Deck 1 Flashcards
Cookie
A text file placed on a computer by a webpage or web app that stores information that can be used to customize a user’s experience. Can be targeted by an attacker to gain information on a host system, which can enable XSS or session hijacking.
Kerberos
A network protocol built on symmetric key cryptography that provides mutual authentication within a client-server model. Works on the basis of tickets to allow nodes on a non-secure network to prove their identity to one another in a secure manner. Uses UDP-88 by default. Version 5 uses AES.
TOGAF
The Open Group Architecture Framework (TOGAF) is a high-level framework for designing, planning, implementing and managing an enterprise IT architecture.
Modeled at four levels: Business, Application, Data and Technology.
ARP cache poisoning
An attack method that responds to ARP broadcast queries with falsified replies. Can also be caused by creating static ARP entries via ARP command.
ARP
Address Resolution Protocol (ARP) is a sub-protocol of the TCP/IP suite used to map IP network addresses to MAC hardware addresses used by a data link protocol.
X.509
The cryptography standard defining the format of public key certificates. TLS/HTTPS rely on these digital certs for secure web browsing. These certs can also be used offline in electronic signatures. An X.509 cert contains a public key and an ID; gets signed by a certificate authority.
Steganography
Cryptographic method, via a covert channel, to hide information within other information, such as embedding text within an image or saving a file in a different format than expected.
Trojan
A social engineering technique that exploits weaknesses in human nature by enticing a user to open and execute a file using impersonation or appealing language. Often involves an interesting PDF document in a phishing email that actually contains a malicious payload.
XACML
eXtensible Access Control Markup Language (XACML) is an XML standard that defines a fine-grained, attribute-based access control architecture, to streamline the exchange of provisioned users and resources between organizations. This kind of model separates the access decision from the point of use and supports role-based access control.
OSPF
Open Shortest Path First (OSPF) is a routing protocol that uses a link-state algorithm and operates as an interior gateway protocol within a single autonomous systems (AS). Suports Classless Inter-Domain Routing (CIDR) addressing.
BGP
Border Gateway Protocol (BGP) is a routing protocol that combines link-state and distance-vector routing algorithms to create a network topology for routing data on exterior gateways.
Blowfish
A 64-bit block symmetric key encryption algorithm that uses variable key length (32 to 448-bits) and puts the blocks through 16 rounds of crypto functions.
RDP
Remote Desktop Protocol (RDP), developed by Microsoft, provides the user with a Graphical User Interface (GUI) to connect to another computer over a network connection. By default RDP Server listens on tcp-3389 and udp-3389.
FRR
The false recognition rate (FRR) is the measure of the likelihood that a biometric security system will incorrectly reject an access attempt by an authorized user. Typically measured as the ratio of false recogs / number of ID attempts.
FAR
The false acceptance rate (FAR) is the measure of the likelihood that a biometric security system will incorrectly accept an access attempt by an UNauthorized user. Typically stated as the ratio of false accepts / number of ID attempts.
Phreaking
An attack whereby a telephone system is hacked using various tricks and techniques, in order to make free long-distance calls or steal specialized services.
LDAP
Lightweight Directory Access Protocol (LDAP) is the industry standard application protocol for accessing and maintaining directory information services over an IP network. Directory services is a common place to store usernames and passwords, or the hierarchical structure of organizational groups.
SOAP
Simple Object Access Protocol (SOAP) is an XML-based messaging protocol specification for exchanging structured data as part of a web services request. Relies on HTTPS or SMTP for message negotiation and transmission.
XML
eXtensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. Supports Unicode for different human languages. APIs are used to aid in the processing of XML data.
API
Application Programming Interface (API) is a set of subroutines, comm protocols and tools for building software, used to define methods of communication between disparate components, networks or organizations. An API may be for a web-based system, operating system, hardware component or software library.
REST
Representational State Transfer (REST) is a software architecture that defines a set of constraints to be used for web services. RESTful web services allow for stateless operations between disparate systems using payloads formatted in HTML, XML or JSON. The HTTP methods available are GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS and TRACE.
JSON
JavaScript Object Notation (JSON) is an open-standard file format that uses human-readable text to transmit data objects made up of attribute-value pairs and array data types. Common format for asynchronous browser-server coms as a replacement for XML. JSON file extension is .json.
NIST CSF
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a policy framework for how private sector orgs can improve their ability to identify, protect, detect, respond and recover from cyber attacks.
ISO27001
International Organization of Standards (ISO) 27001 is an information security standard that gives specific requirements for information security controls. The full string is ISO/IEC 27001:2013.
ISO27002
International Organization of Standards (ISO) 27002 is intended to be a “code of practice” for information security controls.
ITIL
Information Technology Infrastructure Library (ITIL) is a set of detailed practices to demonstrate compliance and to measure improvement. ITIL focuses on aligning IT services with business needs. ITILv4 was released in Feb 2019 and includes the service value system (SVS) and the four dimensions model (people, products, partners, process).
AES
The Advanced Encryption Standard (AES), established by NIST in 2001, uses a variant of the Rijndael block cipher to encrypt and protect data. AES is a symmetric-key algorithm with a fixed block size of 128-bit with three different key lengths: 128, 192 and 256-bit.
GDPR
The General Data Protection Regulation (GDPR) is a European Union legal regulation for data protection and privacy for all citizens of the EU, effective May 2018. Primary aim is to give individuals control over their personal data. “Appropriate technical and organizational measures” must be in place to protect personal data. Businesses must report data breaches within 72 hours.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, to govern how Personally Identifiable Information (PII) was maintained by the healthcare industry.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is an infosec standard for companies that handle payment card data, meant to reduce credit card fraud and improve controls around cardholder data. Most recent version is v3.2.1. Validation is performed quarterly or annually by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) that creates a Report on Compliance (ROC) for large volumes or a Self-Assessment Questionnaire (SAQ) for smaller volumes.
BCP
Business Continuity Planning (BCP) is the process of creating systems of prevention and recovery to deal with potential threats or interruptions to a company. The goal is to permit ongoing operation, before and during execution of disaster recovery. An early stage is a Business Impact Analysis (BIA).
DRP
Disaster Recovery Plan (DRP) is a documented set of procedures for an organization to follow to recover and protect IT infrastructure in the event of a disaster (natural, environmental or man-made). Three basic strategies are involved: Prevention, Detection and correction.
FDE
Full Disk Encryption (FDE) protects data by encrypting every bit of data that is written to the disk or volume. Can work with a TPM to secure hardware through integrated crypto keys.
POODLE
Padding Oracle On Downgraded Legacy Encryption (POODLE) is a padding attack against SSL 3.0 that is used for a man-in-the-middle attack after a version rollback attack from TLS 1.0 down to SSL 3.0, to decrypt packets and break browser encryption.
BEAST
Browser Exploit Against SSL/TLS (BEAST) is a proof-of-concept attack that uses a cipher block chaining (CBC) vulnerability in RC4 to compromise a TLS 1.0 browser session. Modern versions of Chrome and Firefox are not vulnerable to BEAST. Microsoft resolved this by changing the way SChannel transmits encrypted packets.
TPM
Trusted Platform Module (TPM) is an international standard for a dedicated microcontroller designed to secure hardware using integrated crypto keys. Conceived by the TCG, standardized by the ISO and IEC in 2009.
MFA
Multi-Factor Authentication (MFA) is an authentication method where the user must present two or more pieces of evidence to the mechanism: 1) knowledge (something you know), 2) possession (something you have) and/or 3) inherence (something you are). May involve a one-time password (OTP) from an authenticator such as Google Authenticator. Sometimes called “2FA.”
MITRE ATT-CK
The MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT-CK) framework is a globally-accessible knowledge base of hacker tactics and techniques based on real-world observations. Can be used to develop information security threat models for the private sector, government and military.
Bitlocker
A full-volume encryption tool that is included by default on all Windows versions starting with Vista. Uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. Designed to encrypt entire volumes; supports a different key for each volume.
CVSS
The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing and assigning a severity score to each discovered vulnerability, allowing incident response to prioritize based on risk.
DKIM
DomainKeys Identified Mail (DKIM) is an email authentication method for detecting forged sender addresses and prevent email spoofing, phishing and spam. Each outgoing message receives a digital signature linked to the sender’s domain name, allowing the recipient system to verify by looking up the sender’s public key published in DNS.
DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol designed to protect a domain from being used in targeted email phishing attacks. Extends the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), allowing a domain owner to publish a policy via Domain Name System (DNS) to specify what mechanism is used to validate the sender.
SPF
The Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of email. Must be used in combination with Domain-based Message Authentication, Reporting and Conformance (DMARC) in order to detect a forged visible sender in email.
FISMA
The Federal Information Security Modernization Act of 2002 (FISMA) is federal law meant to enforce information security standards in protection of the economic and national security interests of the United States. It requires each agency to develop, document and implement an agency-wide program to provide information security for all systems that support the operations of that agency, including contractors.
LAPS
Local Administrator Password Solution (LAPS) provides management of local administrative account passwords for domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an Access Control List (ACL) so only eligible users can read it or request a password reset.
NTLM v2
In a Windows network, New Technology LAN Manager (NTLM) v2 is a suite of Microsoft challenge-response protocols that provide authentication, integrity and confidentiality to users, based on the configuration in Group Policy. Superior to NTLM v1, which is now vulnerable to pass-the-hash and brute-force attacks.
OWASP
The Open Web Application Security Project (OWASP) is an online community that produces articles, methods, tools and technologies for web application security. The OWASP Top Ten (2017) aims to raise awareness about the most common webapp exploits such as SQL Injection, broken auth, XXE, XSS, broken access control.
ZAP
The Zed Attack Proxy (ZAP) is an open-source security tool from the OWASP community designed to find security vulnerabilities in web applications during development and testing.
SIEM
Security Information and Event Management (SIEM) is a log aggregration tool that provides real-time analysis of security alerts generated by applications and network hardware. Enterprise-wide SIEM solutions typically leverage a hybrid of cloud and on-prem hardware appliances and software applications.
UDP
User Datagram Protocol (UDP), a member of the IP suite, is a connectionless communication protocol that provides checksums for data integrity and can use port 0-65,535 to address source or destination functions. UDP doesn’t use handshakes and has no guarantee of delivery. UDP has low overhead and is suitable when no error-checking or correction is needed. Time-sensitive apps often use UDP since dropped packets are preferable to waiting for packet re-transmission.
VLAN
A Virtual Local Area Network (VLAN) is a broadcast domain that is partitioned and isolated in a network at the Data Link layer (Layer 2) of the OSI model. VLANs use tagging to keep application traffic separate despite being connected to the same physical network.
WPA2 or WPA3
Wi-Fi Protected Access (WPA) 2 and 3, defined under IEEE 802.11i, are secure wireless security protocol replacements for Wired Equivalent Privacy (WEP). Includes Temporal Key Integrity Protocol (TKIP) with a 64- or 128-bit key that is manually entered on access points and does not change. WPA also includes a Message Integrity Check, replacing the cyclic redundancy check (CRC) used by WEP.
ACL
An Access Control List (ACL) is a list of permissions attached to an object. A filesystem ACL is typically a table with entries that specify user or group rights to system objects such as programs or files. A network ACL, found on firewalls, routers or switches, provide rules that are applied to port numbers or IP addresses and rely on Layer 3 routing between hosts or network segments.
DNS
The Domain Name System (DNS) is a hierarchical, decentralized naming system for computers, services or other Internet-connected resources. DNS translates domain names to numerical IP address using udp-53 and functions as the “phone book for the Internet.”
CRL
A Certificate Revocation List (CRL) is a “list of digital certificates that have been revoked by the issues Certificate Authority (CA) before their expiration date and should no longer be trusted.”
race condition
When system behavior depends on the sequence or timing of other uncontrollable events. A race condition in a logic circuit or software program can be reported as a ‘bug.’
IDEA
International Data Encryption Algorithm (IDEA) is a symmetric-key block cipher designed to replace Data Encryption Standard (DES) and was used in Pretty Good Privacy (PGP) v2.0 and as an option in the OpenPGP standard. IDEA operates on 64-bit blocks using a 128-bit key and involves a series of 8 rounds of encryption.
H.323
ITU recommendation that defines audio-visual communication protocols across a packet network. Supports IP, PSTN, ISDN and QSIG and is compatible with most Voice over IP (VoIP) systems.
Kerckhoff’s principle
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
SAML
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, such as the handoff from identity provider and service provider. One common use case is web-based Single Sign-on (SSO).
SSO
Single Sign-on (SSO) is an access control method for authentication that includes multiple, independent software systems. A user logs in with a single ID and password to gain access to all authorized environments and applications. Commonly used with an LDAP lookup.
OAuth
An open standard for secure access delegation, used as a way for Internet users to grant websites or applications access to their data on a website without granting them the password. Allows access tokens to be issued to third parties by an authorization server with the approval of the resource owner.
KPI
Key Performance Indicator (KPI) is a type of performance measurement based on a set of values against which to measure. They can be Quantitative (objective) or Qualitative (subjective) and typically reveal lagging or leading indicators.
XOR
“Exclusive or” (exclusive disjunction) is a logical operation that outputs TRUE only when inputs differ. Can also be described as “one or the other but not both.”
SABSA
The Sherwood Applied Business Security Architecture (SABSA) is a framework and layered methodology for enterprise security architecture and service management. Developed from the Zachman Framework. Creates a chain of traceability thru strategy, concept, design, implementation and ‘manage and measure’ phases.
Copyright
Guarantees creators of “original works of authorship” protection against unauthorized duplication for up to 70 years after death.
Trade Secret
Confidential intellectual property within a company. Proprietary information that would severely damage the business if lost or stolen. Can be protected forever.
ISC Code of Ethics
- Protect society, the commonwealth and the infrastructure.
- Act honorably, honestly, justly, responsibly and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
DRM
Digital Rights Management (DRM) tools, also known as Technological Protection Measures (TPM), are a set of access control technologies for restricting the use of copyrighted material. Meant to prevent intellectual property from being copied freely.
MIC
Message Integrity Check (MIC) replaced the flawed cyclic redundancy check (CRC) for error check functions in WPA.
SSID
Service Set Identifier (SSID) is a unique, customizable identifier (up to 32 bytes) that is broadcast in beacon packets to announce the presence of a WiFi network. A null SSID is called a “wildcard SSID.”
TKIP
Temporal Key Integrity Protocol (TKIP) is a symmetric encryption that relies on single use 128-bit session keys for WiFi access. Renegotiates each hour to prevent indefinite compromise of a single key within a WiFi environment.
OLE
Object Linking and Embedding (OLE) is a Microsoft tech that allows embedding and linking to documents and other objects. It includes OLE Control Extension (OCX) for developers to make custom user interface elements.
Biba model
A formal state transition system that describes a set of access control rules designed to ensure data integrity. This model is designed so that users cannot corrupt data in a level ranked higher than the user.
HRU
The Harrison-Ruzzo-Ullman model is an O/S-level security model that deals with integrity of access rights within the system. Proves the safety of systems using an algorithm.
Lattice model
A complex Mandatory Access Control (MAC) model based on the interaction between any combination of objects and subjects. A lattice is used to define the levels of security for objects; a subject is only allowed access to an object if the security level of the subject is greater than, or equal to, that of the object.
CAIN
An abbrevation for “Cain and Abel,” a password recovery tool for Windows that can use network packet sniffing, cracking password hashes using dictionary attacks, brute force or cryptanalysis (using rainbow tables). Designed and supported by Massimiliano Montoro.
CSMA/CD
Carrier-sense multiple access with collision detection (CSMA/CD) is a media access control method used in early Ethernet LAN networks. It leverages carrier-sensing to defer transmissions until no other stations are transmitting, used in combination with collision detection, which waits to resend the frame.
IPSec
Internet Protocol Security (IPSec) is a secure network protocol suite that authenticates and encrypts data packets sent over an IP network. A high-grade method for VPNs because it supports mutual authentication between endpoints and includes negotiation of crypto keys. Can be configured in transport or tunnel mode. Uses an authentication header (AH), which provides connectionless data integrity and prevents insertion attacks. Encapsulating Security Payloads (ESP) provides confidentiality, integrity and authentication. The Security Association (SA) provides the parameters necessary for AH + ESP operation and ISAKMP provides the framework for authentication and key exchange.
DNS
The Domain Name System (DNS) is a hierarchical, decentralized naming system for computers, services and resources on the Internet (or on a private network). This essential function on the Internet relies on UDP port 53 for communication. The most common types of records stored in the DNS database include Start of Authority (SOA), host IP address (A record), name servers (NS), mail exchangers (MX record) and domain aliases (CNAME). DNS uses TCP for a zone transfer, to replicate a portion of the database.
SSH
Secure Shell (SSH) is a cryptographic network protocol for using network services securely over an untrusted network. SSH supports remote command-line, login and command execution over an encrypted channel using TCP port 22. SSH was designed as a secure replacement for Telnet and does not pass any data in plaintext.
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is a protocol for establishing security associations (SA) and crypto keys. Provides a framework for authentication and key exchange.
IKE
Internet Key Exchange (IKE) is the protocol used to setup a security association (SA) for an IPSec connection. IKE uses X.509 certificates for authentication and works in conjunction with ISAKMP. Modern version is IKEv2.
AAA
Authentication, Authorization and Accounting (AAA) refers to network protocols that mediate network access such as RADIUS or Diameter.
AV
Asset Value (AV) is a measurement of replacement cost for a particular resource or asset.
SLE
Single Loss Expectancy (SLE) is the monetary value expected from the occurrence of a risk (exposure factor) on an asset (asset value).
SLE = AV x EF
ALE
Annualized Loss Expectancy (ALE) is the product of the single loss expectancy and the annual rate of occurrence.
ALE = SLE x ARO
ARO
Annualized Rate of Occurrence (ARO) represents the probability of a specific threat taking place in a given year.
ARO x SLE = ALE
APT
An Advanced Persistent Threat (APT) is an adversary that uses expertise and resources to create opportunities across multiple attack vectors to gain a foothold in the organization and remain unnoticed for long periods of time while extending access and stealing sensitive data. Threat actors in an APT often work on behalf of a government or intelligence agency.
AUP
An Acceptable Use Policy (AUP) is a set of rules applied by the owner of a company or website that restrict behavior of employees or users. Signed or acknowledged as part of the onboarding process.
SA
A security association (SA) is a one-way channel and logical connection that provides a secure connection between two network devices. Defines a logical set for data encryption, public key and initiation vector (IV).
threat agent
An individual or group that can manifest a threat. Can include external hackers, internal employees, human error or even squirrels chewing on cables. Threat Agent = capabilities + intentions + past activities.
threat modeling
A process for identifying, enumerating and prioritizing structural vulnerabilities from an attacker’s point of view. Provides defenders with a systemic analysis of probable attack vectors. Threat models include: STRIDE (Microsoft, 1999, data flows), PASTA (7-step risk-centric), Trike (based on a requirements model) and VAST (process across infrastructure and entire SDLC).
802.11e
IEEE standard that defines Quality of Service (QoS) for wireless applications through modifications to the media access control (MAC) layer.
ECC
Elliptic-curve cryptography (ECC) is a form of public-key crypto based on the algebraic structure of elliptic curves over finite fields. Useful for key agreement, digital signatures, pseudo-random generators. Can be used for encryption by combining key agreement with a symmetric encryption scheme.
HMAC
Hash-based message authentication code (HMAC) involves a crypto hash function and a secret crypto key. Used to verify data integrity and the authentication of a message. HMAC depends on the strength of the underlying hash function such as SHA-256 or SHA-3.
MS-CHAP
The Microsoft version of the Challenge-Handshake Authentication Protocol (CHAP) is used as an authentication option for PPTP in VPNs or with RADIUS servers or as the main authentication option in PEAP.
chosen-plaintext attack
A chosen-plaintext attack (CPA) is an attack model for cryptanalysis where the adversary can access ciphertexts of arbitrary plaintext messages in order to reveal all or part of the encryption key.
chosen-ciphertext attack
A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the adversary can access the decryptions of chosen ciphertexts in order to recover the encryption key.
ciphertext only
A ciphertext-only attack (COA) is an attack model for cryptanalysis where the adversary can only access a set of ciphertexts in order to recover the encryption key.
known plaintext
A known-plaintext attack (KPA) is an attack model for cryptanalysis where the adversary can access both the plaintext and ciphertext for a message, in order to recover the encryption key.
3DES
The Triple Data Encryption Algorithm, or “Triple DES” (3DES) is a symmetric-key block cipher that applies the 56-bit DES cipher algorithm three times to each data block of 64-bits.
RSA
Rivest-Shamir-Adleman (RSA) is a relatively slow assymetric public-key cryptosystem used for secure data transmission, first described in 1977. User creates and publishes a public key based on two secret large prime numbers. Receiver has a private key for decryption.
ERES
An electronic record, electronic signature (ERES) is part of the FDA’s approach under Title 21 Part 11 of the CFR, meant to provide guidance for electronic signatures.
MOU
A memorandum of understanding (MOU) is an agreement between two or more parties that expresses a “converge of will” indicating a common line of action. Does not imply a legal commitment but acts as a way to define a relationship between companies or agencies.
CASE
Computer-aided software engineering (CASE) is the domain of software tools used for developing high-quality, defect-free software. Considered part of good SDLC process for some companies.
Smurf attack
A distributed denial-of-service (DDoS) attack where large numbers of ICMP packets with a spoofed source IP are broadcast to a network using an IP broadcast address, resulting in a flood of packets and degraded performance.
LEAP
Lightweight Extensible Authentication Protocol (LEAP) is a Cisco WLAN authentication method that supports dynamic WEP keys (or TKIP), mutual auth and re-authentication. Relies on a modified version of MS-CHAP that is vulnerable to password cracking.
L2TP
Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support VPNs or for point-to-point ISP links. Does not provide encryption or confidentiality; superior to L2F and PPTP. L2TP header send via UDP.
HAVAL
A cryptographic hash function (1992) that can produce hashes of different lengths (128, 160, 192, 224, 256 bits) with specified rounds (3, 4, 5) to generate the hash. Represented as 32- to 64-digit hexadecimal numbers. Broken in 2004 using collision attacks.
Sesame
An open source Resource Description Framework (RDF) database based on Java with support for RDFS inferences and querying. Offers an extensible API to build third party stores on. Now includes a Python wrapper.
salt
Random data that is used as additional input to a one-way hashing function in order to safeguard passwords in storage. A new salt is generated for each password, making all salted hash instances for the same password different from each other.
nonce
An arbitrary pseudo-random number that can be used just once in a cryptographic communication in order to ensure that old communications cannot be reused in replay attacks.
Block cipher
An symmetric key algorithm based on fixed-length groups of bits (called a block), used for encryption of bulk data. Notable block ciphers: DES, IDEA, RC5, Rijndael/AES, Blowfish.
Stream cipher
A symmetric key cipher where plaintext digits are combined with a pseudo-random cipher digit stream (keystream). Each digit is encrypted one at a time with the corresponding digit of the keystream. A digit is a bit and the combining operation is an exclusive-or (XOR). Loosely inspired from the one-time pad (OTP).
split knowledge
Also known as secret sharing, refers to a method for distributing a shared secret amongst a group of participants, each of whom is allocated a share of the secret (a part of the key). The key can only be derived from cooperation and secret sharing. Examples: encryption keys, missile launch codes, numbered bank accounts.
Diffie-Hellman-Merkle
A pubic-key cryptosystem for secure exchange of keys over an untrusted public channel with no prior knowledge. A shared secret key is jointly established; that key is then used to encrypt subsequent coms using a symmetric key cipher.
X.509
A standard that defines the format of public key certificates used by HTTPS, TLS and digital signatures. An X.509 certificate includes a public key, an identity and a signature from a trusted certificate authority (CA). Also defines certificate revocation lists (CRL) that include info about invalid or expired certs.
OCSP
The Online Certificate Status Protocol (OCSP) is an Internet protocol that is used for revocation status of an X.509 digital certificate. Used as a faster alternative to certificate revocation lists (CRL) within a public key infrastructure (PKI). A web browser can use OCSP to validate HTTPS certs in real-time.
Replay attack
A form of network attack where a valid data transmission is intercepted and re-transmitted as a masquerade attack. A lower-tier man-in-the-middle (MITM) attack meant to use original and expected content to fool a system or participant.
S/MIME
Originally developed by RSA Data Security, Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of MIME data using the PKCS#7 or Cryptographic Message Syntax (CMS) secure message format to protect email software.
ICV
An integrity check value (ICV), or “checksum,” is a small chunk of datum derived from a block of data for the purpose of detecting errors or corruption during transmission or storage. Checksum functions can be used a primitives in larger authentication schemes. See: HMAC.
SDLC
The software development lifecycle (SDLC) describes the process of dividing software development into distinct phases to improve design, product management and project management. Methods include: Waterfall, Agile, Spiral, Rapid, Offshore, Extreme Programming.
CMMI
Capability Maturity Model Integration (CMMI) is a process level improvement training and appraisal program developed at Carnegie Mellon University and overseen by the ISACA. It is required by many DoD and U.S. Gov’t contracts for software development. Versions v1.3 (2010) and v2.0 (2018).
Maturity levels: Initial, Managed, Defined, Quantitatively Managed and Optimizing.
DevOps
A set of software development practices that combine development and IT operations to shorten the SDLC while delivering features, fixes and updates in alignment with business objectives.
Waterfall
A software development methodology based on a sequential, linear development process. Each phase must be completed before the next phase can begin: Requirements, Design, Implementation, Testing, Deployment, Maintenance.
Agile
A software development methodology based on iterative development where requirements and solutions evolve from collaboration between cross-functional teams. Coined in 2001 when the Agile Manifesto was formulated.
SLA
A service-level agreement (SLA) is a commitment between a service provider and a client that defines the responsibilities of each party (including faults, damages and fees) with specific metrics for quality and availability. May include thresholds for mean time between failures (MTBF), mean time to repair or mean time to recovery (MTTR). An ISP might measure their QoS using metrics for throughput or jitter.
OLA
An operational-level agreement (OLA) defines the interdependent relationships in support of a service-level agreement (SLA). This helps to ensure that underpinning activities are performed by support teams aligned to the SLA. An OLA is an important part of IT service management (ITSM).
Clark-Wilson model
An information integrity model that provides a foundation for specifying and analyzing an integrity policy for a computing system. Designed to prevent corruption of data due to error or malicious intent. This model relies on an access control triple (subject/program/object), whereby subjects do not have direct access to objects, which can only be accessed thr programs.
Bell-LaPadula model
A state machine model used for enforcing access control in government and military applications using multilevel security (MLS). As a formal state transition model it describes a set of access control rules which use security labels on objects - and clearances for subjects. Labels range from Unclassified/Public on up to Top Secret.
properties:
- Simple Security Property
- the * (star) property
- Discretionary Security Property
The tranquility principle of the Bell-LaPadula model states that the classification of a subject or object does not change while its being referenced.
SCAP
Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
Meltdown
A hardware-level chip exploit that breaks the mechanism that keeps applications from accessing arbitrary system memory. Uses side channels to obtain the information from the accessed memory location.
Spectre
A hardware-level chip exploit that takes advantage of built-in speculative execution, tricking other applications into accessing arbitrary locations in their memory. Uses side channels to obtain the information from the accessed memory location.
802.1x
An IEEE network protocol standard for port-based Network Access Control (NAC), providing an authentication mechanism to devices trying to attach to a LAN or WLAN. 802.1x defines the encapsulation of Extensible Authentication Protocol (EAP) over IEEE 802 (EAP over LAN…or “EAPOL”).
Internet zones
The EC-Council has defined five distinct zones:
- the public Internet
- an Internet DMZ
- the Production network
- an Intranet zone
- the Management network
hacking phases
The act of hacking consists of five main phases:
- Reconnaissance and Footprinting
- Scanning and Enumeration
- Gaining Access
- Maintaining Access
- Covering Tracks
TOE
The Target of Evaluation (TOE) is the software or system that is the subject of a penetration test and serves as a key aspect of the Common Criteria (CC). Can include a Protection Profile (PP), Security Target (ST) and Security Functional Requirements (SFRs).
ECPA
The Electronic Communications Privacy Act (ECPA) of 1986 was a law passed to extend government wiretaps to include transmissions of electronic data by computer. The ECPA has since been amended by CALEA in 1994, the PATRIOT Act in 2001 and 2006 and FISA Amendments Act in 2008.
USA PATRIOT Act
The USA PATRIOT Act is an act of Congress that was signed into law by President GW Bush on 10/26/2001. It stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. It was passed in response to the September 11th attacks and the anthrax attacks in 2001. It allows for indefinite detention of immigrants; permission for law enforcement to search a home or business without consent or knowledge; expands use of FBI searches of telephone, email and financial records without a court order (Title II: Enhanced Surveillance Procedures).
The Domestic Security Enhancement Act of 2003 (Patriot Act II) was drafted but never introduced to Congress after it was published by the Center for Public Integrity.
CISPA
The Cyber Intelligence Sharing and Protection Act (CISPA) is a proposed law that garnered favor from corporations and lobbying groups for Microsoft, Facebook, AT&T, IBM and the Chamber of Commerce. It ostensibly provides an effective means of sharing cyber threat information with the government. It has been criticized by privacy advocates (EFF, ACLU on the left and FreedomWorks and ACU on the right) because the powers would be used to spy on the general public rather than pursue malicious hackers.
Computer Security Act of 1987
U.S. federal law intended to improve the security and privacy of sensitive information in federal computer systems and to establish baseline security practices. It required the creation of computer security plans and appropriate training of system users or owners. It was repealed and superceded by the Federal Information Security Management Act (FISMA) in 2002.
SOX
The Sarbanes-Oxley Act (SOX) was U.S. federal law enacted in 2002 that set new and expanded requirements for all U.S. public companies. A number of provisions apply to private held companies such as the willful destruction of evidence to impede a federal investigation. Section 404: Assessment of internal control is the most contentious aspect of SOX and requires mgmt and the external auditor to report on the company’s internal control on financial reporting (ICFR).
COBIT
The Control Objects for Information and Related Technologies (COBIT) was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
Categorizes control objectives into these domains:
- planning and organization
- acquisition and implementation
- delivery and support
- monitoring and evaluation
NIST special publications
The National Institute of Standards and Technology (NIST) has published these special guidelines:
- 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security.
- 800-66 provides a resource guide for implementing the HIPAA Security Rule.
- 800-88 provides guidelines for media sanitization based on the categorization of confidentiality of data.
- FIPS 140-2 provides security requirements for cryptographic modules.
FIPS
Federal Information Processing Standard (FIPS) are publicly announced standards developed by Uncle Sam for use in computer systems by non-military agencies and contractors. Many FIPS standards are derived from ANSI, IEEE and ISO versions.
- FIPS 140 (crypto modules)
- FIPS 197 (Rijndael / AES cipher)
EAL
The Evaluation Assurance Level (EAL1 thru EAL7) of a product or system is a numerical grade assigned following the completion of a Common Criteria (CC) security evaluation. An international standard since 1999.
EAL1: Functional Tested
EAL4: Methodically Designed, Tested and Reviewed
whois
A query and response protocol that is widely used for querying databases that store registered users or company for domain names, IP address blocks or an autonomous system (AS). Drafted by the Internet Society and documented under RFC 3912.
RIR
A regional Internet registry (RIR) is an organization that manages the allocation and registration of IP addresses and AS numbers on a by-region basis:
- AFRINIC serves Africa
- ARIN serves North America (except Mexico)
- APNIC serves East Asia, Oceania and Southeast Asia
- LACNIC serves Latin America and the Caribbean
- RIPE serves Europe, Central Asia and Russia
IANA
The Internet Assigned Numbers Authority (IANA) is a function of ICANN, a non-profit private US corporation that oversees global IP address allocation, AS number allocation, DNS root zone management, media types, IP related symbols and Internet numbers.
Firewalking
A technique for vulnerability testing a firewall in order to map the routers of a network. Port scans are disguised by having a time-to-live (TTL) set at one hop greater than the targeted firewall, hoping to generate a TTL “exceeded in transit” error message.
Footprinting
Also known as reconnaissance, a technique used for gathering info on systems and their owners. Utilizes various tools and technologies during the pre-attack phase including nslookup, traceroute, Nmap and neotrace, along with DNS and WHOIS queries, O/S fingerprinting, ping sweeps, port scans, SNMP queries and WWW spidering or crawling.
Evil Twin attack
A fraudulent WiFi access point that appears to be legitimate but is setup to eavesdrop on wireless communication. The wireless equivalent of a phishing scam. Used to steal passwords of unsuspecting users.
EliteWrap
An .exe. wrapper used to pack files into an archive executable that can extract and run file in specific ways when the packfile is run. Programs in the packfile can be extracted without starting. Script files can be written to automate the creation of packfiles. Default password is “p4ssw0rd”
NetStumbler
A software tool for Windows that detects WLANs using 802.11a/b/g standards. Belongs to the Win2000 to WinXP generation of O/S. Used for WarDriving or for detecting rogue access points.
Kismet
A free, open-source network detector, packet sniffer and intrusion detection system (IDS) for 802.11 WLANs. Works with any wireless card that supports raw monitoring mode. Can sniff 802.11a/b/g/n traffic on Linux, Mac OS X or Windows.
Social Engineering
Psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for information gathering, fraud or system access.
Usually involves one of four key vectors:
- vishing (phone)
- phishing (email)
- smishing (text)
- impersonation (in person)
Six key principles used for manipulative purposes:
- reciprocity, consistency, social proof, authority, liking and scarcity
YARA
A malware research and detection tool that provides a rule-based approach for creating descriptions of malware families based on textual or binary patterns. A description is a Yara rule name with sets of strings and a boolean expression. Similar to regular expressions in Perl.
Tailgating
When a person follows along with an unknowing authorized person when gaining entry to a restricted area or checkpoint. Does not involve consent.
Piggybacking
When a person tags along with an authorized person when gaining entry to a restricted area or checkpoint. Can be performed in a electronic or physical manner. Involves consent.
watering hole attack
An attack strategy aimed at a group (org, industry or region). The attacker observes which websites the group uses often and infects one of them with malware, which then infects the targeted group. Popular with Chinese hackers as a country-level attack used by LuckyMouse / Iron Tiger / APT27.
hping
A command-line software tool for ping sweeps and port scans, similar to Nmap.
Syntax example: hping3 -1 192.168.5.0
Switches:
- 1 (ICMP mode)
- 2 (UDP mode)
- -flood (SYN flood)
- S (SYN flag)
- R (RST flag)
- X (XMAS scan flags)
ASLR
Address Space Layout Randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from jumping to a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
DEP
Data Execution Prevention (DEP) is a method for protecting executable space protection on Windows. Leverages ASLR and Microsoft’s Safe Structured Exception Handling (SafeSEH).
XSS
Cross-site scripting (XSS) is a web application attack that enables an attacker to inject client-side scripts into web pages viewed by other users. XSS exploits the trust a user has for a site.
Types of XSS include non-persistent (reflected), persistent (stored), server-side (DOM-based), self-XSS and mutated XSS.
CSRF
Cross-site request forgery (CSRF) is the malicious exploit of a website whereby unauthorized commands are transmitted from a user that the web application trusts. Ways that a malicious user can transmit such commands: specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. CSRF exploits the trust that a site has in a user’s browser.
NIST SP 800-115
A special publication from the National Institute of Standards and Technology (NIST) designed to assist organizations in planning and conducting InfoSec audits, analyzing the findings and developing mitigation strategies.
Kismet
A network detector, packet sniffer and IDS for 802.11 WLANs. Working with any wireless card that supports raw monitoring mode, Kismet can sniff 802.11a/b/g/n traffic. Distributed under the GNU general public license. Runs on Linux or Mac OS X.
SDN
Software Defined Networking (SDN) enables dynamic, programmatically efficient network configuration in order to improve network performance and monitoring, making it more like cloud computing than traditional network management. Overcomes the restrictions of static network architecture in traditional networks using an abstraction layer to separate the data plane (packets) from the control plane (routing process). OpenFlow is one protocol used for remote communication within SDN.
Foren6
A wireless forensics tool that leverages passive sniffer devices to reconstruct a visual and textual model of network information to support Internet of Things applications where other means of debug are too costly or impractical.
netcat
A computer networking utility for reading and writing to network connections using TCP or UDP. Designed to be a dependable backend that can be used by other programs and scripts. Netcat is also a network debugging and investigation tool and can produce almost any kind of connection. Works as a pipe, proxy or port scanner.
Nikto
An open-source command-line vulnerability scanner for web servers, used to find malicious files, CGIs, outdated software and cookies. Released under GNU GPLv2.
netstat
A command-line network utility that displays network connections for inbound and outbound TCP, routing tables and network protocol statistics. Works under Linux, macOS, Windows and OS/2.
netstat -an
(displays all active TCP and UDP connections and open ports)
ifconfig
A system administration utility in Unix and Linux operating systems for network interface configuration. A command-line interface tool that can be used in system startup scripts. Has features for configuring, controlling and querying TCP/IP network interface parameters. Originally released in August of 1983.
ipconfig
A console application in Windows, ReactOS and macOS that displays all current TCP/IP network configuration values along with DHCP and DNS settings.
Cryptcat
A discontinued open-source application that enables encrypted online chatting for Windows, Mac OS X and Linux. Uses end-to-end encryption to secure commmunications to other Cryptocat users. Was publised under the GPLv3 license.
CSPP
A connection string parameter pollution (CSPP) attack takes advantage of web applications that communicate with databases by using semicolons to separate parameters.
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was created to fix the tiny flaws in Temporal Key Integrity Protocol (TKIP). Functions as the integrity method for Wi-Fi Protected Access v2 (WPA2).
