Acronyms 2 Flashcards
Control Plane
used to achieve zero trust
includes adaptive identity, threat scope reduction and secured zones
Data Plane
subject/system, policy engine, policy admin, and enforcement point
ensures policies are properly executed
Threat
anything that could cause harm, loss damage or compromise to our info tech systems
Vulnerability
any weakness in system design
- Software bugs
● Misconfigured software
● Improperly protected network devices
● Missing security patches
● Lack of physical security
Risk Management
Finding different ways to minimize the likelihood of an outcome and achieve the
desired outcome
Confidentiality
Refers to the protection of information from unauthorized access and disclosure
■ Ensure that private or sensitive information is not available or disclosed to
unauthorized individuals, entities, or processes
reasons for it
-maintain a business advantage
- achieve compliance
- protect personal privacy
Ways to ensure confidentiality
data masking, physical security, training, encryption and access controls
Integrity
Helps ensure that information and data remain accurate and unchanged from its
original state unless intentionally modified by an authorized individuals
Hashing
checksums
digital signatures
access controls
regular audits
Availability
Ensure that information, systems, and resources are accessible and operational
when needed by authorized user
authentication
Security measure that ensures individuals or entities are who they claim to be
during a communication or transactio
Syslog Server
used to achiev accounting
it aggregates logs from various network devices
SIEM
Security Information and Event Management Systems
Provides us with a real-time analysis of security alerts generated by
various hardware and software infrastructure in an organization
Technical Controls
Technologies, hardware, and software mechanisms that are implemented
to manage and reduce risks
Managerial Controls
Sometimes also referred to as administrative controls
● Involve the strategic planning and governance side of security
Operational controls
Procedures and measures that are designed to protect data on a
day-to-day basis
● Are mainly governed by internal processes and human actions
Physical Controls
Tangible, real-world measures taken to protect assets
Preventative Controls
Proactive measures implemented to thwart potential security threats or
breaches
Deterrent Controls
Discourage potential attackers by making the effort seem less appealing or more challenging
Detective Control
Monitor and alert organizations to malicious activities as they occur or
Corrective Controls
Mitigate any potential damage and restore our systems to their normal state
Compensating Controls
Alternative measures that are implemented when primary security controls are not feasible or effective
Directive Controls
Guide, inform, or mandate actions
● Often rooted in policy or documentation and set the standards for
behavior within an organization
Gap Analysis
Process of evaluating the differences between an organization’s current
performance and its desired performance
Technical Gap Analysis
infrastructure
Business Gap Analysis
POA&M
plan of action and milestones
used in gap analysis
Outlines the specific measures to address each vulnerability
● Allocate resources
● Set up timelines for each remediation task that is neede
Zero Trust
demands verification for every device, user, and transaction within the
network, regardless of its origin
Adaptive Identity
Relies on real-time validation that takes into account the
user’s behavior, device, location, and more
Threat Scope Reduction
Limits the users’ access to only what they need for their
work tasks because this reduces the network’s potential
attack surface
Policy Driven Access Control
Entails developing, managing, and enforcing user access
policies based on their roles and responsibilities
Secured Zones
Isolated environments within a network that are designed
to house sensitive data
Policy Engine
Cross-references the access request with its predefined
policies
Policy Admin
Used to establish and manage the access policies
Policy Enforcement Point
Where the decision to grant or deny access is actually
execute
Unskilled Attackers
Limited technical expertise, use readily available tools
Hacktavist
Driven by political, social, or environmental ideologies
Organized Crime
Execute cyberattacks for financial gain (e.g., ransomware, identity theft)
Nation State Actor
Highly skilled attackers sponsored by governments for cyber espionage or
warfare
Insider Threat
Security threats originating from within the organization
Shadow IT
IT systems, devices, software, or services managed without explicit organizational
approval
Honeypot
Decoy systems to attract and deceive attackers
Honeynet
Network of decoy systems for observing complex attacks
Honeyfiles
Decoy files to detect unauthorized access or data breaches
Honeytoken
Fake data to alert administrators when accessed or used
Threat Actor Intent
Specific objective or goal that a threat actor is aiming to achieve through their attack-
Threat Actor Motivation
underlying reasons or driving forces that push threat actor to carry out attack
data exfiltration
Unauthorized transfer of data from a computer
Espionage
Spying on individuals, organizations, or nations to gather sensitive or
classified information
Script Kiddie
Individual with limited technical knowledge
Nation State Actor
Groups or individuals that are sponsored by a government to conduct cyber
operations against other nations, organizations, or individuals
False Flag Attack
Attack that is orchestrated in such a way that it appears to originate from a different source or group than the actual perpetrators, with the intent
to mislead investigators and attribute the attack to someone else
APT
Advanced Persistent Threat
Term that used to be used synonymously with a nation-state actor because of
their long-term persistence and stealth
-A prolonged and targeted cyberattack in which an intruder gains unauthorized
access to a network and remains undetected for an extended period while trying
to steal data or monitor network activities rather than cause immediate damage
Insider Threat
Cybersecurity threats that originate from within the organization
Threat Vector
Means or pathway by which an attacker can gain unauthorized access to a computer or network to deliver a malicious payload or carry out an unwanted
action
- the “how” of the attack
Ex. Message based threat vector
Attack Surface
Encompasses all the various points where an unauthorized user can try to enter
data to or extract data from an environment
-the “where” of the attack
Baiting
Leaving a malware-infected USB drive in a location where a target may find it
BlueBorne
Set of vulnerabilities in Bluetooth technology that can
allow an attacker to take over devices, spread malware, or
even establish an on-path attack to intercept communications without any user interaction
BlueSmack
Type of Denial of Service attack that targets Bluetooth-enabled devices by sending a specially crafted Logical Link Control and Adaptation Protocol packet to a
target device
TTPs
Tactics techniques and procedures of how a threat actor operates
Deception and Disruption Technologies
honeypots, bogus DNS entries, etc
Dynamic Page Generation purpose
Effective against automated scraping tools or bots trying to index or steal content from your organization’s website
Port Triggering
Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected
purpose of spoofing fake telemetry data
When a system detects a network scan is being attempted by an attacker, it can be configured to respond by sending out fake telemetry or network
data
Bollard
Robust, short vertical posts, typically made of steel or concrete, that are designed to manage or redirect vehicular traffic
Brute Force
Type of attack where access to a system is gained by simply trying all of the possibilities until you break through
Surveillance System
Organized strategy or setup designed to observe and report activities in a given
area. Can be as simple as a security guard.
PTZ System
Pan-Tilt-Zoom (PTZ) System
Infrared Sensors
Detect changes in infrared radiation that is often emitted
by warm bodies like humans or animal
Microwave Sensor
Detect movement in an area by emitting microwave pulses
and measuring their reflection off moving objects
Ultrasonic Sensors
Measures the reflection of ultrasonic waves off moving
objects
EMI
Electromagnetic Interference
Involves jamming the signals that surveillance system relies on to monitor the environment
Access Control Vestibule
Double-door system that is designed with two doors that are electronically
controlled to ensure that only one door can be open at a given time
Piggybacking
Involves two people working together with one person who has legitimate access intentionally allows another person who doesn’t have
proper authorization to enter a secure area with them
Tailgating
Occurs whenever an unauthorized person closely follows someone
through the access control vestibule who has legitimate access into the secure space without their knowledge or consent
NFC and RFID
RFID (Radio-Frequency Identification)
● NFC (Near-field Communication)
FAR
false acceptance rate
FRR
false rejection rate
CER
cross over error rate
Cipher Lock
■ Mechanical locks with numbered push buttons, requiring a correct combination
to open
■ Commonly used in high-security areas like server rooms
Social Engineering
Manipulative strategy exploiting human psychology for unauthorized access to
systems, data, or physical spaces
Impersonation
Pretending to be someone else
Pretexting
Creating a fabricated scenario to manipulate targets
Social Proof- Social engineering strategy
Psychological phenomenon where individuals look to the behaviors and actions of others to determine their own decisions or actions in similar
situations
Brand Impersonation
pretending to be Kohls on twitter
Typosquatting
Also known as URL hijacking or cybersquatting
Form of cyber attack where an attacker will register a domain name that is similar to a popular website but contain some kind of common typographical errors
Watering hole attack
Targeted form of cyber attack where attackers compromise a specific website or service that their target is known to use
Phishing
Sending fraudulent emails that appear to be from reputable sources with the aim of convincing individuals to reveal personal information, such as
passwords and credit card numbers
Spear Phishing
More targeted form of phishing that is used by cybercriminals who are
more tightly focused on a specific group of individuals or organizations
● Has a higher success rate
Whaling
Form of spear phishing that targets high-profile individuals, like CEOs or
CFOs
BEC
Business email compromise
Sophisticated type of phishing attack that usually targets businesses by
using one of their internal email accounts to get other employees to perform some kind of malicious actions on behalf of the attacke
Vishing
voice phishing
Smishing
SMS phishing
Anti-phishing campaign
part of security awareness training
Fraud
Wrongful or criminal deception that is intended to result in financial or personal
gain for the attacker
Identity Fraud
using someone else’s cc #
Identity Theaft
fully impersonating someone else
Scams
fraudulent or deceptive act or operation
Invoice Scam
In which a person is tricked into paying for a fake invoice for a
product or service that they did not actually order
Influence campaign
Coordinated efforts to affect public perception or behavior towards a particular
cause, individual, or group
Misinformation
False or inaccurate information shared without harmful intent
Disinformation
Involves the deliberate creation and sharing of false information with the intent to deceive or mislead
Diversion Theft
Involves manipulating a situation or creating a distraction to steal
valuable items or information
Hoax
Malicious deception that is often spread through social media, email, or
other communication channels
● Often paired with phishing attacks and impersonation attacks
Dumpster Diving
involves searching through trash to find valuable information
● Commonly used to find discarded documents containing personal or
corporate information
● Use clean desk and clean desktop policie
Malware
Malicious software designed to infiltrate computer systems and potentially damage them without user consent
Types of malware
Viruses
■ Worms
■ Trojans
■ Ransomware
■ Spyware
■ Rootkits
■ Spam
Viruses
Made up of malicious code that’s run on a machine without the user’s knowledge and this allows the code to infect the computer whenever it has been
run
Worms
standalone programs replicating and spreading to other computers without any user interaction
Trojans
Disguise as legitimate software, grant unauthorized access
Ransomeware
Encrypts user data, demands ransom for decryption
Boot sector virus
One that is stored in the first sector of a hard drive and is then loaded into memory whenever the computer boots up
Macro Virus
Form of code that allows a virus to be embedded inside another
document so that when that document is opened by the user, the virus is executed
Program Virus
Try to find executables or application files to infect with their malicious code
Multipartite Virus
Combination of a boot sector type virus and a program virus
Encrypted Virus
Designed to hide itself from being detected by encrypting its malicious code or payloads to avoid detection by any antivirus software
Polymorphic Virus
Advanced version of an encrypted virus, but instead of just encrypting the
contents it will actually change the viruses code each time it is executed by altering the decryption module in order for it to evade detection
Metamorphic Virus
Able to rewrite themselves entirely before it attempts to infect a given file
Stealth Virus
Technique used to prevent the virus from being detected by the anti-virus software
Armored Virus
Have a layer of protection to confuse a program or a person who’s trying to analyze it
RAT
Remote access trojan
Widely used by modern attackers because it provides the attacker with remote
control of a victim machine
Botnet
Network of compromised computers or devices controlled remotely by malicious
actor
Zombie
Name of a compromised computer or device that is part of a botnet
Command and control node
Computer responsible for managing and coordinating the activities of other nodes or devices within a network
DDoS
Occurs when many machines target a single victim and attack them at the
exact same time
Rootkit
Designed to gain administrative level control over a given computer system
without being detected
Ring 3
outermost ring where user level permissions are used
Ring 0
highest permission levels
Kernel Mode
located in ring 0
Allows a system to control access to things like device drivers, your sound card, your video display or monitor, and other similar things
DLL
dynamic link library
Collection of code and data that can be used by multiple programs
simultaneously
DLL Injection
Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library
Shim
Piece of software code that is placed between two components and that
intercepts the calls between those components and can be used redirect them
Backdoor
Originally placed in computer programs to bypass the normal security and authentication functions
Remote Access Trojan (RAT) acts just like a backdoor in our modern networks
Easter Egg
a hidden feature or novelty within a program that is typically inserted by the software developers as an inside joke
Logic Bomb
Malicious code that’s inserted into a program, and the malicious code will only
execute when certain conditions have been met
Keylogger
Piece of software or hardware that records every single keystroke that is made
on a computer or mobile device
can be software or hardware keylogger
Spyware
Malicious software that is designed to gather and send information about a user
or organization without their knowledge
Bloatware
Any software that comes pre-installed on a new computer or smartphone that
you, as the user, did not specifically request, want, or need
Malware Exploitation Technique
Specific method by which malware code penetrates and infects a targeted system
Fileless Malware
is used to create a process in the system memory without
relying on the local file system of the infected hos
Fileless Malware Stage 1 Dropper or Downloader
Dropper - Specific malware type designed to initiate or run other malware forms within a payload on an infected host
Downloader - Retrieve additional tools post the initial infection facilitated by a dropper
Shellcode
Broader term that encompasses lightweight code meant to
execute an exploit on a given targe
Actions on Objectives Phase
Threat actors will execute primary objectives to meet core
objectives like
■ data exfiltration
■ file encryption
concealment
hiding tracks
■ erasing log files
■ hiding any evidence of malicious activity
Living off the Land
A strategy adopted by many Advanced Persistent Threats
and criminal organizations
■ the threat actors try to exploit the standard tools to
perform intrusions
Impossible Travel
Refers to a scenario where a user’s account is accessed from two or more
geographically separated locations in an impossibly short period of time
Data Protection
Safeguarding information from corruption, compromise, or loss
Data Sovereignty
Information subject to laws and governance structures within the nation it is
collected
DLP
data loss prevention
Data Classification
Based on the value to the organization and the sensitivity of the information,
determined by the data owner
Sensitive Data
Information that, if accessed by unauthorized persons, can result in the loss of
security or competitive advantage for a company
Commerical Public Data
No impact if released; often publicly accessible data
Commerical Sensitive Data
Minimal impact if released, e.g., financial data
Commerical Private Data
Contains internal personnel or salary information
Commerical Confidential Data
Holds trade secrets, intellectual property, source code, etc.
Commerical Critical Data
Extremely valuable and restricted information
Government Unclassified Data
Generally releasable to the public
Government Sensitive but unclassified data
Includes medical records, personnel files, etc.
Government confidential data
Contains information that could affect the government
Government Secret data
Holds data like military deployment plans, defensive postures
Government top secret data
Highest level, includes highly sensitive national security information
Data Ownership
Process of identifying the individual responsible for maintaining the
confidentiality, integrity, availability, and privacy of information assets
Data Owner
A senior executive responsible for labeling information assets and ensuring they are protected with appropriate controls
Data Controller
Entity responsible for determining data storage, collection, and usage purposes
and methods, as well as ensuring the legality of these processes
Data Processor
A group or individual hired by the data controller to assist with tasks like data
collection and processing
Data Steward
Focuses on data quality and metadata, ensuring data is appropriately labeled and
classified, often working under the data owner
Data Custodian
Responsible for managing the systems on which data assets are stored, including
enforcing access controls, encryption, and backup measures
Privacy Officer
Oversees privacy-related data, such as personally identifiable information (PII),
sensitive personal information (SPI), or protected health information (PHI),
ensuring compliance with legal and regulatory frameworks
Data at Rest
Data stored in databases, file systems, or storage systems, not actively moving
FDE
full disk encryption
Data in Transit
Data actively moving from one location to another, vulnerable to interception
SSL and TLS
Secure Sockets layer and Transport layer security. It secures and encrypts communciaion over networks
VPN
virtual private network
Creates secure connections over less secure networks like the
internet
IPSec
Secures IP communications by authenticating and encrypting IP
packets
Data in use
Data actively being created, retrieved, updated, or deleted
Regulated Data
Controlled by laws, regulations, or industry standards GDPR, HIPPA
PII
Personal Identification Information
PHI
Protected Health Information
Trade Secrets
Confidential business information giving a competitive edge (e.g., manufacturing
processes, marketing strategies, proprietary software)
IP
intellectual property
Creations of the mind (e.g., inventions, literary works, designs)
Human readable data
Understandable directly by humans (e.g., text documents, spreadsheets)
Non human readable data
Requires machine or software to interpret (e.g., binary code, machine language)
contains sensitive information that
Data Sovereignty
■ Digital information subject to laws of the country where it’s located
■ Gained importance with cloud computing’s global data storage
GDPR (General Data Protection Regulation)
Protects EU citizens’ data within EU and EEA borders
■ Compliance required regardless of data location
■ Non-compliance leads to significant fines
Geofencing
Virtual boundaries to restrict data access based on location
Hashing
■ Converts data into fixed-size hash values
■ Irreversible one-way function
■ Commonly used for password storage
Tokenization
Replace sensitive data with non-sensitive tokens. Original data stored securely in a separate database. Often used in payment processing for credit card protection
Obfuscation
Make data unclear or unintelligible
Segmentation
Divide network into separate segments with unique security controls
DLP
Data loss prevention
Aims to monitor data in use, in transit, or at rest to detect and prevent data theft
can be hardware or software
Types of DLP systems
endpoint DLP (installed on laptops)
Network DLP
Storage DLP
Cloud based DLP
Risk Identification
Proactive process recognizing potential risks
Risk Analysis
Evaluate likelihood and potential impact
Qualitative or quantitative methods
Risk Monitoring
Monitor residual risks, identify new risks, and review risk management
effectiveness
Risk Reporting
Communicate risk information and effectiveness of risk management to
stakeholders
● Various forms
○ Dashboards
○ Heat Maps
○ Detailed Reports
Qualitative Risk Analysis
Assess and prioritize risks based on likelihood and impact
Quantitative Risk Analysis
Numerically estimate probability and potential impact
Ad hoc risk assessment
Conducted as needed, often in response to specific events or situations
One time risk assessment
Conducted for specific projects or initiatives
BIA
Business Impact Analysis
Evaluates effects of disruptions on business functions
Identifies and prioritizes critical functions
Determines required recovery time for functions
RTO
recovery time objective
Maximum acceptable time before severe impact
RPO
Recovery point objective
Maximum acceptable data loss measured in time
MTTR
mean time to repair
MTBF
mean time between failures
Risk Reigster
Records identified risks, descriptions, impacts, likelihoods, and mitigation actions
Risk Impact
Low medium or high
Risk liklihood
probability of risk occurrence rated on a scale numerical or descriptive
Risk outcome
result if it occurs
Risk level or threshold
Determined by combining the impact and likelihood
Prioritizes risks (e.g., high, medium, low)
Risk Tolerance/Risk acceptance
An organization or individual’s willingness to deal with uncertainty in
pursuit of their goals
● Maximum amount of risk they are willing to accept
● Acceptance without countermeasures
Risk Appetite
Willingness to pursue or retain risk
expansionary, conservative etc
KRIs
key risk indicators
Risk Owner
Responsible for managing the risk
Monitors, implements mitigation actions, and updates Risk Register
EF
exposure factor
Proportion of asset lost in an event (0% to 100%)
SLE
single loss expectancy
Monetary value expected to be lost in a single event
Asset value x EF
ARO
annualized rate of occurence
ALE
Annualized Loss Expectancy (ALE))
SLE x ARO
Risk transference
Shifts risk to another party
Common methods
○ Insurance
○ Contract indemnity clauses
Contract Indemnity Clause
■ A contractual agreement where one party agrees to cover
the other’s harm, liability, or loss stemming from the
contract
Risk Acceptance
Acknowledge and deal with risk if it occurs
Exemption
(excludes party from a rule
Exception
(allows party to avoid rule under specific conditions)
Risk Avoidance
Change plans or strategies to eliminate a specific risk
Risk Mitigation
Take steps to reduce likelihood or impact of risk
● Common strategy involving various actions
Residual Monitoring
The likelihood and impact of the risk after mitigation,
transference, or acceptance measures have been taken on the initial risk
Control Risk
Assessment of how a security measure has lost effectiveness over time
Risk reporting
Communicating information about risk management activities to stakeholders
Third Party Vendor Risks
Potential security and operational challenges from external collaborators
MSP
managed service provider
Manage IT services on behalf of organizations
CHIPS Act of 2022
U.S. federal statute providing funding to boost semiconductor research and
manufacturing in the U.S.
■ Aims to reduce reliance on foreign-made semiconductors, strengthen the
domestic supply chain, and enhance security
Semiconductor
Essential components in a wide range of products, from smartphones and
cars to medical devices and defense systems
Vendor Assessment
■ Process to evaluate the security, reliability, and performance of external entities
■ Crucial due to interconnectivity and potential impact on multiple businesses
Vendors
provide goods or services
Suppliers
Involved in production and delivery of products or parts
Penetration Testing
Simulated cyberattacks to identify vulnerabilities in supplier systems
Right to Audit Clause
Contract provision allowing organizations to evaluate vendor’s internal processes
for compliance
Due dilligence
A rigorous evaluation that goes beyond surface-level credentials
● Includes the following
○ Evaluating financial stability
○ Operational history
○ Client testimonials
○ On-the-ground practices to ensure cultural alignmen
Vendor Questionnaires
Comprehensive documents filled out by potential vendors
Rules of Engagement
Guidelines for interaction between organization and vendors
Vendor Monitoring
Mechanism used to ensure that the chosen vendor still aligns with organizational
needs and standards
Feedback Loops
Involve a two-way communication channel where both the organization
and the vendor share feedback
Basic Contract
● Versatile tool that formally establishes a relationship between two parties
● Defines roles, responsibilities, and consequences for non-compliance
● Specifies terms like payment structure, delivery timelines, and product
specifications
SLA
Defines the standard of service a client can expect from a provider
● Includes performance benchmarks and penalties for deviations
Service level agreement
MOA
Memorandum of Agreement
Formal, outlines specific responsibilities and roles
MOU
Memorandum of Understanding
Less binding, expresses mutual intent without detailed specifics
MSA
master serivce agreement
● Covers general terms of engagement across multiple transactions
● Used for recurring client relationships, supplemented by Statements of
Work
SOW
statement of work
Specifies project details, deliverables, timelines, and milestones
NDA
Non-Disclosure Agreement
BPA or JV
Business Partnership Agreement or joint venture agreement
● Goes beyond basic contracts when two entities collaborate
● Outlines partnership nature, profit-sharing, decision-making, and exit
strategies
Governance
Overall management of IT infrastructure, policies, procedures, and operations
Risk management
strategic alingment
resource management
performance management
Compliance
Adherence to laws, regulations, standards, and policies
GRC
governance risk and compliance
Boards
elected by shareholders to oversee an orgs management
Commitees
subgroups of board with specific focuses
Centralized governance
Decision-making authority at top management levels
Decentralized governance
Decision-making authority distributed throughout the
organization
AUP
Acceptable use policy
Document that outlines the do’s and don’ts for users when interacting with an
organization’s IT systems and resources
Incident Response Policy
Specifies incident notification, containment, investigation, and prevention steps
SDLC Policy
software development lifecycle
Guides software development stages from requirements to maintenance
Includes secure coding practices, code reviews, and testing standards
Change Management Policy
Governs handling of IT system/process changes
Standards
Provides a framework for implementing security measures, ensuring that all
aspects of an organization’s security posture are addressed
Password Standards
■ Define password complexity and management
■ Include length, character types, regular changes, and password reuse rules
■ Emphasize password hashing and salting for security
Access Control Standards
■ Determine who has access to resources within an organization
■ Include access control models like
● Discretionary Access Control (DAC)
● Mandatory Access Control (MAC)
● Role Based Access Control (RBAC)
Encryption Standards
■ Ensure data remains secure and unreadable even if accessed without
authorization
■ Include encryption algorithms like AES, RSA, and SHA-2
■ Depends on the use case and balance between security and performanc
Procedures
■ Systematic sequences of actions or steps taken to achieve a specific outcome in
an organization
■ Ensures consistency, efficiency, and compliance with standard
Playbook
■ Detailed guides for specific tasks or processes
■ They provide step-by-step instructions for consistent and efficient execution
■ Used in various situations, from cybersecurity incidents to customer complaints
■ Include resource requirements, steps to be taken, and expected outcomes
compliance reporting
Systematic process of collecting and presenting data to demonstrate adherence
external or internal
Compliance Monitoring
Regularly reviews and analyzes operations for compIiance
includes due diligence and due care, attestation and acknowledgement, and
internal and external monitoringliance
Due Diligence
Identifying compliance risks through thorough review
Due Care
Mitigating identified risks
Assest Management
Systematic process of developing, operating, maintaining, and selling assets
cost-effectively
Acquisition
Process of obtaining goods and services
Procurement
Entire process of sourcing and obtaining those goods and services, including all
the processes that lead up to the acquisition
Purchase Order
Formal document issued by the purchasing department
For larger, more expensive purchases
Dictates payment terms (NET 15, NET 30, NET 60)
BYOD
bring your own device
Employees use personal devices for work
COPE
The company provides devices for employees
CYOD
Employees select devices from a company-approved list
Balance between employee choice and organizational control
Assest Monitoring
Maintaining an inventory with specifications, location, and
assigned users
Asset Tracking
Goes beyond monitoring, involving the location, status, and
condition of assets using specialized software and tracking
technologie
MDM
mobile device management
Asset Disposal and Decommissioning
Necessity to manage the disposal of outdated assets
NIST Special Publication 800-88 (Guidelines for Media Sanitization)
Provides guidance on asset disposal and decommissioning
Sanitization
Thorough process to make data inaccessible and irretrievable from storage
medium using traditional forensic method
Overwriting
Replacing the existing data on a storage device with random bits
of information to ensure that the original data is obscured
Deguassing
Utilizes a machine called a degausser to produce a strong
magnetic field that can disrupt magnetic domains on storage
devices like hard drives or tapes
Secure Erase
Deletes data and ensures it can’t be recovered
CE
cryptographic erase
Utilizes encryption technologies for data sanitization
Destruction
Goes beyond sanitization, ensures physical device is unusable
Used for high-security environments, especially with Secret or Top Secret data
■ Recommended methods
● Shredding
● Pulverizing
● Melting
● Incineratin
Certification
Acts as proof that data or hardware has been securely disposed of
■ Important for organizations with regulatory requirements
■ Creates an audit log of sanitization, disposal, or destruction
Data Retention
Strategically deciding what to keep and for how long
CAB
change advisory board
Change OWner
Individual or team responsible for initiating change request
Impact Analysis
Integral part of the Change Management process
Assesses potential fallout, immediate effects, long-term impacts
Scheduled Maintenance Window
Designated timeframes for implementing changes
Backout Plan
Pre-determined strategy to revert systems to their original state in case of
issues during change implementation
SOPs
standard operating procedure
Detailed step-by-step instructions for specific tasks
● Ensures consistency, efficiency, and reduces errors in change
implementation within the organization
has to do with change management
Allow List
Specifies entities permitted to access a resource
Downtime
Any change, even minor, carries the risk of causing downtime
Restricted Activities
Certain tasks labeled as ‘restricted’ due to their impact on system health
or security
Version control
Tracks and manages changes in documents, software, and other files
Allows multiple users to collaborate and revert to previous versions when
needed
Audits
Systematic evaluations of an organization’s information systems, applications,
and security controls
Assessment
Detailed analysis to identify vulnerabilities and risks
Performed before implementing new systems or significant changes
risk vulnerability or threat assessments
Reconnaissance in Pentesting
Gathering information before a pentest can be pasive or active
Audit committee
A group, often comprising members of a company’s board of
directors, overseeing audit and compliance activities
Threat Modeling Exercise
Identifies potential threats to applications (e.g., SQL injection, XSS, DoS attacks)
MCIT Cybersecurity Self-Assessment
is designed to help
organizations minimize data and cybersecurity-related exposures
● It assists in identifying areas where data security may need strengthening
● The checklist comprises yes-or-no questions with sections for comments
and action items
Examination
Detailed inspections of an organization’s security infrastructure conducted
externally
Red teaming
offensive pen testing
Blue teaming
defensive
integrated pen testing
purple teaming
Reconnaissance
Initial phase where an attacker gathers information about the target system
Active Reconnaissance
Engaging with the target system directly, such as scanning for open ports
using tools like Nmap
Passive Reconnaissance
Gathering information without direct engagement, like using open-source
intelligence or WHOIS to collect data
Metasploit
Multipurpose computer security and penetration testing framework
Attestation
Involves formal validation or confirmation provided by an entity to assert the
Cyber resilience
Ability to deliver outcomes despite adverse cyber events
Redundancy
Having additional systems or processes for continued functionality
Uptime
The time a system remains online, typically expressed as a percentage
Five Nines
Refers to 99.999% uptime, allowing only about 5 minutes of downtime
per year
Load Balancing
Distributes workloads across multiple resources
Clustering
Uses multiple computers, storage devices, and network connections as a single
system
Multi Cloud Approach
Distributes data, applications, and services across multiple cloud providers
Mitigates the risk of a single point of failure
RAID
helps with data redundancy
Combines multiple physical storage devices into a single logical storage
device recognized by the operating system
RAID Category Failure Resistent
resists hardware malfunctions through redundancy RAID 1
RAID Category Fault Tolerant
Allows continued operation and quick data rebuild in case of failure (e.g.,
RAID 1, RAID 5, RAID 6, RAID 10
RAID Category Disaster tolerant
Safeguards against catastrophic events by maintaining data in
independent zones (e.g., RAID 1, RAID 10)
Capacity Planning
People, technology, infrastructure and processes
Surge
Sudden, small increases in voltage beyond the standard level (e.g., 120V
in the US)
Spike
Short-lived voltage increases, often caused by short circuits, tripped
breakers, or lightning
Sags
Brief decreases in voltage, usually not severe enough to cause system
shutdown
Undervoltage Events Brownouts
Prolonged reduction in voltage, leading to system shutdown
Power Loss Events Blackouts
Complete loss of power for a period, potentially causing data loss and
damage
Line Conditioner
Stabilize voltage supply and filter out fluctuations
Stabilize voltage supply and filter out fluctuations
UPS
Uninterruptible Power Supplies (
Generator
Convert mechanical energy into electrical energy for use in an external
circuit through the process of electromagnetic inductio
PDC
Power Distribution Centers
Central hub for power reception and distribution
Integrates with UPS and backup generators for seamless transitions
during power events
Onsite backups
Storing data copies in the same location as the original data
Offsite Backup
Storing data copies in a geographically separate location
Snapshots
Point-in-time copies capturing a consistent state
Replication
Real-time or near-real-time data copying to maintain data continuity
Journaling
Maintaining a detailed record of data changes over time
COOP
Continuity of Operations Plan
BC Plan
Business Continuity Planning
DRP
Disaster Recovery Plan
subset of BC plan
Redundant Site
Backup location or facility that can take over essential functions and operations
in case the primary site experiences a failure or disruption
Hot Site
Up and running continuously, enabling a quick switchover
Requires duplicating all infrastructure and data
Warm site
Not fully equipped, but fundamentals in place
Cold Site
Fewer facilities than warm sites
May be just an empty building, ready in 1-2 months
Virtual hot site
Fully replicated and instantly accessible in the cloud
Virtual Warm Site
Involves scaling up resources when needed
Resilience Testing
Assess system’s ability to withstand and adapt to disruptive events
-Conducted through tabletop exercises, failover tests, simulations, and parallel
processing
Recovery Testing
Evaluates the system’s capacity to restore normal operation after a disruptive
event
TTX
Table Top Exercise
Scenario-based discussion among key stakeholders
Failover Test
Controlled experiment for transitioning from primary to backup components
Simulation
Computer-generated representation of a real-world scenario
Allows for hands-on response actions in a virtual environment
Parallel Processing
Replicates data and system processes onto a secondary system
Responsibility Matrix
Outlines the division of responsibilities between the cloud service provider and
the customer
Hybrid Solutions
Combined on-premise, private cloud, and public cloud services, allowing
workload flexibility
Lack of Up-to-date Security Measures
Cloud environments are dynamic and require up-to-date security measures
Single Point of Failure
Cloud services relying on specific resources or processes can lead to system-wide
outages if they fail
Data Remnants
Residual data left behind after deletion or erasure processes
Virtualization
Emulates servers, each with its own OS within a virtual machine
Contanerization
Lightweight alternative, encapsulating apps with their OS environment
Hypervisor Type 1
bare metal
Type 2 Hypervisor
Operates within a standard OS (e.g., VirtualBox, VMware)
VM Escape
Attackers break out of isolated VMs to access the hypervisor
Privilege Escalation
Unauthorized elevation to higher-level users
Live VM Migration
Attacker captures unencrypted data between servers
Resource Reuse
Improper clearing of resources may expose sensitive data
Serverless
Relies on cloud service providers to handle server management, databases, and
some application logic
FaaS
Developers write and deploy individual functions triggered by events
Microservices
Architectural style for breaking down large applications into small, independent
services
Network Infrastructure
Comprises hardware, software, services, and facilities for network support and
management
Air Gapping
physical separation of systems
Logical Separation
■ Establishes boundaries within a network to restrict access to certain areas
■ Implemented using firewalls, VLANs, and network devices
SDN
softwre defined network
Enables dynamic, programmatically efficient network configuration
Provides a centralized view of the entire network
SDN Architecture
Decouples network control and forwarding functions
SDN Architecture - Data Plane
forwarding plane
Responsible for handling data packets
Concerned with sending and receiving data
SDN Architecture - Control Plan
Centralized decision-maker in SDN
Dictates traffic flow across the entire network
Replaces traditional, distributed router control planes
SDN Architecture - App Plan
Hosts all network applications that interact with the SDN
controller
○ Applications instruct the controller on network management
○ Controller manipulates the network based on these instructions
IaaC
Infrastructure as Code
Automates provisioning and management through code
Used in DevOps and with cloud computing
Centralized Architecture
All computing functions managed from a single location or authority
Decentralized Architecture
No single point of control; each node operates independently
IoT
internet of things
Network of physical devices with sensors, software, and connectivity
Hub/Control System
Central component connecting IoT devices
Collects, processes, analyzes data, and sends commands
Smart Devices
Everyday objects enhanced with computing and internet capabilities
Wearables
Subset of smart devices worn on the body
Sensor
Detect changes in environment, convert into data
ICS
Industrial Control Systems
-Systems used to monitor and control industrial processes, found in various
industries like electrical, water, oil, gas, and data
DCS
Distributed Control Systems
Used in control production systems within a single location
PLC
Programmable Logic Controllers
Used to control specific processes such as assembly lines and factories
SCADA Systems
Supervisory Control and Data Acquisition
Type of ICS designed for monitoring and controlling geographically dispersed
industrial processes
Embedded System
Specialized computing components designed for dedicated functions within
larger device
RTOS
real time operating system
Designed for real-time applications that process data without significant delays
Critical for time-sensitive applications like flight navigation and medical
equipment
Wrappers
Protect data during transfer by hiding data interception points
Firmware Code Control
Manage low-level software to maintain system integrity
OTA
over the air updates
Ports
Logical communication endpoints on a computer or server
Well known ports
0-10230
Registered ports
1024-49151 vendor specific
registered with IANA
Dyanmic and private ports
49152-65535
Firewall
A network security device or software that monitors and controls network traffic
based on security rules
■ Protects networks from unauthorized access and potential threats
Screened Subnet or Duel-homed Host
DMZ
acts as a security barrier between external untrusted networks and the internal network uses firewalls
Packet filtering firewall
limited inspection of packet headers for IP addresses and port numbers
operates at layer 4 transport layer
Stateful Firewall
It allows return traffic for outbound requests
operates at layer 4
Proxy Firewall
Makes connections on behalf of endpoints
two types:
circuit layer (layer 5)
app layer (layer 7)
Kernel proxy firewall
minimal impact on network performance
full inspection of packets at eveyr layer
placed closed to system they protect
NGFW
next gen firewall
application aware and can distinguish between different types of traffic
Example: it may allow aql server traffic regardless of the port # used
conducts deep packet analysis and use signature based intrusion protection
-
UTF
unified threat management firewall
-combines multiple security functions in a single device
single point of failure
WAF
web application firewall
prevents against cross site scripting and SQL injections
can be placed in line (live attack prevention) where the device sits between the network firewall and the web servers or out of line (detectio) device receives a mirroed copy of web server traffic
Layer 4 Firewall
operates at the transport layer
filters traffic based on port numbers and protocol data
Layer 7 firewall
operates at app layer
inspects filters and controls traffic based on content and data characteristics
ACL
access control lists
consist of permit and deny statements often based on port numbers
rule sets placed on firewalls, routers and network infrastructure devices
includes types of traffic
source destination and action to be taken against the traffic
Hardware based firewall
a dedicated network security device
software based firewall
A firewall that runs as a software application on individual devices, such
as workstations
● Utilizes ACLs and rules to manage incoming and outgoing traffic,
providing security at the software level on a per-device basis
IDS
intrusion detection system
Logs or alerts that it found something suspicious or malicious
NIDS
Network-based IDS
Monitors the traffic coming in and out of a network
HIDS host-based
Looks at suspicious network traffic going to or from a single or endpoint
WIDS
wireless IDS
Detects attempts to cause a denial of a service on a wireless
network
Signature based IDS
Analyzes traffic based on defined signatures and can only
recognize attacks based on previously identified attacks in its database
Signature based IDS Pattern Matching
specific pattern of steps NIDS and WIDS
Stateful matching
known system baseline HIDS
Anomaly based IDS
Analyzes traffic and compares it to a normal baseline of traffic to
determine whether a threat is occurring
Five Types of Anomaly-based Detection Systems
■ Statistical
■ Protocol
■ Traffic
■ Rule or Heuristic
■ Application-based
IPS
Logs, alerts, and takes action when it finds something suspicious or malicious
Scans traffic to look for malicious activity and takes action to stop it
Network Appliance
A dedicated hardware device with pre-installed software for specific networking
services
Load Balancer
Distribute network/application traffic across multiple servers
● Enhance server efficiency and prevent overload
● Ensure redundancy and reliability
● Perform continuous health checks
● Application Delivery Controllers (ADCs) offer advanced functionality
Proxy Server
Act as intermediaries between clients and servers
Provide content caching, requests filtering, and login management
Enhance request speed and reduce bandwidth usage
Add a security layer and enforce network utilization policies
Protect against DDoS attacks
Jump server/jump box
Secure gateways for system administrators to access devices in different security zones
-Control access and reduce the attack surface areaSecure gateways for system administrators to access devices in different secuA jump server is placed between a user’s workstation and the target servers or devices, providing a controlled point of access. It helps isolate the internal network from potential threats originating from external networks.
Port Security
A network switch feature that restricts device access to specific ports based on
MAC addresses
Network Switches
Networking devices that operate at Layer 2 of the OSI model
Use MAC addresses for traffic switching decisions through transparent bridging
CAM table
Content Addressable Memory
Stores MAC addresses associated with switch ports
Vulnerable to MAC flooding attacks, which can cause the switch to fail open
802.1x authentication
Provides port-based authentication for wired and wireless networks
Requires three roles
● Supplicant
● Authenticator
● Authentication server (RADIUS or TACACS+
RADIUS
Remote Authentication Dial-In User Service) is a protocol that manages authentication, authorization, and accounting (AAA) for users who connect to the network.
cross platform
TACACS+
TACACS+ is slower but offers additional security and independently handles
authentication, authorization, and accounting
CISCO
EAP
(Extensible Authentication Protocol) you walk up to a building, a guard comes up and asks for a form of identification could be a driver’s license, etc this is like the different variants of EAP then your credentials are forwaded to the RADIUS server whcih checks them against a database
EAP-MD5
Uses simple passwords and the challenge handshake
authentication process to provide remote access authentication
○ One-way authentication process
○ Doesn’t provide mutual authentication
EAP TTLS
REquires a digital certificate on the server, but not on the client
○ The client uses a password for authentication
EAP TLS
Uses public key infrastructure with a digital certificate which is
installed on both the client and the server
○ Uses mutual authentication
EAP-FAST
Uses protected access credential, instead of a certificate, to
establish mutual authentication
PEAP
Supports mutual authentication using server certificates andActive Directory databases to authenticate a password from the
client
EAP LEAP
Cisco proprietary and limited to Cisco devices
VPN
virtual private network
Extend private networks across public networks
Site to Site VPN
Connects two sites cost-effectively
Replaces expensive leased lines
Utilizes a VPN tunnel over the public internet
Encrypts and secures data between sites
Client to Site VPN
Connects a single host (e.g., laptop) to the central office
Ideal for remote user access to the central network
Options for full tunnel and split tunnel configurations
Clientless VPN
Uses a web browser to establish secure, remote-access VPN
No need for dedicated software or hardware client
Utilizes HTTPS and TLS protocols for secure connections to
websites
Full tunnel VPN
Encrypts and routes all network requests through the VPN
○ Provides high security, clients fully part of central network
○ Limits access to local resources
○ Suitable for remote access to central resources
Split Tunnel VPN
Divides traffic, routing some through the VPN, some directly to the internet
Enhances performance by bypassing VPN for non-central traffic
TLS
Provides encryption and security for data in transit
Used for secure connections in web browsers (HTTPS)
operates at layer 4 Transport layer
TLS: Operates at the Transport Layer, securing individual connections between applications.
IPSec: Operates at the Network Layer, securing IP packets and often used for creating secure network tunnels
DTLS
datagram TLS
A faster User Datagram Protocol-based (UDP-based) alternative
Ensures end-user security and protects against eavesdropping in clientless
VPN connections
IPSec
A secure protocol suite for IP communication
IPSec: Operates at the Network Layer, securing IP packets and often used for creating secure network tunnels
IPSec Transport Mode
securing the payload of the IP packet
IPSec Tunnel Mode
Provides confidentiality for both payload and header
Adds a new header to encapsulate the entire packet
AH
AH adds an extra header to the original IP packet. This header contains a cryptographic hash of the packet’s content, which allows the recipient to verify that the packet has not been altered.
: Think of AH as sending a sealed and stamped letter (packet) where the recipient can verify that the letter has not been tampered with and is indeed from the sender, but anyone can still see the content of the letter.
ESP encapsulating security payload
Provides confidentiality, integrity, and encryption
● Provides replay protection
● Encrypts the packet’s payload
Think of ESP as sending a sealed and locked box (packet) that not only ensures the recipient can verify the sender and check for tampering but also keeps the contents of the box hidden from anyone who doesn’t have the key.
SD-WAN
Software defined wide area network
is a technology that simplifies the management and operation of a WAN (Wide Area Network) by separating the networking hardware from its control mechanism using software. Here’s a simple explanation:
Without SD-WAN: It’s like driving without a GPS, relying on static maps and hoping for the best route, even if traffic conditions change.
With SD-WAN: It’s like using a GPS that constantly updates your route based on real-time traffic information, ensuring you always take the fastest and most efficient path to your destination.
SASE
Secure Access Service Edge)
A network architecture combining network security and WAN capabilities in a
single cloud-based service
SD-WAN is a foundational component of SASE. It provides the network optimization and dynamic routing capabilities.
SASE builds on SD-WAN by adding comprehensive security services
Security Zones
Isolate devices with similar security requirements
Fail open
allows traffic to pass during a failure
Fail closed
Blocks all traffic during a failure, prioritizing security over connectivity
Least Privilege
Users and systems should have only necessary access rights to reduce the
attack surface
Defense in Depth
Utilize multiple layers of security to ensure robust protection even if one
control fails
Risk Based Approach
Prioritize controls based on potential risks and vulnerabilities specific to
the infrastructure
Lifecycle Management
Regularly review, update, and retire controls to adapt to the evolving threat landscape
Open design principle
Ensure transparency and accountability through rigorous testing andscrutiny of controls
IAM Solutions
Ensures right individuals have right access to right resources for right reasons
● Password Management
● Network Access Control
● Digital Identity Management
IAAA
identification, authentication, authorization, and accounting
Identification
User claims an identity using a unique identifier (e.g., username or email
address
Authentication
Verifies the identity of a user, device, or system
● Typically involves validating user credentials against an authorized user
database
Authorization
Determines the permissions or access levels for authenticated users
Accounting
tracks and records user activities
Provisioning
Creating new user accounts, assigning permissions, and providing system access
Deprovisioning
Removing access rights when no longer needed (e.g., when an
employee leaves
Identity Proofing
Process of verifying a user’s identity before creating their accoun
Interoperability
Ability of different systems, devices, and applications to work together
and share information
● In IAM, it can involve using standards like SAML or OpenID Connect for
secure authentication and authorization
MFA
A security system requiring multiple methods of authentication from
independent categories of credentials
Passkeys
An alternative to traditional passwords for authentication
Involves creating a passkey secured by device authentication methods like fingerprint or facial recognition
Password Manager
password generation
auto fill
secure sharing
cross platform access
OTP
one time passwords
Magic link
one time links sent to email for auto login
Brute force password attack
Tries every possible character combination until the correct password is found
Dictionary attack
Uses a list of commonly used passwords (a dictionary) to crack passwords
Password Spraying
A form of brute force attack that tries a few common passwords against many
usernames or account
Hybrid Attack
Combines elements of brute force and dictionary attacks
May include variations, such as adding numbers or special characters to
passwords
SSO
single sign on
Authentication process allowing users to access multiple applications with one
set of credentials
LDAP
Lightweight Directory Access Protocol)
-protocol for SSO
-Lightweight Directory Access Protocol)
-Can share user information across network resources
OAuth
Allows third-party services to access user account information without exposing passwords
SAML
Redirects users to an identity provider for authentication
Federation
Links electronic identities and attributes across multiple identity management
systems
-Enables users to use the same credentials for login across systems managed by different organizations
PAM
priviledged access managment
Solution that restricts and monitors privileged access within an IT environment
JIT Permissions
Security model that grants administrative access only when needed for a
specific task
Password Vaulting
Technique that stores and manages passwords securely, often in a digital
vault.
Temporal accounts
Temporary accounts used for time-limited access to resources
MAC
Uses security labels to authorize resource access
Requires assigning security labels to both users and resources
DAC
discretionary access control
Resource owners specify which users can access their resources
RBAC
Role-Based Access Control
Rule based access control
Uses security rules or access control lists
● Policies can be changed quickly and frequently
● Applied across multiple users on a network segment
ABAC
attribute base access control
user attributes, environment attributes etc
Privileges
Define the levels of access that users have
UAC
A mechanism designed to ensure that actions requiring administrative rights are explicitly authorized by the use
Firmware Vulnerabilities
Specialized software stored on hardware devices
● Can grant attackers full control, leading to unauthorized access or
takeover
End of Life systems assessment
No updates or support from the manufacturer
Legacy system
Outdated and superseded by newer alternatives
unsupported system
no official support ever
hardening
Tighten security by closing unnecessary ports, disabling services, and
setting permission
Patching
Regular updates to fix known vulnerabilities in software, firmware, and applications
Bluetooth
Wireless technology for short-distance data exchange
Insecure Pairing
Occurs when Bluetooth devices establish a connection without
proper authentication
Device spoofing
Occurs when an attacker impersonates a device to trick a user into connecting
On Path attcks
Exploits Bluetooth protocol vulnerabilities to intercept and alter
communications between devices without either party being
aware
Bluejacking
Sending unsolicited messages to a Bluetooth device
● Often used for pranks or testing vulnerabilities
Bluesnarfing
Unauthorized access to a device to steal information like contacts, call
logs, and text messages
Bluebugging
Allows attackers to take control of a device’s Bluetooth functions
Bluesmack
DOS
Sideloading
Installing apps from unofficial sources bypassing the device’s default app store
Jailbreaking/rooting
Gives users escalated privileges but exposes devices to potential security
breaches
Zero Day
Discovered or exploited before vendors issue patches
Malicious updates
Appear as legitimate security updates but contain malware or exploits
Injection Attack
Involves sending malicious data to a system for unintended consequences
SQL Data
used to interact with databases
SQL injection
Involves inserting malicious SQL code into input fields
XML Data
Used for data exchange in web applications
XML Bomb
billions laigh attack
Consumes memory exponentially, acting like a denial-of-service
attack
XXE
xml external entity attack
Attempts to read local resources, like password hashes in the shadow file
XSS
cross site scripting
Injects a malicious script into a trusted site to compromise the site’s visitors
Non persistent XSS
A XSS attack that only occurs when it is launched and only
happens once
○ Server executes the attack (Server-side scripting attack)
Persistent XSS
Allows an attacker to insert code into a backend database used by that trusted website
DOM XSS
document object model
Exploits the client’s web browser using client-side scripts to
modify the content and layout of the web page
Session management
Enables web applications to uniquely identify a user across several different actions and requests
Cookie
Text file used to store information about a user when they visit a
website
Non persistent cookies
■ Also known as a session cookie
■ Resides in memory and are used for a very short time
period
■ Deleted at the end of the session
Persistent Cookies
Stored in the browser cache until either deleted by a user
or expire
Session hijacking
Type of spoofing attack where the attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host IP
Session prediction
Type of spoofing attack where the attacker attempts to predict the
session token in order to hijack the session
XSRF
cross site request forgery
Malicious script is used to exploit a session started on another site within the
same web browser
Buffer overflow attack
Occurs when a process stores data outside the memory range allocated by the
developer
Buffers
Temporary storage areas used by programs to hold data
Stack
Programs have a reserved memory area called a stack to store data during
processing
Smashing the stack
Attackers aim to overwrite the return address with a pointer to their malicious
code
NOP Slide
Attackers fill the buffer with NOP (No-Operation) instructions
ASLR
Address Space Layout Randomization mitigation against buffer attack
Race condition
Software vulnerabilities related to the order and timing of events in concurrent
processes
Dereferencing
Software vulnerability that occurs when the code attempts to remove the
relationship between a pointer and the thing that the pointer was
pointing to in the memory which allows changes to be made
Dirty Cow exploit
A real-world example of race condition exploitation
TOC
time of check
Attackers manipulate a resource’s state after it is checked but before it is
used
TOU
Attackers alter a resource’s state after it is checked but before it is used
TOE
time of evaulation
Attackers manipulate data or resources during the system’s
decision-making or evaluation process
● Can lead to incorrect results or unexpected behavior
Mutex
Mutually exclusive flag that acts as a gatekeeper to a section of
code so that only one thread can be processed at a time
○ Mutexes ensure only one thread or process can access a specific
section of code at a time
mitigation against race condition
Deadlock
Occurs when a lock remains in place because the process it’s waiting for is
terminated, crashes, or doesn’t finish properly, despite the processing
being complete
DoS
denial of service
Used to describe an attack that attempts to make a computer or server’s
resources unavailable
Ping flood
Overloading a server with ICMP echo requests (pings)
SYN flood
Initiating multiple TCP sessions but not completing the 3-way handshake
PDOS
permanent DoS
exploits security flaws to break a networking device permanently by re-flashing
its firmware
Fork Bomb
Attack creates a large number of processes, consuming processing power
DDoS
Malicious attempt to disrupt the normal functioning of a network, service, or
website by overwhelming it with a flood of internet traffic
DNS amplification attack
Specialized DDoS that allows an attacker to initiate DNS requests
from a spoof IP address to flood a website
Black hole or sink hole
Routes attacking IP traffic to a non-existent server through a null interface
● Effective but temporary solution
DNS
domain name system
Fundamental component of the internet that is responsible for translating
human-friendly domain names into IP addresses that computers can understand
DNSSEC
(Domain Name System Security Extensions) to add
digital signatures to DNS data
DNS Cache Poisoning
aka DNS spoofing
● Corrupts a DNS resolver’s cache with false information
● Redirects users to malicious websites
DNS Amplification attack
Overwhelms a target system with DNS response traffic by exploiting the
DNS resolution process
DNS Tunneling
Encapsulates non-DNS traffic (e.g., HTTP, SSH) over port 53
Attempts to bypass firewall rules for command and control or data
exfiltration
Domain hijacking or domain theft
Unauthorized change of domain registration
DNS Zone Transfer Attacks
Exposes sensitive information about a domain’s network infrastructure
Directory Traversal attack
An injection attack occurs when the attacker inserts malicious code through an
application interface
File inclusion
Web application vulnerability that allows an attacker either to download a file
from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor
Local File inclusion
An attacker adds a file to the web app or website that already exists on
the hosting server
Arbitrary Code Execution
Vulnerability allows an attacker to run their code without restrictions
Remote Code execution
Type of arbitrary code execution that occurs remotely, often over the internet
Privilege Escalation
Gaining higher-level permissions than originally assigned
Horizontal privilege escalation
Accessing or modifying resources at the same level as the attacker
Rootkit
Class of malware that conceals its presence by modifying system files, often at
the kernel level
Ring 0
the kernel
User mode rootkit
rings 1-3
has admin privileges
Replay attacks
Type of network-based attack where valid data transmissions are maliciously or
fraudulently re-broadcast, repeated, or delayed
■ Involves intercepting data, analyzing it, and deciding whether to retransmit it
later
Credential replay attack
Specific type of replay attack that Involves capturing a user’s login credentials
during a session and reusing them for unauthorized access
Session management
Enables web applications to uniquely identify a user across a number of different
actions and requests, while keeping the state of the data generated by the user
and ensuring it is assigned to that user
Session hijacking
A type of spoofing attack where the attacker disconnects a host then replaces it
with his or her own machine, spoofing the original host’s IP address
Session prediction attack
A type of spoofing attack where the attacker attempts to predict the session
token to hijack a sessioC
Cookie poisoning
Modifies the contents of a cookie after it has been generated and sent by the
web service to the client’s browser so that the newly modified cookie can be
used to exploit vulnerabilities in the web application
On path attack
An attack where the attacker positions their workstation logically between two
hosts during communication
ARP Poisoning
Manipulating Address Resolution Protocol (ARP) tables to redirect
network traffic
DNS Poisoning
Altering DNS responses to reroute traffic
Rogue Wireless Access Point
Creating a fake wireless access point to intercept traffic
Rogue hub or switch
Introducing a malicious hub or switch to capture data on a wired network
Replay attack
Occurs when an attacker captures valid data and then replays it immediately or
with a delay
Relay attack
The attacker becomes part of the conversation between two hosts
SSL Stripping
An attack that tricks the encryption application into presenting an
HTTP connection instead of HTTPS
Downgrade attack
An attacker forces a client or server to abandon a higher security mode in favor
of a lower security mode
LDAP Injection
An application attack that targets web-based applications by fabricating LDAP
statements that are typically created by user inpu
Command Injection
Occurs when a threat actor is able to execute arbitrary shell commands on a host
via a vulnerable web application
Process injection
method of executing arbitrary code in the address space of a separate live process
IoC
indicators of compromise
Pieces of forensic data that identify potentially malicious activity on a network or
system
Least Functionality
Involves configuring systems with only essential applications and services
App allow listing
Only applications on the approved list are allowed to run
App blocklisting
Applications placed on the blocklist are prevented from running
■ All other applications are permitted to run
ToS
trusted OS
An operating system that is designed to provide a secure computing environment
by enforcing stringent security policies that usually rely on mandatory access
control
EAL
evaluation assurance level
EAL 1 lowest EAL 7 highest
Hotfix
A software patch that solves a security issue and should be applied immediately
after being tested in a lab environment
Update
Provides a system with additional functionality, but it doesn’t usually provide any
patching of security related issues
■ Often introduce new vulnerabilities
Service Pack
Includes all the hotfixes and updates since the release of the operating system
Patch MAnagement
Planning, testing, implementing, and auditing of software patches
