Acronyms Flashcards
TTPs
tactics techniques and procedures of a threat actor
FAR
False acceptance rate. Letting an unauthorized person have access to a location
FRR
False rejection rate. Rejecting authorized personnel
CER
Crossover error rate. The point where FAR and FRR balance for optimal authentication effectiveness. Lower is better
SOPs
standard operating procedure. Detailed step by step instructions for implementing changes
-has to do with change management
CAB
Change advisory board
APT
Advanced persistent threat
used synonymously with nation-state threat actors since they have long-term persistence and stealth
it is a prolonged and targeted cyber attack where the threat actor gains access to a network and remains undetected while they steal data or monitor the network
XXE (XML External Entity Attack)
attempts to read local resources like password hashes in the shadow file
XSS
cross site scripting
injects a malicious script into a trusted site to compromise the site's visitors
DOM XSS
document object model
exploits the client's web browser using client-side scripts to modify the content and layout of the webpage; the client's device executes the attack
NOP Slide
attackers fill the buffer with NOP (no-operation) instructions. The return address lands in the NOPs and execution slides down them until it reaches the attacker's code
TOC
Time of Check. Attackers manipulate a resource's state after it is checked but before it is used
TOU
Time of Use. Attackers alter a resource’s state after it is checked but before it is used.
TOE
Time of Evaluation. Attackers manipulate data or resources during the system's decision-making or evaluation process
In the context of security, time of evaluation could refer to when a security policy or access control rule is evaluated to determine whether to grant or deny access to a resource. For instance, if a security policy is evaluated before a user logs in, it may grant access based on outdated or incomplete information, leading to a security vulnerability.
CSRF
cross site request forgery. Triggers actions on a different website without the user's consent
exploits the trust a user has in the browser
DLL
Dynamic Link Library
collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software development
IPS
intrusion prevention system
can identify and respond to DoS attacks for small-scale incidents
LDAP
lightweight directory access protocol
an open, vendor-neutral industry standard application protocol for accessing and maintaining distributed directory information services over an IP network
DNSSEC
domain name system security extensions; add digital signatures to DNS data
DAC
discretionary access control
allows object owners to directly control access using tools like chown and chmod
SELinux uses MAC, not DAC
RTOS
Real time OS
SCADA
supervisory control and data acquisition systems
type of ICS designed for monitoring and controlling geographically dispersed industrial processes
common in electric power generation, transmission and distribution systems
water treatment, oil and gas
PLCs
programmable logic controllers
used to control specific processes such as assembly lines and factories
DCS
distributed control system
used to control production systems within a single location
ICS
industrial Control System
used to monitor and control industrial processes found in industries like electrical, water, oil, gas and data
GDPR
general data protection regulation
protects EU citizen data
compliance required regardless of location
PII
personally identifiable information
names, SSN, addresses
PHI
personal health info
protected under HIPAA
IPSec
Internet Protocol Security. Secures IP communications by authenticating and encrypting IP packets
RAID
redundant array of independent disks
UPS
Uninterruptible Power Supplies (UPS)
● Provide emergency power during power source failures
● Offer line conditioning functions
● Include battery backup to maintain power during short-duration failures
● Typically supply 15 to 60 minutes of power during a complete power failure
PDC
Power distribution center
Central hub for power reception and distribution
● Includes circuit protection, monitoring, and load balancing
● Integrates with UPS and backup generators for seamless transitions during power events
RPO
Recovery Point Objective (RPO)
○ Ensures that the backup plan will maintain the amount of data required to keep any data loss under the organization's RPO threshold
COOP
continuity of operations plan
Ensures an organization's ability to recover from disruptive events or disasters
BC Plan
business continuity planning
Plans and processes for responding to disruptive events
● Addresses a wide range of threats and disruptive incidents
● Involves preventative actions and recovery steps
● Can cover both technical and non-technical disruptions
DRP
disaster recovery plan
Focuses on plans and processes for disaster response
● Subset of the BC Plan
● Focuses on faster recovery after disasters
● Addresses specific events like hurricanes, fires, or floods
UAC
user account control
a mechanism designed to ensure that actions requiring admin rights are explicitly authorized by the user
ABAC
attribute based access control
includes user attributes like name and Org ID; environmental attributes like time of access, date, location, etc.; and resource attributes like resource owner, file name and data sensitivity
RBAC (Rule-Based): Access is based on predefined rules that apply universally.
ABAC: Access is based on the evaluation of multiple attributes of the user, resource, and environment
Rule based access control
uses security rules or access control lists
policies can be changed quickly
applied across multiple users on a network segment
as needed access, require certain location, limit access based on device
lots of control and flexibility
dynamic
RBAC
role based
assigns users to roles and assigns permissions to roles
mimics orgs hierarchy
enforces minimum privileges
sometimes a user needs more access and they cannot get it because it's not within their role
DAC
discretionary access control
least restrictive
role based access control
admin can quickly and easily configure permissions
gives too much authority to admin
resource owners specify which users can access their resource
MAC
mandatory access control
most restrictive
most beneficial for maximum security orgs
uses security labels to authorize resources
access is granted if user label is equal or higher than the resource’s label
JIT permissions
just in time, grants admin access only when needed for a specific time period and task
SAML
Security Assertion Markup Language
important for SSO
when a sales employee at organization X tries to access a third-party app from company Z, org X (the IdP in this scenario) kicks into action and sends a message to org Z saying this user is valid. Org Z then creates a session for that user
standard for logging users into apps based on sessions in another context
OAuth
How can we let a third-party app access a user's data without giving the app their credentials?
Users only ever enter their password in one place (the OAuth provider), not in every app.
for example, if you log in to Reddit with Google you don't give Reddit your Gmail password; you sign in to Gmail first
open standard for token-based authentication and authorization
allows third-party services to access user account info without exposing passwords
used with RESTful APIs
LDAP
lightweight directory access protocol
used to access and maintain distributed directory information
can share user info across network devices
it's like a phone book and is used when you don't know the exact information about a given resource or individual; it uses AD to help you find them
can be used to share information in SSO
PAM
privileged access management
JIT (just in time) permissions
password vaulting
temporary accounts
Privileged Access Management (PAM) is a critical security measure that helps organizations control, monitor, and secure access to systems and data by users with elevated privileges
BYOD
bring your own device
COPE
corporate owned, personally enabled
high initial investment
employees may have privacy concerns
CYOD
employees select devices from a company approved list
choose your own device
ICS
industrial control system
DCS
distributed control system
PLCs
programmable logic controllers
used to control specific processes such as assembly lines and factories
SCADA
supervisory control and data acquisition systems
type of ICS used for controlling geographically dispersed industrial processes
RTOS
real time OS
critical for time sensitive apps
OTA
over the air updates for real time operating systems
WAP
wireless access point
ESS
extended service set
multiple WAPs working together to provide seamless network coverage
WEP
wired equivalent privacy
outdated encryption protocol
SAE
simultaneous authentication of equals
replaces the 4-way handshake with a Diffie-Hellman key exchange
protects against offline dictionary attacks
AAA protocols
important for centralized user authentication and access control
RADIUS
Remote Authentication Dial-In User Service
Function: Handles authentication, authorization, and accounting for users accessing a network.
How it works: Users’ credentials are sent to a RADIUS server, which checks the information and sends back a response to allow or deny access.
TACACS+
Terminal Access Controller Access-Control System Plus
Usage: Often used in enterprise networks for managing access to routers, switches, and other network devices.
Function: Separates authentication, authorization, and accounting processes, offering more flexibility and detailed control.
How it works: Similar to RADIUS, but allows for more granular control over command execution and user privileges on network devices
EAP
extensible authentication protocol
authentication framework supporting multiple methods
can be used with AAA protocols as the authentication piece for user access to networks
PEAP
protected extensible authentication protocol
encapsulates EAP within an encrypted TLS tunnel
can be used with AAA protocols as the authentication piece for user access to networks
EAP-FAST
extensible authentication protocol tunneled transport layer security
extends TLS support across platforms
can be used with AAA protocols as the authentication piece for user access to networks
SAST
Static code analysis
reviewing and examining source code before running the program
identifies issues like buffer overflows, SQL injection and XSS
DAST
dynamic code analysis
OSINT
open source intelligence
Collected from publicly available sources like reports, forums, news articles, blogs, and social media
CVSS
common vulnerability scoring system
CVE
common vulnerabilities and exposures
system that provides a standardized way to uniquely identify and reference known vulnerabilities in software and hardware
SPOG
single pane of glass
MRTG
multi router traffic grapher
Creates graphs displaying network traffic flows through routers and switches
■ Uses SNMP (Simple Network Management Protocol) to gather data
■ Helps identify traffic patterns and anomalies by visualizing data transfer volumes
Zeek
Hybrid tool for network monitoring
■ Monitors traffic like NetFlow but logs full packet captures based on interest
■ Filters or signatures trigger full packet capture to analyze specific data
■ Normalizes data for easy import into other tools for visualization and analysis
FPC
full packet capture
Captures entire packets, including headers and payloads
Network and Flow Analysis
CVSS
Common Vulnerability Scoring System (CVSS)
Used to provide a numerical score reflecting the severity of a vulnerability (0 to 10)
■ Scores are used to categorize vulnerabilities as none, low, medium, high, or critical
■ Scores assist in prioritizing remediation efforts but do not account for existing mitigations
CPE
(Common Platform Enumeration)
● Identifies hardware devices, operating systems, and applications
● Standard formatting
CCE
common configuration enumeration, a method for SCAP
Scheme for provisioning secure configuration checks across multiple sources
● Provides unique identifiers for different system configuration issues
ARF
asset reporting format
SCAP language
XML schema for expressing information about assets and their relationships
● Vendor and technology neutral
● Flexible
● Suited for a wide variety of reporting applications
XCCDF
SCAP language
(Extensible Configuration Checklist Description Format)
XML schema for developing and auditing best-practice configuration checklists and rules
● Allows improved automation
OVAL
a SCAP language
(Open Vulnerability and Assessment Language)
SCAP
Security Content Automation Protocol (SCAP)
Suite of open standards that enhances the automation of vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization
■ Developed by the National Institute of Standards and Technology (NIST)
■ Enhances the automation of security tasks, including the following
● Vulnerability scanning
● Configuration checking
● Software inventory
QRadar
A SIEM log management, analytics, and compliance reporting platform created by IBM
ArcSight
SIEM log management and analytics software
● Suitable for compliance reporting for regulations like HIPAA, SOX, and PCI DSS
ELK
(Elastic Stack)
● A collection of free and open-source SIEM tools, including the following
○ Elasticsearch
○ Logstash
○ Kibana
○ Beats
Components work together for log collection, storage, analysis, and visualization
MIB
management info base
A hierarchical namespace containing OIDs and their descriptions
● Describes the structure of device subsystem management data
● Stores consolidated information received through SNMP traps
OID
Unique object identifier used to identify variables for reading or setting via SNMP
● Allows the manager to distinguish individual SNMP trap messages
SNMP
Simple Network Management Protocol (SNMP)
An Internet protocol used for collecting information from managed devices on IP networks and modifying device behavior
Managed devices include the following
● Routers
● Switches
● Firewalls
● Printers
● Servers
● Client devices
SNMP Agents and Manager
Asynchronous notifications (traps) from agents to the manager to notify of significant events
DLP
data loss prevention
a strategy to prevent sensitive data from leaving an org
aims to monitor data in use, in transit or at rest to detect and prevent data theft
curl
a command-line API testing tool
SOAP
simple object access protocol
REST
representational state transfer
SOAR
(Security Orchestration, Automation, and Response)
■ Class of security tools for incident response, threat hunting, and security configurations
■ Purpose
● Orchestrate and automate runbooks, deliver data enrichment
■ Example
● Integrating SIEM and SOAR for advanced security capabilities
RCA
root cause analysis
SIEM
security info and event monitoring system
Real-time analysis of security alerts from applications and network hardware
■ Combination of different data sources into one tool
■ Provides a consolidated view of network activity
■ Allows for trend analysis, alert creation, and correlation of data
nxlog
Multi-platform, open-source log management tool
■ Identifies security risks and analyzes logs from servers, OSes, and applications
sFlow
Network protocol for collecting active IP network traffic data
■ Provides information on source, destination, volume, and path
IPFix
(Internet Protocol Flow Information Export)
■ Universal standard for exporting IP flow information
■ Used for mediation, accounting, and billing by defining the data format for exporters and collectors
EF
exposure factor
● Proportion of asset lost in an event (0% to 100%)
● Indicates asset loss severity
e.g. flooding hitting headquarters might mean a 70% loss of the asset
SLE
single loss expectancy
Calculated as Asset Value x Exposure Factor (EF)
e.g. 70% x $5,000 (asset value) = $3,500
ARO
annualized rate of occurrence
● Estimated frequency of threat occurrence within a year
● Provides a yearly probability
ALE
Annualized Loss Expectancy (ALE)
SLE x ARO
KRIs
key risk indicators
Predictive metrics signaling increasing risk exposure
■ Provide early warning of potential risks
■ Tied to the organization’s objectives
■ Used to monitor risk changes and take proactive steps
MTBF
mean time between failures
a high MTBF means the system doesn't fail often
RPO
recovery point objective
max acceptable data loss measured in time
MTTR
mean time to repair
average time to repair a failed component or system
BIA
business impact analysis
■ Evaluates effects of disruptions on business functions
■ Identifies and prioritizes critical functions
■ Assesses impact of risks on functions
■ Determines required recovery time for functions
NGFW
next gen firewall
- application aware (distinguishes different types of traffic)
-conducts deep packet analysis
-operates fast
WAF
web app firewall
-filters HTTP traffic
-prevents SQL injection, etc.
ACL
access control list
- essential for securing networks from unwanted traffic
-consist of permit and deny statements, often based on port numbers
-place the most specific rules at the top and generic rules at the bottom
NAC
network access control
-used to protect networks from both known and unknown devices by scanning devices to assess their security status before granting network access
-can be applied as a hardware or a software solution
DKIM
domainkeys identified mail
-Allows the receiver to verify the source and integrity of an email by adding a digital signature to the email headers
● The recipient server validates the DKIM signature using the sender's public cryptographic key in the domain's DNS records
● Benefits
○ Email authentication
○ Protection against email spoofing
○ Improved email deliverability
○ Enhanced reputation score
SPF
sender policy framework
Prevents sender address forgery by verifying the sender's IP against authorized IPs listed in the sender's domain DNS records
● A receiving server checks if the sender's IP is authorized in the SPF record
DMARC
domain based message authentication reporting and conformance
DMARC detects and prevents email spoofing by setting policies for email sending and handling failures
● DMARC can work with DKIM, SPF, or both
● Implementation helps protect against
○ Business email compromise attacks
○ Phishing
○ Scams
○ Cyber threats
EDR
endpoint detection and response
Category of security tools that monitor endpoint and network events and record the information in a central database
FIM
file integrity monitoring
Validates the integrity of operating system and application software files by comparing their current state with a known, good baseline
■ Identifies changes to
● Binary files
● System and Application Files
● Configuration and Parameter Files
■ Monitors critical system files for changes using agents and hash digests, triggering alerts when unauthorized changes occur
XDR
extended detection and response
Security strategy that integrates multiple protection technologies into a single platform
■ Improves detection accuracy and simplifies incident response
■ Correlates data across multiple security layers to detect threats faster, including
● email
● endpoint
● server
● cloud workloads
● network
○ Difference between EDR and XDR
■ EDR is focused on the endpoints to detect and respond to potential threats
■ XDR is a more comprehensive solution because it focuses on endpoints, but also on networks, cloud, and email to detect and respond to potential threats
● It integrates multiple protection technologies
UBA
user behavior analytics
advanced security strategy that uses big data and machine learning to analyze behaviors for detecting security threats
UEBA
User and Entity Behavior Analytics (UEBA)
■ Technology similar to UBA but extends the monitoring to entities like routers, servers, and endpoints in addition to user accounts
TCP
TCP (Transmission Control Protocol)
● Connection-oriented, ensuring data delivery without errors
● Ideal for applications where data accuracy is crucial, like web and email servers
● Uses acknowledgments, retransmission, and sequencing for data integrity
UDP
Connectionless and faster, but doesn’t guarantee data delivery
● Suitable for applications prioritizing speed over accuracy, like streaming video or gaming