SY0-401: Glossary, GSEC, SEC + 401 Study Guide COMBINED
RDP
"Remote desktop protocol -- port 3389 TCP"
GECOS
'field' an entry in the /etc/passwd file
set-GID
's' displayed in place of 'x' (e.g. rws) in the group permissions to show that the program executes as the group owner; often used for printing
set-UID
's' displayed in place of 'x' (e.g. rws) in the owner permissions to show that the program executes as the owner of the executable rather than as the invoking user, e.g. 'passwd' (owned by root, executed by an ordinary user)
VPN security concerns
'trusted client' problem; third parties; IDS and AV can't inspect traffic
DHCP
(Dynamic Host Configuration Protocol) A set of rules that allow network client computers to find and use the Internet address that corresponds to a domain name; dynamically assigns IP addresses from a pool, per request, as the client needs them
M2M
(Machine to Machine) enables connected devices to communicate with each other
3DES
(Triple Data Encryption Standard) A symmetric encryption algorithm that encrypts data by processing each block of data three times, using a different DES key each time.
TTLS
(Tunneled Transport Layer Security) Provides authentication like SSL/TLS, but does not require a certificate for each user. Authenticates the server end of the connection by certificate; users are authenticated by password only
WSUS
(Windows Server Update Services) A computer program that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment
Anomaly-based IDS
(also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline.
signature-based IDS
(also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline
DAC
(discretionary access control) model specifies that every object has an owner, and the owner has full, explicit control of the object
802.11ad
(very high speed in very short distance over 60 GHz)
raw disk
partition type used when no file system is appropriate; not mounted in LFS
cron
/etc/crontab; runs as root; first - last
Linux Partitions
/etc/fstab; partitions better for stability and security, backups
logrotate
/etc/logrotate.conf
systemd
/etc/systemd; the newer initialization system. systemd-based systems initialize services and processes in parallel and can support on-demand services.
messages log
/var/log/messages
TCP well-known ports
0 - 1023
init runlevels
0 - shut down; 1 - single user mode; 2 - multiuser mode; 3 - multiuser with networking; 5 - start display manager with graphics; 6 - system reboot
Three Components as Kerberos
1. KDC or Key Distribution Center; 2. TGS or Ticket-Granting Service; 3. AS or Authentication Service
Incident handling
1. Preparation, 2. Identification, 3. Containment, 4. Eradication, 5. Recovery, 6. Lessons Learned (may optionally add a Wait and See step). Steps from DOE (Department of Energy)
WPA2
1.) WPA2-Personal: Protects against unauthorized network access via a password. 2.) WPA2-Enterprise: Verifies network users through a server. Uses Advanced Encryption Standard (AES). WPA2 is the latest and most secure wireless encryption standard.
TCP registered ports
1024 - 49151
AES Block Size
128 bits
Twofish
128-bit key length. Capable of using cryptographic keys up to 256 bits in length. Twofish is a secure solution
SHA-1
160-bit hash (20-byte digest length)
Workgroup
2+ Windows machines that share info in the absence of a domain controller; the individual machines are called standalone computers. In Windows, standalone computers are where administration, resources, and security are distributed, without centralized management or security. < 50 machines; with < 10, just standalone computers
Windows Server Nano
2016+ install option; 110 MB install; no GUI; headless, manage over network, not through console; only runs AS CONTAINER; no bare metal install or VM; for web or db apps; cannot be patched, but redeployed; cannot run domain controller
TCP dynamic ports
49152 - 65535
DES Block Size
64 bits
Blowfish
64-bit key length. Alternative to DES and IDEA. Acceptable option for encryption, but only when you're using key lengths of at least 128 bits
bluetooth version 5
800 ft range; 2 Mbit/s transfers; IoT-ready
Windows MOM
? log aggregation?
BIA (business impact analysis)
A BCP preparatory step that identifies present organizational risks and determines the impact to ongoing, business-critical operations if such risks actualize.
incremental backup
A Backup that backs up all files in a selected storage location that have changed since the last full or differential backup.
trust model
A CA hierarchy
Xmas Tree
A Christmas tree is a packet that makes use of certain options for the underlying protocol.
Double DES
A DES version that uses a 112-bit key length; encipher message; then encipher encrypted message
tail command
A Linux command used to display lines of text at the end of a file; by default, the tail command displays the last 10 lines of the file. -s sleep interval; -c number of bytes displayed; -n number of lines
PKCS#7-Cryptographic Message Syntax Standard
A PKCS that describes the general syntax used for cryptographic data such as digital signatures.
PKCS#10-Certification Request Syntax Standard
A PKCS that describes the syntax used to request certification of a public key and other information.
NAS (Network Access Server)
A RADIUS server configuration that uses a centralized server and clients.
PSH
A TCP flag indicating to Push data to application layer.
RST
A TCP flag meaning to Reset (tear down) a connection
White Hat
A type of hacker that is contracted to break into a company's system
C shell
A UNIX/Linux command interpreter designed for C programmers. csh
PPTP (Point-to-Point Tunneling Protocol)
A VPN protocol that is an extension of the PPP remote access protocol.
VPS
A Virtual Private Server is a part of a physical machine that is used as a server, many may exist on the same computer.
PC Reset
A Windows 8.1 feature that enables you to return your PC back to the original state it was in when you purchased it or first set it up
Scheduled Tasks
A Windows XP Control Panel applet for scheduling programs. It was replaced in later versions by the Task Scheduler MMC. (13)
Guest Account
A Windows account with few permissions and no password that allows a user to use a computer without requiring a unique user account. Disable and assign a user name and password.
Active Directory
A Windows server directory database and service that is used in managing a domain to allow for a single point of administration for all shared resources on a network, including files, peripheral devices, databases, Web sites, users, and services.
Domain Controller
A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.
Backup and Restore
A Windows utility that allows the user to create a duplicate copy of all the data on the hard drive and copy it to another storage device. dangerous - create separate OU group
differential backup
A backup that backs up all files in a selected storage location that have changed since the last full backup.
full backup
A backup that backs up all selected files regardless of the state of the archived bit.
CFB encryption (Cipher Feedback mode encryption)
A block encryption model that allows encryption of partial blocks rather than requiring full blocks for encryption.
PCBC encryption (Propagating or Plaintext Cipher Block Chaining encryption)
A block encryption model that causes minimal changes in the ciphertext while encrypting or decrypting.
OFB encryption (Output Feedback mode encryption)
A block encryption model that converts a block cipher into a stream cipher, which is fed back as input of a block cipher.
CTR encryption (counter mode encryption)
A block encryption model that is similar to OFB and uses a counter as input.
CBC encryption (Cipher Block Chaining encryption)
A block encryption model where before a block is encrypted, information from the preceding block is added to the block. In this way, you can be sure that repeated data is encrypted differently each time it is encountered.
ECB encryption (Electronic Codebook encryption)
A block encryption model where each block is encrypted by itself. Each occurrence of a particular word is encrypted exactly the same.
SLA (service-level agreement)
A business agreement that outlines what services and support will be provided to a client.
anti-malware software
A category of software programs that scan a computer or network for known viruses, Trojans, worms, and other malicious software.
RADIUS Remote Authentication Dial-in User Service.
A centralized authentication service often deployed to provide an additional layer of security for a network by offloading authentication of remote access clients from domain controllers, or even from the remote access server itself, to a dedicated authentication server. Uses UDP port 1812. AAA (Authentication, Authorization, Accounting). Non-proprietary
Group Policy
A centralized configuration management feature available for Active Directory on Windows Server systems.
virtualization
A class of technology that separates computing software from the hardware it runs on via an additional software layer, allowing multiple operating systems to run on one computer simultaneously.
Microsoft Intune
A cloud-based management solution that allows you to manage your computers when they are not inside your corporate network.
update
A collection of files for updating released software that fixes bugs or provides enhancements.
rollup
A collection of previously issued patches and hotfixes, usually meant to be applied to one component of a system, such as the web browser or a particular service.
baseline report
A collection of security and configuration settings that are to be applied to a particular system or network in the organization.
security baseline
A collection of security configuration settings that are to be applied to a particular host in the enterprise.
Account Lockout Policy
A collection of settings, such as lockout duration, that control account lockouts. Lockout duration: 120 minutes; lockout threshold: 5 attempts; reset lockout counter after: 45 minutes
cipher suite
A collection of symmetric and asymmetric encryption algorithms commonly used in SSL/TLS connections.
service pack
A collection of system updates that can include functionality enhancements, new features, and typically all patches, updates, and hotfixes issued up to the point of the release of the service pack.
Key Stretching
A collection of techniques that can potentially take a weak key or password and stretch it to become more secure.
dmesg command
A command that displays hardware-related messages generated by the Linux kernel and prints to standard output
sudo command
A command that is used to perform commands as another user via entries in the /etc/sudoers file. No root password is used, only specific commands are allowed, and use is logged
ifconfig command
A command used to display and modify the TCP/IP configuration information for a network interface (Linux)
modprobe command
A command used to insert a module into the Linux kernel.
PowerShell
A command-line interactive scripting environment that provides the commands needed for most management tasks in a Windows Server 2012/R2 environment. TCP 5985, 5986; only on Windows; full .NET
business partner
A commercial entity that has a relationship with another, separate commercial entity.
ping floods
A common name for an ICMP flood attack. It is a type of DoS attack in which the attacker attempts to overwhelm the target system with ICMP Echo Request (ping) packets.
Smurf attacks
A common name for ICMP flood attacks. These are a type of DoS attack in which a ping message is broadcast to an entire network on behalf of a victim computer, flooding the victim computer with responses.
account management
A common term used to refer to the processes, functions, and policies used to effectively manage user accounts within an organization.
FTP (File Transfer Protocol)
A communications protocol that enables the transfer of files between a user's workstation and a remote host.
Ubuntu
A community-developed Linux-based operating system with a GUI similar to that of Windows. Derived from Debian. APT package manager; FW not enabled by default
Hybrid Cloud Infrastructure
A composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.
defense in depth
A comprehensive approach to layered security that is intended to slow an attack.
Zombie
A computer that has been infected with a bot and is being used by an attacker to mount a DDoS attack. Also called a drone.
failopen
A control that provides open access when a system fails.
failsecure
A control that provides security when a system fails.
failsafe
A control that provides user safety when a system fails.
identity theft
A crime that occurs when an individual's personal information or data is stolen and used by someone other than the authorized user.
computer crime
A criminal act that involves the use of a computer as a source or target, instead of an individual.
HSM (Hardware Security Module)
A cryptographic module that can generate cryptographic keys.
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
A cryptographic protocol that is based on Diffie-Hellman and that provides for secure key exchange by using ephemeral keys and elliptic curve cryptography.
DHE (Diffie-Hellman Ephemeral)
A cryptographic protocol that is based on Diffie-Hellman and that provides for secure key exchange by using ephemeral keys.
decryption
A cryptographic technique that converts ciphertext back to cleartext.
Encryption
A cryptographic technique that converts data from plaintext (cleartext) into code (ciphertext)
DH (Diffie-Hellman)
A cryptographic protocol that provides for secure key exchange.
tunneling
A data-transport technique in which a data packet is encrypted and encapsulated in another data packet in order to conceal the information of the packet inside.
certificate repository database
A database containing digital certificates.
registry
A database that Windows uses to store hardware and software configuration information, user preferences, and setup information. In AD, stores for domain. REGEDIT.EXE
NoSQL database
A database that provides data storage and retrieval in a non-relational manner.
WEP (Wired Equivalent Privacy)
A deprecated protocol that provides 64-bit, 128-bit, and 256-bit encryption using the RC4 algorithm for wireless communication that uses the 802.11a and 802.11b protocols.
incident report
A description of the events that occurred during a security incident.
hardware-based encryption devices
A device or mechanism that provides encryption, decryption, and access control.
sniffer
A device or program that monitors network communications on the network wire or across a wireless network and captures data.
router
A device that connects multiple networks that use the same protocol.
STA (Station)
A device that contains an IEEE 802.11 conformant MAC interface to a wireless medium with an Ethernet-like driver interface.
Router
A device that forwards data packets between computer networks. Uses ACLs.
switch
A device that has multiple network ports and combines multiple physical network segments into a single logical network.
Load Balancers
A device that performs load balancing as its primary function.
hub
A device that uses its ports to connect devices (computers, printers, etc.) together and broadcasts all data on all channels
EMI (electromagnetic interference)
A disruption of electrical current that occurs when a magnetic field around one electrical circuit interferes with the signal being carried on an adjacent circuit.
account policy
A document that includes an organization's user account management guidelines.
back-out contingency plan
A documented plan that includes specific procedures and processes that are applied in the event that a change or modification made to a system must be undone.
Global Catalog Server
A domain controller that also contains a subset of Active Directory Domain Services objects from other domains in the forest.
802.11
A family of specifications developed by the IEEE for wireless LAN technology.
802.11a
A fast, secure, but relatively expensive protocol for wireless communication. It supports speeds up to 54 Mbps in the 5 GHz frequency.
DLL (Dynamic Link Library)
A file of executable functions or data that can be used by a Windows application. Typically, a DLL provides one or more particular functions, and a program accesses the functions by creating links to the DLL.
archive bit
A file property that essentially indicates whether the file has been modified since the last back up.
web application-based firewalls
A firewall that is deployed to secure an organization's web-based applications and transactions from attackers.
IPv6 header
A fixed size of 40 Bytes.
vulnerability
A flaw or weakness that allows a threat agent to bypass security.
man-in-the-middle attack
A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.
Fibre Channel
A form of network data storage solution or network that allows for high-speed file transfers at upward of 16 Gbps
Whaling
A form of spear phishing that targets the wealthy.
security policy
A formalized statement that defines how security will be implemented within a particular organization.
GPG (GNU Privacy Guard)
A free open-source version of PGP that provides the equivalent encryption and authentication services.
Windows Update for Business
A free service for Windows 10 Pro, Enterprise, and Education editions that can provide updates to your users based on distribution rings
Blowfish
A freely available 64-bit block cipher algorithm that uses a variable key length.
hot site
A fully configured alternate network that can be online quickly after a disaster.
Trapdoor Function
A function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the "trapdoor."
data
A general term for the information assets of a person or organization. In a computer system, data is generally stored in files.
recovery team
A group of designated individuals who implement recovery procedures and control the recovery operations in the event of an internal or external disruption to critical business processes.
Red Team
A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The Red Team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
distribution group
A group used only for non-security functions, such as distributing email; cannot be assigned permissions
hacktivist
A hacker motivated by the desire for social change.
cyberterrorist
A hacker that disrupts computer systems in order to spread fear and panic.
white hat
A hacker who exposes security flaws in applications and operating systems with an organization's consent so that they can fix them before the problems become widespread.
grey hat
A hacker who exposes security flaws in applications and operating systems without consent, and does so for the greater good instead of maliciously.
Black hat
A hacker who exposes vulnerabilities for financial gain or for some malicious purpose.
zero day exploit
A hacking attack that occurs immediately after a vulnerability is identified, when the security level is at its lowest.
network-based firewalls
A hardware / software combination that protects all the computers on a network behind the firewall.
MAC address
A hardware address of 48 bits; a unique identifier, similar to a serial number, assigned to networking equipment at the time of manufacture; Media Access Control; aka Ethernet address; first half identifies the vendor, second half the NIC; Layer 2
SHA (Secure Hash Algorithm)
A hash algorithm modeled after MD5 and considered the stronger of the two because it produces a 160-bit hash value.
tarpit
A honeypot that answers connection requests in such a way that the attacking computer is "stuck" for a period of time. Considered 'aggressive' defense: uses TCP flow control to set the window size low (down to 0) to keep the connection open and consume the attacker's resources
tailgating
A human-based attack where the attacker will slip in through a secure area following a legitimate employee.
guessing
A human-based attack where the goal is to guess a password or PIN through brute force means or by using deduction.
shoulder surfing
A human-based attack where the goal is to look over the shoulder of an individual as he or she enters password information or a PIN.
dumpster diving
A human-based attack where the goal is to reclaim important information by inspecting the contents of trash containers.
spoofing
A human-based or software-based attack where the goal is to pretend to be someone else for the purpose of identity concealment. Spoofing can occur in IP addresses, MAC addresses, and email.
Multipartite
A hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files or vice versa
PBKDF2 (Password-Based Key Derivation Function 2)
A key derivation function used in key stretching to make potentially weak cryptographic keys such as passwords less susceptible to brute force attacks.
Ephemeral Key
A key generated at the time of need for use in a short or temporary time frame.
bcrypt
A key-derivation function based on the Blowfish cipher algorithm.
CRL (Certificate Revocation List)
A list of certificates that are no longer valid.
Load Balancing
A load balancer is used to spread or distribute network traffic load across several network links or network devices
warm site
A location that is dormant or performs non critical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.
subnet
A logical subset of a larger network, created by an administrator to improve network performance or to provide security.
superuser account
A login account that allows essentially unrestricted access to the application; UID of 0
Loop Protection
A major feature in Layer 2 managed switches is the Spanning Tree Protocol. Multiple active paths between stations cause loops in the network.
M of N scheme
A mathematical control that takes into account the total number of key recovery agents (N) along with the number of agents required to perform a key recovery (M).
Port Address Translation (PAT)
A means of translation between ports on a public and private network. Ports are selected at random for each inside address which generates a request
backdoor
A mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication.
Exploit
A mechanism of taking advantage of an identified vulnerability
API (application programming interface)
A mechanism that defines how software elements interact with each other.
RIPEMD (RACE Integrity Primitives Evaluation Message Digest)
A message digest algorithm that is based on the design principles used in MD4.
CSR (certificate signing request)
A message sent to a certificate authority in which a resource applies for a certificate.
key escrow
A method for backing up private keys to protect them while allowing trusted third parties to access the keys under certain conditions.
ARP poisoning
A method in which an attacker, with access to the target network, redirects an IP address to the MAC address of a computer that is not the intended recipient.
OSI model (Open Systems Interconnection model)
A method of abstracting how different layers of a network structure interact with one another.
cloud computing
A method of computing that relies on the Internet to provide the resources, software, data, and media needs of a user, business, or organization.
penetration test
A method of evaluating security by simulating an attack on a system.
LDAPS (Lightweight Directory Access Protocol Secure)
A method of implementing LDAP using SSL/TLS encryption.
lockout
A method of restricting access to data on a device without deleting that data.
PGP (Pretty Good Privacy)
A method of securing emails created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography.
protected distribution
A method of securing the physical cabling of a communications infrastructure.
media
A method that connects devices to the network and carries data between devices.
IaaS (Infrastructure as a Service)
A method that uses the cloud to provide any or all infrastructure needs.
PaaS (Platform as a Service)
A method that uses the cloud to provide any platform-type services.
SaaS (Software as a Service)
A method that uses the cloud to provide applications services to users.
bluejacking
A method used by attackers to send out unwanted Bluetooth signals from smartphones, mobile phone, tablets, and laptops to other Bluetooth-enabled devices.
data wiping
A method used to remove any sensitive data from a mobile device and permanently delete it.
HMAC (Hash-based Message Authentication Code)
A method used to verify both the integrity and authenticity of a message by combining cryptographic hash functions, such as MD5 or SHA-1, with a secret key.
hot and cold aisle
A method used within data centers and server rooms as a temperature and humidity control method.
Redundant Servers
A mirror or duplicate of a primary server that receives all data changes immediately after they are made on the primary server
NFC (Near Field Communication)
A mobile device communication standard that operates at very short range, often through physical contact.
network tap
A monitoring device installed inline with network traffic. A network tap usually has three ports: two ports to send and receive all traffic and a third port that mirrors the traffic, sending it to a computer running monitoring software in promiscuous mode.
behavior-based monitoring
A monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.
anomaly-based monitoring
A monitoring system that uses a database of unacceptable traffic patterns identified by analyzing traffic flows.
signature-based monitoring
A monitoring system that uses a predefined set of rules provided by a software vendor to identify traffic that is unacceptable.
heuristic monitoring
A monitoring system that uses known best practices and characteristics in order to identify and fix issues within the network.
Secure Shell (SSH) Connections
A more secure replacement for the common command line terminal utilities Telnet and FTP. Allows you to securely remote into a router.
Triple DES (3DES)
A more-secure variant of DES that repeatedly encodes the message using three separate DES keys; 16 rounds per pass
Motion Detection
A motion detector, or motion sensor, is a device that senses movement or sound in a specific area
DoS attack (Denial of Service attack)
A network attack in which an attacker disables systems that provide network services by consuming a network link's available bandwidth, consuming a single system's available resources, or exploiting programming flaws in an application or operating system.
DDoS attack (Distributed Denial of Service attack)
A network attack in which an attacker hijacks or manipulates multiple computers (through the use of zombies or drones) on disparate networks to carry out a DoS attack.
eavesdropping attack
A network attack that uses special monitoring software to gain access to private communications on the network wire or across a wireless network. Also known as a sniffing attack.
sniffing attack (eavesdropping)
A network attack that uses special monitoring software to gain access to private communications on the network wire or across a wireless network. Also known as an eavesdropping attack.
DMZ
A network between the internal network and the Internet with a firewall on both sides.
application aware device
A network device that manages information about any application that connects to it.
load balancer
A network device that performs load balancing as its primary function.
directory service
A network service that stores identity information about all the objects in a particular network, including users, groups, server, client computers, and printers.
P2P (peer-to-peer)
A network that has a broadcast application architecture that distributes tasks between peer systems who have equal privileges, and in which resource sharing, processing, and communications controls are decentralized.
nmap
A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.
netcat
A network utility program that reads from and writes to network connections. Connects to TCP and UDP ports, transmits files, executes commands.
Read-Only Domain Controller (RODC)
A new feature of Active Directory Domain Services in Windows Server 2008 that provides the same authentication and authorization services as a standard domain controller, but administrators cannot make changes on it directly. No multi-master replication
upgrade
A new version (Win 7 - 10) or edition (Pro - Enterprise) of a software program that includes new features or a change in the software design.
Rule-Based Access Control
A non-discretionary access control technique that is based on a set of operational rules or restrictions.
TCP/IP (Transmission Control Protocol / Internet Protocol)
A non-proprietary, routable network protocol suite that enables computers to communicate over all types of networks.
hash
A number generated by an algorithm from a text string. Also known as a message digest. Hashing is based on a file's binary composition, not its viewable ASCII characters.
Passive fingerprinting
A passive method of identifying the OS of a targeted computer or device. No traffic or packets are injected into the network; attackers simply listen to and analyze existing traffic.
OTP (one-time password)
A password that is generated for use in one specific session and becomes invalid after the session ends.
strong password
A password that meets the complexity requirements that are set by a system administrator and documented in a password policy.
hotfix
A patch that is often issued on an emergency basis to address a specific security flaw.
Penetration Testing
A penetration test seeks to exploit vulnerabilities
mantrap
A physical security control system that has a door at each end of a secure chamber.
logic bomb
A piece of code that sits dormant on a target computer until it is triggered by the occurrence of specific conditions, such as a specific date and time. Once the code is triggered, the logic bomb "detonates," performing whatever action it was programmed to do.
device
A piece of hardware such as a computer, server, printer, or smartphone.
succession plan
A plan that ensures that all key business personnel have one or more designated backups who can perform critical functions when needed.
continuity of operations plan
A plan that includes best practices to mitigate risks and attacks and the best measures to recover from an incident.
Disaster Recovery Plan (DRP)
A plan that prepares (reactive) an organization to react appropriately if the worst were to happen.
DRP (disaster recovery plan)
A plan that prepares the organization to react appropriately in a natural or man-made disaster and provides the means to recover from a disaster.
VLAN (virtual local area network)
A point-to-point physical network that is created by grouping selected hosts together, regardless of their physical location.
BCP (business continuity plan)
A policy that defines how normal day-to-day business will be maintained in the event of a business disruption or crisis.
802.1x
A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.
cold site
A predetermined alternate location where a network can be rebuilt after a disaster.
VPN (Virtual private network)
A private network that is configured within a public network, such as the Internet.
Fuzzing
A process by which semi-random data is injected into a program or protocol stack to detect bugs, looking for something out of the ordinary. It checks to see whether common errors will crash a certain program/application.
bluesnarfing
A process in which attackers gain access to unauthorized information on a wireless device using a Bluetooth connection.
Viruses
A program or piece of code that runs on your computer without your knowledge. Replicates when an infected file is executed or launched; requires action on the user's part.
drive-by download
A program that is automatically installed on a computer when you access a malicious site, even without clicking a link or giving consent.
anti-spam
A program that will detect specific words that are commonly used in spam messages.
SQL (Structured Query Language)
A programming and query language common to many large-scale database systems.
perfect forward secrecy
A property of public key cryptographic systems that ensures that any session key derived from a set of long-term keys cannot be compromised if one of the keys is compromised at a future date.
WAP (Wireless Application Protocol)
A protocol designed to transmit data such as web pages, email, and newsgroup postings to and from wireless devices such as mobile phones, smartphones, and tablets over very long distances, and display the data on small screens in a web-like interface.
SSH (Secure Shell)
A protocol for secure remote logon and secure transfer of data.
FTPS (File Transfer Protocol Secure)
A protocol that combines the use of FTP with additional support for TLS and SSL.
HTTP (Hypertext Transfer Protocol)
A protocol that defines the interaction between a web server and a browser.
Fiber Channel
A protocol that implements links between data storage networks using special-purpose cabling to increase performance and reliability.
iSCSI (Internet Small Computer System Interface)
A protocol that implements the links between data storage networks using IP.
SCP (Secure Copy Protocol)
A protocol that is used to securely transfer computer files between a local and remote host, or between two remote hosts, using SSH.
SSTP (Secure Socket Tunneling Protocol)
A protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header.
Internet Control Message Protocol (ICMP)
A protocol used to test for connectivity and search for configuration errors in a network (e.g., Ping, Tracert).
DHCP (Dynamic Host Configuration Protocol)
A protocol used to automatically assign IP addressing information to IP network devices.
Elliptic Curve Cryptography
A public-key cryptosystem based upon complex mathematical structures. Used for mobile and wireless devices. Faster and consumes fewer resources. A 160-bit key is equivalent to a 1024-bit RSA key.
high availability
A rating that expresses how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.
log
A record of significant events. In computing, it is using an operating system or application to record data about activity on a computer.
Single Sign-On SSO
A relationship between the client and the network wherein the client is allowed to log on one time.
SQL Database
A relational, table-based structuring scheme used in databases. Brings everything that is true and presents it to you.
S-box
A relatively complex key algorithm that when given the key, provides a substitution key in its place.
stream cipher
A relatively fast type of encryption that encrypts data one bit at a time.
PAP (Password Authentication Protocol)
A remote access authentication service that sends user IDs and passwords as cleartext.
Replay attacks
A replay attack is the retransmission of captured communications in the hope of gaining access to the targeted system.
private root CA
A root CA that is created by a company for use primarily within the company itself.
public root CA
A root CA that is created by a vendor for general access by the public.
ping sweep
A scan of a range of IP addresses to locate active hosts within the range.
key storage
A secure repository for key assignment records.
FTP over SSH
A secure version of FTP that uses an SSH tunnel to encrypt files in transit. SFTP.
HTTPS (Hypertext Transfer Protocol Secure)
A secure version of HTTP that supports e-commerce by providing a secure connection between a web browser and a server.
Principle of Least Privilege
A security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job.
mutual authentication
A security mechanism that requires that each party in a communication verifies its identity.
Application Whitelisting
A security option that prohibits unauthorized software from being able to execute. Approves what may run on a device; everything else is denied by default.
TKIP (Temporal Key Integrity Protocol)
A security protocol created by the IEEE 802.11i task group to replace WEP.
TLS (Transport Layer Security)
A security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection.
SSL (Secure Sockets Layer)
A security protocol that uses certificates for authentication and encryption to protect web communication.
hardening
A security technique in which the default configuration of a system is altered to protect the system against attacks.
encryption
A security technique that converts data from plain, or cleartext form, into coded, or ciphertext form so that only authorized parties with the necessary decryption information can decode and read the data.
honeypot
A security tool used to lure attackers away from the actual network components. Also called a decoy or sacrificial lamb.
virus
A self-replicating piece of code that spreads from computer to computer by attaching itself to different files.
worm
A self-replicating piece of code that spreads from computer to computer without attaching to different files.
Password Policy
A series of Group Policy settings that determine password security requirements, such as length, complexity, and age.
RC (Rivest Cipher)
A series of variable key-length symmetric encryption algorithms developed by Ronald Rivest.
CA (Certificate Authority)
A server that can issue digital certificates and the associated public/private key pairs.
botnet
A set of computers that has been infected by a control program called a bot, which enables attackers to exploit the computers to mount attacks.
IPSec (Internet Protocol Security)
A set of open, non-proprietary standards that you can use to secure data through authentication and encryption as the data travels across the network or the Internet.
PKCS (Public Key Cryptography Standards)
A set of protocol standards developed by a consortium of vendors to send information over the Internet in a secure manner using a PKI.
protocol
A set of rules governing the exchange or transmission of data between devices. Protocols standardize the communication format, specify order and timing, and determine meaning.
schema
A set of rules in a directory service for how objects are created and what their characteristics can be.
RAID (Redundant Array of Independent Disks)
A set of vendor-independent specifications for fault tolerant configurations on multiple-disk systems.
Bluetooth
A short-range wireless radio network transmission medium usually used between two personal devices, such as between a mobile phone and wireless headset.
NAT (Network Address Translation)
A simple form of Internet security that conceals the internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.
LDAP (Lightweight Directory Access Protocol)
A simple network protocol used to access network directory databases, which store information about authorized users and their privileges as well as other organizational information.
NetBIOS
A simple, broadcast-based naming service.
CA hierarchy
A single CA or group of CAs that work together to issue digital certificates.
VPN concentrator
A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels.
Hierarchical CA Model
A single group of CAs that work together to issue digital certificates. Think of it as a platoon Sergeant who issues objectives to different teams.
all-in-one-security appliance
A single network device that is used to perform a number of security functions to secure a network.
session key
A single-use symmetric key used in encrypting messages that are in a series of related communications.
computer forensics
A skill that deals with collecting and analyzing data from storage devices, computer systems, networks, and wireless communications and presenting this information as a form of evidence in a court of law.
DMZ
A small network between the internal network and the Internet that provides a layer of security and privacy.
cookie
A small piece of text saved on a computer by a web browser that consists of one or more name-value pairs holding bits of information useful in remembering user preferences.
DMZ (demilitarized zone)
A small section of a private network that is located between two firewalls and made available for public access.
patch
A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.
IP address
A software address, Internet Protocol; a unique string of numbers separated by periods that identifies each computer on a network; 32 bits / 4 bytes; NET_ID / HOST_ID
IDS (intrusion detection system)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
firewall
A software or hardware device that protects a system or network by blocking unwanted network traffic.
web security gateway
A software program used primarily to block Internet access to a predefined list of websites or category of websites within an organization or business.
security incident
A specific instance of a risk event occurring whether or not it causes damage.
Keys
A specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption.
Ciphers
A specific set of actions used to encrypt data.
802.11g
A specification for wireless data throughput at the rate of up to 54 Mbps in the 2.4 GHz band that is a potential replacement for 802.11b.
TPM (Trusted Platform Module)
A specification that includes the use of cryptoprocessors to create a secure computing environment.
RADIUS (Remote Authentication Dial-In User Service)
A standard protocol for providing centralized authentication and authorization services for remote users.
Office 365
A subscription service that offers online apps and storage in OneDrive. The license is based on the user, not the device.
AES (Advanced Encryption Standard)
A symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.
3DES Triple Data Encryption Standard
A symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks.
DES (Data Encryption Standard)
A symmetric encryption algorithm that encrypts data in 64-bit blocks using a 56-bit key, with 8 bits used for parity.
Twofish
A symmetric key block cipher, similar to Blowfish, consisting of a block size of 128 bits and key sizes up to 256 bits.
Public Key Infrastructure (PKI)
A system composed of: Certificate Authority (CA), Registration Authority, Certificates (OCSP), Certificate Revocation List (CRL).
RBAC (Role-Based Access Control)
A system in which access is controlled based on a user's role. Users are assigned to roles, and network objects are configured to allow access only to specific roles. Roles are created independently of user accounts.
MAC (Mandatory Access Control)
A system in which objects (files and other resources) are assigned security labels of varying levels, depending on the object's sensitivity. Users are assigned a security level or clearance, and when they try to access an object, their clearance is compared to the object's security label. If there is a match, the user can access the object; if there is no match the user is denied access.
environmental controls
A system or device that is implemented to prevent or control environmental exposures or threats.
HVAC system (Heating, ventilation, and air conditioning)
A system that controls the air quality and flow inside a building.
PKI (Public Key Infrastructure)
A system that is composed of a CA, certificates, software, services, and other cryptographic components, for the purpose of enabling authenticity and validation of data and/or entities.
proxy server
A system that isolates internal networks from the Internet by downloading and storing Internet files on behalf of internal clients.
certificate management system
A system that provides the software tools to perform the day-to-day functions of a PKI.
WIDS (wireless intrusion detection system)
A system that uses passive hardware sensors to monitor traffic on a specific segment of a wireless network.
NIDS (network intrusion detection system)
A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.
Active Asset Tracking (MOBILE DEVICES)
A system will push out a request for the device to respond.
change management
A systematic way of approving and executing change in order to ensure maximum security, stability, and availability of information technology services.
Tabletop Exercises
A tabletop exercise is a discussion meeting focused on a potential emergency event.
Spear Phishing
A targeted version of phishing. It involves going after a smaller group or specific individual.
router redundancy
A technique for employing multiple routers in teams to limit the risk of routing failure should a router malfunction.
Frequency Analysis
A technique that is based on how frequently certain letters appear in English versus others.
key stretching
A technique that strengthens potentially weak cryptographic keys, such as passwords or passphrases created by people, against brute force attacks.
IV (initialization vector)
A technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption.
Attack
A technique used to exploit a vulnerability.
attackers
A term for users who gain unauthorized access to computers and networks for malicious purposes.
VoIP (Voice over IP)
A term used for a technology that enables you to deliver telephony communications over a network by using the IP protocol.
black box test
A test in which the tester is given no information about the system being tested.
white box test
A test in which the tester knows about all aspects of the systems and understands the function and design of the system before the test is conducted.
grey box test
A test in which the tester may have knowledge of internal architectures and systems, or other preliminary information about the system being tested.
fuzzing
A testing method used to identify vulnerabilities and weaknesses in applications by sending the application a range of random or unusual input data and noting failures and crashes.
key escrow agent
A third party that maintains a backup copy of private keys.
malicious insider threat
A threat originating from an employee in an organization who performs malicious acts, such as deleting critical information or sharing this critical information with outsiders, which may result in a certain amount of loss to the organization.
Hoaxes
A threat that doesn't really exist. Can consume a lot of resources.
flood guard
A tool used by network administrators and security professionals to protect resources from flooding attacks, such as DDoS attacks.
symmetric encryption
A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.
asymmetric encryption
A two-way encryption scheme that uses paired private and public keys.
UDP flood
A type of DoS attack in which the attacker attempts to overwhelm the target system with UDP ping requests. Often the source IP address is spoofed, creating a DoS condition for the spoofed IP.
SYN flood
A type of DoS attack in which the attacker sends multiple SYN messages initializing TCP connections with a target host.
buffer overflow
A type of DoS attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for the buffer.
permanent DoS attack
A type of DoS attack that targets the hardware of a system in order to make recovery more difficult. (phlashing)
reflected DoS attack
A type of DoS attack that uses a forged source IP address when sending requests to a large number of computers. This causes those systems to send a reply to the target system causing a DoS condition.
SYN flood
A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service.
ICMP flood
A type of DoS attack that exploits weaknesses in ICMP. Specific attacks include Smurf attacks and ping floods.
site-to-site VPN
A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over a tunnel with other VPN gateways. Meanwhile, clients, servers, and other hosts on a site-to-site VPN communicate with the VPN gateway.
XSRF (cross-site request forgery)
A type of application attack where an attacker takes advantage of the trust established between an authorized user of a website and the website itself.
XSS (cross-site scripting)
A type of application attack where the attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users.
backdoor attack
A type of attack where the attacker creates a software mechanism to gain access to a system and its resources. This can involve software or a bogus user account.
social engineering attack
A type of attack where the goal is to obtain sensitive data, including user names and passwords, from network users through deception and trickery.
keystroke authentication
A type of authentication that relies on detailed information that describes exactly when a keyboard key is pressed and released as someone types information into a computer or other electronic device.
IM (instant messaging)
A type of communication service which involves a private dialogue between two persons via instant text-based messages over the Internet.
phishing
A type of email-based social engineering attack, in which the attacker sends email from a spoofed source, such as a bank, to try to elicit private information from the victim.
quantum cryptography
A type of encryption based on quantum communication and quantum computation.
SCADA system (supervisory control and data acquisition)
A type of industrial control system that monitors and controls industrial processes such as manufacturing and fabrication, infrastructure processes such as power transmission and distribution, and facility processes such as energy consumption and HVAC systems.
replay attack
A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network.
dictionary attack
A type of password attack that automates password guessing by comparing encrypted passwords against a predetermined list of possible password values.
birthday attack
A type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.
brute force attack
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to try cracking encrypted passwords.
takeover attack
A type of software attack where an attacker gains access to a remote host and takes control of the system.
malicious code attack
A type of software attack where an attacker inserts malicious software into a user's system.
password stealer
A type of software that can capture all passwords and user names entered into the IM application or social networking site that it was designed for.
impersonation
A type of spoofing in which an attacker pretends to be someone they are not, typically an average user in distress or a help desk representative.
block cipher
A type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but also slower, than stream ciphers.
MAC address (Media Access Control address)
A unique physical address assigned to each network adapter board at the time of manufacture.
User Acceptance
A user needs to sign this prior to onboarding their device within the enterprise. The User Acceptance will cover restrictions, security settings, and MDM tracking.
cracker
A user who breaks encryption codes, defeats software copy protections, or specializes in breaking into systems.
System Restore
A utility in Windows that restores system settings to a specific previous date when everything was working properly. Returns to a 'restore point' using snapshots.
PATH variable
A variable that stores a list of directories that will be searched in order when commands are executed without an absolute or relative pathname.
BSD (Berkeley Software Distribution)
A version of UNIX developed out of the original UNIX source code and given free to the University of California at Berkeley by AT&T.
Cloud Computing
A very general term which describes anything that involves delivering hosted computing services over the Internet. It is a hard drive which you save stuff to over the Internet.
Logic Bombs
A virus designed to execute malicious actions when a certain event occurs or time goes by.
polymorphic malware
A virus that is able to alter its decryption module each time it infects a new file.
armored virus
A virus that is able to conceal its location or otherwise render itself harder to detect by anti-malware programs.
captive portal
A web page that a client is automatically directed to when connecting to a network, usually through public Wi-Fi.
XML (eXtensible Markup Language)
A widely adopted markup language used in many documents, websites, and web applications.
pop-up
A window or frame that loads and appears automatically when a user connects to a particular web page.
802.11ac
A wireless communication protocol that improves upon 802.11n by adding wider channels to increase bandwidth.
WPA (Wi-Fi Protected Access)
A wireless encryption protocol that generates a 128-bit key for each packet sent. Superseded by WPA2.
802.11b
A wireless network standard that uses the 2.4 GHz band at a speed of up to 10 Mbps. (13)
802.11n
A wireless standard for home and business implementations that adds QoS features and multimedia support to 802.11a and 802.11b.
Access Control List
ACL; in Windows, a list of permissions based on user and group SIDs.
FVEK
AES 128- or 256-bit key that encrypts and decrypts all sectors on a BitLocker-protected drive.
attack back
AKA active defense (retaliation). Legal concerns are great. AKA 'offensive countermeasures'. Must have attribution.
Windows on ARM
ARM platform: medical devices, GPS, mobile; lower power, less heat, more battery life.
ARP Poisoning
ARP does not require any type of validation; as ARP requests are sent, the requesting devices believe that the incoming ARP replies are from the correct devices.
ARP Poisoning Attack
During an ARP poisoning attack, some Ethernet switches flood the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on VoIP traffic.
pfirewall.log
ASCII text file for writing Windows Firewall log data; 32 MB maximum.
Router Access Control List
Ability to filter packets by source address, destination address, protocol, or port.
ACE
Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS. If there is a conflict, DENY applies. Gray-checked: inherited; solid-checked: explicit to object; C: explicit only. Inheritance is NOT mandatory.
Role-Based Access Control
Access control based on a user's role. What role do you have? Are you the proper member of that group to inherit those rights?
Rule-Based Access Control
Access control list based on a set of rules. Non-Discretionary.
transitive access
Access given to certain members in an organization to use data on a system without the need for authenticating themselves.
AP
Access point, short for wireless access point (WAP). APs provide wireless clients with access to a wired network. Many APs support isolation mode to segment wireless users from other wireless users.
Brute Force
Accomplished by applying every possible combination of characters that could be the key. 100% successful; time is the factor.
ACK
Acknowledgment TCP flag; set on all headers after the connection is established.
ADFS
Active Directory Federation Services installed on Windows Server to provide users with SSO access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity.
Malicious add-ons
Active content within websites offers an attractive attack space for aggressors, who might craft special "drivers" required for content access that are in fact Trojans or other forms of malware.
Cross-Site Scripting
Adding a script that executes when users access the page and then attacks other websites on the user's behalf. Can be used to get personal data with this method because the user is trusted.
ARP
Address Resolution Protocol. An Internet protocol used to map an IP address to a MAC address. Defined in RFC 826.
ASLR
Address space layout randomization randomizes memory addresses in use, which can help ensure that an attacker cannot predict where their shellcode will reside within memory in order to execute it. Can be bypassed by using a technique known as egg-hunting, which involves executing a code stub that will identify where the attacker's malicious payload is located within memory.
Reporting
After containment has been established, the incident response team will fully document the incident and make recommendations about how to improve the environment to prevent recurrence.
Hashing
Algorithm to provide a message digest.
Key Management (MOBILE DEVICES)
Algorithms need to be strong. Always a concern when cryptography is involved.
Differential Backup
All selected files that have changed since the last full backup are backed up.
Unified Threat Management Device (UTM)
All-in-one appliance that has a web security gateway, URL filter, and malware inspection filter.
Guards
All physical security controls, whether static deterrents or active detection and surveillance mechanisms, ultimately rely on personnel to intervene and stop actual intrusions and attacks.
Access Lists
All secure entry points should have a readily available access list providing the permitted personnel and a black list, if applicable. The use of a black list can aid in the apprehension of suspects.
Incremental Backup
All selected files that have changed since the last full or differential backup are backed up.
Authenticated Users group
All user accounts that have been authenticated to access the system except the Guest account. Compare to anonymous users. Have read and execute rights.
Infrastructure-as-a-Service (IaaS)
Allow the client to literally outsource everything that would normally be in a typical IT Department.
VPN
Allows a secure private connection over a public network, using an encrypted 'tunnel'. For example, a remote computer can securely connect to a LAN, as though it were physically connected.
Port Address Translation (PAT)
Allows a single public IP address to host up to 65,536 simultaneous communications from internal clients. Uses TCP port numbers to host multiple simultaneous communications across each public IP address.
NetBios
Allows applications on separate computers to communicate over LAN.
PaaS
Allows developers to create, test, and run their solutions on a cloud platform without having to purchase or configure the underlying hardware or software.
Domain Name Service (DNS)
Allows hosts to resolve host names (FQDNs) to IP addresses. A critical service that must be protected.
NAT Overloading
Allows many IPs to be mapped to a single IP.
Server clustering
Allows servers to work together to provide access, ensuring minimal data loss from a server failure. Should one of the servers in the cluster fail, the remaining servers, or server, will assume the responsibilities, but with the possibility of decreased performance. The failed server can be repaired/replaced back into the cluster with minimal notice of performance shift.
Windows Event Collector Service
Allows you to configure a single server as a repository of Event Viewer information for multiple computers.
Proximity Readers
Also called "Prox Box". Can be passive, field-powered, or transponder-driven. A token stored in a carried device such as a smart card or security token is used in conjunction with the reader to control access to areas of importance.
Smishing
Also known as SMS phishing; involves using phishing methods through a text message.
Recovery Time Objectives
Amount of time the business can be without the service without incurring significant risks or significant losses.
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
An AES cipher-based encryption protocol used in WPA2 (as of this writing, it has not been cracked in any real-world applications).
Centralized Management
An advantage of virtualizing server, database, and office applications.
OCSP (Online Certificate Status Protocol)
An HTTP-based alternative to a certificate revocation list that checks the status of certificates.
802.1x
An IEEE standard used to provide a port-based authentication mechanism over a LAN or WLAN.
spim
An IM-based attack just like spam but which is propagated through instant messaging instead of through email.
ICMP (Internet Control Message Protocol)
An IP network service that reports on connections between two hosts.
URL shortening service
An Internet service that makes it easier to share links on social networking sites by abbreviating URLs.
IPv6 (IP version 6)
An Internet standard that increases the available pool of IP addresses by implementing a 128-bit binary address space.
IPv4 (IP version 4)
An Internet standard that uses a 32-bit number assigned to a computer on a TCP/IP network.
SAML (Security Assertion Markup Language)
An XML-based data format used to exchange authentication information between a client and a service.
Implicit Deny
An access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access.
NIPS (network intrusion prevention system)
An active, inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
WIPS (wireless intrusion prevention system)
An active, inline security device that monitors suspicious network and/ or system traffic on a wireless network and reacts in real time to block it.
malicious add-on
An add-on that is meant to look like a normal add-on, except that when a user installs it, malicious content will be injected to target the security loopholes that are present in a web browser.
BPA (business partner agreement)
An agreement that defines how a business partnership will be conducted.
ISA (interconnection security agreement)
An agreement that focuses on securing technology in a business relationship.
HOTP (HMAC-based one-time password)
An algorithm that generates a one-time password using a hash-based message authentication code to verify the authenticity of the message.
IT contingency plan
An alternate plan that you can switch over to when faced with an attack or disruption of service.
Key Escrow
An alternative to key backups. Used to store keys securely.
S-HTTP
An alternative to HTTPS which is developed to secure banking transactions
Simple Network Management Protocol (SNMP)
An application layer protocol whose purpose is to collect statistics from TCP/IP Devices. Used to monitor health of networked equipment.
Computer Management Console
An application that provides access to several of the most commonly used administrative tools such as Task Scheduler, Event Viewer, Local Users and Groups, Performance Monitor, Device Manager, Services, and several others. compmgmt.msc; get-help localuser
antivirus software
An application that scans files for executable code that matches specific patterns that are known to be common to viruses.
credential manager
An application that stores passwords in an encrypted database for easy retrieval by the appropriate user.
SNMP (Simple Network Management Protocol)
An application-layer service used to exchange information between network devices.
layered security
An approach to securing systems that incorporates many different avenues of defense.
identity management
An area of information security that is used to identify individuals within a computer system or network.
SSO (single sign-on)
An aspect of privilege management that provides users with one-time authentication to multiple resources, servers, or sites.
vulnerability scan
An assessment that identifies and quantifies weaknesses within a system, but does not test the security features of that system.
key generation
An asymmetric encryption process of generating a public and private key pair using a specific application.
ECC (elliptic curve cryptography)
An asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields.
integer overflow
An attack in which a computed result is too large to fit in its assigned storage space, leading to crashing, corruption, or triggering a buffer overflow.
pharming
An attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.
sinkhole attack
An attack in which all traffic on a wireless network is funneled through a single node.
DNS poisoning
An attack in which an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.
URL hijacking
An attack in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL they enter into a browser is taken to the attacker's website. (typo squatting)
DNS hijacking
An attack in which an attacker sets up a rogue DNS server. This rogue DNS server responds to legitimate requests with IP addresses for malicious or non-existent websites.
ransomware
An attack in which an attacker takes control of a user's system or data and demands a payment for return of that control.
watering hole attack
An attack in which an attacker targets a specific group, discovers which websites that group frequents, then injects those sites with malware. At least one member of the group will be infected, possibly compromising the group itself.
Cross-Site Request Forgery (CSRF)
An attack in which the end user executes unwanted actions on a web application while the user is currently authenticated
packet sniffing
An attack on wireless networks where an attacker captures data and registers data flows in order to analyze what data is contained in a packet.
directory traversal
An attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
arbitrary code execution
An attack that exploits an application's vulnerability into allowing the attacker to execute commands on a user's computer.
clickjacking
An attack that forces a user to unintentionally click a link. An attacker uses opaque layers or multiple transparent layers to trick a user.
SQL injection
An attack that injects an SQL query into the input data directed at a server by accessing the client side of the application.
XML injection
An attack that injects corrupted XML query data so that an attacker can gain access to the XML data structure and input malicious code or read private data.
buffer overflow
An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.
MAC flood
An attack that sends numerous packets to the switch, each of which has a different source MAC address, in an attempt to use up the memory on the switch, so that the switch may downgrade to acting as a hub.
bluejacking
An attack that sends unsolicited messages to Bluetooth-enabled devices.
Directory Traversal
An attack that takes advantage of a vulnerability in the Web application program or the Web server software so that a user can move from the root directory to other restricted directories.
transitive access attack
An attack that takes advantage of the transitive access given in order to steal or destroy data on a system.
hardware attack
An attack that targets a computer's physical components and peripherals, including its hard disk, motherboard, keyboard, network cabling, or smart card reader.
LDAP injection
An attack that targets web-based applications by fabricating LDAP statements that typically are created by user input.
hybrid password attack
An attack that utilizes multiple attack methods, including dictionary, rainbow table, and brute force attacks when trying to crack a password.
cookie manipulation
An attack where an attacker injects a meta tag in an HTTP header making it possible to modify a cookie stored in a browser.
stored attack
An attack where an attacker injects malicious code or links into a website's forums, databases, or other data.
port scanning attack
An attack where an attacker scans your systems to see which ports are listening in an attempt to find a way to gain unauthorized access.
attachment attack
An attack where the attacker can merge malicious software or code into a downloadable file or attachment on an application server so that users download and execute it on client systems.
session hijacking attack
An attack where the attacker exploits a legitimate computer session to obtain unauthorized access to an organization's network or services.
IV attack
An attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.
header manipulation
An attack where the attacker manipulates the header information that is passed between web servers and clients in HTTP requests.
reflected attack
An attack where the attacker poses as a legitimate user and sends information to a web server in the form of a page request or form submission.
Directory Traversal
An attacker tries to gain access to restricted files by traversing through your directories, trying one path after another until one works.
sql injection
An attacker issues a SQL command to a web server as part of the URL or as input to a form on a company's website; web server might pass the command onto the database which then allows potentially anything to be done to the database
Certificate-Based Authentication
An authentication method that uses a certificate instead of a password to establish an entity's identity.
NTLM (NT LAN Manager)
An authentication protocol created by Microsoft for use in its products.
Diameter
An authentication protocol that allows for a variety of connection types, such as wireless.
EAP (Extensible Authentication Protocol)
An authentication protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.
Kerberos
An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users.
Kerberos
An authentication system in which authentication is based on a time-sensitive ticket-granting system. It uses an SSO method where the user enters access credentials that are then passed to the authentication server, which contains the allowed access credentials.
RA (Registration Authority)
An authority in a PKI that processes requests for digital certificates from users.
DoS
An availability attack that consumes resources to the point of exhaustion; Denial of Service; a flood of ICMP requests targeting a router can take down a server.
SFTP (Simple File Transfer Protocol)
An early unsecured file transfer protocol that has since been declared obsolete.
digital certificate
An electronic document that associates credentials with a public key.
hoax
An email-based or web-based attack that tricks the user into performing undesired actions, such as deleting important system files in an attempt to remove a virus, or sending money or important information via email or online forms.
spam
An email-based threat that floods the user's inbox with emails that typically carry unsolicited advertising material for products or other spurious content, and which sometimes deliver viruses. It can also be utilized within social networking sites such as Facebook and Twitter.
tabletop exercise
An emergency planning exercise that enables disaster recovery team members to meet and discuss their roles in emergency situations, as well as their responses in particular situations.
digital signature
An encrypted hash value that is appended to a message to identify the sender and the message.
CHAP (Challenge Handshake Authentication Protocol)
An encrypted remote access authentication method that enables connections from any authentication method requested by the server, except for PAP and SPAP unencrypted authentication.
honeynet
An entire dummy network used to lure attackers.
security architecture review
An evaluation of an organization's current security infrastructure model and security measures.
code reviews
An evaluation used in identifying potential weaknesses in an application.
Threat
An event or action that could potentially result in a security violation
XTACACS
An extension to the original TACACS protocol.
PMI (Privilege Management Infrastructure)
An implementation of a particular set of privilege management technologies.
Compliancy and Security Posture
An important part of the long-term success of a security endeavor. Includes validating compliance and security posture
TOTP (timed HMAC-based one-time password)
An improvement on HOTP that forces one-time passwords to expire after a short period of time.
recovery agent
An individual with the necessary credentials to decrypt files that were encrypted by another user.
script kiddie
An inexperienced hacker with limited technical knowledge who relies on automated tools to hack.
MOU (Memorandum of understanding)
An informal business agreement that is not legally binding and does not involve the exchange of money.
risk
An information security concept that indicates exposure to the chance of damage or loss, and signifies the likelihood of a hazard or dangerous threat.
IPS (intrusion prevention system)
An inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
Initialization Vector (IV) Attack
An input to a cryptographic algorithm, which is essentially a random number. Unique and unpredictable
WPS (Wi-Fi Protected Setup)
An insecure feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN. (Turn this off to increase security)
TFTP (Trivial File Transfer Protocol)
An insecure, limited version of FTP used primarily to automate the process of configuring boot files between computers.
Trojan horse
An insidious type of malware that hides itself on an infected system and can pave the way for a number of other types of attacks.
intrusion
An instance of an attacker accessing your computer system without the authorization to do so.
PowerShell ISE
An integrated scripting environment that includes a text editor.
application whitelisting
An inventory of applications and associated components (libraries, configuration files, etc.) that have been pre-approved and authorized to be active and present on the device.
guideline
An official recommendation or advice that indicates policies, standards, or procedures for how something should be accomplished.
snort
An open source network intrusion detection system (IDS) utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods; can detect data-driven attacks like buffer overflow.
Vulnerability
An opening or weakness
static environment
An operating system or other environment that is not updated or changed.
Security Policy
An organization should have a clear outline that is created by senior management that addresses all areas of security
Acceptable Use Policy (AUP)
An organization's acceptable use policy must provide details that specify what users can do on the network
Advanced Persistent Threat (APT)
An organized group of attackers who are highly motivated, skilled, and patient. They are often sponsored by a government, are focused on a specific target, and will continue attacking for a very long time until they achieve their goal.
policy statement
An outline of the plan for an individual security component.
rogue access point
An unauthorized wireless access point on a corporate or private network, which allows unauthorized individuals to connect to the network.
rogue machine
An unknown or unrecognized device that is connected to a network, often for nefarious purposes.
Implicit Deny
An unwritten access-control entry
Frequency Analysis
Analyzing blocks of an encrypted message to determine if any common patterns exist by using common occurrences in the English language
ARO
Annualized Rate of Occurrence | estimated frequency at which the threat is expected to occur
anomaly analysis based IDS
Anomaly analysis-based IDS looks for changes to the normal patterns of traffic using inclusive analysis, which means the IDS vendor identifies and defines anomalous behavior.
Bcrypt
Another example of a key-stretching technology. It's based on the Blowfish cipher. It uses salting, and it includes an adaptive function to increase iterations over time
TACACS
Another example of an AAA Server. Cisco proprietary. Runs on TCP port 49. Begins with T so TCP port 49. Entire packet is encrypted unlike RADIUS.
subordinate CAs
Any CAs below the root in the hierarchy.
software attack
Any attack that targets software resources, including operating systems, applications, protocols, and files.
multi-factor authentication
Any authentication scheme that requires validation of at least two of the possible authentication factors.
vulnerability
Any condition that leaves a system open to harm.
Hardware
Any element in your IT infrastructure, component in your physical environment, or person on your staff can be a single point of failure
key exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
wireless security
Any method of securing your wireless LAN to prevent unauthorized access and data theft while ensuring that authorized users can connect to the network.
personal identification verification card
Any physical token like a smart card that is used in identification and authentication. (CAC)
multi-function network device
Any piece of network hardware that is meant to perform more than one networking task without having to be reconfigured.
Static IT Environment
Any system that is intended to remain unchanged by users and administrators. The goal is to prevent or at least reduce the possibility of a user implementing change that could result in reduced security or functional operation
attack
Any technique that is used to exploit a vulnerability in any application on a computer system without the authorization to do so.
input validation
Any technique used to ensure that the data entered into a field or variable in an application is within acceptable bounds for the object that will receive the data.
password attack
Any type of attack in which the attacker attempts to obtain and make use of passwords illegitimately.
resource
Any virtual or physical components of a system that have limited availability. A physical resource can be any device connected directly to a computer system. A virtual resource refers to any type of file, memory location, or network connection.
Provides the rules that indicate how the certificate will be used and its purpose
Anything that was taken away or revoked before its expiration date. Each CA has its own CRL that can be accessed through directory services of the network operating system
Backdoors
Application code functions created intentionally or unintentionally that enable unauthorized access. Often placed through malware.
Wireshark
Application that captures and analyzes network packets; can sniff wired, wifi, VoIP and bluetooth
Key Generation
Application that generates a public and private key pair. The key pair has a mathematical relationship which cannot be spoofed.
Penetration tests
Are almost always considered active
Transitive Trust / Authentication
Are potential backdoor or ways to work around traditional means of access control
Clustering
Array of 4 servers to accomplish one task
Spyware
Associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Key loggers are an example of this
Sniff and Crack
Attack on NTLM (especially v1) where attacker captures traffic, then cracks weakly protected passwords
Zero-day
An attack or threat that tries to exploit computer application vulnerabilities that are unknown to others or to the software developer.
P2P attacks
Attacks that are launched by malware propagating within a P2P architecture to launch DoS attacks.
application attacks
Attacks that are targeted at web-based and other client-server applications.
client-side attacks
Attacks that exploit the trust relationship between a client and the server it connects to.
segmentation fault
Attempt by a program to access memory not its own. A segfault may be caused by dereferencing an uninitialized pointer, going past the end of an array, etc.
Phishing
Attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email
IPSec Security Association SA
Authenticates and negotiates end users and manages secret keys
IPsec Services
Authentication and encapsulation standard is widely used to establish secure VPN communications
Internet Protocol Security (IPsec)
Authentication and encapsulation standard is widely used to establish secure VPN communications
biometrics
Authentication schemes based on individuals' physical characteristics.
Captive Portals
Authentication technique that redirects a newly connected wireless web client to a portal access control page.
XSRF Cross Site Forgery Prevention
Authentications should be protected and encrypted. Technique used to try to act as you and on your behalf.
Mean Time To Restore (MTTR)
Average time that it will take to recover from any failure
BITS
Background Intelligent Transfer Service; runs in background to update Windows; can set up custom groups
Full Backup
Backs up all selected files regardless of the state of the archive bit
Bio-metrics
Based on an individual's physical characteristics. Who you ARE
NoSQL
A NoSQL-based system uses hierarchical structuring rather than a relational structure.
Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)
Basic web connectivity using Hypertext Transport Protocol HTTP. An alternative that involves the use of TLS and SSL
User Rights and Permissions Reviews
Be sure to review user rights and permissions to make sure they meet your needs for confidentiality.
Types of Network Monitoring Systems
Behavior Based, Signature Based, Anomaly-Based and Heuristic.
Data Encryption Standard (DES)
Block cipher; encrypts 64-bit blocks or chunks of data at a time; uses a 56-bit key; the short key length makes it weak.
BNEP
Bluetooth Network Encapsulation Protocol (wifi hotspot)
ports 67 and 68
BOOTP
Grey Hat
Both ethical and unethical at times. A fence sitter.
on-boarding
Bringing new employees or business partners up to speed on security protocols.
Session hijacking
Browser traffic is easily identifiable by an attacker who may elect to hijack legitimate user credentials and session data for unauthorized access to secured resources
WPS attacks
Brute force attacks were used to exploit the access codes used during WPS connection negotiation without the need to physically press the button to connect
Birthday Attack
Built on the premise that if 23 people are in a room, there is a probability that 2 people will have the same birthday
BPA
Business Partners Agreement
BCP
Business continuity plan. Last line of defense: predict and plan for potential outages of critical services or functions. Includes DRP elements to return critical BUSINESS functions to operation. BIA is under BCP and drives decisions to create redundancies such as failover clusters or alternate sites.
CCMP
CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality. Replaced TKIP in WPA.
Polymorphic
Can change form each time it is executed. It was developed to avoid detection by antivirus software
netstat command
Can display a variety of information about IP-based connections on a Windows or UNIX host. -a all ports; -l listening ports; -at all TCP; -au all UDP; -s stats
Proxy Server
Can limit a user's access to external websites
Kerberos
Can prevent man in the middle attacks. A centralized authentication solution. Contains the KDC or Key Distribution Center. Uses TCP Port 88.
Sniffers
Capture network traffic from low level packets. Can be used by network administrators to troubleshoot but can also be used for malicious reasons.
Incident Management
Carried out immediately after a security breach was detected
CSMA / CD
Carrier Sense Multiple Access with Collision Detection. It is the method for multiple hosts to communicate on an Ethernet.
CIS
Center for Internet Security; hardening guides and other tools
Syslog-ng
Centralized syslog collector and syslog replacement
CA
Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.
chgrp
Change group ownership
XSS Prevention
Checks for the input of embedded scripts. Validates the input prior to storing. XSS is when you are on a website and click on a link, and that link then forwards you to a virus.
CDP
Cisco Discovery Protocol; transmits in the clear; manipulation attack; disable this protocol
IOS
Cisco Internetwork Operating System Software that provides the majority of a router's or switch's features, with the hardware providing the remaining features.
LEAP
Cisco Proprietary authentication
LEAP (Lightweight Extensible Authentication Protocol)
Cisco Systems' proprietary EAP implementation.
TACACS+
Cisco's extension to the TACACS protocol that provides multi-factor authentication.
bluetooth classes
Class 1 has a maximum transmission range of 100 meters; Class 2 (the most common) has a range of 10 meters; Class 3 is short range and hardly used at 1 meter. Bluetooth version 1 has a maximum data transfer rate of 721 kb/s; Version 2 is 2.1 Mb/s; Version 3 is 24 Mb/s
Video Surveillance
Closed Circuit Television (CCTV). Often many different cameras networked together.
Private Cloud
Cloud Service within a corporate network isolated from the internet.
Clustering
Clustering means deploying two or more duplicate servers in such a way as to share the workload of a mission-critical application
big data
Collections of data that are so large and complex that they cannot be managed using traditional database management tools.
Hash-Based Message Authentication HMAC
Combines a hash with a secret key
C2
Command and control (by attacker)
airodump-ng
Command used to collect RF; available wireless networks and clients
CIFS
Common Internet File System. TCP port 445; UDP ports 137, 138, 139. Dialect of the Server Message Block (SMB) protocol. Enables the sharing of folders/files, printers and ports over a network.
Availability
Company that purchased an HVAC system is most concerned with this
Signature Based Detection
Compares event patterns against known attack patterns.
Baseline reporting
Compares existing implementations against expected baselines
ZigBee
Competes with Bluetooth in non consumer markets | short-range low-power network technology used for the Internet of Things product tracking etc
IT contingency planning
Component of the Business Continuity Plan (BCP) that specifies alternate IT contingency procedures that you can switch over to when you are faced with an attack or disruption of service leading to a disaster for an organization.
TCP / IP
Comprised of four main protocols: 1) Internet Protocol (IP); 2) Transmission Control Protocol (TCP); 3) User Datagram Protocol (UDP); 4) Internet Control Message Protocol (ICMP)
Standalone Computer
Computer that is not connected to other computers and that uses software applications and data stored on its local disks.
ALE
Concept requires an organization to determine the number of failures per year.
Encryption
Confidentiality
CIA Triad
Confidentiality, Integrity, Availability
CIA
Confidentiality, Integrity, Availability (triad)
CIA triad
Confidentiality, integrity, availability. The three principles of security control and management. Also known as the information security triad or triple.
Windows security policies
Configuration settings within the Windows operating system that control the overall security behavior of the system.
UDP
Connection-less
Architecture Review
Considers the entire system
Cryptosystem
Consists of the algorithm (cipher) and cryptovariable (key), as well as all the possible plaintexts and ciphertexts produced by the cipher and key.
Mitigation steps
Containment prevents the further spread of a problem to other systems
Kerberos ticket
Contains information linking it to the user. User presents ticket to network for a service. Difficult to copy. Expires after a few hours or a day.
/usr/bin
Contains the executable programs installed by your Linux distribution
CFA
Controlled Folder Access; also works as app whitelisting; run in audit-only mode to test
detection controls
Controls that are implemented to monitor a situation or activity, and react to any irregular activities by bringing the issue to the attention of administrators.
prevention controls
Controls that can react to anomalies by blocking access completely, thereby preventing damage to a system, building, or network.
correction controls
Controls that help to mitigate a consequence of a threat or attack from hazardously affecting the computer system.
Port Mirroring/Spanning
Copies the traffic from one, a group, or all ports to a single port and disallows bidirectional traffic on that port. Used to view traffic on other ports in a switched environment.
John the Ripper
Cracks encrypted password files. John's cracking modes: Single Crack Mode (uses variations of account name, GECOS, and more); Wordlist Mode (uses dictionary and hybrid); Incremental Mode (uses brute force guessing); External Mode (uses an external program to generate guesses). John autodetects passwords in: standard and double-length DES; BSDI extended DES; FreeBSD MD5; OpenBSD Blowfish; LANMAN
Mozilla Firefox
Created by Mozilla Corporation. It is a free and open source Web browser and its use has expanded rapidly in recent years. about:config (and other options); ESR versions; supports containers to isolate different activities; UAC compatible
CSC
Critical Security Controls (20); formerly SANS, now maintained by the Center for Internet Security (CIS); generally technical and preferably automated | offense informs defense; automate control; must map to attack
Reporting
Critical to the overall health and security of an organization.
Job Rotation
Cross training
CSRF
Cross-Site Request Forgery--Third-party redirect of static content within the security context of a trusted site.
XSS
Cross-site scripting. Attacker redirects users to malicious websites, steals cookies. E-mail can include an embedded HTML image object or a JavaScript image tag as part of a malicious cross-site scripting attack. Prevent with input validation.
Quantum Cryptography
Cryptography that does not rely upon mathematics
data fragmentation
DDBMS can divide and manage a logical object among various locations under its control
port 53
DNS
port 53 (UDP)
DNS
DNS Attacks
DNS Poisoning and DNS Hijacking
DNS Record Keeping
DNS records are kept in various places depending on the application
RPO Deals with what?
Data Loss
Data Loss Prevention (DLP)
Data Loss Prevention is the idea of systems specifically implemented to detect and prevent unauthorized access
DLP
Data Loss Prevention; Systems that monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed
Sensitivity of Data
Data has different sensitivities
Which is a security risk regarding the use of the public P2P method of collaboration?
Data integrity is susceptible to being compromised
What is a security risk regarding the use of public P2P as a method of collaboration?
Data integrity is susceptible to being compromised.
Data backups
Data ownership needs to be addressed when dealing with backups. Essential to data recovery in the event of loss or corruption.
LSO (locally shared object)
Data stored on a user's computer after visiting a website that uses Adobe Flash Player. These can be used to track a user's activity.
ciphertext
Data that has been encoded with a cipher and is unreadable.
Written Security
Deals with management control
Succession planning
Deals with people. Ensures that all key business personnel have one or more designated back-ups who can perform critical functions when needed
Application Hardening
Default application admin accounts, standard passwords, and common services installed by default should also be reviewed and changed or disabled as required
Layered Security/ Defense in Depth
Defense in depth is the use of multiple types of access controls in literal or theoretical concentric circles or layers.
Purpose of an MOU
Defines onboard/offboard procedures
X.509 Standard
Defines the format of required data for a digital certificate
standards
Definitions of how adherence to a policy will be measured.
DDoS
Denial of service attack committed using many computers, usually zombies on a botnet.
HIPS
Deployed on a machine to prevent malicious code from entering the system.
VPN Concentrators
Deployed where the requirement is for a single device to handle a very large number of VPN tunnels
Application Patch Management
Describes the method for keeping computers up-to-date with new software releases that are developed after an original software product is installed
Temporal Key Integrity Protocol (TKIP)
Designed as the replacement for WEP without requiring replacement of legacy wireless hardware
Intrusion Detection System (IDS)
Designed to analyze data, identify attacks and respond to the intrusion (passive).
DaaS
Desktop as a Service; see AutoPilot
Error and Exception Handling
Determines how your computer handles errors.
PKIX
Develops Internet standards based on X.509
smart cards
Devices similar to credit cards that can store authentication information, such as a user's private key, on an embedded microchip. (CAC)
Soft data
Digital
DFIR
Digital Forensics and Investigation Response
Digital Certificates
Digitally signed block of data by the Issuing CA
Certificates
Digitally signed electronic documents that bind a public key with a user identity.
DMA
Direct memory access (DMA) is a feature that allows memory and controllers (video and network cards) to be accessed without using the CPU.
DAS (Directly attached Storage)
Directly connected
DRP
Disaster recovery plan; part of the BCP. A document designed as a RESPONSE for the tactical recovery of IT systems in the event of disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. Recovered systems are tested before returning them to operation, and this can include a comparison to baselines. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan. (IT focused); usually tactical; response; data center; biz ops; biz location; biz procs.
tcpdump -e
Display Ethernet header data
Denial of Service (DOS)
Disrupts the resources or services that a user would expect to have access to. Taking away something you'd expect to have access to. Overwhelming your computer to shut it down. Ping of death is a DoS attack. Is one-to-one.
separation of duties
Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records. Mitigates fraud.
Data labeling, handling and disposal
Document and label everything. Disposal becomes a legal issue
Financial Server
Does not belong in a DMZ
Perform Routine Audits
Double-checking that policies are being audited. Might need to bring in a third party.
BitLocker Drive Encryption
Drive encryption software offered in high-end versions of Windows. BitLocker requires a special chip to validate hardware status and to ensure that the computer hasn't been hacked. AES 128 or 256.
IPv4 versus IPv6
Due to the increased demand for IP addresses from devices, IPv4 was not able to keep up with such an expansive demand. IPv4 addresses are 32 bits; IPv6 addresses are 128 bits.
NULL algorithm
ESP w/o message encryption
Windows Server sequence
Edition - version - interface (graphical or no) - roles
ECC
Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods
Port Security
Enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port. Disable unused ports.
ESP
Encapsulating Security Payload. IPsec protocol that provides confidentiality through encryption of message contents, but also message integrity and origin authN; can use the NULL algorithm (plaintext).
Block Cipher
Encrypts data in fixed-length blocks (64-bit, 128-bit, 256-bit). Pads the data to fill up a block.
Stream Cipher
Encrypts one bit or byte at a time. High speed.
Session Key
Encrypted key that is used for a communication session, e.g. SSL/TLS.
feature update
Enhancements to the software that provide new or expanded functionality but do not address security vulnerabilities. Requires more testing. Windows 1709 (Sept 2017); released twice a year.
M of N Control
Ensures no single administrator can abuse the key recovery process
Availability
Ensures systems operate continuously and that authorized persons can access the data that they need
Integrity
Ensures that data isn't altered while in transit or while at rest
Confidentiality
Ensures that data remains private while at rest or in motion
Data Loss Prevention (DLP)
Ensuring that data does not get outside of your organization or in the hands of people who should not have access to that data
off-boarding
Ensuring that employees or partners leaving an organization or business relationship do not pose a security risk.
EOI
Event of interest; the IDS decides whether an alert is necessary.
Wi-Fi Protected Access (WPA)
Every packet gets a unique encryption key. Uses the RC4 stream cipher. Two different modes: 1) WPA-PSK, 2) WPA-802.1X.
Public key
Everyone has access to your public key (located on the CA).
ALE (Annual Loss Expectancy)
Expected amount to lose annually from resources failing. Monetary measure of how much loss you can expect in a year. ALE = SLE * ARO
EF
Exposure Factor (0 - 100% asset loss)
Wireless Authentication: EAP
Extensible Authentication Protocol (EAP)
EAP
Extensible Authentication Protocol; use with AD, LDAP and RADIUS
Fibre Channel communication over Ethernet (FCoE)
FCoE is used to encapsulate Fibre Channel communications over Ethernet networks
TCP port 21
FTP File Transfer Protocol
File Transfer Protocol over SSL (FTPS)
FTP is an insecure protocol that sends the username and password in plaintext form. Uses ports 20 and 21.
Fault Tolerance
Fault tolerance is the ability of a system to smoothly handle or respond to failure
FCoE (Fiber Channel over Ethernet)
Fiber Channel implementations that use high-speed Ethernet networks to transmit and store data.
FIC
File Integrity Checking uses crypto hashes to fingerprint files and alert administrators to changes
port 79
Finger (Unix program) (TCP/UDP)
host/personal firewalls
Firewalls installed on a single or home computer.
Firewall
First line of defense for a network. Uses packet filtering but does not inspect the content of packets.
Fencing
First line of defense in physical security. Entry points should be strategically located for both control and safety
Incident Response Team
First people to be contacted in the event of a security breach
Business Impact Analysis (BIA)
Focuses on the relative impact on critical business functions due to the loss of operational capability caused by threats. Used to determine the maximum allowable downtime for any system. Once it has been calculated how much revenue is lost during an outage, the maximum allowable downtime is used to calculate how much downtime an organization can endure before revenue is affected. Useful for developing a disaster recovery plan; however, the calculation of the maximum allowable downtime is mostly used for calculating the Business Impact Analysis.
Tailgating
Following behind someone to gain access to a secured area
Mandatory Vacations
For audits, stress relief and job rotation.
Local Users and Groups
For business and professional editions of Windows, a Windows utility console (lusrmgr.msc) that can be used to manage user accounts and user groups.
Microsoft Cloud Services (categories)
Free, Hybrid, Full
GPG
Free software that is based on the OpenPGP standard, like PGP but using open standards; encrypt / decrypt / sign / verify for confidentiality, integrity and non-repudiation.
FHSS
Frequency-Hopping Spread Spectrum; method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver; many consumer devices in 2.4 GHz
FQDN
Fully Qualified Domain Name. The complete domain name for a host on the internet; consists of the hostname and the domain name. The FQDN for a mail server might be mymail.somecollege.edu: the hostname is mymail, and the host is located within the domain somecollege.edu.
Backup Techniques and Practices
Fundamental to any disaster recovery plan is the need to provide for regular backups of key information. Without a regular backup process, loss of data through accidents or directed attack could severely impair business processes
GPA
GNU Privacy Assistant
GPT
GUID partition table is a newer partition type that is used to create drives larger than 2 TB.
data leakage
Gaining access to data through unintentional methods that could lead to data loss or theft.
Patches
Generally used to add new functionality, update existing code operation, or to extend existing application capabilities. Update compatibility.
First Responders
Get the right people in place
Azure roles
Global Admin; Admin Units (AU), like OUs; login should be through a hardened workstation or VM.
Change Management
Good change management practices can mitigate unintentional internal risks caused by inappropriate alterations to systems, tools, or the environment. Must be approved before any work happens!
Social Media Networks and or Applications
Great risk of exposure or negative reflection upon your organization is involved with social media.
GPMC
Group Policy Management Console; used to edit GPOs on domain controllers.
HEAD / HTTP/1.0
HEAD method is identical to GET except that the server MUST NOT return a message-body in the response
inclusive analysis
HIDS analysis that uses a list of keywords and phrases defining an EOI; alert if the event matches a list entry.
exclusive analysis
HIDS analysis that uses a list of keywords and phrases to ignore; alert if the event does not match a list entry.
procedure
HOW; derived from policy and used for operations, and therefore tactical/operational; mandatory.
port 80
HTTP
POST
HTTP Method submits some data for the server to accept or process.
port 443
HTTPS
Electronic Activists ("Hacktivists")
Hack into government systems; are ideologically driven.
Footprinting
Hacker gathers information that is available.
Enumerating
Hacker tries to gain access to resources or other information such as users, groups, and network shares. May use social engineering
Black Hat
Hacker who exposes vulnerabilities for financial gain or malicious purpose
Collisions
Happen when two messages produce the same hash value
HSM
Hardware Security Module; manages private encryption keys in an HSM hosted at a MS datacenter.
network adapter
Hardware that translates the data between the network and a device.
Proper Lighting
Having well-lit areas near access points can aid cameras and guards alike.
Data Classification
Helps apply proper security control of information
Steganography
Hide data within other data. Embedded in pictures, audio, document files
Mainframe
High-end computer systems used to perform highly complex calculations and provide bulk data processing
Mantraps
Holding area between two entry points that gives security personnel time to view a person before allowing access
HIPS
Host-Based Intrusion Prevention System. A security application designed to monitor and analyze the local computer system for malicious or anomalous activity. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, which are restricted to a passive response (such as recording an event or sending a notification to the manager's console), intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected by terminating processes or sessions, or by implementing network configuration changes on the fly (e.g. instructing a firewall to reject IP traffic from a certain address).
Samhain
Host-based intrusion detection system (HIDS) for file integrity checking; can centrally monitor logs.
HIDS
Host-based intrusion detection system. An IDS used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files.
ARO (annual rate of occurrence)
How many times per year a particular loss is expected to occur.
Measure Risks
How much is this going to affect my operations and what my cost vs risk is going to be
AGULP
How privileges and permissions should be applied: Accounts (AD, person = acct), Global Groups (domain, RBAC); inner Universal Groups - forest; inner Local Groups - outer Permissions & Rights (up); inheritance is outer to inner.
HVAC
Humidity and temperature control. Overcooling causes condensation on equipment.
HTML
Hypertext Markup Language, a standardized system for tagging text files to display data
HTTP
Hypertext Transfer Protocol; stateless; header
Firewall Benefits
ID; protection; NAT; detection
false positive
IDS alert with no malicious activity; the analyst interprets it.
false negative
IDS fails to detect malicious activity; no alert for a real threat.
true negative
IDS functions as designed; anomalous activity detected; alert is generated for the analyst.
true positive
IDS functions as designed; anomalous activity detected; alert is generated for the analyst.
Alarms
IDSs are systems designed to detect an attempted intrusion, breach or attack. Physical IDSs, known as burglar alarms, detect unauthorized activities and notify the authorities
SAM
IIS user account database for authN if AD is not used.
ISAKMP
IKE uses Internet Security Association and Key Management Protocol for key management
Oakley
IKE uses this protocol for key exchange
footprinting (authN)
IP, software / signature / system config used to ascertain the identity of the user or device requesting access.
AH (IPsec)
IPsec Authentication Header adds a keyed-hash authN Integrity Check Value (ICV) to each packet to validate origin; does not provide confidentiality but protects against replay.
Internet Protocol Security (IPsec)
IPsec provides security for the Internet Protocol (IP) via its open framework.
Private cloud (internal or corporate cloud)
IT infrastructures that can be accessed only by a single entity or by an exclusive group of related entities that share the same purpose
Whaling
Identical to spear phishing except for the "size of the fish". Goes after high profile targets.
IAAA
Identification, authentication, authorization, accountability
Incident handling phase 2
Identification; alert early, assign a primary handler, identify witnesses, legal?
Risk Acceptance
Identifying residual risk is most important to this concept
Risk Mitigation
Identifying residual risk is most important to this concept
Windows Recovery Environment
If a Windows 8 computer fails to start, or if it crashes repeatedly, a technician can launch this, which is simply another name given to Windows PE on a computer with Windows 8 already installed.
Password Policy
Implemented in order to minimize data loss or theft.
physical security controls
Implemented security measures that restrict, detect, and monitor access to specific physical areas or assets.
DAC (Discretionary Access Control)
In DAC, access is controlled based on a user's identity. Objects are configured with a list of users who are allowed access to them. An administrator has the discretion to place the user on the list or not. If a user is on the list, the user is granted access; if the user is not on the list, access is denied.
access control
In IT security terms, the process of determining and assigning privileges to various resources, objects, and data.
authorization
In IT security terms, the process of determining what rights and privileges a particular entity has.
accounting
In IT security terms, the process of tracking and recording system activities and resource access.
MLS
In SELinux, Multi-Level Security uses data classification and access levels; Bell-LaPadula model.
Access Control Lists (ACL)
In a DAC (discretionary access control) access control scheme, this is the list that is associated with each object, specifying the subjects that can access the object and their levels of access.
Barricades
In addition to fencing, are used to control both foot traffic and vehicles
Header Manipulation
In cases where a developer chooses to inspect and use the incoming headers, it is important to note that the headers originate at the client. Changes the header of the packet
strings program
In computer software, strings is a program in Unix-like operating systems that finds and prints text strings embedded in binary files such as executables. It can be used on object files and core dumps.
key
In cryptography, a specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption.
qubit
In quantum cryptography, a unit of data that is encrypted by entangling data with a sub-atomic particle such as a photon or electron that has a particular spin cycle. It is the equivalent of a bit in computing technology.
identification
In security terms, the process of attacking a human element to an authentication.
accountability
In security terms, the process of determining who to hold responsible for a particular activity or event.
authentication
In security terms, the process of validating a particular individual or entity's unique credentials.
evil twin attack
In social networking, an attack where an attacker creates a social network account to impersonate a genuine user, becoming friends with others and joining groups, and thus getting access to various types of personal and professional information. In wireless networking, a type of rogue access point at a public site that is configured to look like a legitimate access point in order to tempt a user to choose to connect to it.
account phishing
In social networking, an attack where an attacker creates an account and gets on the friends list of an individual just to try to obtain information about the individual and their circle of friends or colleagues.
IoC
Indicator of compromise; a data point that is extracted from security data and can be used as a high-fidelity predictor of system compromise; attack signatures, tampered logs, unauthZ access attempts.
Program
Infects an executable program.
IaaS
Infrastructure as a Service. A cloud computing technology useful for heavily utilized systems and networks. Organizations can limit their hardware footprint and personnel costs by renting access to hardware such as servers. Compare to PaaS and SaaS.
Security Posture
Initial baseline configuration, Continuous security monitoring, and remediation.
IV
Initialization vector. An IV provides randomization of encryption keys to help ensure that keys are not reused. WEP was susceptible to IV attacks because it used relatively small IVs. In an IV attack, the attacker uses packet injection, increasing the number of packets to analyze, and discovers the encryption key. WEP IV keyspace is 2^24.
Macro
Inserted into a Microsoft Office document and emailed to unsuspecting users.
SQL injection
Inserts malicious code into strings which are later passed to a database server. The SQL Server then parses and executes this code. This injection looks for a true statement. Tries to attack a database server.
stateful firewall
Inspects traffic leaving the inside network as it goes out to the Internet. Then, when returning traffic from the same session (as identified by source and destination IP addresses and port numbers) attempts to enter the inside network, the stateful firewall permits that traffic. The process of inspecting traffic to identify unique sessions is called stateful inspection.
dpkg
Installs, removes, updates, queries or verifies packages on a Debian-based Linux distribution.
procedures
Instructions that detail specifically how to implement a policy.
Hashing
Integrity
ICV
Integrity Check Value; keyed hash added to the Authentication Header in IPsec; includes each field that doesn't change in transit.
IPC
Inter-Process Communication; file share that facilitates communication between processes or threads.
ISA
Interconnection Security Agreement
IIS
Internet Information Services. A Microsoft Windows web server. IIS comes free with Microsoft Windows Server products. Use version >= 8.5; deploy in a separate forest for public exposure; deploy on a standalone server.
IKE
Internet Key Exchange. IPsec uses this protocol to create a secure channel and document it with Security Associations (SA), with key management (ISAKMP) and Oakley for key exchange.
IPSec
Internet Protocol Security. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.
IP (not intellectual property)
Internet Protocol; L3; TCP/IP internet layer; core routing; packets; addressing
iSCSI
Internet Small Computer System Interface (iSCSI) is a networking storage standard based on IP.
IDS
Intrusion detection system. A detective control used to detect attacks after they occur. A signature-based IDS (also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline. An IDS can be either host-based (HIDS) or network-based (NIDS). In contrast, a firewall is a preventative control that attempts to prevent the attacks before they occur. An IPS is a preventative control that will stop an attack in progress.
IPS
Intrusion prevention system. A preventative control that will stop an attack in progress. It is similar to an active IDS except that it's placed in line with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress.
War Driving
Involves driving around with a laptop system configured to listen for open Access Points (APs)
Risk Awareness
Involves evaluating assets, vulnerabilities, and threats in order to clearly define an organization's risk level
Avoidance
Involves identifying the risk and making the decision to no longer engage in the actions associated with that risk
Damage and Loss Control
Involves methodologies in order to protect assets from damage
Deterrence
Involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you
aggressive mode
IPsec IKE mode that does not check the identity of connection participants (if PKI is used then identity is inferred); contrast with main mode.
main mode
IPsec IKE mode that checks the identity of connection participants.
Cygwin
Is a Unix-like environment and command-line interface for Microsoft Windows. Cygwin provides native integration of Windows-based applications, data, and other system resources with applications, software tools, and data of the Unix-like environment. It is not Linux and is not an emulator.
Blind SQL injection
Is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The results are usually not visible to the attacker.
Challenge Handshake Authentication Protocol (CHAP)
Is a means of authentication based on a random challenge number combined with the password hash to compute a response.
Tripwire
Is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.
Password Authentication Protocol (PAP)
Is an insecure plaintext password-logon mechanism.
Authentication
Is the act of verifying or proving the claimed identity.
Identification
Is the claiming of an identity. A network element goes through a process to recognize a valid user's identity.
Authorization
Is the mechanism that controls what a subject can and can't do. Authorization is commonly called access control or access restriction.
TCP
It guarantees delivery, or at least notification of undelivered packets
Data Ownership
It is important to clearly establish rules and restrictions regarding data ownership
Near field communication
It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other
Null user
It's a user that does not have a username or password. SMB user sessions
NIST SP 800-53
Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.
incremental mode
John the Ripper brute-force mode; can run indefinitely, as it will hash and compare all possible combinations of characters for a particular algorithm.
single mode
John the Ripper uses GECOS field data from /etc/passwd
wordlist mode
John the Ripper uses a wordlist or dictionary provided by the user
JEA
Just Enough Administration; configured on a host, it blocks all commands (PS remoting) by default and only allows commands that are explicitly permitted.
AppArmor
Kernel module that restricts the capabilities of specific programs
KDC
Key Distribution Center. All AD DCs are KDCs. Part of the Kerberos protocol used for network authentication. The KDC issues time-stamped tickets that expire.
White Box
Knows everything; is now attacking the system to find holes in it and test the security mechanisms.
Grey Box
Knows some info, but requires more to get into the network.
Vishing
Known as voice phishing, fake caller ID appears from a trusted organization and attempts to get the individual to enter account details via the phone.
Black Box
Knows nothing about the system.
cryptsetup
LUKS utility to set up disk encryption based on the dm-crypt kernel module; includes TrueCrypt.
Physical Layer
Layer 1 of the OSI model. Protocols in this layer generate and detect signals so as to transmit and receive data over a network medium. These protocols also set the data transmission rate and monitor data error rates, but do not provide error correction.
Data Link Layer
Layer 2 in the OSI model. This layer bridges the networking media with the Network layer. Its primary function is to divide the data it receives from the Network layer into frames that can then be transmitted by the Physical layer.
network layer
Layer 3 in the OSI model. Protocols in the Network layer translate network addresses into their physical counterparts and decide how to route data (packets) from the sender to the receiver.
Transport Layer
Layer 4 of the OSI model. In this layer, protocols ensure that data are transferred from point A to point B reliably and without errors. This layer's services include flow control, acknowledgment, error correction, segmentation, reassembly, and sequencing.
session layer
Layer 5 in the OSI model. This layer establishes and maintains communication between two nodes on the network. It can be considered the "traffic cop" for network communications.
Session
Layer 5 of the OSI Model
presentation layer
Layer 6 of the OSI model, it is responsible for the formatting of data being exchanged and securing the data with encryption.
application layer
Layer 7 of the OSI model. Application layer protocols enable software programs to negotiate formatting, procedural, security, synchronization, and other requirements with the network.
LSB
Least Significant Bit; graphics color tables | the bits that have the least impact on shifting color and can accommodate the message.
Hard Drive
Least volatile when performing incident response procedures.
Alerts
Less critical; does not require immediate reaction.
Secure Router Configuration
Lets you know who is able to log on to a router and configure it. Don't allow everyone to log on to your routers or switches. Implement access lists to allow only certain users.
LDAP
Lightweight Directory Access Protocol TCP/389/636/3268/3269 plaintext/secure
Wireless Authentication
Lightweight EAP, Protected EAP
Risk Calculation
Likelihood (ARO), Single Loss Expectancy (SLE), and Annual Loss Expectancy (ALE).
LUKS
Linux Unified Key Setup disk encryption and key management
Kismet
Linux WLAN sniffer completely passive used for vulnerability assessment and intrusion detection
sysctl
Linux command used to modify kernel parameters at runtime; /etc/sysctl.conf; -w changes w/o commit
LXC
Linux containers using cgroups / namespaces; process isolation and allocation of resources; OS-level containers.
syslogd
Linux daemon; the syslogd utility reads and logs messages to the system console, log files, other machines and/or users as specified by the configuration file rules found in /etc/syslog.conf; often found in routers.
xxd
Linux tool that dumps contents of a file in hex
DACL
List of Access Control Entries (ACEs) in Microsoft's NTFS. Each ACE (individual permission) includes a security identifier (SID) and a permission. ALWAYS ENFORCED BY THE OS NO MATTER HOW ACCESSED.
Risk Associated with Virtualization
Little control over VM-to-VM communication. The virtualization server contains VMs that have different security profiles.
Hot site
Location that is already running and available 24/7. Minimal downtime, but expensive
Bastion Host
Locked Down to provide maximum security; commonly reside in DMZ
Log Analysis
Logging is the process of collecting data to be used for monitoring and auditing purposes.
VLAN Management
Logically can separate voice from data. Helps separate traffic on a switch. VLANs cannot communicate with each other without a router.
Media Access Control Filter
MAC filtering is a security access control method whereby the MAC address is used to determine access to the network. Vulnerable to spoofing attacks.
Google Chrome
MSI installer; auto update; SafeBrowsing API; UAC compatible
IV Attacks
Main weakness in WEP: randomization is crucial for encryption schemes to achieve security.
Community Cloud
Maintained, used and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange.
High Availability
Maintaining an onsite stash of spare parts can reduce downtime. Strive to achieve the 5 "9s"
Service packs
Major revisions of functionality or service operation in an installed application. Large files that can contain hotfixes and patches.
Subnetting
Makes efficient use of network address space and controls network traffic.
Virtual Firewall
Makes sure all traffic is properly analyzed when two guest machines on the same physical host communicate
malware
Malicious code, such as viruses, Trojans, or worms, which is designed to gain unauthorized access to, make unauthorized use of, or damage computer systems and networks.
chkconfig
Manages xinetd scripts via the configuration files in /etc/xinetd.d
MAC
Mandatory Access Control model that uses labels to determine access. NTFS uses DAC instead of MAC; MAC is set by the system.
Mandatory Access Control or MAC
Mandatory Access Control or MAC. Most basic form of access control. Involves the assignment of labels to resources and accounts. Think labels.
Risk Control
Mandatory vacations implemented
One-way Function
Mathematical operation that easily produces an output for each possible combination of inputs but makes it impossible to retrieve input values
Flood Guards
May be part of a firewall or IDS/IPS. A network device (firewall/router) that has the ability to prevent some flooding DoS attacks.
MTBF
Mean time between failures; how long before it will or could fail.
MTTF
Mean time to failure; how long this product or system is going to last (life expectancy).
MTTR
Mean time to restore; how long it is going to take to repair.
MOU
Memorandum of Understanding
Cold site
Merely a prearranged request to use facilities if needed. Cheapest option, but most downtime
MD5
Message Digest 5. A hashing function used to provide integrity. MD5 uses 128 bits. A hash is simply a number created by applying the algorithm to a file or message at different times. The hashes are compared to each other to verify that integrity has been maintained.
Software exploitation
Method of searching for specific problems, weaknesses, or security holes in software code
cryptoprocessors
Microprocessors that provide cryptographic functions.
MAAD
Microsoft Azure Active Directory (Azure AD, since renamed Entra ID): user and device authentication at massive scale; can federate with third-party identity providers; Azure Cloud Shell. No support for NTLM or Kerberos; uses SAML, OAuth 2.0 and OpenID Connect instead.
MBSA
Microsoft Baseline Security Analyzer (MBSA) is software developed and used by Microsoft to check the security of an operating system by assessing missing security updates and less secure areas of the operating system. User must be member of the administrators group. Local and remote machines can be scanned.
EFS (Encrypting File System)
Microsoft Windows NTFS-based file encryption: each file is encrypted with a symmetric file key, which is in turn wrapped with the user's public key from an EFS certificate.
DHCP spoofing attack
Attacker runs a rogue DHCP server (or races the legitimate one) and answers clients with the attacker's IP address as default gateway or DNS server, gaining a man-in-the-middle position. Mitigated by DHCP snooping on switches.
Geo-tagging
Mobile devices with GPS support enable the embedding of geographical location in the form of latitude and longitude as well as date/time information on photos taken with these devices.
Secure Hash Algorithm (SHA)
Modeled after MD5 but considered the stronger of the two
Data Loss Prevention DLP
Monitor the contents of systems and network traffic to make sure sensitive content is not copied, transmitted or removed without authorization. Also monitor who is using the data and transmitting it.
NIDS
Monitor the packet flow and try to locate packets that have gotten through the firewall.
HIDS
Host-based intrusion detection system. Monitors a single host (logs, file integrity, processes and that host's network connections) rather than a network segment, so it can see traffic after it is decrypted on the host. Detection only, unless paired with prevention (HIPS).
ROT 13
Monoalphabetic cipher that shifts characters 13 characters. Stands for Rotate 13. A would become N, B would become O, etc.
Trends
More like behavior patterns
Vulnerability scans
Most often passive attempts to identify weaknesses
Message Digest 5 (MD5)
Still widely deployed in legacy operating systems and software, but it does not have strong collision resistance (collisions are practical), so it is deprecated for signatures and for integrity checks that must hold up against an attacker.
MCS
Multi-Category Security (SELinux). Adds categories such as CompanyConfidential or PatientRecord to a label, alongside the sensitivity level (Unclassified through Top Secret) used by MLS; a subject needs both the level and the category to access the object.
MPLS
Multiprotocol Label Switching is a type of data-carrying technique for high-performance telecommunications networks. MPLS directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table
S/MIME
Secure/Multipurpose Internet Mail Extensions. Internet standard for encrypting and digitally signing email using X.509 certificates.
Private key
Must keep private (located on your CAC)
SMB Relay Attack
Attacker relays a victim's NTLM authentication (v1 or v2) to another server and uses the resulting session; NTLMv2 does not prevent it. Mitigated by SMB signing and Extended Protection for Authentication, and by preferring Kerberos over NTLM.
RSA Algorithm
Named after inventors Rivest, Shamir and Adleman. Asymmetric system for encrypting, decrypting and signing with a key pair; both keys share a modulus that is the product of two large prime numbers. Used in SSL/TLS.
Preparation
Necessary to ensure a successful outcome of unplanned downtime, security breaches, or disasters
Least Privilege
Users, processes and services get only the access they need to perform their job, and nothing more (compare need to know)
NFS
Network File System (UNIX); port 2049, TCP or UDP (NFSv4 uses TCP)
NLA
Network Level Authentication is a technology used in Remote Desktop Services or Remote Desktop Connection that requires the connecting user to authenticate themselves before a session is established with the server.
Nova
Network Obfuscation and Virtualized Anti-Recon can launch VMs called haystacks (honeypots)
NTP
Network Time Protocol; UDP port 123
NAC
Network access control. Inspects clients for health and can restrict network access to unhealthy clients to a remediation network. Clients run agents and these agents report status to a NAC server. NAC is used for VPN and internal clients. MAC filtering is a form of NAC.
NIDS
Network-based intrusion detection system used to identify events of interest on the network. It can detect network-based attacks, such as smurf attacks. A NIDS cannot monitor encrypted traffic, and cannot monitor traffic on individual hosts. Snort is an example of an open source NIDS
NIPS
Network-based intrusion prevention system. Actively monitors data streams, detects malicious content and stops attacks in progress. Deployed inline at the perimeter, in front of or behind the firewall (often between the ISP and the firewall). Because it is inline it can be a single point of failure, and a false positive drops legitimate traffic.
NTLM
NT LAN Manager. Challenge-response authentication protocol intended to replace LANMAN (LM). The LM hash pads the password to 14 characters, converts it to uppercase, splits it into two 7-character halves and DES-encrypts a constant with each half, which makes it trivial to crack. Windows stores an LM hash alongside the NT hash for backward compatibility unless the password is 15 characters or longer (or LM storage is disabled by policy). NTLMv1 is older and has known weaknesses; NTLMv2 is stronger but is still subject to relay and pass-the-hash attacks, so Kerberos is preferred.
NSE
Nmap Scripting Engine; scripts are written in Lua (nmap --script <name>)
Digital Signatures
Non-Repudiation
NDA
Non-disclosure agreement. Ensures that third parties understand their responsibilities. It is commonly embedded as a clause in a contract with the third party. Most NDAs prohibit sharing data unless you are the data owner.
Personally Identifiable Information (PII)
Data that identifies an individual (name, SSN, date of birth, biometrics). Not everyone understands its importance; its handling is governed by privacy policy and law.
Script Kiddie
Not skilled hackers, though they call themselves hackers. Use tools written by others without understanding how they work.
Keyspace
Number of values that are valid for use as a key for a specific algorithm
TCP/IP application layer
OSI application, presentation and session layers
TCP/IP network access (link) layer
OSI data link and physical layers
TCP/IP internet layer
OSI network layer
TCP/IP transport layer
OSI transport layer
Organizational Unit
OU; in Windows a local set of computers/users/groups with Group Policy
object storage
Objects (files) are stored with additional metadata (content type, redundancy required, creation date, etc.). These objects are accessible through APIs and potentially through a web user interface. (e.g. Dropbox)
Intrusion
Occurs when attacker accesses your system without authorization
Data Breach
Occurs when nonpublic data is read, copied or destroyed during an incident
Buffer Overflows
Occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory
Network Access Control (NAC)
Offers a method of enforcement that helps ensure computers are properly configured
Virtualization
Offers cost benefits by decreasing the number of physical machines required within an environment.
Password Authentication Protocol (PAP)
Offers no true security. Sends user IDs and passwords in cleartext
NTFS
Often referred to as a "journaling" file system because it keeps track of transactions performed when working with files and directories.
Acceptance
Often the choice made when the cost of avoiding, transferring, mitigating or deterring the risk exceeds the expected loss if the risk came to fruition
Bluesnarfing
Unauthorized access to a Bluetooth device's data (contacts, calendar, messages) through the pairing/OBEX channel; once the attacker is connected the data is available for theft, modification or deletion
Forest
One or more AD domains with trust
hashing encryption
One-way transformation of cleartext into a fixed-length digest that is never decrypted. Not encryption in the strict sense: there is no key and no reverse operation.
OCSP
Online Certificate Status Protocol. An alternative to a CRL, meant to replace it. A client queries an OCSP responder with the certificate's serial number; the responder answers good, revoked or unknown. With OCSP stapling the server presents a recent signed response itself.
GNU Privacy Guard (GPG)
Open Source
OSSEC
Open Source HIDS Security
OSI model
Open System Interconnection: Application, Presentation, Session, Transport, Network, Data Link, Physical
Switch
Operates at Layer 2, the Data Link layer, forwarding by MAC address. Each port is its own collision domain; VLANs configured on the switch separate broadcast domains.
Replay
Packets are captured using sniffers. After the pertinent information is extracted the packets are placed back on the network.
one time password
Password generated by a security token, which expires as soon as it is used.
Public key
Shared freely; other people use it to encrypt data for you and to verify your digital signatures
security auditing
Performing an organized technical assessment of the security strengths and weaknesses of a system.
Transport Layer Security (TLS)
Performs a similar function to SSL. Both are used for secure connections over the Internet.
mandatory vacations
Periods of time in which an employee must take time off from work so that their activities may be subject to a security review.
account privileges
Permissions granted to users that allow them to perform various actions such as creating, deleting, and editing files, and also accessing systems and services on the network.
PAN
Personal Area Network (bluetooth)
Pharming
Pharming does not require the user to be tricked into clicking a link. It redirects victims to a bogus website even if the user correctly entered the intended address. To accomplish this the attacker employs another attack, such as DNS cache poisoning or a modified hosts file.
Physical Security
Physical access to a system or network creates many avenues for a breach in security
tokens
Physical or virtual objects that store authentication information.
ping -n
Pings a host a specific amount of times ping -n 10 www.google.com (Windows)
ping -c
Pings a host a specific number of times ping -c 10 www.google.com (Linux)
NAC
Can place a computer into a restricted (remediation) VLAN until its virus definitions and patches are brought up to date
Border Router
Placed between your ISP and your external firewall
Boot Sector
Placed into the first sector of the hard drive so that when the computer boots virus loads into memory
ethical hacking
Planned attempts to penetrate the security defenses of a system in order to identify vulnerabilities.
PAM
Pluggable Authentication Modules: service plug-ins that applications, code or scripts call for user authentication, account checks, password changes and session management, giving one choke point for access decisions. Configured per service in /etc/pam.d; four module types: auth, account, password, session.
PPTP
Point-to-Point Tunneling Protocol. Tunneling protocol used with VPNs. PPTP uses TCP port 1723.
Port 53
Port used by DNS (UDP for queries, TCP for zone transfers and large responses)
Get-Process
PowerShell command to return a list of running processes. Can use with | format-list *
Get-FileHash
PowerShell command, computes hashes for designated files. Include -Algorithm SHA256 (e.g.)
Get-Content
PowerShell command, displays the contents of a designated file
Select-Object
PowerShell command, removes object properties apart from those specified
Restart-Service
PowerShell command, stops and then starts one or more services.
Out-GridView
PowerShell command, sends output to an interactive table in a separate window.
Get-WmiObject
PowerShell command, queries the WMI service using WQL (SQL-like) queries; Get-CimInstance is the newer equivalent
Cain
Powerful multipurpose tool for Windows that can sniff and crack passwords, perform RDP, VoIP capture and RTP stream replay
Get-WinEvent
PowerShell command, used to query Windows event logs (classic logs and ETW logs; filter with -FilterHashtable)
incident management
Practices and procedures that govern how an organization will respond to an incident in progress.
System-Specific Policy
Presents the management's decisions that are specific to the actual computers, networks, and applications
Impersonation
Pretending to be someone you are not. Using information from other attack.
Secure Socket Layer (SSL)
Primarily used for secure online transactions such as online shopping or banking. Developed by Netscape; the IETF standardized its successor as TLS, which replaces it. All SSL versions are now deprecated.
Data Security
Primary security concern when deploying a mobile device on a network
Hard data
Printed output (hard copy); needs physical protection and shredding when discarded
password
Private combination of characters associated with a user name that allows access to certain computer resources.
user assigned privileges
Privileges that are assigned to a system user and can be configured to meet the needs of a specific job function or task.
group based privileges
Privileges that are assigned to an entire group of users within an organization.
management controls
Procedures implemented to monitor the adherence to organizational security policies.
SHA-1
Produces a 160-bit hash value; specified for use with the Digital Signature Standard (DSS). Collision attacks are practical, so SHA-2 or SHA-3 should be used instead.
Privilege Escalation
Programming errors can result in system compromise, allowing someone to gain unauthorized privileges
Trojan horse
Programs disguised as useful applications. Do not replicate themselves like viruses, but can be just as destructive. Hide inside, or pose as, a real program.
spam filters
Programs used to read and reject incoming messages that contain target words and phrases used in known spam messages.
Pretty Good Privacy (PGP)
Commercial product; the OpenPGP standard (RFC 4880) derived from it is implemented by the open source GnuPG (GPG)
PEAP
Protected Extensible Authentication Protocol. PEAP provides an extra layer of protection for EAP by encapsulating the EAP conversation in a Transport Layer Security (TLS) tunnel. The tunnel requires a server certificate issued by a certification authority (CA) but not client certificates; the inner method is usually MSCHAPv2, or EAP-TLS when client certificates are wanted (PEAP-TLS).
Protected distribution (cabling)
Protected distribution or protective distribution systems (PDSs) are the means by which cables are protected against unauthorized access or harm
VPN protocols
Protocols that provide VPN Functionality
TACACS (Terminal Access Controller Access Control System)
Provides centralized authentication and authorization services for remote users.
Elliptic Curve Cryptography (ECC)
Provides the same security as RSA with much shorter keys (a 256-bit ECC key is comparable to 3072-bit RSA), so it needs less computation and power. Used on mobile and embedded devices.
Digital Policies
Certificate policies: rules that indicate how the certificate may be used and its purpose (for example the key usage and extended key usage extensions)
Public Cloud Infrastructure
Provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
PKCS
Public Key Cryptography Standards Defacto cryptography message standards
PKI
Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.
Artillery
Python-based, cross-platform tool combining honeypot ports, file system monitoring and a threat intelligence feed; mainly event warning
Incident isolation
Quarantine separates an entity apart from the rest of an environment to provide protection
Redundancy and Fault Tolerance
RAID on Hard Drives. Hot-swapping of failed drives and redundant power supplies so that replacement hardware can be installed without ever taking the server offline
Rivest Cipher (RC)
RC4 uses a variable key length and is a stream cipher (the only RC cipher that is; RC2, RC5 and RC6 are block ciphers). RC4 is now considered broken. The one-time pad (OTP) is the only provably unbreakable cipher, but it is impractical because the key must be as long as the message, truly random and never reused.
Substitution Cipher
Each plaintext letter is replaced by another, e.g. ROT13 or a Caesar shift; broken by frequency analysis
Jamming / Interference
Radio waves can be disrupted. Can cause DoS conditions.
RPO
Recovery point objective: how much data can we afford to lose, and therefore how recent must the last backup be. Deals with data loss.
RTO
Recovery time objective: how long it may take to get the system back operational, or back to an agreed reduced level (usable but not fully operational)
Fedora
Community Linux distro sponsored by Red Hat; uses rpm packages with dnf (formerly yum) for package management; firewalld enabled by default; ships a GUI
Ansible
Red Hat; scalable and agentless (pushes configuration over SSH); the machine running Ansible is the control node, the machines it manages are managed nodes listed in the inventory
RAID
Redundant Array of Independent Disks. RAID 0 stripes data across disks for speed but has no fault tolerance; RAID 1 mirrors (minimum two disks); RAID 5 stripes with distributed parity (minimum three disks, survives one failure); RAID 6 survives two failures; RAID 10 mirrors then stripes. RAID protects against disk failure, not against deletion or malware, so it is not a substitute for backups.
Privacy Policy
Defines how personally identifiable information (PII) is collected, used, shared and protected
Design Review
Refers more specifically to the components of the architecture at a more micro level
Hardening
Refers to reducing security exposure and strengthening defenses against unauthorized access attempts and other forms of malicious attention
Rogue Access Points
Refers to situations in which an unauthorized wireless access point has been set up
Determine the attack surface
Refers to the amount of running code, services, and user-interaction fields and interfaces
Remote Access
Remote Access Services (RAS) lets you connect your computer from a remote location, such as your home or an on-the-road location, to corporate network.
RDP
Remote Desktop Protocol, TCP port 3389. Use a CA-issued (PKI) certificate instead of the default self-signed one, require TLS and Network Level Authentication, and do not expose it directly to the Internet.
RDS
Remote Desktop Services; role on Windows Server for session hosts and remote assistance; uses the same protocol as the mstsc.exe client
RD
Remote Desktop; the client can be a full PC or a thin client
RPC
Remote Procedure Call. Endpoint mapper on TCP 135; RPC over HTTP uses 80/443/593; RPC over SMB named pipes uses 139/445
Remote Desktop Protocol
Remote access protocol used by many systems as a means of remotely configuring another via a GUI. Uses TCP port 3389
Remote Wiping (MOBILE DEVICES)
Removes all data from your mobile device if your phone cannot be found.
Hashing
Represent data as a short string of text (fixed-length). Also called Message digest, checksum, hash value
GET (HTTP Method)
Requests a specific web page or data.
Alarms
Require immediate response.
need to know
Requirement of access to data for a clearly defined purpose remove when no longer needed
token-based authentication
Requires a computer user to physically hold a device called a token.
Public Cloud
Requires a subscription and is open and offered to the public
Registration Authority (RA)
Responsible for verifying users' identities and approving or denying requests for digital certificates. RA's do not issue certificates.
ROI
Return of investment or return on investment. A performance measure used to identify when an investment provides a positive benefit to the investor. It is sometimes considered when evaluating the purchase of new security controls. ROI(%) = (gain - expenditure)/(expenditure) x 100
RMS
Rights Management Services. AD RMS on-premises, Azure RMS in the cloud (part of Azure Information Protection); attaches persistent usage rights to documents and mail, a form of DLP
AGUDLP / AGDLP (Accounts, Global groups, Universal groups, Domain Local groups, Permissions)
Group nesting model: accounts go into global groups, global groups into universal groups (across forests) and then into domain local groups, and rights and permissions are granted only to the domain local group
Risk Calculation
Risk = Threat x Vulnerability (often extended with x Impact, or asset value, to express the expected loss)
Botnets
Robot network. Once a machine is infected it becomes a bot or zombie under a command-and-control server. Used for Distributed Denial of Service, spam and credential stuffing.
puppet
Ruby-based configuration manager with some Windows support
BearTrap
Ruby-based tool contained in ADHD opens up ports to deceive attackers and actively block their IPs
deny tcp any any eq 53
Firewall or ACL rule that blocks DNS over TCP, which stops zone transfers (AXFR); UDP 53 queries still pass. Caveat: it also blocks the legitimate TCP fallback for responses too large for UDP.
Rule-Based Management
Rules an organization incorporates into their network.
Firewall rules
Rules can be created for inbound or outbound traffic. Three actions: allow the connection, allow it only if it is secured (IPsec), or block it. Rules are processed top down: the first rule a packet matches is applied, so a broad allow placed above a specific deny shadows it. The list ends with an implicit deny.
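The top-down, first-match processing described above (and the deny tcp any any eq 53 rule earlier in this list), as an added example that is not part of the original study guide. The rule set, the packets and the addresses (RFC 5737 documentation ranges) are constructed for illustration, and the model is simplified to allow/deny only:

```python
"""Added example: top-down, first-match firewall rule evaluation.

Shows why rule order matters: the same rules in a different order let a
DNS zone transfer through. Addresses use the RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None matches any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Walk the list top down; the first matching rule decides.
    Nothing matched -> implicit default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed rule set protecting an external DNS server at 203.0.113.10:
# answer queries (UDP 53) but refuse zone transfers (TCP 53).
DNS_SERVER = "203.0.113.10/32"
RULES = [
    Rule("deny", "tcp", "any", DNS_SERVER, 53),       # deny tcp any host 203.0.113.10 eq 53
    Rule("allow", "udp", "any", DNS_SERVER, 53),      # ordinary queries still work
    Rule("allow", "tcp", "192.0.2.0/24", "any", 22),  # admin SSH from the internal net only
]

# Same intent, wrong order: a broad "allow anything to the DNS server" placed
# above the deny shadows it, so the zone-transfer block never fires.
SHADOWED = [
    Rule("allow", "any", "any", DNS_SERVER, None),
    RULES[0],
    RULES[1],
]


def shadowed_rules(rules: List[Rule], probes: List[Packet]) -> List[int]:
    """Indexes of rules that never win for any probe packet: candidates for
    rules shadowed by an earlier, broader rule."""
    hit = set()
    for p in probes:
        for i, rule in enumerate(rules):
            if rule.matches(p):
                hit.add(i)
                break
    return [i for i in range(len(rules)) if i not in hit]


if __name__ == "__main__":
    zone_xfer = Packet("tcp", "198.51.100.7", "203.0.113.10", 53)
    print("ordered  :", evaluate(RULES, zone_xfer))     # deny
    print("shadowed :", evaluate(SHADOWED, zone_xfer))  # allow
```

The shadowed_rules helper is the check worth running on a real rule base after every change: a rule that no test packet ever reaches is either dead or, worse, a deny that a broader allow above it has silently disabled.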
SID (well known)
S-1-1-0 Everyone; S-1-5-11 Authenticated Users; S-1-5-18 Local System; S-1-5-32-544 BUILTIN\Administrators (local Administrators group); S-1-5-32-545 BUILTIN\Users. Domain accounts are S-1-5-21-<domain>-<RID>, with RID 500 Administrator and 512 Domain Admins.
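Parsing SIDs from both their string form and the binary form found in security descriptors and the registry, and labelling the well-known ones listed above, as an added example that is not part of the original study guide. The domain SID used in the demonstration is constructed; the three 32-bit identifiers are made up:

```python
"""Added example: parsing Windows security identifiers (SIDs) from their
string and binary forms and labelling the well-known ones."""
import re
import struct
from typing import List, NamedTuple

# Well-known SIDs that are identical on every Windows system.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Relative IDs that mean the same thing in every domain (appended to the domain SID).
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
               513: "Domain Users", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^S-1-(\d+)-(\d+(?:-\d+)*)$")


class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: List[int]

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.sub_authorities))

    @property
    def rid(self) -> int:
        """The last sub-authority: the relative identifier of the principal."""
        return self.sub_authorities[-1]

    @property
    def is_domain_sid(self) -> bool:
        # Domain accounts look like S-1-5-21-<id1>-<id2>-<id3>-<RID>
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a SID: %r" % text)
    return Sid(1, int(m.group(1)), [int(x) for x in m.group(2).split("-")])


def sid_from_bytes(raw: bytes) -> Sid:
    """Binary layout used in security descriptors, the registry and NTDS:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then count x 32-bit little-endian sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, raw[8:8 + 4 * count]))
    return Sid(revision, authority, subs)


def describe(sid: Sid) -> str:
    text = str(sid)
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if sid.is_domain_sid:
        domain = "S-1-5-21-" + "-".join(str(s) for s in sid.sub_authorities[1:4])
        if sid.rid in DOMAIN_RIDS:
            label = DOMAIN_RIDS[sid.rid]
        elif sid.rid >= 1000:
            label = "user/group RID %d" % sid.rid   # RIDs below 1000 are reserved
        else:
            label = "reserved RID %d" % sid.rid
        return "%s in domain %s" % (label, domain)
    return "unrecognised SID %s" % text


if __name__ == "__main__":
    # Constructed domain SID; the three 32-bit identifiers are made up.
    for s in ("S-1-5-32-544", "S-1-5-21-1004336348-1177238915-682003330-512",
              "S-1-5-21-1004336348-1177238915-682003330-1105"):
        print(s, "->", describe(parse_sid(s)))
    print(sid_from_bytes(bytes.fromhex("01020000000000052000000020020000")))
```

Comparing by SID rather than by display name is the point: an attacker can rename an account, but a RID of 512 in an ACL or a token is Domain Admins regardless of what the group is currently called.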
rkhunter
SHA-1 hashes of critical files to compare against system; must update db
SMTP
Simple Mail Transfer Protocol (mail); TCP port 25
port 22
SSH
Service Set Identifier (SSID) Management
SSID is used to identify wireless access points on a network.
3-way handshake
SYN; SYN/ACK; ACK
Safety
Safety of the facility and personnel should always be the top priority of a security effort
How to defeat Rainbow Table Attacks
Salting the hash
Warm site
Scaled-down version of a hot site. Generally configured with power, phone, and network jacks
Scanning
Scans for vulnerabilities. Port scan and ping sweep.
Dumpster Diving
Scavenging for discarded equipment and documents
grep
Search file(s) for lines that match a given pattern
Failsafe
Fail-safe: on failure the system defaults to a secure (closed) state, e.g. a door lock that stays locked or a firewall that drops traffic, rather than failing open
SHA
Secure Hashing Algorithm
SSP
Secure Simple Pairing; Bluetooth 2.1 and later; uses public key (ECDH) cryptography with a PIN or numeric comparison to protect the pairing
HTTPS
Secure form of the ever-popular HTTP
Secure Shell (SSH)
Secure replacement for Telnet uses port 22.
Sandbox
Secure test environment.
Diffie-Hellman Key Exchange
Secure way to agree a shared secret over an insecure channel without ever transmitting the key. Unauthenticated DH is vulnerable to man in the middle, so it is combined with signatures or certificates (as in TLS).
Monitoring System Logs
Securing logs is important; they contain sensitive information and may be used in the forensic process if needed. Used to log important auditing. Can show you incorrect authentications.
SAT
Security access token; created at logon and attached to every process the user starts; contains the user's SID, group SIDs and the list of privileges. View with whoami /all /fo list
SAML
Security Assertion Markup Language. Based on XML. A third-party identity provider authenticates the user and passes a signed assertion to the service provider; the basis of federated identity management (FIM) and web SSO.
SA (IPsec)
Security Association: documents the security services (transforms) agreed for an IPsec connection. Unidirectional, so each IPsec connection needs one SA per direction. Holds the encryption and authentication keys IPsec uses; negotiated by IKE.
SCA
Security Configuration and Analysis snap in for GPMC; apply templates to system (local only)
time of day restrictions
Security controls that restrict the periods of time when users are allowed to access systems, which can be set using a group policy.
Windows Server 2008
Security features added in this Windows version: component modularization, Server Core, read-only domain controllers, Network Access Protection (NAP), Secure Socket Tunneling Protocol (SSTP), RDP virtualization. R2 added DNSSEC, AppLocker, DirectAccess, AD Recycle Bin and enhanced audit policy control; R2 is 64-bit only.
SID
Security identifier. Unique value (S-1-...) that identifies each user, group and computer in Microsoft environments; ACLs and tokens reference SIDs, not names. Never reused: deleting and recreating an account yields a new SID, so the old permissions do not carry over.
Incident Management
Security incidents will occur. Good management strategies mitigate the severity of damage caused by risks
Wireless Transport Layer Security WTLS
Security layer for WAP applications Provides authentication, encryption and data integrity for wireless devices.
safety controls
Security measures implemented to protect personnel and property from physical harm.
testing controls
Security measures that verify whether or not certain security techniques meet the standards set for them.
SELinux
Security-Enhanced Linux. A Linux kernel security module (originally from the NSA) that enforces mandatory access control through type enforcement and optional MLS/MCS labels; a confined process can only touch the objects its policy allows, even when running as root. One of the few mainstream systems that use the MAC model. Modes: enforcing, permissive, disabled (getenforce, setenforce).
Spoofing
Seeks to bypass IP address filters by setting up a connection from a client and sourcing the packets with an IP address that is allowed through the filter
Worms
Self-replicating malware that spreads with no user intervention, typically by exploiting a security hole in an application or OS over the network
SYN Flood
Sends a flood of synchronization (SYN) requests and never sends the final acknowledgment (ACK)
SMB
Server Message Block. Share permissions: Full Control, Change (compare to Modify in NTFS) and Read; a $ suffix on a share name hides it from browsing. Enable SMB signing and disable SMBv1.
SNI
Server Name Indication and is an extension of the TLS protocol. It indicates which hostname is being contacted by the browser at the beginning of the 'handshake'-process.
SLA
Service Level Agreement
SSID
Service Set Identifier. Identifies the name of a wireless network. Disabling SSID broadcast can hide the network from casual users but an attacker can easily discover it with a wireless sniffer. It's recommended to change the SSID from the default name.
rainbow tables
Sets of related plaintext passwords and their hashes.
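Salting (the "How to defeat Rainbow Table Attacks" entry above) against the rainbow table just defined, as an added example that is not part of the original study guide. The attacker's table is constructed inline from a handful of common passwords; PBKDF2 is used as the stretching function because it ships with Python's standard library:

```python
"""Added example: the same password hashed with and without a salt, and why
only the unsalted form falls to a precomputed (rainbow) table."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed attacker table: unsalted SHA-256 digests of common passwords,
# computed once and reused against every leaked database.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2024"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """Weak scheme: identical passwords give identical digests, so one
    precomputed lookup cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(digest: str) -> Optional[str]:
    return RAINBOW_TABLE.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Hardened scheme: 16 random bytes of salt per user plus PBKDF2-HMAC-SHA256
    key stretching. Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    so the verifier can recover the parameters. The salt is not secret; it only
    has to be unique, which is what makes a shared precomputed table useless."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_salted(password: str, stored: str) -> bool:
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    pw = "letmein"
    print("unsalted:", unsalted_hash(pw), "->", crack_with_table(unsalted_hash(pw)))
    a, b = salted_hash(pw), salted_hash(pw)
    print("salted twice, different:", a != b, "| both verify:",
          verify_salted(pw, a) and verify_salted(pw, b))
```

The iteration count is the second defence: with the salt known, an attacker can still guess one user's password, but each guess costs 100,000 HMAC operations instead of one, and the work cannot be shared across users.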
hping3
Command-line TCP/IP packet assembler and analyser. Sets up connections to visible IPs, can spoof source IP addresses and craft packets to identify open ports and the OS. Fully scriptable in Tcl. Options: -A/--ack set the ACK flag; -p/--destport destination port; -c/--count number of packets to send; -i/--interval wait between packets. Example: hping3 -A 192.168.1.100 -p 80
Transference
Share some of the burden of the risk with someone else, such as an insurance company
PNAC
Port-based Network Access Control (IEEE 802.1X). Related switch port-security violation modes: shutdown (err-disable the port), protect (silently drop frames from unknown MACs) and restrict (drop and log a violation counter)
Digital Signatures
Similar in function to a standard signature on a document. Sender signs with their Private key. Receiver decrypts the hash and verifies the data with the sender's Public key
PEAP (protected Extensible Authentication Protocol)
Similar to EAP-TLS, PEAP is an open standard developed by a coalition made up of Cisco Systems, Microsoft, and RSA Security.
Fraggle
Similar to a smurf attack but uses UDP rather than ICMP. The attacker sends spoofed UDP packets (echo or chargen) to broadcast addresses, as in the smurf attack, so every host replies to the victim.
SNMP
Simple Network Management Protocol; query network for monitoring and troubleshooting; UDP port 161/2
Trivial File Transfer Protocol (TFTP)
Simple protocol to transfer files. Only reads and write files from /to a remote server Uses UDP port 69
SLE
Single loss expectancy | $ measure the cost of a single occurrence of a threat exploiting a vulnerability
Separation of Duties
Splitting a sensitive task so that no single person can complete it alone. Removes the single point of failure and makes insider fraud require collusion; the cost is that it is harder to manage than letting one person do everything.
Web Security Gateway
Single point of policy control and management for web-based content access. Blocks websites based on URL.
SSO
Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.
honeypot
Single hardened system with no legitimate production purpose, set up to attract unauthorized users by appearing to be a key part of the network or to contain something of great value. Any connection to it is suspicious by definition; used to watch what attackers do and discover new vulnerabilities.
Proxy Server
Sits between users and external networks. Used for load balancing, internet connectivity, content filtering, and hiding IP Addresses. Can hide users IP address.
Hotfixes
Small and specific-purpose updates that alter the behavior of installed applications in a limited manner. Need to be installed as soon as possible.
LSO (Local Shared Objects)
Small files or data sets that websites may store on a visitor's computer through the Adobe Flash Player. Generally used to store user preferences and settings, but can be a form of tracking cookie
Ettercap
Sniffer and man-in-the-middle suite for LANs. Features sniffing of live connections, on-the-fly content filtering and ARP poisoning; supports active and passive dissection of many protocols (including encrypted ones) and includes many features for network and host analysis.
SDN
Software Defined Network | split network into subnets with software | allows for micro-segmentation and traffic analysis between two endpoints
SaaS
Software as a Service; a subscription service where you purchase licenses for software that expire at a certain date. Office 365, OneDrive
source code
Software code that is generated by programming languages, which is then compiled into machine code to be executed by a computer. Access to source code enables a programmer to change how a piece of software functions.
Rootkits
Software hidden on a computer that keeps the attacker's administrative-level access and conceals its own files, processes and network connections, often by hooking the kernel. Can be invisible to the running OS; detect with tools such as rkhunter or by scanning offline.
adware
Software that automatically displays or downloads advertisements when it is used.
protocol
Software that controls network communications using a set of rules.
network operating system
Software that controls network traffic and access to network resources.
host-based firewall
Software that is installed on a single system to specifically guard against networking attacks.
rootkit
Software that is intended to take full or partial control of a system at the lowest levels.
anti-spyware
Software that is specifically designed to protect systems against spyware attacks.
pop-up blockers
Software that prevents pop-ups from sites that are unknown or untrusted and prevents the transfer of unwanted code to the local system.
DLP (data loss/leak prevention)
Software that stops data in a system from being stolen.
type 2 hypervisor
Software to manage virtual machines that is installed as an application in an operating system. (e.g. Virtual Box)
antivirus software
Software used to detect and eliminate computer viruses and other types of malware.
LDAP injection
Some websites build LDAP queries from data provided by the end user. LDAP injection supplies input containing filter metacharacters such as ( ) * and \ so the query's logic changes, letting the attacker bypass authentication or read entries they should not see. LDAP listens on port 389 (636 for LDAPS). Lightweight Directory Access Protocol.
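The injection described above with its fix, as an added example that is not part of the original study guide. No directory is contacted; the code only builds the filter string, escapes it per RFC 4515, and shows which part of each filter a server would actually evaluate. The login query shape and the injection payload are constructed for the demonstration:

```python
"""Added example: LDAP filter injection and the RFC 4515 escaping that stops it.
The directory query is only built as a string here; no LDAP server is contacted."""


def build_filter_vulnerable(username: str, password: str) -> str:
    """Concatenates raw user input into the filter, so input that contains
    ( ) * or \\ becomes filter syntax instead of data."""
    return "(&(uid=%s)(userPassword=%s))" % (username, password)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3: the characters
    * ( ) \\ and NUL are replaced by a backslash and two hex digits."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter_safe(username: str, password: str) -> str:
    """Same query with every user-supplied value escaped."""
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(username), escape_filter_value(password))


def first_complete_filter(filt: str) -> str:
    """Return the first balanced parenthesised expression. Many directory
    servers parse exactly this and ignore trailing garbage, which is what an
    injection relies on."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filt[: i + 1]
    return filt


def login_filter_checks_password(filt: str) -> bool:
    """True when the part of the filter the server will evaluate still
    contains the password assertion."""
    return "userPassword=" in first_complete_filter(filt)


# Constructed injection payload for the username field; the password is junk.
INJECTED_USERNAME = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    for build in (build_filter_vulnerable, build_filter_safe):
        f = build(INJECTED_USERNAME, "wrong")
        print(build.__name__, "->", first_complete_filter(f),
              "| password checked:", login_filter_checks_password(f))
```

With the vulnerable builder the server sees (&(uid=*)(uid=*)), which matches every entry and never looks at the password; with escaping the same bytes are just an odd-looking username that matches nothing. Comparing passwords in a filter at all is the deeper problem: a bind with the user's credentials lets the directory do the check.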
Malicious Insiders
Someone who attacks from inside an organization
Data Thief (Corporate Espionage)
Someone who goes around and tries to steal information from a company or people
Cyberterrorist
Someone who uses the Internet or network to destroy or damage computers for political reasons.
Wrappers
Something used to enclose or contain something else. Some wrappers might have Trojan horses inside them.
TCP header
Source Port, Destination Port, Sequence Number, Acknowledgment Number, Data Offset (header length), Reserved, Flags (code bits), Window, Checksum, Urgent Pointer, then optional Options. The fixed header is 20 bytes; data follows it.
STP
Spanning Tree Protocol. Protocol enabled on most switches that protects against switching loops, such as those caused when two ports of the same switch are cabled together or when redundant links exist between switches; it blocks the redundant paths until a link fails.
SMART
Specific, Measurable, Attainable, Realistic, Timely
tcpdump -i
Specify which interface tcpdump listens on
Log Aggregators
Splunk, Kiwi Syslog, Snare, WinSyslog, ArcSight, LogRhythm; collect, normalise and forward logs (encrypted in transit) to a SIEM
Sarbanes-Oxley Act
US law (2002) requiring publicly traded companies to maintain and attest to internal controls over financial reporting. For IT this means auditable access control, change management and log retention, with penalties for executives when controls or records are falsified.
Cipher Suites
Standardized collection of authentication, encryption, and hashing algorithms used to define the parameters for a security network communication.
systemctl
Start, stop, enable, disable, and view the status of services; systemd (BSD does not use)
packet-filtering firewall
Stateless; A firewall that examines each packet and determines whether to let the packet pass. To make this decision, it examines the source address, the destination addresses, and other data.
Risk Based Controls
Strategy that will allow an admin to enforce least privilege principles
Rivest Shamir Adelman (RSA)
Strength depends on the difficulty of factoring the product of two large prime numbers. The most commonly used public key algorithm on the market; 2048-bit keys are the current minimum.
guidelines
Suggestions for meeting a policy standard or best practices.
Non-Repudiation
Supplemental to the CIA triad. Ensures a party cannot later deny having sent a transmission or signed a document; provided by digital signatures.
Advanced Encryption Standard (AES)
Supports key sizes of 128, 192 or 256 bits with a 128-bit block size (Rijndael). Symmetric; the current standard for bulk encryption.
spyware
Surreptitiously installed malicious software that is intended to track and report the usage of a target system or collect other data the author wishes to obtain.
CCTV (closed-circuit television)
Surveillance cameras that do not openly broadcast signals.
Azure AD Connect
Sync DC with Azure AD; SSO 365
Supervisory control and data acquisition (SCADA)
Industrial control system for monitoring and controlling physical processes. Can operate as a stand-alone device or be networked together with other controllers; legacy protocols lack authentication, so it should be isolated from corporate networks and the Internet.
data classification
System of organizing data according to its sensitivity. Common classifications include public, highly confidential, and top secret.
configuration management
Systems are configured based on standards, and changes are made as part of a disciplined change management process
TACACS+
TACACS+ is not backwards compatible with TACACS. Uses TCP port 49 and encrypts the entire packet body; separates authentication, authorization and accounting.
SMB Port
TCP 139 for SMB over the NetBIOS session service (legacy); TCP 445 for SMB directly over TCP (CIFS/SMB2/3) for file and printer sharing
Citrix port
TCP 1494
FTP data port
TCP Port 20
FTP Command Port
TCP Port 21
URG
TCP flag indicating a Packet contains urgent data
SYN
TCP flag; request connection
TCP flow control
TCP provides flow control through the receive window the receiver advertises; the sender may have at most that many unacknowledged bytes in flight. A tarpit advertises a tiny or zero window to keep an attacker's connections open while starving them, tying up the attacker's resources rather than the defender's.
MS SQL Server port
TCP 1433 (database engine); UDP 1434 (SQL Server Browser service)
Kerberos port number
TCP/UDP 88
DNS port
TCP/UDP port 53. TCP port 53 is used for zone transfers, whereas UDP port 53 is used for queries.
Transitive Access
Takes advantage of trust, gives unauthorized access to other domain users
Man in the Middle
Takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
bluebugging
Taking control of a phone to make calls, send text messages, listen to calls, or read text messages.
Risk Control Types
Technical, Management and Operational
biometric authentication
Technology for authenticating system users that compares a person's unique characteristics such as fingerprints, face, or retinal image, against a stored set profile of these characteristics.
telephony
Technology that provides voice communications through devices over a distance.
CTI (computer telephony integration)
Telephony technology that incorporates telephone, email, web, and computing infrastructures.
TKIP
Temporal Key Integrity Protocol. Wireless security protocol introduced to address the problems with WEP. TKIP was used with WPA but many implementations of WPA now support CCMP, 802.11i. Can be used with most existing hardware
Cookies
Temporary files stored in the client's browser cache to maintain settings across multiple pages, servers, or sites.
/usr/bin/sbin
The /usr/local tree is where programs that are not included with your distribution but are intended for system-wide use are installed.
/usr/local
The /usr/local tree is where programs that are not included with your distribution but are intended for system-wide use are installed.
Bourne Again Shell (bash)
The Bourne again shell (Bash) is a common application to offer a shell command line; other common shell applications are the C shell, the Bourne shell, and the Korn shell.
802.11i
The IEEE standard for wireless network encryption and authentication that uses the EAP authentication method, strong encryption, and dynamically assigned keys, which are different for every transmission. 802.11i specifies AES encryption and weaves a key into each packet.
802.1x
The IEEE standard that defines port-based security for wireless network access control
802.1x
The IEEE standard that defines port-based security for wireless network access control. Keeps network port disconnected until authentication is complete
ISN
The Initial Sequence Number of a TCP connection is the sequence number chosen by the client (resp. server) that is placed in the SYN (resp. SYN+ACK) segment during the establishment of the TCP connection.
IPv4
The Internet Protocol version 4 is the dominant protocol for routing traffic on the Internet, specifying "to" and "from" addresses using a dotted decimal such as "122.45.255.0". 32-bit addressing
IPv6
The Internet Protocol version 6 provides a large number of new addresses to route Internet traffic, using "from" and "to" addresses written as colon-hexadecimal notation, such as "fe80::42:acff:feaa:1bf0". 128-bit addressing; authN, encryption and traffic prioritization
PUT
The PUT method requests that the enclosed entity be stored under the supplied Request-URI.
Telephony
The transmission of data through equipment in a telecommunications environment.
PPP (Point-to-Point Protocol)
The VPN protocol that is an Internet standard for sending IP datagram packets over serial point-to-point links.
REGEDIT.EXE
The ____ tool allows a user to connect to the active registry database and make changes that are effective immediately.
/etc/login.defs
The ________________ file contains parameters that set the default location for: e-mail, password expiration information, minimum password length and the range of UIDs and GIDs available for use. It also determines whether home directories will be automatically made during user creation as well as the password hash algorithm used to store passwords within /etc/shadow.
host availability
The ability of a host to remain accessible despite any system changes it needs to adapt to. Also called host elasticity.
fault tolerance
The ability of a network or system to withstand a foreseeable component failure and continue to provide an acceptable level of service.
remote access
The ability to connect to systems and services from an offsite or remote location using a remote access method.
Arbitrary code execution
The ability to run any software on a target system. Often combined with privilege escalation and other attacks to perform a local attack remotely
logging
The act of creating a log.
detection
The act of determining if a user has tried to access unauthorized data, or scanning the data and networks for any traces left by an intruder in any attack against the system.
recovery
The act of recovering vital data present in files or folders from a crashed system or data storage devices when data has been compromised or damaged.
war driving
The act of searching for instances of wireless LAN networks while in motion, using wireless tracking devices like mobile phones, smartphones, tablets, or laptops.
Recovery Point Objectives
The age of files that must be recovered from backup storage for normal operations to resume
Smurf/Smurfing
The attacker sends ping packets to the broadcast address of the network, replacing the original source address in the ping packets with the source address of the victim, thus causing a flood of traffic to be sent to the unsuspecting network device.
Differential Cryptanalysis
The attacker takes two messages of plaintext and follows the changes that take place to the blocks as they go through the different S-boxes; each message is encrypted with the same key.
MTTR (mean time to recovery)
The average time taken for a business to recover from an incident or failure.
chroot command
The chroot command changes its current and root directories to the provided directory and then runs the command, if supplied, or an interactive copy of the user's login shell. Please note that not every application can be chrooted.
site survey
The collection of information on a location for the purposes of building the most ideal infrastructure.
NAC (Network Access Control)
The collection of protocols, policies, and hardware that govern access on devices to and from a network.
top command
The command used to give real-time information about the most active processes on the system; it can also be used to restart or kill processes.
ps command
The command used to obtain information about processes currently running on the system. Options: -ef (all running processes), -C proc_name (by process name), --sort=pcpu (sort by CPU usage).
public key
The component of asymmetric encryption that can be accessed by anyone.
private key
The component of asymmetric encryption that is kept secret by one party during two-way encryption.
Continuity of Operations (CooP)
The component of the BCP that provides best practices to mitigate risks, and best measures to recover from the impact of an incident.
Linux Kernel
The core component of the Linux operating system is called the___. It is written almost entirely in the C programming language.
controls
The countermeasures that you need to put in place to avoid, mitigate, or counteract security risks due to threats or attacks.
Privilege Management
The creation and use of policies defining the users and groups that access company resources.
L2TP (Layer Two Tunneling Protocol)
The de facto standard VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.
Platform-as-a-Service (PaaS)
The delivery of a computing platform, often an operating system with associated services, that is delivered over the internet without downloads or installation.
Software-as-a-Service (SaaS)
The delivery of a licensed application to customers over the Internet for use as a service on demand. On-demand software, no local installation.
Passive Asset Tracking (MOBILE DEVICES)
The device will attempt to contact the management service on a regular basis
Open Directory
The directory service that ships as part of Mac OS X Server.
subnetting
The division of a large network into smaller logical networks.
ports
The endpoints of a logical connection that client computers use to connect to specific server programs.
attacking
The final phase of a hack in which the attacker steals data, disrupts traffic, or damages systems.
Lessons learned
The final step in incident response. Involves planning and procedures to improve mitigation strategies. It is the AAR to make improvements.
SLE (single loss expectancy)
The financial loss expected from a single adverse event.
Mac OS
The first commercially available operating system to incorporate a graphical user interface (GUI) with user-friendly point-and-click technology. Built on BSD and the XNU kernel. Offers sandboxing, and many network options are not enabled.
first responder
The first person or team to respond to an accident, damage site, or natural disaster in an IT company.
802.11b
The first specification to be called Wi-Fi, it is the least expensive wireless network protocol used to transfer data among computers with wireless network cards, or between a wireless computer or device and a wired LAN. It provides for an 11 Mbps transfer rate in the 2.4 GHz frequency.
Fire Suppression
The first step in a fire-safety program is fire prevention
Incident identification
The first step in incident response. Without detection, incidents would be false negatives
RSA
The first successful algorithm to be designed for public key encryption. It is named for its designers, Rivest, Shamir, and Adleman.
integrity
The fundamental security goal of ensuring that electronic data is not altered or tampered with.
availability
The fundamental security goal of ensuring that systems operate continuously and that authorized persons can access data that they need.
confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
TCB (Trusted Computing Base)
The hardware, firmware, and software components of a computer system that implement the security policy of a system.
physical security
The implementation and practice of various control mechanisms that are intended to restrict physical access to facilities.
URL filtering
The inspection of files and packets to block restricted websites or content.
MTTF (mean time to failure)
The length of time a device or component is expected to remain operational.
RTO (recovery time objective)
The length of time within which normal business operations and activities must be restored following a disturbance.
MTD (maximum tolerable downtime)
The longest period of time a business can be inoperable without causing the business to fail irrecoverably.
data exfiltration
The malicious transfer of data from one system to another.
Maximum Tolerable Downtime (MTD)
The maximum length of time a business function can be discontinued without causing irreparable harm to the business.
Authentication
The mechanism by which a person proves their identity to the system.
ARP (Address Resolution Protocol)
The mechanism by which individual hardware MAC addresses are matched to an IP address on a network.
data sanitization
The method used to repeatedly delete and overwrite any traces or bits of sensitive data that may remain on a device after data wiping has been done.
Wired Equivalent Privacy (WEP)
The most basic form of encryption that can be used on 802.11-based wireless networks. 64-bit or 128-bit key size. WEP is no longer used.
X.509
The most widely accepted format for digital certificates as defined by the International Telecommunication Union (ITU).
Blue Team
The network defenders in a blind (or black box) penetration test. Don't have knowledge of the attack.
TOS (Trusted Operating System)
The operating system component of the TCB that protects the resources from applications.
order of volatility
The order in which volatile data should be recovered from various storage locations and devices following a security incident.
threat vector
The path or means by which an attacker compromises security.
scanning
The phase of the hacking process in which the attacker uses specific tools to determine an organization's infrastructure and discover vulnerabilities.
PII (personally identifiable information)
The pieces of information that a company uses or prefers to use to identify or contact an employee.
RPO (recovery point objective)
The point in time, relative to a disaster, where the data recovery process begins.
attack surface
The portion of a system or application that is exposed and available to attackers.
security posture
The position an organization takes on securing all aspects of its business.
Network Segmentation
The potential for damage greatly increases if a compromise of one system on the network can spread to other networks.
BYOD (bring your own device)
The practice in which employees bring their own personal devices (usually mobile) into the office and use them for work-related purposes.
Application Whitelisting
The practice of allowing approved programs to run on a computer, computer network, or mobile device.
steganography
The practice of attempting to obscure the fact that information is present.
compliance
The practice of ensuring that the requirements of legislation, regulations, industry codes and standards, and organizational standards are met.
auditing
The practice of examining logs of what was recorded in the accounting process.
sandboxing
The practice of isolating an environment from a larger system in order to conduct security tests safely.
account federation
The practice of linking a single account across many different management systems.
risk management
The practice of managing risks from the initial identification to mitigation of those risks.
patch management
The practice of monitoring for, evaluating, testing, and installing software patches and updates.
application blacklisting
The practice of preventing undesirable programs from running on a computer, computer network, or mobile device.
load balancing
The practice of spreading out the work among the devices in a network.
implicit deny
The principle that establishes that everything that is not explicitly allowed is denied.
separation of duties
The principle that establishes that no one person should have too much power or responsibility.
job rotation
The principle that establishes that no one person stays in a vital job role for too long a time period.
least privilege
The principle that establishes that users and software should only have the minimal level of access that is necessary for them to perform the duties required of them.
On-Boarding
The process of adding new employees to the identity and access management (IAM) system of an organization
Salting
The process of adding random data to the hashed value.
enciphering
The process of applying a cipher.
risk awareness
The process of being consistently informed about the risks in one's organization or specific department.
UTM (unified threat management)
The process of centralizing various security techniques into a single device.
Data Normalization
The process of decomposing relations with anomalies to produce smaller, well-structured relations.
storage segmentation
The process of dividing data storage along certain predefined lines.
geolocation
The process of identifying the real-world geographic location of an object, often by associating a location such as a street address with an IP address, hardware address, Wi-Fi positioning system, GPS coordinates, or some other form of information.
Threat Intelligence
The process of investigating and collecting information about emerging threats and threat sources. Where to look? Visibility?
port forwarding
The process of redirecting traffic from its normally assigned port to a different port, either on the client or server. In the case of using SSH, port forwarding can send data exchanges that are normally insecure through encrypted tunnels.
Recovery
The process of removing any damaged elements from the environment and replacing them
deciphering
The process of reversing a cipher
information security
The protection of available information or information resource from unauthorized access, attacks, thefts, or data damage.
TCP
The protocol is reliable and connection orientated
Extranet
The public portion of the company's IT infrastructure that allows resources to be used by authorized partners and re-sellers that have proper authorization and authentication
reputation
The public's opinion of a particular company based on certain standards.
Mean Time Between Failures (MTBF)
The rating on a device or devices that predicts the expected time between failures
chain of custody
The record of evidence history from collection, to presentation in court, to disposal.
gain
The reliable connection range and power of a wireless signal, measured in decibels.
Multi-factor Authentication
The requirement that a user use two or more authentication factors to authenticate to a device or system.
Off-Boarding
The reverse of on-boarding: the removal of an employee's identity from the IAM system. On-boarding is like in-processing; off-boarding is the opposite.
cipher
The rule, system, or mechanism used to encrypt or decrypt data.
Cryptanalysis
The science of breaking codes and ciphers
cryptography
The science of hiding information.
SHA-2
The second revision of SHA, also designed by the NSA, which supports a variety of hash sizes, the most popular of which are SHA-256 and SHA-512.
secure log file
The secure log file contains information regarding the last user to log in to a system.
prevention
The security approach of blocking unauthorized access or attacks before they occur.
data security
The security controls and measures taken in order to keep an organization's data safe and accessible and to prevent unauthorized access.
non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
WTLS (Wireless Transport Layer Security)
The security layer of a wireless AP and the wireless equivalent of TLS in wired networks
risk analysis
The security management process for addressing any risk or economic damages that affect an organization.
IRP (Incident Response Policy)
The security policy that determines the actions that an organization will take following a confirmed or potential security breach.
Two-Way Transitive Trust
The security relationship between domains in the same domain tree in which one domain grants every other domain in the tree access to its resources and, in turn, that domain can access other domains' resources. When a new domain is added to a tree, it immediately shares a two-way trust with the other domains in the tree.
MAC Filtering
The security technique of allowing or denying specific MAC addresses from connecting to a network device.
MAC limiting
The security technique of defining exactly how many different MAC addresses are allowed access to a network device.
Spim
The sending of unsolicited Instant Messages.
Spam
The sending of unsolicited commercial email.
Certificate Authority (CA)
The server that issues and signs digital certificates and generates the public/private key pair. The key pair is based on a mathematical relationship that cannot be spoofed. You can only trust a certificate if you can trust the CA that issued it.
DNS (Domain Name System/server/service)
The service that maps names to IP addresses on most TCP/IP networks, including the internet.
key length
The size of a key, usually measured in bits or bytes, which a cryptographic algorithm uses in ciphering or deciphering protected information.
footprinting
The stage of the hacking process in which the attacker chooses a target organization or network and begins to gather information that is publicly available. Also called Profiling.
enumerating
The stage of the hacking process in which the attacker will try to gain access to users and groups, network resources, shares, applications, or valid user names and passwords.
Active Directory
The standards-based directory service from Microsoft that runs on Microsoft Windows servers.
snapshot
The state of a virtual system at a specific point in time.
Integer overflow
The state that occurs when a mathematical operation attempts to create a numeric value that is too large to be contained or represented by the allocated storage space or memory structure
Credential Management
The storage of credentials in a central location.
TLS
The successor to SSL. Uses stronger encryption methods.
privilege bracketing
The task of giving privileges to a user only when needed and revoking them as soon as the task is done.
transport encryption
The technique of encrypting data that is in transit, usually over a network like the Internet.
root CA
The top-most CA in the hierarchy and consequently, the most trusted authority in the hierarchy.
ALE (annual loss expectancy)
The total cost of a risk to an organization on an annual basis.
XOR
The truth table for the ____ gate indicates that the output is 1 only when the inputs are different.
bluesnarfing
The unauthorized access of information from a wireless device through a Bluetooth connection.
cleartext
The unencrypted form of data. Also known as plaintext.
privilege management
The use of authentication and authorization mechanisms to provide an administrator with centralized or decentralized control of user and group role-based privilege management.
rule-based management
The use of operational rules or restrictions to govern the security of an organization's infrastructure.
Server-Side Validation
The user submits a form to a web server. Web server looks over form and will let you know if you have forgotten something. It will review and make corrections.
ipconfig
The utility used to display TCP/IP addressing and domain name information in the Windows client operating systems.
hash
The value that results from applying a hash function. Also known as hash value or message digest.
Port Numbers
There are 65,536 TCP and UDP ports on which a computer can communicate. The ports are divided into three ranges.
Network Administration Security Methods
There are many tools that can be implemented within an organization to secure the networking infrastructure
LDAP or Lightweight Directory Access Protocol
Think active directory. Has a hierarchy of services and allows your system to navigate through directory services.
Confidentiality
Think encryption. Keeps information and communications private and protected from unauthorized access
Integrity
Think hashing. Keeps organization information accurate, free of errors and without unauthorized modifications
N of M Control
This access-control mechanism creates a PIN number during the archive process and splits the number into two or more parts (N is the number of parts)
Ping Flood/Ping of Death
This attack attempts to block service or reduce activity on a host by sending ping requests directly to the victim
Teardrop
This attack sends fragmented UDP packets to the victim with odd offset values in subsequent packets. Since some systems cannot handle the error of fragmented packets, it will cause them to crash or reboot.
FAT 32
This file system retains some features of the original FAT while reducing the maximum size limit of the file cluster so the space on the disk can be used more efficiently. < 400 MB and no auditing or access controls.
MD4 (Message Digest 4)
This hash algorithm, based on RFC 1320, produces a 128-bit hash value and is used in message integrity checks for data authentication.
MD5 (Message Digest 5)
This hash algorithm, based on RFC 1321, produces a 128-bit hash value and is used in IPSec policies for data authentication.
Computer Forensic
This is the evidence gathered when an incident happens, to try to figure out what the issue was and/or to defend your business against others.
Collision (cryptographic attacks)
This type of attack is where two different inputs yield the same output of a hash function. Through manipulation of data, creating subtle changes that are not visible to the user yet create different versions of a digital file and the creation of many different versions, then using the birthday attack to find a _____ between any two of the many versions, an attacker has a chance to create a file with changed visible content but identical hashes.
protocol analyzer
This type of diagnostic software can examine and display data packets that are being transmitted over a network.
TTL
Time To Live; number of router hops before the packet is dropped; decremented to 0; prevents routing loops. Defaults: Windows = 128; Linux, Mac OS = 64; BSD = 255
Why would a technician use a password cracker?
To change users passwords if they have forgotten them.
Capture the system image
To ensure proper evidence collection this step should be performed first.
Physical Security
To ensure proper physical security, you should design the layout of your physical environment with security in mind
Mandatory Vacations
To help detect fraud amongst the organization.
Windows Account lockout duration setting
To increase the time it takes for someone to guess a password. The purpose is to increase the time it takes for a brute-force password guessing attack to be effective.
Storage Segmentation (MOBILE DEVICES)
To segregate data on a disk from other sectors. An example on a mobile device would be to logically segment the OS from the Apps
Token-Based Access Control
Token based access control associates a list of objects and their privileges with each user. (The opposite of list based.) Privileges are called 'capabilities'
Network Address Translation NAT
Translates a private address into a public address. Hides devices in a private network
TCP
Transmission Control Protocol provides reliable, ordered and error checked delivery of a stream of packets in the internet; L4 / Session
Two modes of IPSec
Transport mode, Tunnel Mode
TFTP
Trivial FTP; UDP port 69; no authN
TFTP
Trivial File Transfer Protocol: UDP 69 Uses UDP for transferring smaller amounts of data, especially when communicating with network devices
cross-forest trust
Trust type that allows resources to be shared between Active Directory forests. No replication; transitive; can be 1 or 2-way
TPE
Trusted Path Execution, a grsecurity security option. TPE is a protection that restricts the execution of files under certain circumstances determined by their path.
TPM
Trusted Platform Module. This is a hardware chip on the motherboard included on many newer laptops. A TPM includes a unique RSA asymmetric key, and it can generate and store other keys used for encryption, decryption, and authentication. TPM provides full disk encryption.
Mutual Authentication
Two way authentication.
Symmetric Encryption
Two-way encryption. A single, shared key, secret-key, private-key encryption. Encrypt and decrypt with the same key
Authentication Types
Type 1 = something you know (password, username, PIN); Type 2 = something you have (token, CAC); Type 3 = something you are (fingerprint, retina scan)
Code review
Typically conducted using automated software programs designed to check code
self-signed certificate
Typically done to provide SSL functionality in temporary test or development servers. Not used for public/production.
Malicious Insider Threat
Typically motivated by financial gain, sabotage, and theft in order to gain a competitive advantage
IPsec port
UDP 500
syslog
UDP 514; plaintext, so no confidentiality; vulnerable to replay attacks, DoS (because accepts any/all logs); syslog.conf
port 123
UDP; NTP (Network Time Protocol)
port 69
UDP; TFTP (Trivial File Transfer Protocol)
Active Defense Harbinger Distribution (ADHD)
Ubuntu-based Linux distro focused on active defense and offensive countermeasures and has many tools for deception and attack-back
plaintext
Unencoded data. Also known as cleartext.
VLAN
Unites network nodes logically into the same broadcast domain regardless of their physical attachment to the network.
/usr
Unix folder path containing primary OS files. Read-only except for patches and installs. Includes binaries, tools and libraries.
SSH FTP (SFTP)
Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network.
Failopen
Unsecure
Internet
Unsecured zone
Bluejacking
Unsolicited text and message broadcast spam sent from a nearby Bluetooth device. The goal is to pair with the victim's device.
Triple-DES (3DES)
Upgraded DES. Uses a 168-bit key and processes each block of data three times using a different key each time.
SSL Secure Sockets Layer
Used by millions of websites in the protection of their online transactions with their customers. Uses certificates for authentication and encryption for message integrity and confidentiality
POP3 and IMAP
Used for Email
RSA
Used for digital signatures
Hybrid Cloud
Used for the extranet it is a mixture of a private and public cloud.
Challenge Handshake Authentication Protocol (CHAP)
Used over dial-up connections as a means to provide a secure transport mechanism for logon credentials.
Web-Security Gateway
Used to intentionally block a predefined list of websites or categories of websites
PII Handling
Used to minimize data loss or theft
File Transfer Protocol (FTP)
Used to move files from one system to another with no true security.
Telnet
Used to remote into routers. Runs on TCP port 23. Because it is a clear text protocol and service it should be avoided and replaced with SSH (PORT 22)
Nslookup
Used to resolve web addresses to IP address and vice versa
Forensics
Used to uncover issues and increase investigation.
Elliptic Curve Cryptography
Used with mobile devices
Corporate Policies
User Acceptance
UAC
User Account Control allows users to install and run programs with low privileges and elevate as needed.
UDP
User Datagram Protocol; multimedia, VoIP; know ports; 4 fields
orphaned accounts
User accounts that remain active even after the employees have left the organization.
/etc/passwd file
Username | PWD location | UID | primary group | GECOS field | home directory | login action
hackers
Users who excel at programming or managing and configuring computer systems, and have the skills to gain access to computer systems through unauthorized or unapproved means.
Dictionary Attack
Uses a dictionary of common words to reveal the user's password.
PBKDF2
Uses a hashing operation, an encryption cipher function, or an HMAC operation
Analytic Cryptanalysis
Uses algorithms and mathematics to deduce key or reduce key space to be searched
Heuristic Based Monitoring
Uses algorithms to analyze network traffic over time
Social Engineering
Uses deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.
XML injection
Uses malicious code to compromise XML applications, typically web services.
Secure Copy Protocol (SCP)
Uses port 22. Protects the authenticity and confidentiality of the data in transit
Statistical Cryptanalysis
Uses statistical characteristics of languages or weaknesses in keys.
Stealth
Uses techniques to avoid detection, such as temporarily removing itself from the infected file.
VPN
Uses the public internet as a backbone for a private interconnection between locations. It allows you to connect to something as if you were there locally
Encrypting Email
Uses one of these two programs to do this: S/MIME or PGP/GPG.
port scanning
Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
Command Injections
Using malicious code injection, attackers can perform a variety of attacks upon systems. These attacks can result in the modification or theft of data
Identifying vulnerability
Using software to test systems for known vulnerabilities or weaknesses
war chalking
Using symbols to mark off a sidewalk or wall to indicate that there is an open wireless network which may be offering Internet access.
Virtual Private Network
VPN is a communications "tunnel" between two devices across an intermediary, usually untrusted network
SSL VPN (Secure Socket Layer VPN)
VPN used with a web browser and protects against casual eavesdropping | installing a separate client is not necessary; cheaper, requires open ports on firewall
Authentication
Verifies the claimed identity of a user. Is a major component of a cryptosystem.
IPv4 header
Version, length, TTL, Protocol, Source / Target. 20 - 60 Bytes
VLAN
Virtual LAN; splits a network on a switch into multiple software-defined networks; controls visibility and access.
.vmx
Virtual Machine primary Configuration File
Hyper-V
Virtualization software developed by Microsoft that can be included with most versions of Windows Server 2008.
vishing
Voice phishing, a human-based attack where the attacker extracts information while speaking over the phone or leveraging IP based voice messaging services. (VoIP)
WEP/WPA attacks
WEP and WPA attacks can focus on either password guessing or encryption key discovery
Windows Defender Firewall
WF.MSC; NETSH.EXE; IPsec driver integration; no IDS or central logging
standards
WHAT specific hardware / software technology to use - mandatory for the whole organization and strategic
DoublePulsar
WannaCry malware component that runs in kernel mode and allows privileged access on compromised systems for remote code execution
Signs
Warning signs provide a layer of security with notification of prohibited access or briefly outlining site information. Can be used to declare areas as off limits
Client-Side Validation
Web form will make on the spot corrections in real time. After making corrections the user can submit the form to the web server.
security template
What is a collection of configuration settings stored as a text file with an .inf extension?
Input Validation
Defines what the expected input is and validates the actual input against it. Prevents XSS and SQL injection.
Server Manager
What is used to install IIS on Windows Server 2008 R2?
Identify Risks
What risks could or will this bring to my business?
Hop Limit, TTL
What two fields below are used by IPv4 and IPv6 respectively to limit the number of times that a packet can be forwarded on a network?
multi-master replication
When a domain has multiple domain controllers, all domain controllers are capable of making changes to the security domain database they share. The changes are replicated from one domain controller to another.
transitive trust
When a trust relationship between entities extends beyond its original form.
Distributed Denial of Service
When an attacker infects many machines to take down one device on the network. Many-to-one.
spear phishing
When attackers target a specific individual or institution.
IntelliSense
When entering a criterion expression, which of the following tools helps suggest a list of possible values?
Mitigation
When steps are taken to reduce the risk
Get-Service
When using PowerShell, what cmdlet can be utilized to retrieve a list of services?
Authentication
Whenever possible, use a password, provide a PIN, offer your eyeball or face for recognition, scan your fingerprint, or use a proximity device such as an NFC or RFID ring or tile.
shoulder surfing
Where other people secretly peek at your monitor screen as you work to gain valuable information.
Bourne shell (sh)
Which UNIX shell is the most compact and is often used for writing shell scripts?
ls -a
Which command can be used to list all files (including hidden files) inside the current directory? a) ls * b) ls -a c) ls -l d) show -a
Default Domain Policy
Which feature affects all users in the domain, including domain controllers?
Global Catalog
Which of the following does an Active Directory client use to locate objects in another domain?
tcpdump
Which of the following is a command line packet analyzer similar to GUI-based Wireshark?
Aircrack-ng
Which wireless hacking tool attacks WEP and WPA-PSK?
Escalation and Notification
Who to notify?
WPA 2
Wi-Fi Protected Access 2. Based on the IEEE 802.11i standard. Uses AES with CCMP to provide enhanced confidentiality, integrity and authentication. CCMP requires a new NIC and AP
SAN (Storage area Network)
Goes through the network to the storage
NAS (Network Attached Storage)
Goes to the file server and from there to the storage
AutoPilot
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats
Windows server OS
Windows NT, 2000, 2003 (XP/Vista), 2008 (8), 2012, 2016; Hyper-V
Windows Server Backup
Windows Server 2008 feature that allows you to perform one-time and recurring scheduled backups of a Windows server. ROBOCOPY.EXE
R2
Windows Server major version every 4 years, R2 every 2; should be regarded as new version
WSL
Windows Subsystem for Linux
CCB
Windows compares configuration against template using SCA
AppLocker
Windows software restriction (whitelisting) feature. Can import and export configs, audit configs, apply rules based on Group Policy. Available only in Enterprise
process hacker
Windows tool for monitoring running processes, services, device drivers, listening TCP ports, disk activity, etc
secedit.exe
Windows tool that allows for the application of security templates .inf
WEP
Wired Equivalent Privacy; uses RC4 with weak Initialization Vectors (IVs); preshared secret on all connected devices; DO NOT USE
WIDS
Wireless IDS
WLAN
Wireless Local Area Network
Wireless Encryption
Wireless NICs are radio transmitters and receivers. Signals can be intercepted and eavesdropped on. Solution: encrypt data.
bluetooth
Wireless PAN technology that transmits signals over short distances between cell phones, computers, and other devices; does not need line of sight as IR does; capable of 7 simultaneous connections
WPA
Wi-Fi Protected Access; uses TKIP; AES CCMP
802.11n
Wireless networking standard that can operate in both the 2.4-GHz and 5-GHz bands and uses multiple in/multiple out (MIMO) to achieve a theoretical maximum throughput of 100+ Mbps.
802.11g
Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 54 Mbps and is backward compatible with 802.11b.
802.11ac
Wireless networking standard that operates in the 5-GHz band and uses multiple in/multiple out (MIMO) and multi-user MIMO (MU-MIMO) to achieve a theoretical maximum throughput of 1 Gbps.
802.11a
Wireless networking standard that operates in the 5-GHz band with a theoretical maximum throughput of 54 Mbps.
interference
Within wireless networking, the phenomenon by which radio waves from other devices interfere with the 802.11 wireless signals.
Protocol Analyzers
Work at Layer 3, the network layer, to troubleshoot network issues by gathering packet label info
Full Device Encryption (MOBILE DEVICES)
You are encrypting the hard disk itself. If you are sending something over the web you are not encrypting the disk
Identify Vulnerabilities
You can use software, footprints and/or third party companies
Private key
You decrypt that data with
Discretionary Access Control (DAC)
You give the right to who you think should have access to that data. The owner assigns security levels based on objects and subjects and can make his own data available to others at will.
John the Ripper
You want to check a server for user accounts that have weak passwords. Which tool should you use?
Windows Server Core (2012+)
____ is a minimum server configuration, designed to function in a fashion similar to traditional UNIX and Linux servers. Not a version, but an installation option; default install includes only PowerShell and Notepad; 2 - 4 GB install
Intranet
a company's private network of computers
honeynet
a group of honeypots used to more accurately portray an actual network; intended to slow down the attacker and make the attack more expensive and risky
rotation of duties
a policy that requires an employee to alternate jobs periodically; mitigate collusion
deep packet inspection
a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers
Trojan Horse
a program designed to breach the security of a computer system while ostensibly performing some innocuous function.
Windows Insider program
a program that allowed users to sign up for early builds of the Windows operating system which has been expanded to include enterprise testers and advanced users
cookie
a short line of text that a web site puts on your computer's hard drive when you access the web site; often sets authN and session state
UEFI
a software layer that replaces the BIOS and sits between the OS and the system firmware
ethernet
a system for connecting a number of computer systems to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems.
thin client
a terminal that looks like a desktop but has limited capabilities and components
sniffer
a type of eavesdropping program that monitors information traveling over a network; puts NIC in promiscuous mode; usually software
Windows Server
a version of Windows that has been specially designed and configured for server use; comes in Datacenter, Enterprise and Standard; after 2012 no Enterprise
snapshot
a view of data at a particular moment in time; baseline for comparison; also useful for forensics; automate; plaintext; store to NTFS with README; threat hunting; needs human analysis
chain of custody
a written record of all people who have had possession of an item of evidence
onboarding
account administration; setting up user account and access management
Penetration Testing
active analysis of a system through simulated attacks and may involve exploit of live vulns | does not include maintaining access and covering tracks
threat
activities that represent danger to info or operations | agent of risk
logs
activity recorded on a system
Issue-specific policy
addresses specific needs of the org (password, Internet use); not system specific; NDA and copyright
Cumulative Update
addresses many bugs at one time
AES
advanced encryption standard, a symmetric 128-bit block data encryption technique; also 192 or 256 bit keys
rsyslog
advanced filtering and directing (to central log server, Splunk)
bridge
aggregates two physical networks or segments together contrast with routing of independent networks
Active Defense (goals)
aka Defensive Countermeasures; slow down attacker; positive id (attribution); more time to respond to attack
Microsoft site license
aka Software Assurance License
Windows Embedded
aka Windows IoT; stripped down to kernel; designed primarily for consumer and industrial devices that are not personal computers
protocol analysis
aka application analysis; IDS examines the entirety of protocols and how they operate and can detect known and unknown attacks
carrier file
aka host file | the file in which the data is hidden | message is the hidden data
privilege
aka right; not specific to object; general capability, machine specific (vs permission, 1:1 with object) listed in SAT
Symmetric Key Encryption
aka secret key, single or 1-key encryption; a single key is used for encryption and decryption | fast | PRIVACY | no non-repudiation; AES, Blowfish, IDEA
permutation
aka transposition, use same chars, just change position
database activity monitoring
all SQL transactions and policy violations
domain
all users, groups and computers in Active Directory
Quantitative
allows for the clearest measure of relative risk and expected return on investment or risk reduction on investment.
Diffie-Hellman
allows two users to share a secret key securely over a public network; asymmetric
Upstart
alternative to init for Linux startup
Transport mode
an IPSec mode in which only the IP data is encrypted, not the IP headers
incident
an adverse event in an information system and/or network or the threat of such an event
disaster
an incident, so needs DRP
data classification scheme
an information scheme used throughout an organization that helps secure confidentiality and integrity of information that is typically used by corporations
nikto
an open source web server scanner which performs comprehensive tests against web servers for multiple items including over 6400 potentially dangerous files, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers
threat
any potential damage to an asset.
danger
anything that can negatively impact the CIA of systems and services
Wireless benefits
anywhere; lower costs; raise productivity; better in historic buildings, etc.
Notification Alarms
are often silent from the intruder but record data about the incident and notify administrators, security and law enforcement
BCP steps
assess - threat id; damage (potential impact) | eval - cost benefit, risk assessment | prep - contingent operations, management of plan, testing of plan | mitigate - id preventive measures to reduce risks | respond - minimize impact | recover - return to normal ops
Honey Badger
attack-back tool; determines physical location of a system with geolocation, wifi and IP address
VM escapes
attack to escape the guest OS and compromise the hypervisor
Birthday Attack
attacker can take a collision and substitute one message for another at will (as they produce the same hash)
central logging server
attacker can't cover tracks - only legit machines can send log files - valuable target; should be protected with FW
hyperjumping
attacker compromises one guest OS and jumps to another | lateral compromise
flushing the logs
attacker dumps data on log files to cover tracks
TCP reset
attacker sniffs target traffic, then spoofs a packet with the RST flag set to end the session
activity summary report - quarterly
audit report; long term trends; review infra changes; review log mgt system performance
essential log elements
authN - fail and success; change report; network activity; resource access; malware activity; system failures; analytics reports; NBS - never before seen
AuthN
authentication, or validate an identity claim: know, have, are, geo
monitoring (access)
authentications and authorizations must be monitored | log access transactions, including both successful and failed login attempts
AuthZ
authorization; what can subject do to object; principle of least privilege
Trust
automatic in forest, two-way transitive; must have trust for SSO, privilege and permission assignment and desktop login across domains
type 1 hypervisor
bare metal hypervisor; a software program that acts as an operating system and also provides the ability to virtualize other operating systems on the same computer (e.g. Hyper-V)
border router
between ISP and org firewall; prefilters traffic before the org firewall and uses an ACL; aka edge router
SAFER+
bluetooth with authN, 128 bit key
kernel
brains of the OS; loaded into memory at boot
FIDO
browser MFA?
B2B
business to business
Windows Edition
business, pro and enterprise have AD other (but only ent has AppLocker)
SECEDIT.exe
cannot be used over the network; See MMC; MMC.EXE GPO configurations
packet sniffing
capture network traffic for analysis | no longer requires physical access to network due to prevalence of wifi
logging considerations
centralize; normalize; correlate; time server (UTC, use same time zone); detect log tampering
BOOTP
centrally managed; allocates addresses for networked machines based upon pre-configured MAC:IP mappings; UDP ports 67 and 68
CRL
certificate revocation list - a list of certificate revocations; not updated in real time and must be downloaded regularly
chmod
change permission modifiers
sysctl -w variable=<value>
change variable, commits on reboot
chkrootkit
checks for rootkits
Form-Based Authentication
cleartext unless SSL; authN errors minimal; acct lockouts
SSL / TLS (PKI)
client knows server, but not inverse; client is anonymous; certificates used for key exchange, session key used to encrypt
Windows OS classes
client, server, embedded
client-to-site VPN
clients, servers, and other hosts establish tunnels with a private network using a VPN gateway at the edge of the private network. Each remote client on a client-to-site VPN must run VPN software to connect to the VPN gateway, and a tunnel is created between them to encrypt and encapsulate data. This is the type of VPN typically associated with remote access.
CFEngine
cloud-based focused on local datacenters
virus
code that attaches itself to an executable and infects systems when the exe is run; it is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data
logging activities
collect; store; search; correlate / alert
log file
collection of messages
diff
command compares files and prints their differences
Linux shell
command line, allows for interactions with the kernel, OS
binding
communications path between a networking component (service or protocol) and a physical network adapter card; IP + TCP + hostname
cloud resistance
compliance; multi tenancy; vendor lock; logging
pivot point
compromise in one element in system can lead to another; registry keys in windows, start up files, running processes
lateral movement
compromise one system, then another
hyperjacking
compromise the hypervisor to gain access to the VMs and their data typically launched against type 2 hypervisors that run over a host OS
crypto (goals)
confidentiality, integrity, authentication, non repudiation
jailed environment
configured to look like a real environment; no real data; all traffic permitted
CLOSED
connection state in which server accepts no connections
Windows Logging
consider what to log; logs slow performance and consume disk space; check temp folders for attacker plants
Incident handling phase 3
containment; stabilize, secure area, backups (forensics), copies (one for evidence, one for analysis); change passwords; pull from network?
log preprocessing
convert logs from one format to another
Log normalization
converts data to a structured form (e.g. a database table), enabling experts to analyze data from different sources and gain deep insight about the whole system.
CCMP
counter mode with cipher block chaining message authentication code protocol - a wrapper that uses 128-bit AES encryption with a 48-bit initialization vector
CREATOR_OWNER
creator is owner, can delete and modify; admins own objects created during OS install
Equifax
credit bureau; hacked through unpatched Java Struts vuln; CI attack
PowerShell Core
cross platform, .NET Core framework
active summary report
daily; weekly; monthly; quarterly; annual
Azure
data centers that implement MS cloud services; everything is built on them (IaaS, PaaS)
Security Updates Guide
database of CVEs, etc. for Microsoft
system call interception
deny/permit requests; HIDS sits between apps and system resources, OS
logical design
depicts how data flows across different devices in network | detailed, rather than abstract network diagram | services, application names | for developers and security architects | shows servers workstations routers firewalls...
honeycreds
deploy decoy accounts, usually privileged ones
captive web portal
deployed for hotspots, higher ed, etc.
bogus DNS
descriptive but deceptive DNS domain names redirect attackers to jailed env or honeypot
security controls (types)
detective, corrective and preventive
SmartScreen Filter
detects threats on Web sites, such as phishing attacks and malware downloads, and prevents them from running
router
device that connects different networks together internal and external | forwards data packets between computer networks | operates at OSI L3, handles packets
/dev
device; hardware
intellectual property (IP)
dictated by logical architecture | key is to reduce the number of locations where present; subject to copyright
communications flow
dictated by logical design, shows how data flows in and out of the network | informs threat model; attack surface and vectors; estimate impact; determines defense
policy
directive that defines the 'what'; reduces liability for people; supports org mission and accomplishment of objectives; mandatory | execs, $, users; makes jobs easier; 3 - 5 pages
Decloak
discover attacker IP even if through proxy
df
disk free space command
network profile
domain - AD, least strict | public - most strict | private - home or office
Global users and group
domain user with account in AD
Complete Trust Domain
domains in a forest always have two-way transitive trusts with multi-master replication
tcpdump -n
don't resolve hostnames
tcpdump -nn
don't resolve hostnames or well known port numbers to their services
Threat hunting metrics
dwell time; lateral movement; reinfection
Rotation Substitution
e.g. Caesar cipher, swapping out one character for another, rotate by n chars | predictable | if one mapping discovered, all is lost
Threat Hunting goals
early and accurate detection; control and reduce impact; improve defenses; understand org weaknesses
qualitative analysis
easier and can identify high-risk areas and produces more subjective results (low, medium, high)
tractable
easy crypto problem
Top 5 Wireless attacks
eavesdropping; masquerading; DoS; rogue AP; wireless phishing
digital signature
electronically signing a document with data that cannot be forged; NON REPUDIATION, INTEGRITY; sender signs with private key for non-repudiation; recipient verifies with sender's public key
PKI uses
email; disk encryption; code and driver signing; user authN; IPsec and VPN authN; wireless authN; NAC; digital signatures
Defense in Depth
employ multiple layers of controls in order to avoid having a single point of failure
Revocation Certificate
employee termination; new role in org; email address change; key compromise
hypervisor
emulation software for virtualization; allows a single computing device to run multiple operating systems through hardware emulation
virtualization
emulation software for virtualization | allows a single computing device to run multiple operating systems through hardware emulation | accesses virtualized hardware, not physical
MMC (Microsoft Management Console)
enables an administrator to customize management tools by picking and choosing from a list of snap-ins. Available snap-ins include Device Manager, Users and Groups, and Computer Management.
Volume Storage Encryption
encryption of virtual hard drives in cloud environment
network mapping
enumerating hosts responding on a network. NMAP
Incident handling phase 4
eradication; repair before restore; remove backdoors; vulnerability analysis after recovery; improve security (ok to fix in prod if necessary)
baseline document
establishes a known baseline configuration and manages that condition with a baseline document; instrument for detection and change management
0-day
exploit that is not publicly known or available
Shallow Packet Inspection
fast; evaluates at predictable offset locations
dictionary attack
fast password attack method that automates password guessing by comparing encrypted passwords against a predetermined list of possible password values.
deception
fewer legal issues; delays attacker so more time to respond; more likely to id attacker
injection (steganography)
file size can tip off; adding hidden data to carrier file
OneDrive
file storage on Azure (SaaS)
john.pot
file where John the Ripper stores cracked passwords
honeytoken
files and folders set up to deceive attacker and allow for detection of the attack
FIN
finish TCP flag; request tear down of connection
Egress filtering
firewall filters packets when they are leaving the network, prevents replies to probe packets from leaving the network and prevents a firm's infected hosts from attacking other firms
log system prioritization
firewalls and network devices, security devices, servers, databases, applications and desktops
network security devices (3)
firewalls (prevention); NIDS (detection); NIPS (prevention)
init
first process to start; PID 1; checks and starts services; mounts file systems
Firewall concerns
gap at app layer; encrypted bypass; mgt sees as solution
File generation (steganography)
generate from hidden data; carrier not needed before; produced by stego program; each new input produces new output
endpoint security
goal is to control damage by reducing attack surface; needs: asset management, configuration management, change control; includes AV, local FW
data classification primary categories
government / military and commercial
grsecurity
gradm utility to manage RBAC; set of patches to enhance Linux kernel security; MAC with RBAC support; file system hardening; kernel audit; PaX memory management; Trusted Path Execution (TPE)
histogram
graphical representation of the number of occurrences of data in a given distribution of such data
servicing ring
group of computers assigned particular servicing channel with specific update deferral period
intractable
hard crypto problem (factoring large integers into two prime factors); also encompasses the discrete logarithm problem (ElGamal)
rowhammer
hardware exploit; escalate privileges, escape VM, flipping bits in memory
data diode
hardware focused; military / govt; one direction data flow; input anode; output cathode
technical controls
hardware or software installations that are implemented to monitor and prevent threats and attacks to computer systems and services.
vertical market
healthcare, education, IoT, etc
Steganography
hide data in a 'carrier' file or medium; disguise encrypted data; SECRECY
Windows 10 Pro for workstations
high end, 3D, video editing
conceptual design
high level design that includes core components of network architecture | 'black box' I/O | legal, environmental safety | customer experience | multidisciplinary
Program Policy
high level policy sets tone for org security and provides guidance to enact other types of policies and delineates responsibility
detection (stego)
histogram; high entropy = encryption; no universal method to detect stego
/home
home directory for user; physically found in /export/home
physical topology
how a network is wired together; includes wifi
threat agents (3)
human or not | organized crime | espionage | hacktivist
attribution
id attacker; block country? legal concerns. attacker can defeat with relay attacks and spoofed IPs
data classification steps
id roles | classification and labeling criteria | owner classifies | exceptions | controls | declass destruction procedures | awareness program
vector-oriented defense
identify attack vectors; mitigate or eliminate
Risk Management goals
identify measure control and minimize/eliminate the likelihood of an attack, reduce risk to an acceptable level
algorithm group
if cipher is in a 'group' multiple rounds of encryption does not increase security
Active Directory Global admin
in AD, one for each domain in a forest (ALL POWERFUL IN THAT DOMAIN)
HTTP authN
in headers; basic (base64 encoded); digest (MD5)
cut command
in Linux, cut prints a selected 'cut' of each line
Privacy considerations
in relation to integrated systems and data shared with third parties; should be taken seriously and outlined in the organization's Privacy Policy
message
indicates a system event has occurred
Secure Coding
initialize vars; input validation; error management; least priv; vuln notifications; check 3rd party code; no secrets in code; no admin for server, db access | includes performance and load testing
anode
input in diode system
attacker actions
install programs; run daemons and services; make outbound connections
ReFS
intended for large storage volumes in a RAID array; does not support compression
PKI problems
interoperability; certification of CAs; outsource of trust
WDAG
is a feature that allows you to isolate Microsoft Edge at the hardware level using Hyper-V technology to protect your device and data from malware and zero-day attacks; like a sandbox with no data persistence and none of the usual browser features
docker
is an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.
auditd
kernel level; does not use syslog; can monitor all network traffic and file access; logs with SELinux
key escrow
key backup; keys are managed by a third party, such as a trusted CA.
client-to-client VPN
key distribution problem and difficult to configure, but very secure
reversible encryption
key required to decrypt
Windows Registry
keys - folders | values - files | type data | disable remote registry access
Korn Shell (ksh)
ksh
physical design
last before implementation | all known details | physical components and connections | OS versions
layer independence
layers unaware of each other; security must have visibility into all layers
decoy ports
lead attacker to believe many ports are open; more scanning needed; deploy on network device
false headers
leave blank or include incorrect information to deceive attackers about systems
Incident handling phase 6
lessons learned; incident handler reports; meet to review, achieve consensus, report to management, including costs
Caesar Cypher
letter-by-letter method to make a cipher. For each letter, substitute another letter 4 letters ahead. For "a", write "d".
threat hunting plan
limit scope; specific goals; document effort, outcomes; metrics
A ptr record
links an IPv4 address to a FQDN
wtmp
Linux log that records all user logins and logouts (history). The 'last' command uses this file to display a listing of recently logged-in users
List Based Access Control
list of users and their privileges with access to object
threat enumeration
list threat agents | list attack methods | list system-level objectives
ls -l
lists all contents in long format
LKM
loadable kernel modules; /lib/modules; disable or blacklist modules not needed; dynamically load after boot; disable as risky
blue pill
logical exploit; create false hypervisor with root access
elevate to root (3 ways)
login as root; su to root (no accountability); sudo
btmp
logs failed login attempts
activity summary report - monthly
long term trends; minor policy violation summary; resource usage reports; security tech measurement
network threat hunting
look for lateral movement; assume compromised; C2 (command and control)
vulnerability scanning
look for vulnerabilities associated with discovered systems, ports and services
Windows Server (roles)
major piece of functionality: domain controller, IIS, Hyper-V, RDS, VPN, File, Print, DHCP, DNS, RADIUS
bluetooth defenses
make non discoverable; pair in secure environment
session ID
makes HTTP stateful; carried in: form element, URL, cookie; should be long and random; sign / hash IDs; new ID issued on authN; expire / timeout
packet misroute
malware on router sends traffic to an evil location or causes routing loops; DoS or network congestion
Logical File System
manages metadata - manages the directory structure to provide the file-organization module with the information the latter needs, given a symbolic file name - maintains file structure via file-control blocks - protection
security
managing risk to critical assets; not all risk can be eliminated; track, manage and mitigate
lynis
matches Linux security configuration to regulatory standards e.g. SOX, PCI, etc.
Deterrent Alarms
may engage additional locks or shut doors in efforts to increase intrusion difficulty
alert
message to notify system owner or operator
LISTEN
mode where server has no active connections but listens for client requests
RBAC (Role Based Access Control)
model in which access is based on a user's job function within the organization and determined by role or group assignment
hybrid attack (pwd)
modifies dictionary words in guessing attempts
content discovery
monitor data for restricted info
virtual machine introspection
monitor hypervisor and all VMs
quality update
monthly; aka hot fixes or patches
quantitative analysis
more powerful because based on metrics and typically yields an objective numeric value (often $)
baseline
more specific implementation of a standard; specific mandatory; e.g. hardening guide
Signature Analysis
most common method of identifying EOI on a network; uses a series of rules and pattern matching to detect and alert
substitution (steganography)
most popular; file size remains same
MIMO
multiple input multiple output (802.11ac); can transmit to many receivers
OS virtual machine
multiple operating systems run independently on the same hardware
Microsoft patching
must patch due to anti trust settlement
ICMP
network layer (L3) protocol for diagnostics such as ping; many DoS attacks use ICMP, so it is commonly blocked at firewalls and routers. If ping fails but other connectivity to a server succeeds, ICMP is probably being blocked. ICMPv4 pairs with IPv4 and ICMPv6 with IPv6; every message starts with three common fields (type, code, checksum) followed by a type-specific body
protected enclave defense
network segmentation with VLANs and ACLs
Nmap
network and port scanner (not a full vulnerability scanner); performs ping sweeps, TCP/UDP port scans, OS fingerprinting, service version detection, and NSE script execution, some scripts checking for known vulnerabilities
switch
networking device that connects computers together to form physical and virtual networks | handles frames at OSI L2
Edge Browser
no ActiveX, Java, or Flash; HTML5; SmartScreen filter for phishing and malware sites; InPrivate window
windows admin account best practices
disable LAN Manager and NTLMv1 authentication; use two accounts, one for regular activity and one for admin work; rename the built-in 'Administrator' account
End of Custom support
no further support or update options unless directly negotiated with MS
hash function
no key; one-way function (not a trapdoor function: there is no secret that inverts it); MD2 to MD5 family, aka 'message digest' (now broken, use SHA-2 or SHA-3); provides INTEGRITY
virtual sprawl
number of VMs / guest systems too big to manage
tcpdump -c
number of packets to capture before stopping
event
observable and verifiable occurrence
Cryptanalysis
obtaining the plaintext or key from ciphertext to obtain valuable information or pass on altered, fake messages to intended recipients
firewalld
offers trust zones and levels; inbound and outbound rules, IPv4, 6; application whitelisting; puppet integration
password cracking
offline password guessing against an exfiltrated file or database of usernames and password hashes; recover the plaintext given only the hash
irreversible encryption
one-way function (hash); hash is stored, not plain text
Windows S
only MS Store apps; can change to full, but not back
Long Term Channel
only available in Enterprise; limits to monthly quality updates never gets features updates (must upgrade entire OS)
session cookie
only for current session; stored in memory; close browser, exits
Debug Programs
SeDebugPrivilege; by default only local admins; dangerous because it lets a process read and inject into any other process, e.g. Cain dumping credentials from LSASS
Transport mode (IPSec)
only the payload of the IP packet is encrypted and or authenticated
Chef
open source CM; offers more Windows support than Puppet
nodev
option in Unix ignores special device files. Used in areas outside /dev folder to prevent unauthorized system device access
nosuid
option in Unix ignores the set-UID and set-GID bits on executables
cathode
output in diode system
Threat hunting maturity model
p 185
unidirectional gateway
p 72
APT
(Advanced Package Tool) package manager for Debian and Ubuntu; install, remove, update, upgrade (not to be confused with Advanced Persistent Threat)
firewall types
packet filtering (stateless), stateful, proxy (nextgen)
NTLM
NT LAN Manager; Microsoft challenge-response authentication protocol; the underlying NT hash (unsalted MD4 of the UTF-16 password) is what Windows stores
Cisco Type 7
reversible obfuscation of passwords in IOS configs (each byte XORed against a fixed, public key); easily decoded by readily available tools; use Type 8 (PBKDF2) or Type 9 (scrypt) secrets instead
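The following is an added example (not from the study guide) showing why Type 7 is only obfuscation: the key is public, so decoding is a single XOR pass. The two config lines in `main` are constructed, not taken from a real device.

```python
"""Cisco Type 7 decode/encode (added example, not from the study guide)."""

# Fixed key used by IOS for Type 7 obfuscation; it is public knowledge,
# which is exactly why Type 7 offers no real protection.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a Type 7 string such as '02050D480809'."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("malformed Type 7 string")
    seed = int(encoded[:2], 10)           # first two decimal digits: key offset
    body = bytes.fromhex(encoded[2:])     # remaining hex pairs: XORed bytes
    plain = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 2) -> str:
    """Produce a Type 7 string; seed mimics the 0-15 offset IOS picks at random."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plaintext.encode("ascii")
    body = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}" + body.hex().upper()


if __name__ == "__main__":
    # Constructed config lines (not from a real device); both decode to "cisco".
    for line in ("enable password 7 02050D480809",
                 "username ops password 7 0822455D0A16"):
        print(line, "->", type7_decode(line.split()[-1]))
```

The same plaintext yields different strings only because the seed changes; nothing secret is involved, so any Type 7 string found in a backup or a pasted config should be treated as a cleartext credential.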
activity summary report - weekly
perimeter and internal log trends; account activity; host/network device changes; critical attack summary
maintenance (access)
periodic review of user accounts and access | must perform when user changes roles responsibilities
default allow
permissive firewall ruleset in that all traffic is allowed unless it has been specifically blocked. NOT RECOMMENDED
air gap
physical separation of hardware (servers)
telnet
plain text; port 23
file activity monitoring
policy violations
activity summary report - annual
policy; retention; trends; budget; new regulations
ESTABLISHED
port / socket state in which there is an active connection
SSL/TLS
TLS (formerly SSL): HTTPS uses port 443 | encryption protects confidentiality and integrity; the server's certificate verifies its identity | client and server negotiate the strongest mutually supported cipher suite; bulk data uses symmetric keys exchanged via RSA or Diffie-Hellman; a fresh session key is negotiated per session (handshake), not per request
John the Ripper - incremental mode
powerful, slow; all combinations and lengths attempted can run indefinitely
Rainbow Tables
pre calculated hashes
Incident handling phase 1
preparation; management support; policy; legal and law enforcement, compliance, id team, communications
Firewall
preventive; hardware and software; ENFORCE ORG SEC POLICY; router with filtering; between NIC and PC or public / internal networks
End of Sales
product no longer sold to retailers or OEMs
offboarding
prompt revocation of access
crypto (3 components)
protect data at rest protect data in transit protect keys
PaX
protection against corruption of memory (part of grsecurity)
data dispersion
protects data without encryption through fragmentation
copyright
protects owner; includes year, owner; registration not req'd but good
Authentication Header (AH):
provides integrity and data-origin authentication of the whole packet (including the IP header) and replay protection via sequence numbers; no confidentiality, and no non-repudiation, since it uses a shared-key HMAC
Encapsulating Security Payload (ESP)
provides confidentiality (encryption) of the payload plus optional integrity and origin authentication covering the payload only (the outer IP header is not protected); also prevents replay attacks
SaltStack
provides public-key cryptography between the configuration master and its minions; highly suitable for cloud environments
Steganography (3 types)
provides secrecy by hiding data within data | injection; substitution; file generation
Log correlation
provides the ability to discover and apply logical associations among disparate individual raw log events in order to identify, respond, validate, measure, report
asymmetric key encryption
public key crypto | two keys: the public key encrypts (or verifies a signature), the matching private key decrypts (or signs); used for key exchange, authN, non-repudiation
public internet
publicly accessible system of networks that connects computers around the world
Controls
put in place to close vulnerabilities, prevent exploitation, reduce the threat potential, and/or reduce the likelihood of a risk or its impact
system()
os.system() in Python (and system() in C) passes a command string to the system shell; building that string from untrusted input enables OS command injection
symbolic permissions
notation using letters (u/g/o for who, r/w/x for what, e.g. chmod u+x); each letter's octal weight is r = 4, w = 2, x = 1
precomputation attack
rainbow tables calculated
salt
random per-user value stored with, and combined into, the password before hashing so identical passwords hash differently; defeats precomputed (rainbow) tables; it does not itself prevent hash collisions
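An added example (not from the study guide) tying together the rainbow table, precomputation attack and salt entries above: an unsalted table reverses a leaked hash instantly, while a random per-user salt forces the attacker to redo the whole derivation for every user. The wordlist is constructed; the PBKDF2 iteration count is kept low so the demo runs quickly.

```python
"""Why salting defeats precomputed (rainbow) tables (added example, not from the study guide)."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "cisco", "Summer2019", "qwerty"]
ITERATIONS = 50_000  # PBKDF2 work factor; production values are higher


def unsalted_hex(password: str) -> str:
    """The weak scheme: plain SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words):
    """Precompute every candidate once; the table works against ANY victim database."""
    return {unsalted_hex(w): w for w in words}


def lookup(table, digest_hex: str):
    """O(1) reversal of an unsalted hash: the precomputation attack."""
    return table.get(digest_hex)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted derivation: the salt is mixed into every iteration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str):
    """Store a fresh random 16-byte salt next to the derived hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), stored)


def crack_salted(words, salt: bytes, stored: bytes):
    """The attacker's only option now: full derivation per user per guess."""
    for w in words:
        if verify(w, salt, stored):
            return w
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted lookup:", lookup(table, unsalted_hex("letmein")))
    salt, stored = new_record("letmein")
    print("salted lookup:", lookup(table, stored.hex()))      # None
    print("per-user brute force:", crack_salted(WORDLIST, salt, stored))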
WannaCry
ransomware that spread as a worm (NOT a virus) via the SMBv1 vulnerability patched in MS17-010, using the leaked EternalBlue exploit and the DoublePulsar kernel backdoor (which exposes ping, kill and exec commands)
semi-public internet
reachable from internet; may have internet access
ro
read only option causes the Unix operating system to prevent writes or updates
reconnaissance
recon: step one; google hacking; find IPs, ports, services, map network (casing a house)
Application behavior monitoring
record normal activity for app, alert when anomaly; detect zero days and worms
accountability
record of subject / object transactions or who did what when
john.log
records how long John the Ripper took to crack passwords
Incident handling phase 5
recovery; do not restore bad code; system owner makes decision to return to ops; monitor closely after redeployment
PC refresh
reinstalls Windows and keeps your personal files and settings
permission
related to a particular object like read access to file
Eternal Blue
remote code execution exploit against Microsoft SMBv1 (MS17-010); used by WannaCry
absolute permissions
represented in octal (755) or binary (111 101 101); each bit is 1 if the flag is set and 0 if not, e.g. rwx = 111 = 7, r-x = 101 = 5
swap space
disk area (a partition or file) used as backing store when RAM is exhausted; holds pages of a process's virtual memory; not mounted into the logical file system
rbash
restricted shell that limits commands available so as to contain users to specific areas of the file system and prevent running certain commands. Often cannot tab complete.
Default deny policy
restrictive firewall ruleset policy whereby access is denied unless it is specifically allowed protect against previously unknown attacks and vulns
risk
risk = threat x vulnerability
fragmentation
router splits a packet larger than the next-hop MTU into smaller fragments and forwards them | the IP header carries 3 flag bits (including DF and MF) and a 13-bit fragment offset
routing table poisoning
routers exchange data to build tables; attacker injects bad data
RSBAC (RBAC)
rule-based access control: access decided by a fixed set of rules applied to every subject (e.g. firewall rules); also abbreviated RBAC, so distinguish it from role-based access control
application-level virtual machine
run an app on its own VM so if compromised cannot compromise other systems
Bastille
runs scripts to harden Linux machines to industry standards; good auditing tool; however, only targets local machine
service branch
same as channel
Symmetric
same key to encrypt / decrypt data
Cryptology
science of interpreting secret writings and codes; encompasses cryptography and cryptanalysis
scratch data
scratch and intermediate data written to /var/tmp and similar directories
Normal user account
second type of user account after superuser
confidentiality
secure from unauthz access; opposite disclosure; government and healthcare
SSH
secure shell; port 22; password, public-key, or certificate authentication; replaces telnet
loss controls
security measures implemented to prevent key assets from being damaged.
operation controls
security measures implemented to safeguard all aspects of day-to-day operations, functions, and activities.
transform
security services documented in IPsec | see security association
End of extended support
security updates and paid support no longer available unless custom support
protected enclave
segment of internal network defined by common security policies
layer flow
sender(app -> physical); receiver(physical->app)
middleware
tier that separates the private DMZ from the private internal network
umask command
sets default permissions for newly created files by masking bits out of the creation mode (UNIX default 666 for files, 777 for directories); the mask lists the bits to DENY, e.g. umask 022 yields 644 files and 755 directories; symbolic notation is also accepted
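An added example (not from the study guide) covering the symbolic permissions, absolute permissions and umask entries above: converting between `rwxr-xr-x` and octal (including the setuid, setgid and sticky bits) and computing what a given umask leaves on new files and directories. The helper names are this example's own.

```python
"""Unix permission notation and umask (added example, not from the study guide)."""
import stat

# (read, write, execute, special) bits for the owner, group and other triplets.
_TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX),
)


def parse_symbolic(sym: str) -> int:
    """'rwxr-xr-x' -> 0o755; understands s/S (setuid, setgid) and t/T (sticky)."""
    if len(sym) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, (r, w, x, special) in enumerate(_TRIPLETS):
        rc, wc, xc = sym[3 * i : 3 * i + 3]
        if rc == "r":
            mode |= r
        elif rc != "-":
            raise ValueError(f"bad permission string {sym!r}")
        if wc == "w":
            mode |= w
        elif wc != "-":
            raise ValueError(f"bad permission string {sym!r}")
        special_char = "t" if i == 2 else "s"   # sticky on 'other', set-id elsewhere
        if xc == "x":
            mode |= x
        elif xc == special_char:
            mode |= x | special
        elif xc == special_char.upper():
            mode |= special                     # special bit without execute (capital letter)
        elif xc != "-":
            raise ValueError(f"bad permission string {sym!r}")
    return mode


def to_symbolic(mode: int) -> str:
    """0o4755 -> 'rwsr-xr-x' (inverse of parse_symbolic)."""
    out = []
    for i, (r, w, x, special) in enumerate(_TRIPLETS):
        special_char = "t" if i == 2 else "s"
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(special_char if mode & x else special_char.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def apply_umask(default_mode: int, umask: int) -> int:
    """umask lists bits to DENY: the kernel computes default & ~umask."""
    return default_mode & ~umask & 0o777


def default_modes(umask: int):
    """(file mode, directory mode) produced under this umask: 666/777 minus the mask."""
    return apply_umask(0o666, umask), apply_umask(0o777, umask)


if __name__ == "__main__":
    print(f"{parse_symbolic('rwsr-xr-x'):04o}")          # 4755, e.g. /usr/bin/passwd
    print(to_symbolic(0o1777))                             # rwxrwxrwt, e.g. /tmp
    for um in (0o022, 0o027, 0o077):
        f, d = default_modes(um)
        print(f"umask {um:03o}: files {f:03o}, dirs {d:03o}")
```

Note the asymmetry: because the file default is 666 (no execute), a umask never needs to mask execute for files, and umask 077 gives the private 600/700 pair that hardening guides usually recommend for service accounts.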
servicing channel
set delay for application of updates; quality updates up to 30 days; feature update up to 365
claim
set of AD attributes included in Kerberos ticket
Rootkit
set of binaries that gives attacker backdoor to system and helps evade detection often installed in /usr/bin and /sbin dirs. Does not provide root access
NetBIOS
set of connectionless and connection-oriented protocols that make computers accessible by human-readable names rather than IP *disable - recon threat*
swapon -s
lists the active swap areas; swapon <path> enables swapping to the file or block device at path, and swapoff <path> stops it
Group Policy Object
settings that define what a system will look like and how it will behave for a defined group of users. You can think of _____ as policy documents that apply their settings to the computers and users within their control.
tcpdump -X
show packet contents in hex and ASCII
tcpdump -XX
show packet contents in hex, ASCII, with Ethernet header
Cold boot attack
side-channel attack related to removing RAM from computer while it still contains encryption key, then reading it on a different computer
Workgroup benefits
simplicity low initial cost isolation local admin for owners
full duplex
simultaneous send / receive for two nodes; Any device that can send and receive data simultaneously.
Hash Collision
situation that occurs when two distinct inputs into a hash function produce identical outputs
NextGen Firewalls
slow; difficult to manage; best security; tears down each layer of packet; process tables aka proxy or application gateway
Windows Server (feature)
smaller functionality, e.g. disk encryption
Ingress Filtering
filtering inbound packets at the network edge and discarding those whose source IP addresses fall outside the expected range (e.g. internal or spoofed sources arriving from the internet)
device
source of security-relevant logs
tcpdump -s
snaplen: number of bytes to capture per packet; default 262144 in current versions (older releases used 68 or 65535)
VLAN hop
by spoofing 802.1Q tags (e.g. double tagging) or negotiating a trunk, an attacker can send frames to a different VLAN without going through a router
Windows mass client upgrade
start 2 years before end of support
cover tracks
step five; delete logs, or - more advanced: modify logs, clear bash history, browser history, registry, temp net files
maintain access
step four; ultimate goal; backdoor, create accounts, covert channels for exfil
gain access
step three; get the shell; social and physical attacks included; system, software, IP blocks, vulns (no one home)
scanning
step two; (knock on door anybody home); ping, nikto, netcat, nmap tools; find ports, protocols and services
messages log
stores valuable nondebug and noncritical messages located in /var/log/messages
sed
stream editor; filters and transforms text; supports regex
Adware
advertising-supported software; a form of spyware that reports general surfing habits and which sites you have visited
AADDS
Azure AD Domain Services; managed domain that supports Kerberos, NTLM, LDAP and traditional DC services
Arbitrary Substitution
swap one character for another arbitrarily; cannot derive key by mapping just one character (as with rotation substitution); vulnerable to freq analysis
su
switch user command; can change to any user with password; /usr/bin/su or /bin/su
DES
symmetric; 64-bit block cipher with a 64-bit key of which 56 bits are effective (8 are parity); broken due to the small key size
UIDs 1-500 are usually reserved for what kind of users?
system accounts; e.g. NFS nobody; attackers favor these for backdoors
exTended C Shell
tcsh
port 23
telnet
persistent cookie
text file on disk; need expiration date; browser deletes
cryptography
the art of protecting information by transforming (plaintext) into an unreadable format, called cipher text
Tunnel Mode (IPSec)
the entire IP packet is encrypted and or authenticated.
brute force attack
the password cracker tries every possible combination of characters will always recover password given time
Keyspace
the range of all possible values for a key in a cryptosystem the larger the better
utmp
the who of Linux logging
awk
this command can be used to specify the exact record to match based on a particular pattern
uniform protection defense
threats, and protections, treated equally (e.g. FW, VPN, AV) most common approach
Redundancy
to remove the single point of failure
capabilities
token based access privileges
aireplay-ng
tool to attempt to inject and capture traffic from WiFi networks
TTP
tools, techniques, procedures
government data classification scheme
top secret, secret, confidential, sensitive but unclassified, unclassified
Endpoint firewall
treat local machine as trusted includes packet filter (stateful) and application control, OS control; file integrity checking (FIC)
collision
two different files produce an identical hash
ICMP fields
type; code; checksum; payload
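An added example (not from the study guide) for the ICMP entries: building an echo request from the fields listed above and parsing one back, including the RFC 792 checksum, which is how a firewall or IDS tells a well-formed ping from a corrupted or tampered packet. The `ICMP_TYPES` table is this example's own small subset.

```python
"""Build and parse ICMP echo packets with the RFC 792 checksum (added example, not from the study guide)."""
import struct

# Small subset of ICMP types, enough for ping and the errors it commonly provokes.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}


def icmp_checksum(data: bytes) -> int:
    """Ones' complement of the ones' complement sum of all 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                        # pad odd-length data with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"abcdefgh") -> bytes:
    """type=8 code=0, checksum, identifier, sequence number, then payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum zeroed while computing
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split any ICMP message into the three common fields plus the echo id/seq words."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    type_, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": type_,
        "type_name": ICMP_TYPES.get(type_, "other"),
        "code": code,
        "checksum": csum,
        "id": ident,                 # for non-echo types these two words are the
        "seq": seq,                  # 'rest of header' (unused or pointer/gateway fields)
        "payload": packet[8:],
        # Summing a packet that includes a correct checksum field yields 0.
        "checksum_ok": icmp_checksum(packet) == 0,
    }


if __name__ == "__main__":
    pkt = build_echo_request(ident=1, seq=1)
    print(pkt.hex())
    print(parse_icmp(pkt))
    print(parse_icmp(pkt[:8] + b"abcdefgX")["checksum_ok"])   # tampered payload -> False
```

Raw-socket sending is deliberately left out so the block runs without privileges; the bytes it produces are exactly what a `ping` implementation would hand to `sendto()` on a `SOCK_RAW` ICMP socket.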
activity summary report - daily
unauthZ config; service disrupt; intrusion evidence; suspicious login fails; minor malware
OS injection
unauthorized user appends shell commands to input that the server passes to the OS; defend with input validation (define valid inputs, allow-list) and by never building shell command strings from user data
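An added example (not from the study guide) for the system() and OS injection entries: the vulnerable function concatenates user input into a shell command string exactly as `os.system()` would run it, while the hardened version validates against an allow-list and passes an argv list with no shell. `echo` stands in for a real tool such as nslookup so the demo runs offline, and the payload string is constructed.

```python
"""OS command injection: vulnerable vs hardened (added example, not from the study guide)."""
import re
import subprocess

# Conservative hostname allow-list (RFC 1123 labels); anything else is rejected.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

PAYLOAD = "example.com; echo INJECTED"   # constructed attacker input


def resolve_vulnerable(name: str) -> str:
    """BAD: command string built by concatenation and handed to /bin/sh.

    subprocess.run(..., shell=True) is used instead of os.system() only so the
    output can be captured; the shell parses the string identically.
    """
    cmd = f"echo resolving {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_hostname(name: str) -> bool:
    """Allow-list check: length-limited, RFC 1123 characters only."""
    return len(name) <= 253 and HOSTNAME_RE.match(name) is not None


def resolve_hardened(name: str) -> str:
    """GOOD: validate first, then pass an argv list so the value is one argument.

    Without a shell, characters such as ; | & $ ( ) are never interpreted.
    """
    if not is_valid_hostname(name):
        raise ValueError(f"rejected input: {name!r}")
    result = subprocess.run(["echo", "resolving", name],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", resolve_vulnerable(PAYLOAD).rstrip())   # two commands ran
    print("hardened  :", resolve_hardened("example.com").rstrip())
    try:
        resolve_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened  :", exc)
```

Validation alone is not enough if the value still ends up inside a shell string (a permitted hostname can still break a quoting scheme), and an argv list alone is not enough if the invoked program treats arguments as options (`-` prefixed input); the two defenses are applied together.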
Threat hunting activities
understand threats; know the network, critical data and business processes; know normal vs abnormal system behavior; use threat intel and indicators of compromise; analyze and seek root cause; respond; correlation is critical
Active Directory Enterprise admin
universal (not global), all powerful group with full control over every domain in the forest
mobility disaster recovery kit
unlocked phones sim cards charged batts solar
Network Monitoring
use HIDS to monitor traffic on each network node; costly; myopic; can stop known and unknown attacks
snmp-check
use target IP address and SNMP community string to enumerate system details
private internet
network used exclusively within an organization
chown command
used on Unix-like systems to change the owner of file system files, directories
ping
used to enumerate systems during the scanning phase | ICMP command line
Workgroup drawbacks
user management is chaotic and difficult; no centralization of policy or auditing; no SSO; no consistent permissions
Asymmetric
uses a key pair to encrypt / decrypt data
John the Ripper - external mode
uses an external program (modules) to generate guesses for algorithms not natively supported
John the Ripper - word list mode
uses dictionary and hybrid can perform substitutions and transformations
Qualitative
uses processes to determine asset worth and valuation to the organization
John the Ripper - single crack mode
uses variations of account name, GECOS, and more faster and used first
Risk Management
using strategies to reduce the amount of risk to an acceptable level
Repellent Alarms
usually sound an audio siren or bell and turn lights on
AV
value of an asset in dollars
info-centric defense
value of info determines defense
cryptographic key
values that initialize a particular algorithm; must be protected at all costs; uniqueness and length matter; the keyspace grows exponentially, not linearly, with key length
/var
variable, malleable content, including logging, web, etc. set as separate partition for security
Volume Storage
virtual hard drive; data dispersion and/or encryption
Tunnel Mode (IPSec)
virtual tunnel between GATEWAYS Encrypts the entire IP packet sent to gateway (destination) where it is unpacked and routed on
decoy IP
visible but unused IP appear active with open port and vulnerable service appear as real systems to attackers
integrity
vs alteration; banking and finance
availability
vs destruction; e-commerce
Penetration Testing Techniques
war dialing war driving sniffing eavesdropping dumpster diving social engineering
End of mainstream support
warranties expire for the product and it is no longer improved only security patching
sticky bit
historically used on executables to keep them resident in memory; now applies to directories, where it ensures a user can delete only his/her own files (e.g. /tmp)
baselining for endpoint security
what is normal? traffic type, volume logs access time, length system config
identity
who you claim to be
ncpa.cpl
Windows command that opens the Network Connections control panel applet
/tmp
writable directory; good practice is to set sticky bit, or otherwise avoid their use