networks
- Survey installation issues: survey tools, hardware or software - Maintain existing wireless networks - Monitor wireless networks - Define how to defend wireless clients
OpenVPN
- Unique tunnel - Encryption based on the SSL/TLS protocol - TCP port 1194, but it can be changed easily
Protecting Our Assets
- Use secure protocols on unsecure networks - Use HTTPS on websites that collect information - Use a VPN in non-secure environments
User Roles
- Users: assigned permissions to complete tasks - Privileged users: increased access and control relative to a user - Executive users: set policy on data and incident response actions.
Compiled vs. runtime code
- Compiled: you write code and it goes through a compiler before it executes. - Runtime: the code is interpreted by the client that is using it, e.g. JavaScript read by a browser on a website.
Virtualization Hardening
- Remove remnant data - Make good policies - Define user privileges - Patch everything - Cloud Access Security Broker (CASB): a device that sits between the cloud and your VMs
Secure DevOps
- Security automation tools: always look for vulnerabilities - Change management/version control: organization, authorization, documentation, continuous integration - Baselining: security objectives, encryption, input validation - Consider immutable systems: interchangeable parts, embedded devices, virtual machines - Infrastructure as code: create present definition files
Physical Risk Vectors
- Access control vestibules (mantraps) - Server room access locks
Virus characteristics
- Attach to other files - Propagate - Spread to other devices - Active
Threat intelligence sources
- Closed/proprietary - File/code repositories, e.g. GitHub - Vulnerability databases, e.g. Common Vulnerabilities and Exposures (CVEs) - Dark web/dark net
Risk Vector
- Mission-critical IT systems, e.g. payment processing, human resources, emergency (911) - Sensitive data, e.g. do we know what we have and where it is? - Third-party access
Hackers
- White Hat (non-malicious, pen testers, hired by the company) - Black Hat (malicious intent) - Gray Hat (try to hack in to see if they can do it) - Blue Hat (freelance hacker)
White, Black, Grey Hats
- White Hats: operate with permission and good intent. - Black Hats: operate illegally with malicious intent. - Grey Hats: operate without permission but with good intent.
Offboarding
- Disable accounts - Return credentials - Exit interview - Knowledge transfer
Disabling ports (Securing SOHO Network)
- Disable physical ports • e.g. in conference rooms or break rooms - Administratively disable unused ports, which prevents someone from going into a wiring closet and connecting to the network • More to maintain, but more secure - Network Access Control (NAC) • 802.1X controls • You can't communicate unless you are authenticated
Threat Intelligence
- Facilitates risk management - Hardening can reduce incident response time - Provides cybersecurity insight
Cryptography components
1) Algorithm 2) Key for encryption
Attack Model
1) White box: attackers have extensive knowledge about the target; more likely trusted insiders; cheapest and fastest. 2) Black box: attackers know nothing about the target; attackers are more like strangers; external hacking; potentially expensive and slow. 3) Gray box: we may know where the server is but don't know the passwords.
DES
168-Bit
TCP Model
4. Application - email, FTP, telnet 3. Transport - does assembly and disassembly 2. Internet - IP addresses, routers 1. Network Interface - physical cables, MAC addresses, network cards
OSI Model
7. Application - the smarts in the applications that allow us to see other applications such as Word and Excel 6. Presentation - converts data so you can see it in applications such as Word and Excel 5. Session - deciding if it's an email, folder or website 4. Transport - data gets disassembled into and reassembled from packets 3. Network - logical layer with routers for IP addresses 2. Data Link - network cards, switches 1. Physical - cables
CNAME
A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) that maps one domain name (an alias) to another (the canonical name).
PTR
A DNS pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of the 'A' record, which provides the IP address associated with a domain name. DNS PTR records are used in reverse DNS lookups.
hosted applications
A category of cloud computing in which a customer pays for the use of applications that run on a service provider's network; also called software as a service (SaaS).
CPU
A central processing unit (CPU), also called a central processor, main processor or just processor, is the electronic circuitry that executes the instructions comprising a computer program. It is the brain of the computer.
Dynamic Code Analysis
A code analysis that is done using a running application
Cluster
A computer hard disk is divided into small segments called clusters.
logic bomb
A computer program or part of a program that lies dormant until it is triggered by a specific logical event.
VPN Tunnel
A connection over the Internet between a client and a server; the VPN tunnel enables the client to access remote resources as if they were local, securely.
NoSQL
A database that provides a mechanism for storage and retrieval of data. NoSQL databases are document, key-value, graph or wide-column stores. Different types of graphics. It is a non-relational database and does not use SQL. It is therefore not vulnerable to SQL injection attacks, but it is vulnerable to similar injection-type attacks.
TwoFish
A derivation of the Blowfish algorithm that is considered to be strong.
Agile Model
A development model that emphasizes continuous feedback and cross-functional teamwork (vs. the waterfall model). It is a code development framework.
Media Converter
A device that enables networks or segments using different media to interconnect and exchange signals; it easily connects two different types of networks or devices. While connecting copper and fiber networks is the common application, fiber media converters also enable users to join two multimode networks or link multimode to single mode for longer data transmission distances.
Hot site
A disaster recovery site that can get a business up and running right away. It is the most expensive option but has the shortest recovery time.
rubber duck
A disguised USB device used to steal data, run scripts, emulate, etc. upon insertion.
Shimming
A driver manipulation method. It uses additional code to modify the behavior of a driver.
Spam Filter
A filter that is used to detect unsolicited and unwanted email. It looks for certain criteria on which it bases judgment.
MITRE ATT&CK Framework
A knowledge base and framework of different attack techniques to understand and defend against an attacker.
Third Party Libraries
A library where the code is not maintained in-house.
Cloud Controls Matrix (CCM)
A list of security controls and principles appropriate for the cloud environment, cross-referenced to other control frameworks such as COBIT, ISO standards, and NIST pubs.
MX
A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. It is a resource record in the Domain Name System (DNS).
Watering Hole Attack
A malicious attack that is directed toward a small group of specific individuals who visit the same website.
Splunk software
A market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on.
Multimeter
A measuring instrument for current, voltage, and resistance
RAID-6: Dual parity
A method of protecting against multiple storage drive failures by creating two sets of parity data on an array of hard disks. Six total drives, five actual data drives. The drives are striped with parity interleaved to optimize performance.
Framework
A methodology or a process that helps you organize risk management
Kill Chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion: Reconnaissance (methods of getting to know the target network), Weaponization (add code), Delivery (email, drive), Exploitation (execution, e.g. via email), Installation (run a remote control), Command & Control (C2) (establish an outbound server connection), Actions on Objectives (do what they want to do).
Nessus
A network-vulnerability scanner available from Tenable Network Security.
Cloud Security Alliance (CSA)
A nonprofit organization with a mission to promote best practices for using cloud computing securely.
Key Stretching
A password hashing algorithm that requires significantly more time than standard hashing algorithms to create the digest. Techniques include PBKDF2 and bcrypt.
Network Tap
A physical device that allows you to intercept the traffic between two points on the network
Web Proxy Server
A piece of software installed on a system that is designed to intercept all traffic between the local web browser and the web server.
802.1x
A port-based authentication protocol. Makes a strong, robust network.
Secure Boot
A process that checks and validates system files during the boot process. A TPM typically uses a secure boot process.
Honeypot
A security tool used to lure attackers away from the actual network. A decoy.
Waterfall Model
A series of steps in which a software system trickles down from analysis to design to implementation (vs. the agile model).
Proxies/Proxy Server
A server application or appliance that acts as an intermediary for requests from clients seeking resources from other servers that provide those resources. Also used to log all user internet activity when configured to log all web traffic to a syslog server.
Broadcast Domain
A set of all devices that receive broadcast frames originating from any device within the set. Devices in the same VLAN are in the same broadcast domain.
Sprint
A set period of time, normally two to four weeks, during which specific work must be completed and made ready for review when using Scrum methods.
Remote Access VPN
A single computer that is trying to connect to a home network.
Layer 3 switch
A switch capable of interpreting Layer 3 data. It works much like a router in that it supports the same routing protocols and makes routing decisions. It can segment the network into multiple broadcast domains.
Buffer Overflow
A technique for crashing a system by sending too much data to a buffer in the computer's memory. Defense example: an application developer implements error and exception handling alongside input validation. An example of an attack in progress: a customer tries to download a PDF document and gets a message that the application has encountered an unexpected issue and must be shut down.
Spyware
A type of Malware that locates and saves data from users without them knowing about it.
Cat5 cable
A type of UTP cable that can carry data at up to 100 Mbps.
Layer 2 switch
A type of switch that switches packets based on the MAC address. Layer 2 (Data Link layer) switching is the process of using devices' MAC addresses to decide where to forward frames. Switches and bridges are used for Layer 2 switching. They break up one large collision domain into multiple smaller ones. In a typical LAN, all hosts are connected to one central device.
Zero-day exploit
A vulnerability that is exploited before the software creator/vendor is even aware of its existence.
System Sprawl
A vulnerability that occurs when an organization has more systems than it needs and the systems it owns are underutilized. Compare with VM sprawl.
PKCS-7
A way to store certificates as individual files.
Evil Twin
A wireless network router with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.
802.11i
A wireless standard that added security features.
Thin client
AP hardware mounted on the ceiling
AUP
Acceptable Use Policy - Defines what a person can or cannot do when using company assets.
Bluesnarfing Attack
Accessing a Bluetooth-enabled device and transferring data from it.
ACL
Access control list. A list of rules used to grant access to a resource; defines how to get access to data and resources, e.g. how fobs or smart cards are used.
Proper input validation
Accounting for errors such as incorrect user input.
Log events on shared applications/resources
Activity on web servers, activity on a firewall
Scalability
Add extra servers if you need them for higher demand traffic, e.g. selling concert tickets.
Injection Attack
Adding something into an application that makes it do harmful things, e.g. code injection, command injection.
ARP
Address Resolution Protocol - A communication protocol that lets us resolve an Ethernet MAC address from an IP address.
ARP spoofing
Address Resolution Protocol spoofing - A type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer. ARP spoofing can enable malicious parties to intercept, modify or even stop data in transit.
AES cipher
Advanced Encryption Standard. Came after DES and is still considered un-hackable. It uses the same key to encrypt and decrypt. It is a block cipher with a 128-bit block size; 10, 12 or 14 rounds; key sizes of 128, 192 or 256 bits. Automatically used in WPA2.
APT
Advanced Persistent Threat - Highly trained and funded groups of hackers that get into a system and stay there, mostly to gain government intelligence.
Threat
Adversarial: a hacker or someone doing intentional harm. Accidental: a user reformats a hard drive with a lot of data on it. Structural: the power supply on a router dies; equipment or software failure. Environmental: fires, earthquakes.
TTP
Adversary Tactics, Techniques and Procedures, used as a threat intelligence source.
Aircrack-ng
Aircrack-ng can be used to grab WEP keys. Uses the airmon-ng command at the command prompt.
Port 5060
Allowed to provide access to certain VoIP applications.
USB OTG (USB on the go)
Allows other USB devices to connect to a smartphone and pass information between the two devices.
RAID 01 (0+1)
Also called a nested RAID. Minimum of 4 drives. Described as two striped sets of mirrored drives.
ESP
An Encapsulating Security Payload (ESP) is a protocol within IPSec that provides authentication, integrity and confidentiality for network packet data/payloads.
Authentication Header (AH)
An IPSec component that provides integrity.
IPS
An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability
SNMP Walk
An SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.
Downgrade Attack
An attack in which the system is forced to abandon the current higher security mode of operation and fall back to implementing an older and less secure mode.
Brute force attack
An attack on passwords or encryption that tries every possible password or encryption key.
Session Hijacking
An attack that attempts to impersonate a user by capturing and using a session ID. Session IDs are stored in cookies.
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.
SSL Stripping
An attack that focuses on stripping the security from HTTPS-enabled websites. Also known as a replay attack.
XML injection
An attack that injects XML tags and data into a database.
cross-site request forgery (XSRF)
An attack that uses the user's Web browser settings to impersonate the user.
Replay Attack
An attack where the data is captured and replayed. Attackers typically modify the data before replaying it.
802.1x authentication
An authentication standard that uses username/passwords, certificates, or devices such as smart cards to authenticate clients.
tone generator
An electronic device that sends an electrical signal through one set of UTP cables.
FTPS (File Transfer Protocol Secure)
An extension of FTP that uses SSL or TLS to encrypt FTP traffic. Some implementations of FTPS use ports 20 and 21.
Split Horizon DNS
An implementation of DNS where internal and external DNS queries are handled by different DNS servers or by a single DNS server that is specially configured to keep internal and external DNS zones separate. Example: Only users outside the internal network can reach the site.
Misconfiguration
An incorrectly configured device.
Application Whitelisting
An inventory of applications that have been pre-approved and authorized to be active and present on the device.
ALE
Annualized Loss Expectancy = SLE x ARO
ARO
Annualized Rate of Occurrence - How often an incident (flood or fire) happens annually.
hardware root of trust
Anyone who wants to inject anything into the system has to have a certificate.
Wireshark
Application that captures and analyzes network packets.
data sensitivity labeling
Applying the correct category to data to ensure proper data handling. 1) Public data: no restrictions. 2) Confidential data: limited to authorized viewing as agreed on by the parties involved. 3) Private: limited to the individual with whom the information is shared; PII (Personally Identifiable Information). 4) Proprietary: like private but at the corporate level. 5) PHI (Protected Health Information): HIPAA.
Risk Management
Assets, likelihood, threat actors.
Dictionary attack
Attempt to break a password by trying all possible words.
Intrusive Vulnerability Scan
Attempts to actually penetrate the system to perform a simulated attack. A non-intrusive scan does not do anything to the system.
Rainbow Table Attack
Attempts to discover the password from the hash.
802.1X
Authentication standard that allows us to make connections between a client and the network. The client goes through a physical authenticator, which then connects to an authentication server, which uses RADIUS.
AAA
Authentication, Authorization (granting access) and Accounting (tracking of data).
AIS
Automated Indicator Sharing - The exchange of cybersecurity intelligence (CI) between entities.
Onboarding
Background check of the person, signing an NDA, SOPs, rules and behaviors.
Incremental backup
Backup that copies only the changed data since the last backup.
BOOTP
Bootstrap Protocol - A computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server. BOOTP was originally defined in RFC 951.
BYOD
Bring Your Own Device - A service agreement that makes it possible for users to freely use their personal devices to access a corporate or campus network.
BIA: basic theory
Business Impact Analysis: - Determine mission processes - Identification of critical systems - Single points of failure - Identify resource requirements - Identify recovery priorities
BPA
Business Partners Agreement. - Primary entities - Time frame - Financial issues - Management
Mobile Deployment Options
COBO - Corporate owned, business only: company-owned devices; the company decides what to do with the device, what encryption is used and what applications are on it. COPE - Corporate owned, personally enabled: everyone has the same device; learning curve. CYOD - Choose your own device: users get to choose their device. BYOD - Bring your own device: very heavy device management.
Band selection/width
Can choose between 2.4 GHz and 5 GHz depending on which 802.11 protocol is being used.
netstat command
Can show what hosts are connected to you and all ports that are open, to see which ports are listening. Used to find out who you are talking to and who is listening to you.
Wireless Networks
You can plug a wireless access point (WAP) into a switch; the WAP then broadcasts SSIDs (Service Set Identifiers), which identify the Wi-Fi name when searching for wireless networks.
CIS
Center for Internet Security standards
CA
Certificate Authority (e.g. GoDaddy) - An entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made with the private key that corresponds to the certified public key. A root certificate is part of a public key infrastructure (PKI) scheme.
CRL
Certificate Revocation List - When employees who use certificates leave the company, their certificates should be added to this list. It is comprised of public keys. Starting to fade in favor of OCSP.
CA Certificate
Certification Authority - Issues digital certificates. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are at their level in the hierarchy and none that aren't.
chmod
Change Mode - A command-line command that changes permissions. The old way uses bits and bytes with 0s and 1s. There is a diagram. chmod and passwd both require the sudo user.
CSU/DSU
Channel Service Unit/Data Service Unit - A device used to connect data terminal equipment (DTE), such as a router, to a digital circuit, such as a Digital Signal 1 (DS1) T1 line.
File integrity check (FIC)
Checks that a file is in good order and ready to run: not corrupted and virus-free.
CBC
Cipher Block Chaining
fire extinguisher
Class A - wood; Class B - liquids and gases; Class C - energized electrical equipment; Class D - combustible metals; Class K - kitchen oils
Hybrid attack
Combination of dictionary and brute-force attacks.
Remote Shell (RSH)
Command-line program that executes shell commands across a network in an unsecured manner, through Telnet on port 23.
CLF
Common Log Format - A standard type of log that every web server generates.
CVE
Common Vulnerabilities and Exposures - Uniquely numbered and internationally identified threats (CVE website).
CAPTCHA
Completely Automated Public Turing Test To Tell Computers and Humans Apart
Security Policy
Complexity - length and character requirements; Expiration - reset and time triggers; Password History - re-usage and retention
CIRT
Computer (Cyber) Incident Response Team, which includes the IT security team, the IT department, Human Resources, Legal and PR.
CERT
Computer Emergency Response Team
CIA Triad
Confidentiality (encrypting with public and private keys), Integrity (no modifications were made without authority), Availability (data is stored and protected). Also included are Auditing & Accountability and Non-Repudiation (one can't deny having made some form of communication).
Physical Security Controls
Control actions in the real world, such as gates, guards, keys and mantraps.
Administrative Security Control/Management Control
Control actions towards IT security, such as laws, policies, guidelines and best practices. Controls what people do.
Technical Security Control
Controls enforced by IT systems for IT security, such as firewalls, passwords, authentication and encryption
Caesar Cipher
Converts plaintext into ciphertext when encrypting
Port Mirroring/Spanning
Copies the traffic from one, a group, or all ports to a single port and disallows bidirectional traffic on that port. Used to view traffic on other ports in a switched environment.
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
CCM mode
Counter with Cipher Block Chaining Message Authentication Code. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality.
XSS
Cross Site Scripting - a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
XSRF
Cross-Site Request Forgery - a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. ex. you receive a message from a website saying that you made a purchase.
Data Sensitivity and Classification Policies
Data classification defines the importance or nature of the data
DES
Data Encryption Standard - symmetric-key algorithm for encryption. It's a Block Cipher, 64-bit Block Size, 16 rounds and Key Size is 56-bit
DEP
Data Execution Prevention. A security feature in some operating systems. It helps prevent an application or service from executing code from a nonexecutable memory region
Data at rest
Data stored on the hard drive or on a thumb drive
system administrator
Day-to-day administration of a system; implements security controls
DBI
Decibels-isotropic. Identifies the gain of an antenna and is commonly used with omnidirectional antennas. It references an isotropic antenna that can theoretically transmit the signal equally in all directions. Higher numbers indicate the antenna can transmit and receive over greater distances.
Network Baseline
Defines a point of reference for measuring network performance when problems begin to occur on the network. ex. a technician notices that the network traffic to one of the servers is extremely high.
X.509 standard
Defines specific items that must be part of any certificate for use on the Internet.
Data owner
Defines the sensitivity of the data; defines the protection of the data; works with the system owner to protect data; defines access to the data
purge
A degausser is a massive magnet that wipes the hard drive but destroys the drive itself
DoS
Denial-of-Service Attack: volume attack, protocol attack, application attack
deauthentication attack
Denial-of-service (DoS) strike that disconnects a wireless host from WAP, so that the victim is forced to reconnect and exchange the wireless key multiple times; an attacker can then perform an offline brute-force cracking of the password.
Antivirus
Designed to detect and destroy computer viruses.
Security Control Functions
Deterrent: deters the actor from attempting the threat; Preventative: stops the actor from performing the threat; Detective: recognizes an actor's threat; Corrective: mitigates the impact of a manifested threat; Compensating: provides alternative fixes to any of the above functions
Port Scanner
Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. ex. during a security assessment, an administrator wishes to see which services are running on a remote server.
Digital Certificate
Digital signatures are used to validate the integrity of the message and the sender. Digital certificates relate to cryptography, which is mainly concerned with Confidentiality, Integrity, Authentication, Nonrepudiation and Access Control. Nonrepudiation prevents one party from denying actions they carried out. It has the public key, the 3rd-party key and the other person's private key. Includes at least one public key and one digital signature.
DAC
Discretionary Access Control - the owner of the data defines access (e.g. the security team)
DDoS Attack
Distributed Denial of Service Attack. Typically a virus installed on many computers (thousands) activates at the same time and floods a target with traffic to the point that the server becomes overwhelmed.
DDS
Distributed Denial-of-Service attack
Separation of Duties
Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.
DNS
Domain Name System - The internet's system for converting alphabetical names into numeric IP addresses. port 53
DNSSEC
Domain Name System Security Extension - an authentication mechanism, not encryption, used to verify the private key; popular on DNS servers.
Sideloading
Downloading an app from an unofficial third-party website.
BitLocker Drive Encryption
Drive encryption software offered in high-end versions of Windows. BitLocker requires a special chip to validate hardware status and to ensure that the computer hasn't been hacked.
DHCP
Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more. Ports 67 & 68
EAP-FAST
EAP-Flexible Authentication via Secure Tunneling (EAP-FAST). A Cisco-designed replacement for Lightweight EAP (LEAP). EAP-FAST supports certificates, but they are optional.
EAP-PSK
EAP-PSK (pre-shared key) uses pre-determined symmetric keys, similar to WPA and WPA2. The most popular form of authentication used in wireless networks.
Mitigation
Effort to reduce the impact of risk
EMI
Electromagnetic Interference; occurs when two signals in close proximity interfere with each other
ECB block encryption mode
Electronic Code Book - no longer used. Identical input blocks produce identical output blocks, which leaves a pattern in the ciphertext.
ESD
Electrostatic discharge (ESD) is the sudden flow of electricity between two electrically charged objects caused by contact, an electrical short, or dielectric breakdown.
ECC
Elliptic Curve Cryptography. Used when minimal overhead is necessary, e.g. for a mobile device. It is the most suitable PKC (public-key cryptography) to use in a constrained environment. An asymmetric algorithm. Shorter keys than RSA and faster
Macro Virus
Embedded into a document and executed when the document is opened by the user, ex. a Word doc or Excel spreadsheet
Dark Web/Dark Net
Encrypted anonymous connections over the Tor network/Tor web browser. Lets you reach websites that are not indexed by search engines. It hides your IP address
Symmetric Block Modes
Encrypting with the same key over and over again, so that you can still make out the photo or voice message even though it has been encrypted
Algorithm
Encryption standards that everyone needs to understand; they require a key that has to be kept secret
Tunnel Mode (IPSec)
Encrypts the entire IP packet used in the internal network, and is the mode used with VPN's transmitted over the internet.
Disk encryption
Encrypts the entire contents of a hard drive.
ERM software
Enterprise Risk Management Software - helps businesses identify and monitor financial, strategic and operational risks.
broadcast storm
Excessive amounts of broadcasts
XOR Encryption
Exclusive OR
ESSID
Extended Service Set Identifier
EAP
Extensible Authentication Protocol - came after PPP; designed to handle authentication
EAP-TLS
Extensible Authentication Protocol-Transport Layer Security - can handle an entire TLS exchange; needs server and client certificates
EAP-TTLS
Extensible Authentication Protocol-Tunneled Transport Layer Security - uses the TLS exchange method; only the server has a certificate
XML
Extensible Markup Language - a set of codes, or tags, that describes the text in a digital document. The most famous markup language is hypertext markup language (HTML), which is used to format Web pages.
Port 20
FTP Data Transfer. ex. when downloading a file from a remote FTP server, an error is received that a connection cannot be opened: check whether port 20 is open.
RAID 5 - Striping with Parity
File blocks are striped along with a parity block. This requires at least three disks. Efficient use of disk space, as files aren't duplicated, but space is still used for parity. High redundancy: data is available after a drive failure, but the parity calculation may affect performance.
Router / Layer-3 Switch
Filter and Forward based on IP address. They have their own firewall.
Site Survey Tools
Find SSIDs, MAC addresses, bands, channels and signal strength for 802.11
Firesheep
Firesheep is a free, open-source Firefox browser extension introduced in late 2010
DevOps
For Code: Plan, Create, Verify, Package, Release, Configure, Monitor
FDE
Full Disk Encryption - ex. BitLocker, the built-in Windows drive encryption utility. You must have the recovery key to access the data.
Full Tunneling
Full tunnel is when all traffic goes through the home office router, then on to Google, and back the same way.
GDPR
General Data Protection Regulation - protects EU citizens' private data
Unsigned Certificate
Generating my own certificate without a 3rd-party signature
GRE
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol network. It encapsulates protocols such as IPX and WAN protocols.
GPS Tracking
Global Positioning System - When focus is on equipment recovery, this is used when there are concerns that employees will lose their company provided smartphones.
Maintenance of 802.11
Good documentation: SSIDs, MAC addresses associated with WAPs, AP locations, heatmaps. Good practice: AP isolation enabled
GPO
Group Policy Objects - policies that we can apply to domains, individual sites, groups and organizational units, or to an entire directory
Port 80
HTTP (Hypertext Transfer Protocol)
HSTS
HTTP Strict Transport Security - browsers are required to switch to HTTPS instead of HTTP
Hacktivists
Hackers who are driven by a cause like social change, political agendas, or terrorism
Network Events for logs
Happen between a host and the network
HSM
Hardware Security Module. A hardware card
Asset
Hardware, data, employee or company reputation, services
SNMPv1
Has a limited command set and no encryption
HMAC
Hashed Message Authentication Code - provides message integrity; requires each side of the conversation to have the same key. It has an AH first, then TCP, then DATA, then the IP address.
Credentialed Vulnerability Assessment
Having user names and passwords. Non-credentialed is without user names and passwords
HIPAA
Health Insurance Portability and Accountability Act
HVAC
Heating, Ventilation and Air Conditioning
Loopback adapter
Helps to verify the configuration of the router. Plugs into a port and crosses over the transmit line to the receive line so that outgoing signals can be redirected into the computer for testing. It is required if you are installing on a non-networked computer, to connect the computer to a network after the installation. When you install a loopback adapter, it assigns a local IP address for your computer
HBA
Host Bus Adapter - looks like a network card and costs a couple thousand to buy
HIPS
Host-based Intrusion Prevention System - an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host
HTTP
Hypertext Transfer Protocol - an application-layer protocol for transmitting hypermedia documents, such as HTML. Designed for communication between web browsers and web servers. Uses port 80 for unsecured websites
IRP
Identity Registration Protocol
Key Escrow
If a key needs to be recovered for legal purposes, the key escrow can be used. Key escrow addresses the possibility that a third party, such as the government, may need to access keys.
Recovery Agent
If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key.
Crypto-erase
Erasing an encrypted hard drive by destroying its keys, leaving the data unrecoverable without them
Implicit Deny
Implicit deny says that if you aren't explicitly granted access or privileges for a resource, you're denied access by default. ex. users report that they are unable to access network printing services.
Transport Mode
In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.
encapsulation
In computer networking, encapsulation is a method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher-level objects
MIMO (multiple input-multiple output)
In the context of 802.11n wireless networking, the ability for access points to issue multiple signals to stations, thereby multiplying the signal's strength and increasing their range and data-carrying capacity. Because the signals follow multipath propagation, they must be phase-adjusted when they reach their destination.
Session Key
In-band - sending the key with the encrypted data. Out-of-band - not providing the key with the encrypted data.
Script Kiddies
Individuals with very little skill who want to break into computers to cause damage using simple scripts. They are easily blocked
ICS
Industrial Control Systems - HVAC
IaaS
Infrastructure as a Service. A cloud computing technology useful for heavily utilized systems and networks. Organizations can limit their hardware footprint and personnel costs by renting access to hardware such as servers. Compare to PaaS and SaaS.
Tarpitting
Intentionally slowing down the server conversation for spam emails
Network Sniffing
Intercepting packets on a wireless or wired network and viewing their contents; the process of capturing and analyzing the packets sent between systems on the network. A network sniffer is also known as a protocol analyzer.
ISA
Interconnection Security Agreement, taken from NIST 800-47. Statement of requirements: why are we interconnecting, who is interconnecting. System security considerations: what information is interconnecting, where the information is going, what services are involved, what encryption is needed. Topological drawing. Signature authority.
Data Users
Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations.
ISO/IEC
International Organization for Standardization/International Electrotechnical Commission
IMAP
Internet Message Access Protocol - mail; uses port 143
IPVPN
Internet Protocol Virtual Private Network - is separated from the public internet, travelling via a private connection to each remote site.
ISAKMP
Internet Security Association and Key Management Protocol - used between two hosts that want to talk IPSec. Uses a negotiation protocol; initial authentication through certificates, pre-shared keys, key exchange.
ISP
Internet Service Provider
iSCSI
Internet Small Computer System Interface - connects to storage devices on top of the existing network. You will always have an initiator and a target.
IPX
Internetwork Packet Exchange (IPX) is the network layer protocol in the IPX/SPX protocol suite. IPX is derived from Xerox Network Systems' IDP. It may act as a transport layer protocol as well.
IDS
Intrusion Detection System - tends to be on the inside of the network; it watches for bad activity on the network and sends alerts on suspicious activity.
IPS (IDPS)
Intrusion Prevention System - also known as an active IDS. It's usually close to the edge of the network; the preventive action occurs at the IPS device. Routers can have IPS and so can firewalls. A firewall filters, an IDS notifies and an IPS acts to stop.
Block cipher
Is an encryption method that applies a deterministic algorithm along with a symmetric key to encrypt a block of text, rather than encrypting one bit at a time as in a stream cipher.
False Positive
It identifies something as a problem, but it is not a real problem that makes the system vulnerable
Ransomware/Crypto-malware
It locks the data until you pay someone money.
digital signature
It's a hash of the data I am looking at, signed with a private key, which shows where it came from
System File Checker (SFC)
It's a program that is run from the command prompt
802.11 jammer
It's illegal in the US; it can be programmed to jam the 2.4 GHz signal, e.g. on channel 6
KDC
Key Distribution Center. Part of the Kerberos protocol used for network authentication. The KDC issues time-stamped tickets that expire.
Diffie-Hellman
Key generation algorithm and key exchange agreement; asymmetric; defines the size or type of key structure to use; can have very large keys. The benefit is that the 2nd party only needs to know a color. Considered low overhead.
Attack Frameworks
Kill Chain, MITRE ATT&CK, Diamond Model of Intrusion Analysis
L2TP
Layer 2 Tunneling Protocol: Cisco proprietary; similar to PPTP; L2TP tunnel with IPsec encryption (so fast); UDP ports 500, 4500
defense in depth (DiD)
Layering of security controls is more effective and secure than relying on a single control
LDAP
Lightweight Directory Access Protocol - Structured language that allows one computer to go to someone else's directory and update it. Uses TCP and UDP port 389
LDAP injection
Lightweight Directory Access Protocol injection - an attack against a directory service. Just as SQL injection attacks take statements that are input by users and exploit weaknesses within, an LDAP injection attack exploits weaknesses in LDAP (Lightweight Directory Access Protocol) implementations. This can occur when the user's input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries. LDAP derives from X.500.
LEAP
Lightweight Extensible Authentication Protocol - Cisco's high-security tunnel, no longer used. Replaced with EAP-FAST
Backup
Local backup, offsite backup, cloud backup
Business Continuity Plan
Long-term strategy for extended outages.
Shoulder Surfing
Looking over someone's shoulder to see info
Authorization Models
MAc,
Hash Types
MD5, SHA, RIPEMD. Hash is a digital signature.
Diffusion
Makes the plaintext a little less visible in the ciphertext when encrypting
Refactoring
Makes the code appear different each time: adds NOP instructions, loops, pointless code strings.
Proper Error Handling
Making sure errors don't crash the system, allow for elevated privileges or expose unintended information.
Malware
Malicious Software - a general term for any type of malicious software. ex. risk scenario: employees are allowed to surf the web unrestricted from their work computers.
Virus
Malicious code that runs on a machine, ex. via downloaded software. 10 virus types: boot sector, macro, program, multipartite, encrypted, polymorphic, metamorphic, stealth, armored, hoax
Polymorphic Malware
Malware code that completely changes from its original form whenever it is executed.
MIM
Man-in-the-Middle - A security attack in which network communication is intercepted in an attempt to obtain key data
MIB
Management Information Base - A database that we query using SNMP
SNMP MIB browser selection
Management Information Base. It needs to be added to the network management tool to allow it to interpret the new device and control it using SNMP. This option is in the Tools menu from any network map on the NNM
System Owner
Management level; maintains security of the system; defines a system administrator; works with all data owners to ensure data security
Firewall
Manages traffic using a rule or a set of rules. Should be configured on the outermost part of the network.
MAC
Mandatory Access Control. It has labels such as Top Secret for government info.
Personnel Management Controls
Mandatory vacations, job rotation, separation of duties
MTTF
Mean time to failure. The length of time you can expect a device to remain in operation before it fails. It is similar to MTBF (Mean Time Between Failures), but the primary difference is that the MTBF metric indicates you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair a device after it fails.
WiFi Direct/Ad hoc
Means for wireless devices to connect directly to each other without a wireless access point.
Memory Vulnerabilities
Memory leak, buffer overflow, integer overflow, pointer dereference, DLL injection
MD5
Message Digest 5 - a widely used hash function producing a 128-bit hash value. ex. the security manager must store a copy of a sensitive document and needs to verify at a later point that the document has not been altered
Directory Traversal
Method of accessing unauthorized directories by moving through the directory structure on a remote server
MAN
Metropolitan Area Network; a geographic network that covers a larger area such as a city or community; may be used to connect computers in libraries, government agencies, etc. together; no more than 30 miles in size
MS-CHAP
Microsoft's variation of the Challenge Handshake Authentication Protocol that uses a slightly more advanced encryption protocol. Client sends a key and server sends a challenge question plus a hash.
Diamond Model of Intrusion Analysis
Model for analyzing incidents through Adversary > Infrastructure > Capability > Victim with Meta-Features such as Timestamp, phase, result, direction, methodology & resources
MaaS
Monitoring as a Service - a company helps monitor logs
Bluetooth
Most mobile phones and Bluetooth headsets are class 2, range up to 33 feet
MPLS
Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table and speeding traffic flows.
Federated Transient Trust
My computer trusts the computers that a trusted computer itself trusts
Get query
The NMS sending a Get request to a managed device and receiving a response (communication between a computer and, ex., a printer)
PCIDSS compliance package
National Compliance
NIST
National Institute of Standards and Technology - has a list of high to low vulnerabilities in the SP 800-30/37
NFC
Near field communication; a short-range, wireless communication standard. NFC is being used to support contactless payment and transactions over NFC-equipped mobile devices.
NAC
Network Access Control: wireless network; remote access (your own dedicated T3 line); VPN access
NAT
Network Address Translation
NAS
Network Attached Storage - A Specialized file server that is designed and dedicated to support only data storage needs. For file level.
NMS
Network Management System (ex. cacti, nagios, zabbix, spiceworks web interface)
NIC driver
Network interface card (NIC) drivers are computerized instructions and information that are required for a NIC card to be operational after it is installed into or connected to a computer. ... These drivers not only enable the hardware card to function, they also are intricately involved in configuring the settings for i
Mesh
Network topology in which all nodes have point-to-point connections to all other nodes
NIDS
Network-based intrusion detection system. It detects malicious traffic on a network. Passive detection system
NIPS Detection
Network-based intrusion prevention system - monitors the entire network for suspicious traffic by analyzing protocol activity. Blocks from the router. Detection methods: behavioral/anomaly, signature-based, rule-based, heuristic (combines anomaly & signature). In band
Managed Device
Networking devices, such as routers and advanced switches, that must be configured to use.
NTFS permissions for a folder
New Technology File System permissions - used when a file on one computer is shared with others, ex. the E drive. Set up groups rather than individuals and individual files. Folder permissions: Full Control - do anything you want; Modify - read, write & delete files and subfolders; Read/Execute - see contents and run programs; List Folder Contents - see contents of folders and subfolders; Read - view contents and open data files; Write - write to files and create new files and folders
NTFS permissions for a file
New Technology File System permissions: Full Control - anything you want; Modify - read, write and delete the file; Read/Execute - open and run the file; Read - open the file; Write - open and write to the file
NTLM
New Technology LAN Manager
NDA
Non-Disclosure Agreement
Security events for logs
Non-network events: logons, logon successes and failures. ex. fields: date, time, process/source, account, event number, event description
Operating system events for logs
Non-network events: host starting, host shutdown, reboot; services starting, stopping and failing; operating system updates
Application events in logs
Non-network events: application installation; application starts, stops or crashes
Cipher Locks
Numbered key pad to open doors
Risk Transference
Offload the risk, ex. use a cloud-based web server
Vigenere Cipher Encryption
Offsets letters and numbers using a bingo-like square. Not good for encrypting pictures or credit cards.
OCSP
Online Certificate Status Protocol - similar to a CRL, but checks in real time whether a certificate is valid.
OSINT
Open Source Intelligence - information you can get from social media, government reports, academic reports. Closed/proprietary sources require you to sign up (ex. GitHub)
Non-Network Events
Operating System Events:
Blowfish
Part of symmetric encryption. It has a 65-bit block size, 16 rounds, and a key size from a minimum of 32 bits up to 448 bits
PAP
Password Authentication Protocol - authentication protocol that does not encrypt the data and sends the password and username to the authentication server as plain text.
Attack Vector
Pathways to gain access to infrastructure: weak configurations; open firewall ports; lack of user security awareness; MFA (multifactor authentication); missing patches (Equifax hack); infected USB thumb drives (Stuxnet worm); supply-chain attack: manufacturers, contractors, implementers, outsourced software development (right-to-audit clause)
PCI-DSS
Payment Card Industry Data Security Standard
PCI DSS
Payment Card Industry Data Security Standard - credit cards
Exposure Factor
Percentage of an asset that's lost as the result of an incident (flooding, fire)
PII
Personally Identifiable Information, ex. SSN, personal email address, driver's license number
Mitigating Threats
Physical Controls, Technical Controls, Administrative Controls
DoS Volumetric Attack
Ping Flood - the attacker keeps sending pings and overwhelms the target. UDP Flood - the attacker sends out various UDP requests that can overwhelm the machine
POTS
Plain Old Telephone Service - telephone system for voice-grade telephone service employing analog signal transmission over copper loops.
PaaS
Platform as a Service. Provides cloud customers with an easy-to-configure operating system and on-demand computing capabilities. Compare to IaaS and SaaS.
PPP
Point-to-Point Protocol: transport layer protocol; initiates the connection; gets address information. It had very basic authentication mechanisms; it could only do passwords.
PPTP
Point-to-Point Tunneling Protocol: oldest VPN protocol; uses PPP for the tunnel; password only; TCP port 1723; easily hacked
Administrative controls (Managerial Controls)
Policies, procedures, security awareness training, contingency planning, and disaster recovery plans, legal
PAT
Port Address Translation (PAT) - allows for many internal devices to share one public IP address. Is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.
PUP
Potentially Unwanted Program - software installed as an add-on while installing other software, ex. a browser toolbar
Incident Response Process
Preparation, Reporting, Identification, Containment, Eradication (clean up), Recovery, Lessons Learned
PGP/GPG
Pretty Good Privacy/Gnu Privacy Guard - encryption program most popular for email encryption. PGP encrypts a message with the public key; the message is decrypted with the private key. GPG is free and is used to encrypt files and disks.
Technical Control
Preventing unauthorized access to PCs, ex. screen savers that lock the PC after five minutes of inactivity
Pop-up blocker
Prevents websites from opening new browser windows without the user's consent.
PIA
Privacy Impact Assessment - how it would impact the company if private info got out.
PTA
Privacy Threshold Assessment - A privacy threshold assessment (PTA) is a process that a company uses to analyze how personal information is protected within an IT system. This process reviews how the information is collected, manipulated, transferred, or transmitted.
RunMe
Program that lets the admin change rights
Adware
Programs that put ads up that pop up while on the web
PEAP
Protected Extensible Authentication Protocol - Microsoft's version of EAP. Designed for access control protocols. Not used anymore.
PDUs
Protocol Data Units - These hold the control information attached to the data at each layer of the model. They're usually attached to the header in front of the data field but can also be in the trailer, or end, of it.
Identification
Proves to the system who I am
nslookup
Provides info on the DNS server about the name or IP address of a device
Least Privilege
Providing only the minimum amount of privileges necessary to perform a job or function.
PKCS
Public Key Cryptography Standards
PKI
Public Key Infrastructure - encryption that protects communications between the server (your website) and the client (the users). Based on hierarchy where a company (Certificate Authority) issues a certificate, then it goes through intermediate authority to take the load off.
Asymmetric encryption
The public key is used only to encrypt and the private key to decrypt. Used to send a secure session key. It is slow, but very useful for exchanging session keys.
RIPEMD
RACE Integrity Primitives Evaluation Message Digest - not very common, 128, 160, 256, 320 bit hash
RF Signal
Radio Frequency Signal
RFI
Radio frequency interference. Interference from RF sources such as AM or FM transmitters. RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.
Jamming
Radio jamming is the deliberate jamming, blocking or interference with wireless communications. ex. a malicious student is blocking mobile devices from connecting to the internet while other students are in the classroom.
RO command
Read-only setting you set in the SNMP command prompt
RTO
Recovery Time Objective - minimum time before getting back up online
RPO
Recovery Point Objective. A Recovery Point Objective identifies a point in time where data loss is acceptable. It is related to the RTO and the BIA often includes both RTOs and RPOs.
RAID
Redundant Array of Independent Disks - is a way of storing the same data in different places on multiple hard disks or solid-state drives to protect data in the case of a drive failure.
RAID controller
Redundant Array of Independent Disks - uses multiple hard drives to provide integrity and improve access
RADIUS
Remote Authentication Dial-In User Service - supports dial-in networking
RCP
Remote Copy Protocol - a command used in UNIX operating systems to remotely copy one or more files between machines.
RDP
Remote Desktop Protocol port 3389
RPC
Remote Procedure Call (RPC) is a programming interface that allows a remote computer to run programs on a local machine.
RAT
Remote access Trojan. Malware that allows an attacker to take control of a system from a remote location. The attacker has to start it up.
Log events to the OS/system via network
Remote logons (failed or successful)
SNMP Get
Request to query for information on a network entity.
Reservations
Reservations assure that a specified hardware device on the subnet can always use the same IP address. For example, if you have defined the range 192.168.1.11 through 192.168.1.254 as your DHCP scope, you can then reserve the IP address 192.168.1.100.
Rights and Privileges
Rights (also called privileges) are the entitlements, or permissions, granted to a user or role for a system level - for example, the right to modify particular data, or to authorize a change.
RMF
Risk Management Frameworks - Categorize, Select, Implement, Assess, Authorize, Monitor
RC4
Rivest Cipher 4. A Streaming Cipher, encrypts 1 bit at a time, 1 round, Key Size: 40-2048 bits. It's automatically used in WPA
RBAC
Role-based Access Control - Access to resources is defined by a set of rules. Establish groups so you can assign rights and permissions easier
Port 25
SMTP (Simple Mail Transfer Protocol)
Port 22
SSH (Secure Shell) - a port that is used to provide secure shell sessions over the web by default. Used to securely transfer files between remote UNIX systems.
DoS Protocol Attack
SYN Flood/TCP SYN Attack - client keeps sending a SYN signal and ignoring the SYN-ACK response from the server
Email Address Harvesting
Searches for valid addresses to attack
SCP
Secure Copy Protocol. Used to securely transfer computer files between a local host and a remote host, or between two remote hosts. It uses SSH for data transfer, and uses the same authentication and provides the same security as SSH. It will ask for passwords or passphrases if they are needed for authentication. Port 22
SSL
Secure Sockets Layer. Used to encrypt traffic on the wire. SSL is used with HTTPS to encrypt HTTP traffic on the Internet using both symmetric and asymmetric encryption algorithms. SSL uses port 443 when encrypting HTTPS traffic.
SSL/TLS
Secure Sockets Layer / Transport Layer Security - An encryption layer of HTTP that uses public key cryptography to establish a secure connection. - TCP port 443 - Often works within a web browser - TUN/TAP (virtual network driver) tunnel - TLS encryption. SSL is older; TLS is newer. FOUR main aspects: encryption, key exchange, authentication and HMAC
SAML
Security Assertions Markup Language. Used in website applications - allows us to log into different devices that are on the VPN through the IP (Identity Provider)
SIEM
Security Information and Event Management - takes monitors and puts them together in a single package. - aggregates and correlates data, allowing you to organize it into valuable information - you can get to the time sequence of an event in all the logs quickly - has alerts and the ability to notify you based on configurable triggers
Port security
Security control that identifies when an organizational system has been plugged in. It also provides the ability to supply automated notifications.
SED
Self-encrypting drive
Data in transit
Sending a text message that is moving in transit
OS Types
Server OS: built-in functionality, connections; Workstation: desktop version, workhorse; Embedded systems: appliances, own OS; Kiosk: limited function; Mobile OS: Apple, Android
SLA
Service Level Agreement - Service to be provided - Minimum up-time - Response time (contacts) - Start and end date
SSID
Service Set Identifier. It lists or hides your LAN or WLAN
SATCOM (Satellite Communications)
Services such as voice and video calling, Internet access, faxing, and television and radio broadcasting.
USB port
Short for Universal Serial Bus, an external bus standard that supports data transfer rates of 12 Mbps. A single USB port can be used to connect up to 127 peripheral devices, such as mice, modems, and keyboards
CSMA/CA
Short for carrier sense multiple access with collision avoidance. It is used as a method for multiple hosts to communicate on a wireless network and AppleTalk.
SNMP
Simple Network Management Protocol - Notifies the status and creates reports on network devices
SLE
Single Loss Expectancy = Asset Value x Exposure Factor
SSO
Single Sign-On - go to each computer and connect it to the domain computer
SCSI
Small Computer System Interface - is a set of standards for physically connecting and transferring data between computers and peripheral devices. The SCSI standards define commands, protocols, electrical, optical and logical interfaces.
SFP
Small Form-factor Pluggable - a compact, hot-pluggable network interface module used for both telecommunication and data communications applications.
Technical Controls
Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication
Non-persistence
Snapshots - second copy of what you were working on; Known State - ex. uninstall updates and go back to the previous state; Rollback driver - go back to the previous version
Ettercap
Software Program - a sniffing and spoofing tool. It's a pen test tool that attacks the network and finds a person's user name and password. Used for ARP poisoning
SaaS
Software as a service - allows for on-demand online access to specific software applications or suites without having to install it locally. It's a subscription based license. This will allow the data center to continue providing network and security services. ex. Office 365
Agent
Software on a device, ex. a printer
Authentication Factors
Something you know (password, pin, CAPTCHA, security questions), something you have (smart card or RSA key), and something you are (biometrics - retinal scan)
Authentication
Something you know, you are, you have, you do, somewhere you are. Proving I have rights to that system ex. passwords, smart cards, retinal scanners
SPIM
Spam over Internet Messaging ex. Skype messaging
Whaling
Spear phishing the CEO
CybOX ( Cyber Observable expression)
Standard categorization for security organization when explaining them to other people
Stateful vs Stateless Firewall
Stateless firewall will filter and block no matter what situation by defined IP address(es), port access & URL addresses. Stateful firewall doesn't have an ACL and looks at what's going on and makes a decision of what it will do.
SSAE SOC
Statements on Standards for Attestation Engagements Service Organization Control ex. financial statement integrity, internal controls, Type I and II
SAN
Storage Area Network. A specialized network of high-speed storage devices. Provides block-level storage using Fibre Channel or iSCSI
Boot Sector Virus
Stored in the first sector of a hard drive and loaded into memory upon boot up. Hard to detect as it will show up when you boot up your computer
SQL Injection
Structured Query Language Injection. It's a language with commands such as: inner join, insert into, select from
SQL
Structured Query Language. Used to communicate with a database. It is the standard language for relational database management systems. More graphs and spreadsheets.
STIX
Structured Threat Information eXpression - format that packages threat intelligence - form of AIS
Substitution
Substitute the plain text, the message, with different letters. Rotating it 2 back is ROT2
SCADA
Supervisory Control and Data Acquisition - they need a cellular WAN connection
Transport Protocols
TCP, UDP, ICMP
Data in process
Take databases that are sitting in a CPU and think about where we will be encrypting that data
Obfuscation
Take something that makes sense and hide it so it doesn't make sense to the casual outside observer
TKIP
Temporal Key Integrity Protocol - wireless security technology that continuously supplies new keys for WEP. It is an encryption protocol included as part of the IEEE 802.11i standard for wireless LANs (WLANs). It is a suite of algorithms that works as a wrapper to WEP, where it wraps additional code at the beginning and end to encapsulate and modify it.
Ephemeral Key
Temporary encryption key. Provides perfect forward secrecy. ex. if someone cracked the code from 6 months ago, the key will no longer be valid.
TACACS+
Terminal Access Controller Access Control System Plus - manages multiple devices such as routers and switches. It decouples the authorization from the authentication. Uses TCP port 49. Does auditing for log files
ICMP
The Internet Control Message Protocol - used to determine whether or not data is reaching its intended destination in a timely manner. A supporting protocol, handling ARP and ping
IPv4
The Internet Protocol version 4 is the dominant protocol for routing traffic on the Internet, specifying "to" and "from" addresses using dotted decimal such as "122.45.255.0". - Addresses starting with 10 are private, as are 172-173 and 192.168
IPv6
The Internet Protocol version 6 provides a large number of new addresses to route Internet traffic, using "from" and "to" addresses written as colon-hexadecimal notation, such as "fe80::42:acff:feaa:1bf0".
MSDS
The Material Safety Data Sheet lists the hazardous ingredients of a product, its physical and chemical characteristics (e.g. flammability, explosive properties), its effect on human health, the chemicals with which it can adversely react, handling precautions, the types of measures that can be used to control exposure, emergency and first
Layer 1
The Physical layer. To troubleshoot, an engineer flips the laptop's wireless switch to resolve the issue. Ex. computer cannot reach the Internet.
Elasticity
The ability to scale down the servers when you don't need them for the demand
Subnetting
The act of dividing a network into smaller logical subnetworks.
hot and cold aisles
The aisles in a server room or data center that circulate cold air into the systems and hot air out of them. Usually, the systems and cabinets are supported by a raised floor. keep an air gap in the server room
Risk Avoidance
The combination of likelihood and impact that I don't want to deal with, so I will avoid having certain data about customers so I don't get in trouble
Transport Encryption
The concept of rendering data passing between two points over an IP based network impervious to all but the most sophisticated advanced persistent threats
Risk Acceptance
The cost of the risk is cheaper than trying to mitigate it or prevent it
Asset Value
The hardware plus the cost of how many hours it will take to set up and if the company lost any business time by replacing it
Load Balancer (DDoS Mitigator)
The methodical and efficient distribution of network or application traffic across multiple servers in a server farm. Each load balancer sits between client devices and backend servers, receiving and then distributing incoming requests to any available server capable of fulfilling them. It's a proxy service.
Scrum
The most common framework for Agile Development.
RTS/CTS
The optional mechanism used by the 802.11 wireless networking protocol to reduce frame collisions introduced by the hidden node problem.
Order of Volatility
The order in which volatile data should be recovered from various storage locations and devices following a security incident. 1) Memory 2) Data on the disk 3) Remotely logged data 4) Backups
Inheritance
The owner who set up the folder gives permissions to everyone in the folder when he adds a person to it. Checkmarks are gray. Check the Deny box, as it's stronger than Allow
Normalization
The process of applying rules to a database design to ensure that information is divided into the appropriate tables.
code signing
The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.
Model Verification and Validation
The process of confirming that the model is correctly implemented as the conceptual model intended.
Cryptanalysis
The process of decrypting a message without knowing the cipher or key used to encrypt it.
Key Exchange
The process of sending and receiving secure cryptographic keys.
Tethering
The process of sharing an Internet connection from one mobile device to another
Unmatched key pairs
The sender and the receiver must have a matching key in order for the receiver to decrypt data.
Heatmap
The signal strength within the office environment
mobile application management (MAM)
The tools and services responsible for distributing and controlling access to apps. Also called application control.
Default/generic Accounts
There might be too many. Disable them or delete them.
Shared Accounts
They are a bad thing without segregating people into groups
Switch
They filter & forward data based on MAC address. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches.
Spear Phishing Attack
They get your full name in the sent email
Split Tunnel
They increase performance by splitting traffic between the VPN and standard Internet traffic
collectors
Those who use RSS feeds to collect information and vote for Web sites online
TGT
Ticket Granting Ticket. Used with Kerberos. A KDC (or TGT server) issues timestamped tickets that expire after a certain time period.
RAID 0 (striping)
Used to increase data access, but it doesn't provide data integrity
Removable media control
Tools that can be used to restrict which removable media, such as USB flash drives, can be attached to a system.
Exploiting the Target
Tools: Metasploit, Kali Linux
Dark Web
Tor browser -> Tor network entry point -> Tor relay servers throughout the world -> Tor network exit point -> Origin. Tor browser IP address unknown
Vulnerability Assessment Tools
Traceroute, port scanner, Advanced IP scanner, nmap, baseline security analyzer, Nessus, Nexpose, OpenVAS.
TLS
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
SNMP Trap
Trap messages are the main form of communication between SNMP monitoring tools - an SNMP Agent and an SNMP Manager.
3DES
Triple Digital Encryption Standard. It is a Block Cipher, 64-bit Block Size, 16 Rounds, 168-bit Key Size
TFTP
Trivial File Transfer Protocol - a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network. Runs on UDP port 69
TAXII
Trusted Automated eXchange of Intelligence Information - like RSS feed for threats - real-time cyber intelligence feeds
TPM
Trusted Platform Module - a chip that has a public and a private key that you can't encrypt. (PTT is when it's turned on)
Channel Bonding
Two channels that do not overlap are used together in an effort to double the connection speed
RAID 1 (mirroring)
Two drives are used in unison, and all data is written to both drives, giving you a mirror or extra copy of the data, in the case that one drive fails
Binary Block
Type of Encryption - plain text converted into 16-bit, 64-bit, or 128-bit binary ciphertext
URL
Uniform Resource Locator - a reference to a resource that specifies the location of the resource located on the Internet; a Web address
Airgap
Unplug different networks from other networks for protection.
Multiple Accounts
Use different user name and passwords for each user
NT LAN Manager
Used for Authentication where each computer challenges the other with a challenge question and a hash
SubKey
Used in encryption. it has 48 bits
Redundancy in Security Control
Using the same type of security over and over again. ex. applying anti-malware to a computer, a network, ACL or a firewall.
URL Filter
Used to block access to a site based on all or part of the URL. A URL is a reference to a resource that specifies the location of the resource.
KERBEROS
Used when authenticating Windows domain controllers
UDP
User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism.
Open-Source Intelligence
Uses public information: security websites, vulnerability databases, news media, social media, dark web, information sharing centers, file repositories, code repositories, security researchers.
SNMPv3
Uses robust TLS encryption. Different versions of SNMP can communicate together.
Diversity in Security Control
Using different types of security measures. ex. use different providers/vendors for malware intrusion
VTP
VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP carries VLAN information to all the switches in a VTP domain. VTP advertisements can be sent over 802.1Q, and ISL trunks.
EAP-MD5
Very simple version of EAP which uses only MD5 hashes for transfer and authentication credentials. It is weak and the least used of all versions of EAP.
VDE
Virtual Desktop Environment. Accessing a remote physical desktop
VDI
Virtual Desktop Infrastructure. The actual virtualized environment in the cloud.
Virtualization Zones
Virtual Network example VM machines in the cloud
Virtualization
Virtualization allows a single set of hardware to host multiple virtual machines ex. A corporation is looking to expand their data center but has run out of physical space in which to store hardware. They want the ability to expand while keeping their current data center operated by internal staff.
VoIP
Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.
IV attack
WEP Initialization Vector attack - WEP is vulnerable to cracking; uses the airdump command
infrared waves
Waves that are longer than visible light waves
WAF
Web application firewall. A firewall specifically designed to protect a web application, such as a web server. A WAF inspects the contents of traffic to a web server, can detect malicious content, and block it.
ProtonMail
Web interface that is fully encrypted (competition is Gmail)
Typosquatting/URL hijacking
Websites with names similar to real websites; users making typographical errors are sent to a site filled with malware.
Permission
The resources that are assigned to you and what you can do with them
Authorization
What rights do I have to the system once I have been authenticated
Data Exposure
What type(s) of data is exposed if unexpected inputs crash the system or cause an unintended result. What errors are returned if incorrect data is entered, etc.
Entrapment
When a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead.
API Attack (Application Programming Interface)
When an attacker tries to manipulate the application programming interface of an application, to gain access to data that would not normally be available.
Integer Overflow
When arithmetic operations attempt to create a numeric value that is too big for the available memory space.
Network Diagrams
When half of the office is unable to access a shared resource, this should be used to troubleshoot the issue.
Read only mode
When performing a forensics examination but the required hardware is missing. This will allow the examination to have minimal impact on the potential evidence.
Utilization
When users are reporting extreme slowness across the network, utilization needs to be reviewed first.
WPA
Wi-Fi Protected Access - a certification program to secure wireless networks. Uses a 4-way handshake. It is vulnerable to a dictionary attack which is collecting the personal data of the person and trying it out as passwords randomly
Spatial Streams
Wi-Fi Spatial streaming or multiplexing (often shortened to SM or SMX) is a transmission technique used in MIMO wireless communication to transmit independent and separately coded data signals, so called streams, from each of the multiple transmit antennas.
WPS
WiFi Protected Setup - where you sync the router to the computer or the printer using WPA2 personal shared encryption by pressing a button. Weakness: it only has an 8-digit key, and one of those digits is a redundancy check for the other seven digits, so it is too easy to crack. WPS-capable access points can detect an attack and shut off. It's best to turn off WPS for security.
WAN
Wide Area Network - needs to have at least 1 LAN and two routers
WEP
Wired Equivalence Protocol. Wireless network encryption system. It is vulnerable to man-in-the-middle attacks by NOT using end-to-end TLS encryption. Uses a 64-bit or 128-bit key. Can be easily hacked
WAP
Wireless Access Point
WIDS
Wireless Intrusion Detection System - looks for things on the ISM bands 2.4 GHz and 5 GHz. - Monitors wireless radios - Watches for rogue access points - Knows MAC addresses of authorized equipment - Watches the working protocol. It can get expensive. It will start with sensors outside the office that are listening for things that shouldn't be there.
WLAN
Wireless Local Area Network - is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building.
WORM
Write Once Read Many - log files archived
Forward Proxy Server
a box/piece of software running on a computer that acts as an intermediary between two different devices having a session. It hides the clients from the server by forwarding the message to the server. ex. a school forwards it to the proxy. It can block ads or certain websites, like young students going to an inappropriate website.
PuTTy
a client (software) used to connect over SSH
Light meter
a device to measure light intensity
frame
a digital data transmission unit in computer networking and telecommunication. In packet switched systems, a frame is a simple container for a single network packet. In other telecommunications systems, a frame is a repeating structure supporting time-division multiplexing.
Parity
a drive dedicated for it
Clean Glass
a fire suppression system that minimizes IT system recovery period in the event of a fire.
ip addr command
a Linux IP command to get info on your computer
Keylogger
a malicious program that records keystrokes.
Extranet
a network configuration that allows selected outside organizations to access internal information systems
Intranet
a network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization
Typosquatting
a problem that occurs when someone registers purposely misspelled variations of well-known domain names
Trojan Horse
a program that appears desirable but actually contains something harmful in the background
Bot
a program that performs a repetitive task on a network. Robot
Thick/Fat client
a regular desktop computer or a router device that you have to configure itself.
TCP/IP
a set of protocols for the transfer of data over the Internet.
Web of Trust
a simple trust model that relies on each user creating and signing their own certificate. It's not as popular because it requires a lot of maintenance
Correlation Engine
a software component used to collect and analyze event log data from various systems within the network by aggregating the data
Worm
a software program able to replicate itself without user interaction
Patch Management
a system which all workstations on the network will receive security updates on the same schedule.
Cross-Site Scripting (XSS)
a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites
Containers on VM's
a type of virtualization that allows for shared operating systems for more resource savings and faster execution. One OS and run applications that are isolated from each other.
Vishing
voice-based phishing solicitations requesting information about you that is confidential
cPanel
a web based hosting control panel provided by many hosting providers to website owners allowing them to manage their websites from a web based interface.
rogue access point
a wireless access point that gives unauthorized access to secure networks. Ex. employee brings in a router to get better signal
Unauthorized Access
access to computer without the consent of the owner
SNMPv2
added basic encryption and slightly more commands
TTP
adversary tactics, techniques and procedures - what hackers use to crash the system
Clustering
allows an organization to group large numbers of servers together in order to deliver a common service but they have to update each other. It's expensive
MAC Filtering
an access control method where the MAC address assigned to each network card is used to determine access to the network.
Correlation
analyze data and show the data in a way we can make sense of it. - Alerts for notifications if something goes bad, triggered by exceeding thresholds
static code analyzer
analyzes source code to detect unsafe conditions
Wet Pipe Sprinkler System
are designed for use in applications where the temperature is maintained above freezing. In such systems, the entire piping network is fully pressurized so that water is discharged from a sprinkler head immediately after actuation.
DoS (application/service attacks)
attacker keeps sending messages and the Apache server responds but doesn't hear back
Social Engineering Principles
authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/liking, and trust
Differential backup
backup from the full backup
Benchmark
baseline values the system seeks to attain
Walk query (SNMPWalk)
batch of Gets
Link Key
bluetooth pairing creates a shared link key to encrypt the connection. ex. cell phone with car.
Windows Local Security Policy
built-in policy in Windows that you can set as an administrator
Clearing for data destruction
can be done with commands such as erase, format and delete. These methods are not final.
Mobile device management tools
can turn off cameras or voice on any mobile devices I own at once.
Server-side vs. client-side execution
client fills in personal info and server has to process it
Aggregation
collecting data and storing it.
Ethernet Patch Panel
collection of many wall ports on one panel, with each of the ports connected via a patch cable to another port elsewhere in the house.
CRC
colorectal cancer
Proprietary Sources
commercial service that you pay for
system failure
computer crashes
tracert
computer network diagnostic command for displaying possible routes (paths) and measuring transit delays of packets across an Internet Protocol (IP) network. When a user cannot reach a particular website, this command would provide the best information about the path taken across the network to this website.
Vulnerability
could be a code flaw, or firewall weakness
Elite Hacker
create their own tools to hack that people will use eventually to hack into systems. references the skill level of attacker
Bottleneck
data becomes limited due to insufficient computer or network resources.
Closed-Source threat intelligence
data taken from us using apps or websites
WIDS server
dedicated box to take information to log data of the WIDS intrusions. It will text you or email you of intrusions
weak configuration
default configuration ex. passwords
Cryptosystem
defines key properties, communication requirements for the key exchange and the actions taken through encryption and decryption process
Threat Hunting
detect presence of threats that have not been discovered by normal security monitoring. - Establish a hypothesis (who might harm us and how) - Profile threat actors & activities (what TTPs they will use and what their objectives are). ACTIONS: analyze network traffic; analyze the executable process list; analyze other infected hosts; identify how the malicious process was executed. BENEFITS: improve detection capabilities; integrate intelligence; reduce attack surface; block attack vectors; identify critical assets
VPN
directly connects into the network from a remote location, fully functional. Is much slower than being in the local area network.
Transparent Proxy
does not require any configuration on the user's computer
802.11 Infrastructure Mode
doesn't have any authentication or encryption
polymorphic virus
encrypted virus that changes itself every time it is executed by altering the decryption module to avoid detection
Streaming Ciphers
encrypts each bit at a time
Network event (logs)
event that deals with the communication between the host and something on the network
false positive
events that are mistakenly flagged and are not really events to be concerned about. This causes a significant administrative overhead because the reporting is what results in the false positives.
Non-network events (logs)
events that happen on a host even though it's not connected to a network
Amplification Attack
ex. Smurf Attack, one packet gets all computers to respond
Vulnerable business processes
ex. storing unnecessary customer info.
Biometrics
eye scan, finger print, facial recognition
nmap software
finds several networks/systems. Zenmap is the graphical version
multipartite virus
first it attaches itself to the boot sector and system files before attacking other files
RADIUS Server
for remote access ex. Open Radius brand, Steel Belted server, etc. Security Policy: RADIUS is used for network access; RADIUS can use up to 4 different ports: 1812, 1813, 1645, 1646
ELK software
free to help you gather data and show reports on data
RADIUS Client
gateway for separation
SFTP (Secure File Transfer Protocol)
Great security; runs on port 22
Threat Actors
hacker, hacktivists, script kiddies, insider, competitors, shadow IT (unofficially adding hardware), criminal syndicates, state actors, advanced persistent threat (APT)
Patch graphic antenna
half of an omni directional antenna
Script Kiddie
has just enough knowledge to hack into a system, not as sophisticated as a hacker
Executive User
has read only privilege
Armored Virus
has a layer of protection to confuse a program or person analyzing it
redundancy
having a backup system. it helps to have them in different locations in case one office gets hit with a flood
Alternative Processing Sites
having separate sites for sale or other vendors
Armitage
helps run the Metasploit framework
Steganography
hiding data within other data ex. hiding text in a photo using image steganography
Session Cookie
holds info like user name and password during a session
Network Topologies
how is the data moving around in a network
netstat -a
shows if anyone is listening regardless of IP address, ex. ports
Linux File Permissions
in the command prompt, there are permissions. ex. rwxrwxrwx. First 3 are for the creator/owner, next 3 are for the group, everyone else (dr means directory)
Microsoft Azure Cloud Security
Included with Microsoft; scans your computer and gives you a list of items to harden your computer
Improperly configured accounts
incorrect permissions having too much or too little permissions to configure stuff
Program Virus
infects an executable program file. Every time you open Word, it boots up
SSL accelerators/TLS accelerators
instantly encrypts & decrypts asymmetric encryption
Static host
intelligent device designed to do a specific task or process such as switch, router, printer that are single purpose devices that are network aware. Treat it like a regular host. if there are unique aspects then use Network Segmentation to help protect static hosts.
ipconfig command
Internet protocol configuration that provides the IP address and Ethernet details, and the -all option finds the MAC address. This command gives you info on your computer, a quick snapshot of issues
Subnet Mask
is a 32-bit number created by setting host bits to all 0s and setting network bits to all 1s. In this way, the subnet mask separates the IP address into the network and host addresses. The "255" address is always assigned to a broadcast address, and the "0" address is always assigned to a network address.
ping command
is a DNS tool that resolves web addresses to an IP address.
Datagram
is a basic transfer unit associated with a packet-switched network. It's a PDU that is used by connectionless protocols across a packet-switched network.
Omni-directional
is a class of antenna which radiates equal radio power in all directions perpendicular to an axis (azimuthal directions), with power varying with angle to the axis (elevation angle), declining to zero on the axis.
PING
is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network.
Driver
is a computer program that operates or controls a particular type ... transitions usually impose a considerable performance overhead, thus making kernel-mode drivers preferred for low-latency networking.
MP4
is a digital multimedia container format most commonly used to store video and audio, but it can also be used to store other data such as subtitles and still images
Yagi
is a directional antenna consisting of two or more parallel resonant antenna elements in an end-fire array; these elements are most often metal rods acting as half-wave dipoles.
Botnet
is a number of Internet-connected devices, each running one or more bots under an attacker's control. It can be used for Distributed Denial-of-Service (DDoS) attacks, data theft and sending spam.
Clickjacking
is a technique that tricks users into clicking on a malicious link by adding the link to a transparent layer over what appears to be a legitimate web page.
Patch Antenna
is a low-profile directional antenna that can be mounted flat on a surface; a typical use is an 802.11ac point-to-point link between two buildings in an office park.
T1 connection
is an Internet connection providing high speed T1 bandwidth of 1.544Mbps delivered over fiber optic or copper phone lines
Parabolic
is an antenna that uses a parabolic reflector, a curved surface with the cross-sectional shape of a parabola, to direct the radio waves. The most common form is shaped like a dish and is popularly called a dish antenna or parabolic dish.
Telnet
is an application protocol used on the Internet or a local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection (TCP port 23). Everything, including credentials, is sent in cleartext; use SSH instead.
DTE
is an end instrument that converts user information into signals or reconverts received signals. These can also be called tail circuits. A DTE device communicates with the data circuit-terminating equipment (DCE). The DTE/DCE classification was introduced by IBM.
Crosstalk
is any phenomenon by which a signal transmitted on one circuit or channel of a transmission system creates an undesired effect in another circuit or channel.
Information classification training
is organized by confidentiality and typically uses three categories: public use, internal use and restricted use. Knowing these categories and how to handle data according to its category is essential in protecting the confidentiality of the data. Best suited for data owners who are responsible for protecting the confidentiality of their data.
Node
is either a redistribution point or a communication endpoint. The definition of a node depends on the network and protocol layer referred to. A physical network node is an electronic device that is attached to a network and is capable of creating, receiving, or transmitting information over a communication channel. A passive distribution point such as a distribution frame or patch panel is consequently not a node.
Multicast
is group communication where data transmission is addressed to a group of destination computers simultaneously. Multicast can be one-to-many or many-to-many distribution. Multicast should not be confused with physical layer point-to-multipoint communication
Modem
is short for "Modulator-Demodulator." It is a hardware component that allows a computer or another device, such as a router, to connect to the Internet over a telephone or cable line. It modulates outgoing digital data (1s and 0s) into an analog signal for the line and demodulates the incoming analog signal back into digital data the computer can use.
Cluster tip
is the unused space at the end of the last cluster allocated to a file (also called slack space). It can retain remnants of previously deleted data, which matters both for forensics and for secure wiping.
Streams
is the native framework in Unix System V for implementing character device drivers, network protocols, and inter-process communication. In this framework, a stream is a chain of coroutines that pass messages between a program and a device driver (or between a pair of programs).
Default Gateway
is the node in a computer network using the internet protocol suite that serves as the forwarding host (router) to other networks when no other route specification matches the destination IP address of a packet
Web content filtering
is the practice of blocking access to web content that may be deemed offensive, inappropriate, or dangerous. It is implemented to reduce exposure to malicious sites and downloads, including ransomware.
Hashing
is the process of converting input of any length into a fixed-length value. A hash function computes the new value according to a mathematical algorithm; the result is known as a hash value or simply a hash. It is one-way (the input cannot be recovered from the hash) and any change to the input produces a different hash. E.g. when you save a password on a computer it is stored as a (salted) hash, not as the password itself. Hashes are also used for integrity checks and in digital signatures; hashing is not encryption.
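An added example (not from the original page) of the password use case above: a plain SHA-256 call to show the fixed-length, one-way output, then a salted, iterated password hash with PBKDF2 and a constant-time verification. The storage format (algorithm$iterations$salt$hash) and the sample passwords are assumptions of this example.

```python
# Added example: hashing for integrity vs. salted password hashing.
import hashlib
import hmac
import os


def sha256_hex(data):
    """Plain hash: fixed 64 hex chars regardless of input size, one-way, avalanche on any change."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password, salt=None, iterations=600_000):
    """Store a password as algorithm$iterations$salt$hash (format is an assumption of this example).

    A random per-user salt means two users with the same password get different hashes,
    and the iteration count slows down offline guessing."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(sha256_hex(b"abc"))
    record = hash_password("correct horse battery staple")   # constructed sample password
    print(record, verify_password("correct horse battery staple", record))
```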
Polling
is the process where the computer or controlling device repeatedly checks an external device for its readiness or state, often at the low-level hardware layer. In other words, the computer waits until the device is ready rather than being interrupted by it.
Port Filtering
is when a router or firewall inspects the destination ports of the TCP/UDP (or other port-based) packets passing through it. With port filtering you can have the device block packets heading to a certain port, or block some packets based on their content.
Trap query
an SNMP trap is an unsolicited message a managed device sends to the management station when something is wrong, e.g. overheating, without waiting to be polled
ANT
a proprietary low-power, low-data-rate 2.4 GHz wireless protocol used by sensors such as fitness devices (ANT+); slow, with optional encryption of its channels
Wireshark analyzer
a GUI protocol analyzer that captures packets, lists them, and decodes each one by protocol layer
Cookie Cadger
a tool that captures session cookies from unencrypted (HTTP) traffic and replays them to take over the victim's session; an example of a replay attack used for session hijacking
Social Engineering
manipulating someone to take certain action that may not be in that person's best interest, such as phishing email
MTTR
mean time to repair: the average time a failed component is down before it is repaired and back in service
Continuous Access Monitoring
monitor what users are accessing on the computer/network
unidirectional
moving in only one direction
Halon
a gaseous (halogenated hydrocarbon) fire suppressant once common in server rooms; effective on all classes of fire but ozone-depleting, so production was banned and existing systems are replaced by clean agents such as FM-200
NETbios
Networked Basic Input/Output System; legacy Windows name and session service on ports 137-139. SMB (Server Message Block) originally ran over NetBIOS and now runs directly on TCP port 445.
netcat command
opens connections to ports or listens on them, acting as a client or a server; used in pen testing and vulnerability assessment for banner grabbing, port checks and simple shells
SNMP Community
a community string is a shared password that groups managed devices and grants read-only or read-write SNMP access; the default strings "public" and "private" must be changed
Reaver
part of the Kali Linux toolkit; brute-forces the WPS PIN of a wireless access point to recover its WPA/WPA2 passphrase
Organized Crime
a threat actor belonging to a crime group that is well-funded and highly sophisticated, usually motivated by money
RADIUS Supplicant
the person or system trying to get authenticated, e.g. the client device in 802.1X
decentralized organization
logs stay on each computer; you physically go to each one to review them
Reverse Proxy Server
placed in front of web servers for security, DoS handling, load balancing, caching and encryption (TLS) acceleration. It hides the real servers from clients and can cache high-activity pages.
POP
(Post Office Protocol) retrieves email from a server; POP3 uses port 110 (POP3 over TLS uses 995)
Segments
portion of a computer network
Information Security
protecting data
Information Systems Security
protecting the systems that hold and process our data, e.g. a phone or computer
FM-200
a clean-agent gas fire suppressant used in server rooms; it leaves no residue and does not damage electronics
IPSec with L2TP protocol
L2TP builds the tunnel and IPsec encrypts it, so in effect it puts a tunnel within a tunnel
Race Condition
results when several threads or processes access and modify the same data concurrently without synchronization, so the outcome depends on timing. A security-relevant form is TOCTOU (time of check to time of use), where a resource changes between being checked and being used.
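An added example (not from the original page) that makes the race visible: several threads each read a shared counter, add one, and write it back. Without a lock, updates are lost whenever a thread is preempted between its read and its write; with the lock every increment survives. The counter and thread counts are constructed for the demonstration.

```python
# Added example: a lost-update race condition and its fix with a lock.
import threading


def run_counter(increments=100_000, workers=4, use_lock=False):
    """Return the final value of a shared counter after `workers` threads each add `increments`."""
    counter = 0
    lock = threading.Lock()

    def worker():
        nonlocal counter
        for _ in range(increments):
            if use_lock:
                with lock:              # read-modify-write happens as one unit
                    counter += 1
            else:
                value = counter         # read
                value += 1              # modify
                counter = value         # write: may overwrite another thread's update

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return counter


def lost_updates(increments=100_000, workers=4):
    """How many increments disappeared in the unsynchronized run (0 when the fix is applied)."""
    expected = increments * workers
    return expected - run_counter(increments, workers, use_lock=False)


if __name__ == "__main__":
    print("without lock:", run_counter(), "with lock:", run_counter(use_lock=True))
```

The unsynchronized result varies from run to run, which is exactly what makes race conditions hard to reproduce; the locked version is deterministic.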
After Action Report
retrospective analysis used to evaluate emergency response drills
Metamorphic Virus
rewrites itself every time it infects a new file.
Man Trap
a small room or rotating door with two interlocking doors where only one person can get through at a time; it prevents tailgating into a secure area
Destroy
ruin the media so that it is no longer functional, e.g. burning, pulping (soaking in water), shredding or pulverizing
Automation
scanning and other tasks that are repetitive and consistent, handed to a program instead of a person. Typical uses: template restoration, continuous monitoring, automatic system updates, monitoring application whitelists, and application development pipelines.
TOR Browser
routes your connection through several relays in different networks, hiding your origin location from the destination
Dipole
a simple two-element antenna that radiates perpendicular to its axis (omnidirectional in that plane); typically used to cover a single floor of an office
Port Scanner/Network Scanner
discovers the hosts on a network and the open ports and services on each of them
Rootkit/Backdoor Malware
a rootkit is software that hides its own presence while running with elevated privileges so it can execute other things on the computer; a backdoor gives the attacker covert remote access that bypasses normal authentication
Printer Firmware
the embedded software that runs a printer; like any other device it needs firmware updates to fix security flaws
rogue system
an unauthorized device, e.g. something a person brings from home and plugs into the network
SMishing (SMS Phishing)
phishing delivered through text messages
Link Local Address (IPv6)
starts with FE80 (fe80::/10); valid only on the local link and not routed
PKCS-12
stores the certificates and the private keys as a package
Host-based
system controlled by a central or main computer
Embedded Systems
a fixed-function system with its own storage, input/output, etc., whose software rarely changes. They still need patches and firewalls.
Typo Squatting
registering domain names that are common misspellings of legitimate sites to take advantage of users who mistype a web address
Token Ring
a technology used to build local area networks by connecting several computers in a loop. It uses a three-byte token that is passed around a logical ring of workstations; only the station holding the token may transmit.
Packet Sniffing
the practice of gathering, collecting, and logging some or all packets that pass through a computer network, regardless of how the packet is addressed. In this way, every packet, or a defined subset of packets, may be gathered for further analysis.
Rogue Machine Detection
the process of detecting devices on the network that should not be there. If a user brings in a laptop and plugs it into the network, the laptop is a "rogue machine". The laptop could cause problems on the network. Any device on the network that should not be there is classed as rogue.
pre-ATT&CK
the reconnaissance and weaponization phases of the kill chain
Symmetric Encryption
the same key is used to encrypt and decrypt, so the key must be shared secretly. It is the primary way we encrypt bulk data. Block ciphers such as AES are one form (stream ciphers are the other); a block cipher is defined by its key size (how long the key is), number of rounds (passes of its internal transformation) and block size.
memory manager
the section of the operating system responsible for controlling the use of memory. It checks the validity of each request for memory space and, if it's a legal request, allocates the amount needed to execute the job
Privilege Escalation (Elevation)
gaining higher privileges than intended, e.g. going from a normal user to administrator or domain administrator
"Ping -t" command
(Windows) keeps pinging the target continuously until stopped with Ctrl+C; useful for watching a host come back up
Sniffer
software (often built on the pcap capture library) that grabs all traffic passing the network interface, in and out of the application or host
Snapshots
typically used with virtual machines and are usually not stored on separate media
UTP cable
unshielded twisted-pair cable
Spam
unsolicited email
Phishing
unsolicited emails that request information from you
stress test
pushes code or a system beyond its normal load to see how it behaves; run it in a sandbox so failures do not affect production
Centralized Logging
use a central repository such as a syslog server or SIEM; SNMP traps from devices can be fed into it as well
CBC, CFB, OFB, CTR block modes
use an initialization vector (a nonce/counter in CTR), which ensures that each output block is uniquely different even when the same plaintext is encrypted twice; ECB mode has no IV and leaks patterns.
Tailgating
used for someone being so close to you when you enter a building that they are able to come in right behind you without needing to use a key, a card, or any other security device.
Protocol Analyzer
used to capture and analyze network traffic between hosts on the same network segment
digg command
dig command: the Linux/Unix DNS lookup tool used instead of nslookup; it allows for further functionality such as querying specific record types and servers
Hypervisor
virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.
Wireless clients hardening
watch for unknown SSIDs (wireless network names) that may be rogue access points or evil twins, and do not auto-connect to them
Dry pipe system
a sprinkler system whose piping contains compressed air instead of water. When a sprinkler head opens, the pressure in the piping drops, the dry pipe valve opens, and water flows to the sprinklers. Dry pipe systems are typically used in spaces subject to freezing.
Server-Side Request Forgery (SSRF)
a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing, commonly abused to reach internal services or cloud metadata endpoints that are not exposed externally
hoax virus
a scareware page that claims your computer is infected and tells you to call a "help center" to install antivirus. What mom had.
Cross-site request forgery (CSRF)
an attack in which a malicious site causes a victim's browser to send a request to another site where the victim is already logged in; the browser attaches the session cookie automatically, so the request looks legitimate. Defended with per-session anti-CSRF tokens that the attacker's page cannot read.
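An added example (not from the original page) of the token defence described above, with the request handling reduced to plain functions so it runs offline. The browser model is simplified to a dict with "cookies" (sent automatically) and "form" (set by whichever page built the request); the server secret, session IDs and transfer endpoint are constructed for the example.

```python
# Added example: session-bound anti-CSRF tokens and the check a state-changing handler performs.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-server-secret-for-the-example"   # assumption: kept server-side only


def issue_csrf_token(session_id):
    """Token the legitimate page embeds in its form; bound to the session via HMAC."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (nonce, mac)


def check_csrf_token(session_id, token):
    """Valid only if the MAC matches this session; compare in constant time."""
    try:
        nonce, mac = token.split(".")
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SERVER_SECRET, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request):
    """State-changing endpoint. Returns (status, message) like a tiny web handler."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "not logged in"
    form = request.get("form", {})
    if not check_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s to %s" % (form.get("amount"), form.get("to"))


if __name__ == "__main__":
    # Legitimate submission: the bank's own page included the token.
    print(handle_transfer({"cookies": {"session": "s1"},
                           "form": {"csrf_token": issue_csrf_token("s1"), "amount": "10", "to": "bob"}}))
    # Forged submission from attacker's site: cookie is attached by the browser, token is not.
    print(handle_transfer({"cookies": {"session": "s1"},
                           "form": {"amount": "1000", "to": "mallory"}}))
```

The attacker's page cannot read the token because the same-origin policy blocks it from reading the bank's responses, and a token minted for the attacker's own session fails the HMAC check against the victim's session.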
Domain Hijacking
when someone takes over your domain name, either because you let the registration expire or by changing the registration through a compromised registrar account
Guest Network
will have a separate VLAN, designed and protected to isolate outsiders. There will be a firewall between that one and the main network.
Penetration Test
actively exploits weaknesses to reach the data, whereas a vulnerability assessment only identifies them. Steps: get written authorization, discover vulnerabilities, exploit them, e.g. grab usernames and passwords, take data from a database or deface a web page, then report.
Wiping programs
overwrite the storage with patterns of 0s and 1s so the original data cannot be recovered
TCP Dump
a command-line packet capture tool for Linux/Unix; it writes captures to pcap files that can later be opened in Wireshark, and being lightweight it is less likely to drop packets under heavy load than a GUI analyzer
Non-repudiation
you have proof that someone took an action and they cannot deny it, e.g. via a digital signature made with a key only they hold