Complete Study Material Flashcards
Typosquatting
relies on mistakes such as typos made by Internet users when inputting a website address into a web browser
Pretexting
Pretexting is a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation
Pharming
Pharming is a more advanced method that manipulates DNS records, redirecting users to fake websites without their knowledge
Watering Hole Attack
a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they typically visit and luring them to a malicious site
Influence Campaigns
a large-scale campaign launched by a threat actor, or group of threat actors, with a lot of power (like a hacktivist group, nation-state actor, or terrorist group) that seeks to shift public opinion
Worms
A worm can self-replicate and spread to other computers
Trojan
a type of malware that downloads onto a computer disguised as a legitimate program
Rootkit
A rootkit is malicious software code that provides bad actors with “root” access to an endpoint device kernel or core system files
Virus
A computer virus is a type of malicious software, or malware, that spreads between computers and causes damage to data and software
Backdoor
a means of bypassing an organization’s existing security systems
RAT
malware that can control a computer using desktop sharing and other administrative functions
Logic Bomb
A logic bomb is malware that installs and operates silently until a certain
event occurs
Password Spray
Password attack in which the same password is attempted across many accounts
Brute Force
Password attack in which many passwords are attempted against an account to eventually gain access
Rainbow Tables
Pre-built set of hashes. Requires different tables for different hashing methods
Salt
Random data added to a password when hashing. Prevents the success of rainbow tables and significantly slows down brute force attacks
Dictionary Attack
Password attacks where a “dictionary” or list of common words are used to guess an account’s password. Some password crackers can substitute letters for numbers and special characters (3/E, 1/!, A/@)
Hash Collision
Occurs when two entirely unique input values have the same hash
Downgrade Attack
Forces the system to downgrade their security measures, such as rolling back to vulnerable or un-patched versions.
Birthday Attack
An example of a hash collision
Mitigating Privilege Escalation
Patch vulnerabilities quickly, update security software, only allow data execution is certain areas, and randomize address space layout
XSS
Cross-Site Scripting is a vulnerability found on web-based application, which allows an attacker to run scripts in a user input (such as text field) to obtain credentials, session IDs, cookies, etc.
Non-persistent (reflected) vs. Persistent (stored)
SQL Injection
SQL Injection is an attack which allows the attacker to input SQL code into a text field to interact with the data stored in the SQL database. Input validation misconfiguration is typically the cause.
Buffer Overflow
When a section of memory is able to spill over and overwrite another section of memory.
DLL Injection
Dynamic Link Library Injection copies a DLL into an existing/valid process, causing the process to execute with the DLL
Replay Attack
An attacker with access to raw network data is able to copy traffic and “replay” the data across the network to appear as someone else
Pass the hash is an example of a Replay Attack, where an attacker may be listening in on an authentication between a client and server and capture the hash, and pretend to be the user by sending the server those authentication details.
Server Side Request Forgery (SSRF)
Attacker finds a vulnerable web application and is able to send requests to the web server, causing it to perform the request on behalf of the attacker
Cross-Site Request Forgery (CSRF)
Takes advantage of the trust that a website has with the browser, allowing for an attacker to send requests to a web server on a victim’s behalf.
Often requires victim to perform an action such as clicking a link to pass on the forged request
Shimming
Shimming is inserting code into a system library or API
Refactoring
Refactoring code is the process of rewriting the internal processing of the code, without changing its external behavior
SSL Stripping / HTTP Downgrade
a type of cyber attack in which hackers downgrade a web connection from the more secure HTTPS to the less secure HTTP. This makes all communications unencrypted and sets the stage for a man-in-the-middle attack
SSL & TLS
Transport Layer Security (TLS) is the upgraded version of SSL that fixes existing SSL vulnerabilities. TLS authenticates more efficiently and continues to support encrypted communication channels
Race Condition
A race condition is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time
Memory Vulnerabilities
Examples of Memory Vulnerabilities include Memory Leaks, NULL Pointer dereference, and Integer Overflow
Memory Leak
A memory leak occurs when a process allocates memory from the paged or nonpaged pools, but doesn’t free the memory. As a result, these limited pools of memory are depleted over time, causing Windows to slow down. If memory is completely depleted, failures may result
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit
Integer Overflow
An integer overflow occurs when you attempt to store inside an integer variable a value that is larger than the maximum value the variable can hold
Directory Traversal
A directory traversal is an HTTP attack that allows attackers to gain access to restricted files
Improper Error Handling
Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker)
Improper Input Handling
Improper input handling is one of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications
Resource Exhaustion
It’s a type of attack that uses up the available resources on a device so that the application or the service that’s being used by it is no longer accessible by others
Rogue Access Points
a wireless access point plugged into an organization’s network that the security team does not know exists
Evil Twin
An evil twin attack is a cyberattack that works by tricking users into connecting to a fake Wi-Fi access point
Bluejacking
Bluejacking is when an attacker sends unsolicited messages to a victim’s Bluetooth-enabled device
Bluesnarfing
accessing data through an unauthorized wireless connection
RF Jamming
RF Jamming, or Radio Frequency Jamming, is the concept of blocking a wireless device from communicating with other devices or a wireless
Interference
Unintentional jamming
RFID Attacks
RFID tags can be counterfeited, spoofed, sniffed, and even carry viruses that infect RFID readers and their associated networks
Near Field Communication (NFC)
Builds on RFID to enable two-way wireless communication. Similar vulnerabilities as RFID
Cryptographic nonce
A nonce is an arbitrary number used only once in a cryptographic communication, in the spirit of a nonce word. They are often random or pseudo-random numbers used in live data transmission to protect against replay attacks
Initialization Vector (IV)
An initialization vector (IV) is an arbitrary number that can be used with a secret key for data encryption to foil cyber attacks
On-Path Attacks
An on-path attack is an attacker that sits in the middle between two stations and is able to intercept, and in some cases, change that information that’s being sent interactively across the network
Media Access Control (MAC) Flooding
In a typical MAC Flooding attack, the attacker sends Ethernet Frames in a huge number. When sending many Ethernet Frames to the switch, these frames will have various sender addresses. The intention of the attacker is consuming the memory of the switch that is used to store the MAC address table. The MAC addresses of legitimate users will be pushed out of the MAC Table
Media Access Control (MAC) Cloning
MAC Cloning is the act of changing or impersonating the MAC address of a network interface card to match the MAC address of an authorized device on the network
DNS Poisoning
Domain Name System (DNS) poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website
Domain Hijacking
Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner
URL Hijacking
Another term for Typosquatting, which takes advantage of a user’s ability to enter typos when navigating to a website
Threat Actor Types
Threat actor types include Insiders, Nation States, Hacktivists, Script Kiddies, Organized Crime, Competitors, and Hackers
Insiders
An employee with extensive internal resources and knowledge of vulnerable systems
Nation States
Government-funded entities with various political and economic motives
Hacktivists
groups of criminals who unite to carry out cyber attacks in support of political causes
Script Kiddies
novice hackers who use existing scripts and software to carry out cyberattacks
Organized Crime
Well-funded professional criminals with sophisticated knowledge, typically motivated by money.
Competitors
Motives include espionage, harming competitor reputation, stealing customer data and financial information
Open Source Intelligence (OSINT)
he collection and analysis of data gathered from open sources (covert sources and publicly available information; PAI) to produce actionable intelligence
Zero-Day Attacks
A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw
Known vs Partially Known Environment
Used to describe the access/knowledge granted to an attacker during Pentest
Passive Footprinting
This involves gathering information about the target without direct interaction, such as OSINT or other publicly available data
Active Footprinting
the process of using tools and techniques, such as performing a ping sweep or using the traceroute command, to gather information on a target
Data Masking Techniques
Data Masking techniques include substituting, shuffling, encrypting data
Data at-rest
The data is on a storage device
Data in-transit
Data transmitted over the network
Data in-use
Data is actively processing in memory and almost always decrypted
Tokenization
Replace sensitive data with a non-sensitive placeholder. Common with credit card processing
Information Rights Management (IRM)
The concept of controlling how data is used; restrict data access to unauthorized persons
Web Application Firewall (WAF)
Helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet
Hot Site
A hot site is a DR location that is set up and ready to go – that is, one can arrive and continue to work immediately.
Cold Site
a cold site is essentially available space with little, if anything, set up in it. When you arrive at a cold backup site, you need to set up the equipment, make all connections, load the software, etc
Warm Site
a facility where equipment is available and set up for you, but you must load or restore your latest data to the system
DNS Sinkhole
a mechanism aimed at protecting users by intercepting DNS request attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled IP address
Cloud Deployment Models
Cloud models include Public, Community, Private, and Hybrid deployments
Public Cloud Deployment Model
Available to everyone over the internet
Community Cloud Deployment Model
Resources shared by several organizations
Private Cloud Deployment Model
Your own virtualized local data center
Hybrid Cloud Deployment Model
Combination of Public & Private
Cloud Computing
Computing on demand with massive data storage capacity. Often fast implementation with smaller startup costs. Could come with limited bandwidth/latency issues and is difficult to protect data
Fog Computing
Cloud that’s closed to your data, commonly referred to as an extension of the cloud. Data is processed locally, minimizing security concerns
Edge Computing
Processing data on an edge server close to the user, oftentimes processing the data on the device itself
Elasticity
the ability of a system to adapt and manage resources according to workload requirements
Containerization
Containerization is a type of virtualization in which all the components of an application are bundled into a single container image and can be run in isolated user space on the same shared operating system
Virtual Desktop Infrastructure (VDI)
the hosting of desktop environments on a central server. It is a form of desktop virtualization, as the specific desktop images run within virtual machines (VMs) and are delivered to end clients over a network
Software Defined Networking (SDN)
an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network
Software Defined Visibility (SDV)
Network visibility made available through security devices
Federation
Interconnected digital business networks with the ability to transparently send data and messages between parties, such that all the networks function as one network
Attestation
Providing proof of something
Time-based One-Time Password (TOTP)
a string of dynamic digits of code, whose change is based on time
HMAC-based One-Time Password (HOTP)
an event-based OTP where the moving factor in each code is based on a counter
Biometric False Acceptance Rate (FAR)
FAR occurs when we accept a user whom we should actually have rejected
Biometric False Rejection Rate (FRR)
FRR is the problem of rejecting a legitimate user when we should have accepted him
Crossover Error Rate (CER)
describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal
AAA Framework
authentication, authorization, and accounting. AAA is a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services
Redundant Array of Independent Disks (RAID)
RAID (redundant array of independent disks) is a way of storing the same data in different places to provide increased speed, fault tolerance, and redundancy. Multiple disks/drives working in parallel.
RAID 0
Striping without parity - Great performance, but is not fault-tolerant. If one drive fails, all data in RAID 0 is lost. Requires two drives
RAID 1
Mirroring - Great r/w speed. In the event of a drive failure, data does not have to be rebuilt, just copied to the replacement drive from the still-functional mirror drive. Requires two drives
RAID 5
Striping with parity. RAID 5 is the most common secure RAID level, ideal for mission critical storage. If a drive fails, you have access to all data even while failed drive is being replaced. Requires 3+ drives
RAID 10
Combines characteristics of RAID 1 and RAID 0. If something goes wrong with one of the disks, the rebuild time is very fast. Half of storage capactity goes to mirroring, so this is expensive redundancy.
NIC Teaming
Network Interface Card (NIC) teaming is a common technique of grouping physical network adapters to improve performance and redundancy. NIC teaming maintains a connection to multiple physical switches but uses a single IP address. This ensures readily available load balancing and instant fault tolerance
Uninterruptable Power Supply (UPS)
a device that provides backup power to electrical systems during power outages or fluctuations. It helps to ensure uninterrupted operation and protect sensitive equipment from potential damage
Power Distribution Units (PDU)
a device with multiple power outlets that provides electrical protection and distributes power to IT equipment within a rack
Full Backups
A full backup is the most complete type of backup where you clone all the selected data
Incremental Backups
The first backup in an incremental backup is a full backup. The succeeding backups will only store changes that were made to the previous backup
Differential Backups
This type of backup involves backing up data that was created or changed since the last full backup
High Availability (HA)
High availability (HA) is the ability of a system to operate continuously without failing for a designated period of time
System on a Chip (SoC)
Embedded system that has multiple components running on a single chip. Limited off the shelf security options.
Internet of Things (IoT)
Smart devices, wearable technology, facility automation sensors for heating and cooling, lighting, etc.
Field Programmable Gate Array (FPGA)
Integrated circuit that’s configured after manufacturing, often programmed in the field. Problems don’t require hardware replacements
SCADA / Industrial Control Systems (ICS)
Large-scale multi-site systems. PCs manage facilities and equipment. No access from outside
Multifunction Devices (MFD)
All-in-one devices such as printers, scanners, fax machines. Logs stored on the local device.
Real-Time Operating System (RTOS)
Deterministic processing schedule. Commonly used in industrial equipment, automobiles, and military environments
Narrowband
Communication of analog signals over narrow range of frequencies, used for longer distance communication by IoT devices
Baseband
Generally a single cable with digital signal, either 0 or 100% utilization of bandwidth.
5G
5th Generation cellular networking with significant impact to IoT devices, allowing larger data transfers, faster monitoring and additional processing
Faraday Cage
A mesh conductive metal cage used to block electromagnetic fields
Screened Subnet / DMZ
Also known as a DMZ, this sits between the internal network and public internet, providing public access to select public resources
USB Data Blocker
Allows power supply but rejects data transfer
Air Gap
Term used to describe a physical separation between networks
Hot / Cold Aisles
Aisles at a data center used to control air flow to optimize cooling and conserve energy
Degaussing
the destruction of the data on a data storage device by removing its magnetism
Pulping
Process of removing ink from paper, breaking the paper down into pulp, and re-using the recycled paper.
Key Stretching
Taking an input password and running it through a hashing algorithm multiple times. “Hashing the hash”.
Homomorphic Encryption (HE)
the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form.
Elliptic Curve Cryptography (ECC)
Use curves instead of large prime numbers. Uses smaller keys and requires less data transmission and storage. Great for allowing asymmetric encryption capabilities on IoT and mobile devices
Perfect Forward Secrecy (PFS)
An encryption system that changes the keys used to encrypt and decrypt information frequently and automatically
Steganography
the practice of representing information within another message or physical object, such as hiding data in an image.
Stream Ciphers
Encypts and stores 1 byte of plain-text at a time. High speed, low complexity. Used commonly in symmetric encryption. Often combines keys with an Initialization Vector
Block Ciphers
Encrypts/stores a block of bits at a time, typically 64 or 128-bits. Padding added to fill incomplete blocks.
Electronic Codebook (ECB)
The simplest encryption mode, using a single encryption key for every block in the series.
Cipher Block Chaining (CBC)
Another encryption method, where each block is XORed with previous ciphertext block, adding additional randomization. Initialization Vector added to first block prior to encryption. Each subsequent block uses the previous ciphertext as the IV.
Blockchain
Distributed ledger used to keep track of a particular event.
Process begins with a transaction, which is copied to each device participating in the blockchain. Once verified, it’s added into the existing block of transactions. Hashing is used with each transaction. The hash is then added to the block, which allows for validation that nothing has changed, and the block is added to the chain of existing blocks, available for all participating nodes.
Secure Real-Time Transport Protocol (SRTP)
Secure Real-time Transport Protocol (SRTP) is a network protocol for delivering audio and video over IP networks (VOIP). Utilizes a broad range of UDP ports.
Secure Network Time Protocol (SNTP)
Simple Network Time Protocol (SNTP) is an Internet Protocol (IP) used to synchronize the clocks of networks of computers. SNTP is over port 123.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
A set of specifications for securing electronic mail. S/MIME is based upon the widely used MIME standard and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects
Simple Mail Transfer Protocol (SMTP)
SMTP is used for email transmissions over port 25. SMTPS (SMTP Secure) provides encryption and is over port 587.
Internet Protocol Security (IPSec)
a set of communication rules or protocols for setting up secure connections over a network utilizing encryption and authentication
Authentication Header (AH)
The IPSec component that provides integrity through hashing the packet. The AH gets added to the data being sent across the network.
Encapsulation Security Payload (ESP)
The IPSec component that provides encryption functionality. Adds ESP headers and trailers to the data
File Transfer Protocol Secure (FTPS)
Uses SSL to encrypt information sent over FTP. FTP is over port 20 and 21.
Remote Desktop Protocol (RDP)
RDP enables users to remotely connect to their desktop computers from another device over port 3389.
SSH File Transfer Protocol (SFTP)
Uses SSH to encrypt information sent over FTP client. SFTP utilizes SSH using port 22.
Lightweight Directory Access Protocol (LDAP)
Protocol used to access a centralized directory. LDAPS is a non-standard version of LDAP using SSL for encryption. LDAP is over port 389 and 636
Domain Name System Security Extensions (DNSSEC)
Security features added to DNS protocol. Allows validation of information received from a DNS server through the use of digital signatures.
Simple Network Management Protocol Version 3 (SNMPv3)
Provides secure access to devices by authenticating and encrypting data packets over the network. SNMP is over port 161 and 162.
Next Generation Firewall (NGFW)
A security appliance that processes network traffic and applies rules to block potentially dangerous traffic. Allows for IPS, deep packet inspection, and application control, in addition to features provided by standard firewalls.
Boot Integrity
Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running
Secure Boot
This is a feature of the Unified Extensible Firmware Interface (UEFI) that helps ensure that only trusted software is loaded during the boot process. It prevents the loading of malware or unauthorized operating systems during the boot sequence.
Trusted Boot
Trusted Boot is a broader term that encompasses the concept of using trusted hardware and software components to ensure the integrity of the boot process. This can include technologies such as Secure Boot and Measured Boot, as well as the use of hardware-based security features like TPMs
Measured Boot
Measured Boot is a feature that creates a record, or measurement, of the boot process. This record is then stored in a trusted location such as a Trusted Platform Module (TPM). By comparing this measurement with a known good measurement, it’s possible to detect any unauthorized changes to the boot process
Fuzzing
an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities
Static Application Security Testing (SAST)
a testing methodology that analyzes source code to find security vulnerabilities that make your organization’s applications susceptible to attack
Full Disk Encryption (FDE)
Full-disk encryption (FDE) is a security method for protecting sensitive data at the hardware level by encrypting all data on a disk drive
Self-Encrypting Drive (SED)
All of the data written to the storage medium is encrypted by the disk drive before being written and decrypted by the disk drive when it is read
East-West Traffic
refers to network traffic that occurs within an organization’s internal network
North-South Traffic
network traffic that enters or exits an organization’s internal network
VPN Concentrator
A hardware device that creates and helps to manage multiple VPN connections remotely by creating safe tunnels on a large scale
Full Tunnel VPN
This means that every data packet, whether browsing a website, accessing emails, or streaming media, is encrypted and passed through the VPN before reaching its final destination on the internet
Split Tunnel VPN
only specific traffic is sent through the VPN tunnel, while the rest of the traffic is directly routed to the internet without passing through the VPN server
IPSec Transport Mode
Sends original IP Header with the data, but the data is surrounded by an IPSec Header and Trailer. IP Header remains in the clear.
IPSec Tunnel Mode
IP Header and Data are both encrypted. The original IP Header and Data are surrounded an IPSec Headers and Trailer, and a new IP header will be used to send across the network.
802.1D Loop Protection
Also known as Spanning Tree Protocol (STP), this prevents loops and selects the best LAN path, providing redundancy of a link were to fail.
MAC Filtering
MAC address filtering allows you to block traffic coming from certain known machines or devices
Unified Threat Management (UTM) / All-in-One Security Appliance
Unified threat management (UTM) refers to when multiple security features or services are combined into a single device within your network. Using UTM, your network’s users are protected with several different features, including antivirus, content filtering, email and web filtering, anti-spam, and more
Proxy
A proxy server is an intermediary server that retrieves data from an Internet source, such as a webpage, on behalf of a user. Protects the client
Reverse Proxy
A server that sits in front of one or more web servers to intercept and inspect incoming client requests before forwarding them to the web server. Protects the server
Hardware Security Module (HSM)
a physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions
Jump Server
a secure computer that spans two or more networks, allowing users to connect to it from one network, and then “jump“ to another network
Wired Equivalent Privacy (WEP)
Earliest security protocol used for securing wireless networks. No longer used due to vulnerabilities.
Wifi-Protected Access (WPA)
Wireless security protocol developed to solve the problems with WEP. Utilizes TKIP (Temporal Key Integrity Protocol) to dynamically change keys. TKIP has vulnerabilities of it’s own.
Wifi-Protected Access II (WPA2)
Wireless security protocol designed to improve upon WPA. Requires stronger encryption method AES, strong enough to resist brute-force attacks.
Wifi-Protected Access 2 Pre-Shared Key (WPA2 PSK)
WPA2-PSK stands for Wi-Fi Protected Access 2 – Pre-Shared Key. It uses the same passphrase for all devices.
Simultaneous Authentication of Equals (SAE)
key exchange protocol designed to establish a shared secret between two devices and securing the key exchange process as part of the WPA3 security standard.
Diffie-Hellman
Diffie–Hellman key exchange establishes a shared secret between two parties that can be used for secret communication for exchanging data over a public network
802.1X
a network authentication protocol that requires client authentication for access to a network. The clients identity is determined based on the credentials or certificate they provide, which is validated by an authentication server using the RADIUS protocol.
Wifi Protected Access 3 (WPA3)
WPA3 introduces the “Simultaneous Authentication of Equals” (SAE) or Dragonfly protocol
Wifi-Protected Setup (WPS)
A feature designed to make the process of connecting to a secure wireless network from a computer or other device easier
Extensible Authentication Protocol (EAP)
a framework for providing authentication that allows for the use of many different authentication methods for secure network access technologies - Generally 4 Common versions - LEAP, FAST, PEAP, and EAP-TLS.
EAP Flexible Authentication via Secure Tunneling (EAP FAST)
a version of EAP that enables mutual authentication between a client and an authentication server via a secure tunnel. Does not require use of certificates.
Protected Extensible Authentication Protocol (PEAP)
version of EAP that enables mutual authentication between a client and authentication server. Authentication server utilizes digital certificates to provide authentication, whereas the client provides standard credentials.
EAP Transport Layer Security (EAP-TLS)
version of EAP that enables mutual authentication between a client and authentication server through the use of digital certificates on both sides.
MSCHAPv2
a widely used authentication protocol primarily used for securing remote access connections in Virtual Private Networks (VPNs). MSCHAPv2 is used to verify the identity of a user or device trying to establish a connection to a network or a remote server
Mobile Device Management (MDM)
Mobile device management (MDM) is the administration of mobile devices, such as smartphones, tablet computers, and laptops
Rooting/Jailbreaking/Sideloading
Gaining access to the operating system to install custom firmware. Provides uncontrolled access
Hotspot/Tethering
the linking of a computer or other device to a smartphone in order to connect to the internet
Corporate Owned, Personally Enabled (COPE)
Corporate owned devices given to users that they can also use for personal use
Cloud Access Security Broker (CASB)
ensure regulatory compliance and data protection, govern cloud usage across devices and cloud applications, and protect against threats
Next-Gen Secure Web Gateway (SWG)
secure web gateways are a mix of tools specifically designed to protect users and their devices while browsing the internet beyond examining URLs and GET requests
Trusted Platform Module (TPM)
a physical or embedded security technology (microcontroller) that resides on a computer’s motherboard or in its processor. TPMs use cryptography to help securely store essential and critical information on PCs to enable platform authentication
Challenge-Handshake Authentication Protocol (CHAP)
an identity checking protocol that periodically re-authenticates the user during an online session
TACACS
Terminal Access Controller Access-Control System, is a network protocol that was developed by Cisco and controls user access to devices like routers, NAS, and switches, separating authentication and allowing fine-grained access control
Kerberos
Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. Enables SSO
Security Assertion Markup Language (SAML)
an open standard that allows you to use one set of credentials to log into many different websites
OAuth
a widely adopted authorization framework that allows you to consent to an application interacting with another on your behalf without having to reveal your password
Mandatory Access Control (MAC)
A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information
Discretionary Access Control (DAC)
A means of providing access to an object at the discretion of the owner.
Role-Based Access Control (RBAC)
restricts network access based on a person’s role within an organization
Attribute-Based Access Control (ABAC)
an authorization model that evaluates attributes (or characteristics), rather than roles, to determine access
Rule-Based Access Control
used to manage access to locations, databases and devices according to a set of predetermined rules and permissions that do not account for the individual’s role within the organization
Public Key Infrastructure (PKI)
The set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public-keys
Digital Certificates
A digital certificate is a file or electronic password that proves the authenticity of a device, server, or user through the use of cryptography and the public key infrastructure (PKI)
Certificate Authority
a trusted entity that issues Secure Sockets Layer (SSL) certificates after the registration authority has authorized the requestor’s ability to do so.
Registration Authority
A trusted entity that establishes and vouches for the identity and authorization of a client requesting a certificate, proving they allowed to request certificates for the domain in question.
Online Security Status Protocol (OCSP)
provides a mechanism, as a supplement to checking against a periodic certificate revocation list (CRL), to obtain timely information regarding the revocation status of a certificate
Certificate Revocation List (CRL)
a list of digital certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date
Root Certificate
The public key certificate that identifies the root CA. The root certificate issues other certificates. Access to the root certificate allows for the creation of any trusted certificate.
Privacy-Enhanced Mail (PEM)
Base64 encoded DER certificate, generally the format provided by CAs, readable in ASCII format.
PKCS #12
Container format - can be used to store many X.509 certificates in a single .p12 or .pfx file. Often used to transfer a private and public key pair.
PKCS #7
Distinguished Encoding Rules (DER)
Certificate format designed to transfer syntax. Binary format (not human readable).
OCSP Stapling
OCSP status is “stapled” into the SSL/TLS handshake
Certificate Pinning
You can “pin” the expected certificate or public key to an application. If the expected key doesn’t match, the application can device what to do in response (shut down, etc).
Key Escrow
Third-party holds the decryption/private keys. Often a legitimate business arrangement.
Hierarchical CA
Single CA issues certs to intermediate CAs.
Web of Trust
Decentralized alternative to traditional PKI. Trust unknown certificates based on others who have verified and established relationship with them
Certificate Chaining
List all the certs between server and root CA. Any certificate between the SSL certificate and the root certificate is an intermediate certificate.
Tracert/Traceroute
Determine the route a packet takes to a destination. Used to identify where a network issue may lie
Nslookup/DiG
Lookup information from DNS servers, such as IP addresses
Pathping
combines ping and traceroute commands. First phase runs a traceroute to build a map, then measures round trip time and packet loss at each hop.
hping
netstat
Returns network statistics, such as active connections and binaries
netcat
allows you to listen on a port, transfer data, scan ports and send data to a port
nmap
Network Mapper, used to discover information about network devices, such as open ports, services, versions, OS, etc.
arp (command)
views the local ARP table. The ARP table associates an IP address to a MAC address.
curl
request or send data over a URL
scanless
Allows you to run port scans sourced from a separate host. Essentially a port scan proxy, hiding your true source IP
dnsenum
Enumerate DNS information to find host names, view services, etc.
Nessus
Industry leader in vulnerability scanning. Used to identify known vulnerabilities and offers extensive reporting.
Cuckoo
A sandbox solution for malware testing in a safe environment. Offers reporting on network traffic, memory analysis, and API calls.
theHarvester
Used to gather OSINT, can scrape information from Google or Bing to find things like associated IP addresses, list of people from LinkedIN, email contacts
sn1per
Suite that combines many recon tools into a single framework, including dnsenum, metasploit, nmap, theHarvester, and more
head
command to view the first x lines of a file
tail
command used to view the last x lines in a file
cat
command used to copy file contents to the screen or to another file
grep
command to find text in a file (essentially CTL-F within a file)
chmod
command to change mode of a file system object, r/w/x
-rwxrw-r– would signify the owner of the file has r/w/x permissions, the group would have r/w, and everyone else would have r
logger
command used to manually add entries to a system log
OpenSSL
A toolkit and crypto library for SSL/TLS, used to build certificates and manage SSL/TLS communication
tcpreplay
A suite of packet replay utilities that can be used to replay and edit packet captures
tcpdump
Captures packets from the commandline and displays packets on the screen, can write output to a file. CLI version of wireshark.
Wireshark
Graphical version of tcpdump. Used to analyze packets and view traffic patterns
dd
command used to create a disk image or copy of a drive, or restore from an image
memdump
command used to copy information in system memory
Winhex
A universal hexadecimal editor used to edit disks, files, RAM. Offers disk cloning and secure wipe capabilities
FTK Imager
Forensic drive imaging tool
Autopsy
Perform digital forensics of hard drives to view and recover data.
Metasploit
Very common exploitation framework used to attack known vulnerabilities and build custom attacks
The Social-Engineer Toolkit (SET)
Well known exploitation framework
Reconstitution
The recovery phase of the incident response process.
IR Process
Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident Activities
Tabletop
Talk through the drill’s logistics and steps that would be taken. “What would we do”
Simulation
Testing performed with an actual simulated event
Walkthrough
One step further than a Tabletop - Test processes and procedures prior to an event to identify faults and missing steps
MITRE ATT&CK Framework
Framework used to identify and understand actions of an attacker, as well as security techniques to mitigate them.
Diamond Model
Model used to document and better understand an intrusion. Identify relationship between the Adversary, Capability, Victim, and Infrastructure.
Cyber Kill Chain
Recon - Weaponization - Delivery - Exploit - Installation - C&C - Actions on objectives
System Logs
Operating system logs, file system information, and can include security events
Application Logs
Logs specific to an application
Security Logs
Logs containing information related to blocked/allowed traffic flows, exploit attempts, blocked URL categories, and DNS sinkhole traffic. Typically created by IPS, firewalls, and proxies.
Web Logs
Logs related to web server access, exploit attempts and server activity such as startup and shudown
DNS Logs
Logs related to DNS queries - includes IP address of the request, can identify queries to known bad sites, and log results of those queries (blocked/allowed)
Authentication Logs
Logs related to accounts logging into a system, success/failures, & source IP. Can be used to identify brute force activity.
Dump Files
Dump files store all contents of memory associated with an application or process
NetFlow
Method of gathering network stats from switches, routers, etc. Consolidated onto a NetFlow server and analyzed from a management console.
IP Flow Information Export (IPFIX)
Newer version of NetFlow. Provides flexibility on what data is collected
Sampled Flow (sFlow)
Embedded in switches/routers to capture a portion of network traffic
Metadata
Data that describes other data sources. Example - Email headers
Order of Volatility
Ask the question - how long does data stick around? Most volatile data includes CPU registers/cache > Router Table/ARP cache, process table, kernel statistics, memory > Temp File systems > Disk
Snapshot
A point-in-time system image, typically in relation to Virtual Machines.
Artifacts
Digital items left behind. Commonly found in logs, flash memory, cache files, recycle bins
Corrective Controls
Designed to mitigate damage. Think backups and IPS.
Deterrent Controls
Doesn’t prevent, but may discourage intrusion. Think warning signs/login banners.
Compensating Controls
Doesn’t prevent an attack, but provides restoration through other means. Think re-imaging, hot sites, or backups.
Physical Controls
Fences, locks, etc.
General Data Protection Regulation (GDPR)
European Union regulation on information privacy in the European Union
Payment Card Industry Data Security Standard (PCI DSS)
Standard for protecting credit cards
NIST Risk Management Framework (RMF)
6 steps to risk management. Categorize > Select > Implement > Assess > Authorize > Monitor
NIST Cybersecurity Framework (CSF)
Identify, Protect, Detect, Respond, and Recover
International Organization for Standardization (ISO)
n/a
ISO 27001
Standard for information security management systems
ISO 27002
Code of practice for information security controls
ISO 27701
Focuses on privacy information management systems
ISO 31000
Standards for risk management practices
Cloud Security Alliance (CSA)
Non-profit organization focusing cloud security
CSA Cloud Controls Matrix (CSA CCM)
Controls are mapped to standards, best practices, and regulations to follow in the cloud.
SOC 2 Type 1
Audit will test controls at a particular date and time
SOC 2 Type 2
Audit will test controls over a period of 6+ months
Acceptable Use Policies
Defines how technologies should be used
Non-Disclosure Agreements
Confidentiality agreement that limits information that can legally be shared to ensure privacy
Job Rotation
People rotate job roles, creating less of an opportunity for someone to take advantage of a security issue
Split Knowledge
No single person has all the knowledge/details
Dual Control
Two people must be present in-person to perform a business function
Service Level Agreement (SLA)
Sets a minimum set of service terms, such as uptime or response time
Memorandum of Understanding (MOU)
Informal letter of intent/expectations, not a signed legal contract.
Measurement System Analysis (MSA)
Provides a way for a company to evaluate and assess the quality of the process used in measurement systems.
End of Life (EOL)
When a manufacturer stops selling a product. End of Service Life refers to when support ends patches and updates are no longer provided.
Inherent Risk
Risk that exists in the absence of security controls
Residual Risk
Inherent Risk combined with effectiveness of security controls.
Annualized Rate of Occurrence (ARO)
Describes the likelihood of a risk occurring
Single Loss Expectancy (SLE)
How much money is lost if a single event were to occur
Annualized Loss Expectancy (ALE)
Calculated by multiplying ARO x SLE
Recovery Time Objective (RTO)
Describes how long it takes to get back up and running to a certain service level
Mean Time Between Failures (MTBF)
Predict time between outages
Mean Time To Repair (MTTR)
Time required to fix an issue
Personally Identifiable Information (PII)
Data that can be tied back to an individual, such as name, address, biometric information, telephone number
Protected Health Information (PHI)
Health records associated with an individual. Health status, insurance details, payments, etc.
Data Controller
Manages the purpose and means by which personal data is processed
Data Processor
Processes data on behalf of the data controller (often a third party or different group)
Data Custodian/Steward
Responsible for data accuracy, privacy and security.
Data Protection Officer
Responsible for the organization’s overall data privacy policies.
Session Hijacking
Session ID (often stored in cookies) is stolen by an attacker and is able to pose as the victim without username or passwords.
Prevent this by use of End to End encryption
Infrastructure as a Service
Outsourcing equipment/hardware. You’re still responsible for the management of data and the OS/application running on the equipment
Platform as a Service
Middle ground of IaaS and SaaS. Provides a platform, including hardware and OS for you to develop your own application.
Software as a Service
On-demand software. Everything is managed and configured by the provider.
Anything as a Service
A broad description of any service delivered over the internet.
Counter Mode (CTR)
Block cipher mode that acts like a stream cipher. Utilizes a incremental counter to create each block of ciphertext.
Galois/Counter Mode (GCM)
Combines Counter Mode (CTR) with Galois authentication. Commonly used in wireless connections and IPSEC.
