Misc Vocabulary Flashcards
Zigbee
communication technology often found in a home automation system
Collision attack
This happens when a hacker discovers an input that generates the same hash value as a legitimate input. The attacker can then replace the legitimate content with the altered content and the digital signature will still say it’s good. This is similar to how a rainbow table works, although in that case the hacker precomputes the hashes of a lot of common passwords and then looks for those hashes in the database table containing hashed passwords.
Flood guard
technology used to block DoS attacks. Does not help prevent routing loops.
eDiscovery
reference model. Phases include identification, collection, processing, review, and production. Attorney review of collected material takes place in the Review phase.
Mnemonic: I collect peer review processes.
Nessus
vulnerability scanner that can also perform compliance auditing such as PCI DSS audit scans.
Lockheed Martin cyber kill chain
Analysis framework that implicitly assumes that adversaries never retreat during an attack. Compare to AlienVault, MITRE ATT&CK, and the Diamond Model of Intrusion Analysis, each of which allows for a broader range of adversary behaviors.
Iris recognition tech
Biometric auth technique. Nonintrusive, low false positive rate. Iris patterns remain stable throughout a person’s life and may be scanned from a distance. Unfortunately the scanners can be fooled by an image of a person’s face.
Purple team
In a pen test, the purple team includes all participants: red, blue and white team.
Man-in-the-browser attack
Attack made on a web application, typically by exploiting a browser extension. This gives the attacker access to all the information accessed by the browser. Best defense is to disable browser extensions, but that has to be done on the client, not the web server. This is a type of proxy Trojan.
DOM-based XSS attack
Type of cross-site scripting attack where the attack code is hidden within the Document Object Model. Viewing the HTML source of the page would not show this attack code.
Identity provider
In federated authentication, the identity provider (IdP) is the organization where the user logs in. This organization then asserts to the other members of the federation that the user is valid.
Digital signature
The sender of the email encrypts a message digest (usually a hash of the email message) using the sender’s private key. This has to be decrypted using the sender’s public key, which verifies that the sender is the one who sent it.
Contrast that to sending an encrypted email: there the message itself is encrypted using the recipient’s public key, and the recipient decrypts it using the recipient’s private key.
Confusion, diffusion
In the context of encryption algorithms, “confusion” ensures that any relationship between the ciphertext and the key is extremely complex. Diffusion is another property that takes any statistical patterns in the plaintext and prevents them from appearing in the ciphertext.
Vendor diversity
Having similar components in the same network but coming from different vendors. This reduces risk - if an attack works against one of them, the second is unlikely to have the same vulnerability so it prevents the attacker from getting further into the network. CompTIA really likes vendor diversity.
Embedded system constraints
NOT a constraint: physical form factors, heat.
Common constraints: power, compute, network, crypto, inability to patch, authentication, range, cost, implied trust.
Restoration Order Documentation
Used when restoring operations after a disaster. Specifies the order for restoring systems and services to ensure that dependencies are available before the systems that depend on them, and that mission-critical services are restored first.
Vertical Scaling
Adding additional capacity to an existing server, such as more hard drive space or another CPU. Compare to horizontal scaling which adds an additional server of the same type.
Incident Response Process
Cycle steps are preparation, identification, containment, eradication, recovery, lessons learned. It’s a cycle so it continues back at preparation.
Mnemonic: Perhaps I Can Eat Rice Later
Walkthrough
Typical part of yearly incident response preparations. The team goes through a sample incident step by step, making sure each person knows what they would need to do. Compare to a tabletop exercise, which has each person being asked what they would do at each step and has more flexibility.
Cyber Kill Chain
Attack model created by Lockheed Martin. Phases are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objective.
Mnemonic: Real Women Date Engineers In Commando Armor
NOTE: this model never has the attacker retreating. Several other popular models are more flexible.
pathping
Windows command line tool that shows network latency and loss at each step along a route. Tracert gives the route but not the extra information.
Out-of-band management
Security technique that places the administration interface of a switch, router, or other device on a separate network, or else requires direct connectivity to the device to access and manage it. This prevents an attacker that gains access to the organization’s network from making changes to the network devices.
Jailbreaking
For a mobile device, jailbreaking allows enhanced third-party operating systems or applications to be used. This can be considered a privilege escalation attack.
Blowfish
Symmetric key block cipher. Used in the Bcrypt key stretching function.
Diamond Model of Intrusion Analysis
Incident response approach. Core elements are:
- Adversary (the attacker)
- Capability (tools and techniques used by the adversary)
- Infrastructure (what the adversary uses to attack)
- Victim (who or what was attacked)
journalctl
Linux command available in CentOS and Red Hat Enterprise Linux that allows you to view journal logs that contain application information.
Data custodian
Individual charged with safekeeping of information under the guidance of the data owner. Often this is a sys admin.
pagefile
The Windows paging file, or pagefile, is sometimes called Windows 10 virtual memory. It supports system crash dumps and enables the system to use physical RAM more efficiently by writing some file content to a hard disk if the main memory is near capacity. It is stored on disk.
WinHex
Commercial disk editor that provides a number of useful forensic tools.
Pass-the-hash
technique where an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn’t need to decrypt the hash to obtain a plain text password. This is most commonly done using a Windows domain workstation.
Purpose limitation
Organizations should only use data for the purpose disclosed during the collection of that data.
Data controller
Person who determines the reasons for processing personal information and directs the methods of processing that data. Used primarily in EU law.
Data processor
Processes data given to them by the data controller (or data owner). Often this is a third party. The data processor does not own the data that they process, nor do they control it. This means that the data processor is not able to change the purpose or the means by which the data is used. Furthermore, data processors are bound by the instructions given by the data controller.
Interactive testing
application testing that analyzes code while a tester manipulates inputs to the application. This combines static and dynamic analysis.
Boot attestation
The system attests to a verification platform about the trustworthiness of the software it is running after it completes the boot process.
Shared responsibility model
This applies between a cloud service provider and the customer (organization buying the cloud services from the cloud service provider). The customer always retains either full or partial responsibility for data security. The cloud provider is always responsible for hardware and physical datacenters. Responsibility for applications is customer’s under IaaS, provider’s under SaaS, and shared under PaaS.
Opal
The Opal storage specification defines how devices protect the confidentiality of user data. It is published by the Trusted Computing Group. For example, it defines self-encrypting drives.
Input whitelisting
Technique that defines the specific input type or range that users may provide for an app. When developers can write clear business rules defining allowable user input, whitelisting is the most effective way to prevent injection attacks.
sFlow
sFlow is a multi-vendor, packet sampling technology used to monitor network devices including routers, switches, host devices and wireless access points. sFlow is an embedded technology – it is implemented through dedicated hardware chips embedded in the router/switch.
Concern: sFlow samples only network traffic, so some detail will be lost.
Good point: it scales well, because it just samples the data.
Standard
In the context of security controls, a standard is a document that describes acceptable mechanisms for doing a particular task, such as obtaining remote administrative access to servers. This information is too nuts and bolts to be a policy, and not detailed enough to be a procedure. Guidelines are not mandatory.
Volatility
a memory forensics toolkit that includes memdump
Certificate stapling
attaches a current OCSP response to the certificate to allow the client to validate the cert without contacting the OCSP server.
Compare to certificate pinning which is used to provide an expected key, not to check cert status.
Inline CASB
Inline CASB solutions require either network configuration or the use of a software agent. They intercept requests from users to cloud providers, so they are able to both monitor activity and enforce policy.
proxy Trojan
Intercepts traffic and modifies it for malicious purposes. A typical example is a man-in-the-browser attack.
Password spraying
Attack that uses known usernames and passwords to attempt to log in as the same user on other services and sites. For example, if site A gets the user info stolen, the attacker would then try those usernames and passwords on site B, C, D, etc. because a lot of people use the same username and password on multiple sites.
According to a different source, it’s just using a list of common passwords, and trying one of them on all the usernames you can guess for a given network (from OSINT or dumpster diving), then trying another on all the accounts. Repeat until you find one that works. This usually gets around password lockout policies.
Watermarking
identification technique for sensitive data. Tag all your sensitive files with digital watermarks to flag them to the DLP system.
theHarvester
security tool designed to help collect open source intelligence from search engines, including SHODAN security search engine. This lets it build lists of info like email addresses, domains, systems, open ports, and banners.
SSL/TLS Inspection
When enabled, all TLS traffic will be intercepted, decrypted, inspected, re-encrypted, then sent on to the destination (unless blocked, of course).
NIST SP 500-292
Reference model for cloud computing, at a high level. Explains interactions between different organizations and services in a cloud deployment.
Tap
A tap is a device that independently sends a copy of network traffic to another path or location. Both active and passive taps exist, and they don’t add any additional load to the switch or router that the traffic is passing through.
BitLocker
Microsoft BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. It requires either a TPM or a removable drive to store elements of the encryption key.
FTK Imager
Proprietary tool used to create forensic disk images. The forensic image is identical to the original including copying the slack, unallocated, and free space.
A similar but non-proprietary tool is dd.
CIS Controls
Center for Internet Security Critical Security Controls, aka “Top 20 Controls” or “CIS Controls”.
This is a framework composed of 20 control groups covering topics ranging from hardware inventory to penetration testing.
IPFIX
IP Flow Information Export protocol.
Based on NetFlow v9. Groups traffic into flows, which are then sent to a centralized collection point.
Transitive access
Security issue that inadvertently gives an end user advanced access to another part of the application or system on which it is hosted.
IP spoofing
common type of on-path attack, where the attacker splits a connection between the client and server into two connections, by spoofing the IP address of one of them.
Smurf attack
Attacker sends a single ping with a spoofed source address to the broadcast address of a network. This results in each device on that network getting a ping and responding to it, which floods the spoofed source address with ping responses. This can be prevented on the amplifying network by blocking ICMP requests coming from the internet to that network’s broadcast address at its firewall. It’s harder to prevent on the victim’s side.
Data steward
Responsible for implementing a set of data quality guidelines and ensuring that they are being carried out on a day-to-day basis.