Vocab Drills Flashcards

1
Q

Application

A

A type of software that allows users to perform specific tasks and activities.

Example: Web browsers, picture viewers and games are all applications

2
Q

Utilities

A

Applications designed to help analyze, configure, optimize or maintain a computer. Unlike application software (which focuses on benefiting the user), utilities are used to support the computer.

Example: An application that allows you to customize how the buttons on your mouse work.

3
Q

Operating System

A

Software that manages the computer hardware and software. It is the system between the applications and the hardware.

4
Q

Platform

A

The environment in which a piece of software is executed. It may be the hardware, operating system, a web browser or other underlying software.

For example, Microsoft Windows is a platform for MS Word

5
Q

feature

A

A distinctive characteristic of software or hardware.

Example: facial recognition is a feature of the iPhone X.

6
Q

plugin

A

A component that adds a specific feature to software. Also referred to as an extension.

Example: you can add a plugin to your web browser that allows you to change the theme colors.

7
Q

Software as a Service

A

Software licensed on a subscription basis. The software is stored centrally on a server. It’s sometimes referred to as “on-demand” software.

Example: Google apps are SaaS

8
Q

API (Application Program Interface)

A

A set of clearly defined methods of communication between software.

9
Q

Console

A

A user interface that manages and controls software and/or hardware.

Example: KnowBe4 customers access our products through a console

10
Q

Dashboard

A

Key words: at-a-glance, goal, graphical images.
An at-a-glance view of key information relevant to a particular goal or business objective. Dashboards are often displayed as charts and/or other graphical images on a web page.

Example: KnowBe4 uses dashboards to display sales data on monitors placed around the company.

11
Q

Server

A

A computer or program that manages access to centralized resources.

Example: A file server would store and manage all the user files for a group of computers and users.

12
Q

Domain

A

Short for “domain name”, a unique name that identifies a website.

Example: KnowBe4.com is the domain for KB4.

13
Q

Directory

A
  1. Like physical folders, a directory organizes files or data on a hard drive or in a program. Directories can contain other directories, which are then called sub-directories.
    Most operating systems display directories as folders.
  2. Software that stores all resources on a network. Example resources are users, groups, permissions, devices and management policies. A directory is also referred to as a directory service.

Example: When a directory is given a username, it will return the profile of the user which may include permissions for data access as well as employee information.

14
Q

AD (Active Directory)

A

A directory service developed by Microsoft for use on Windows operating systems.
If you were in charge of all the computers on a network that uses a Windows server, you would use AD to set up the users, their passwords and which devices they could access.

15
Q

Protocol

A

A specific set of communication rules between computers.

Example: A web browser accessing a website uses a different protocol than an email server talking to an email application.

16
Q

HTTP (Hypertext Transfer Protocol)

A

One of the protocols used to transfer information over the Internet.

17
Q

HTTPS (Hypertext Transfer Protocol Secure)

A

The same as HTTP but secure. This protocol secures the data by changing it to a special code that requires special translation. If you were inputting credit card data on a website, you would want that data to transmit securely using HTTPS.

18
Q

White paper

A

A report that describes how a technology or product solves a problem. It’s a marketing and technical document that doesn’t go too far in either direction.

Example: An organization creates a new solution for poor cell phone reception. That organization would release a white paper to advertise the technology’s effectiveness and describe how it works.

19
Q

Whitelist

A

A list of trusted email addresses, domains and/or internet addresses that are permitted to pass through a system or filter.

Use: During a sales call with a prospect it’s often necessary to have the prospect add the rep’s email address to their whitelist so the spam filter doesn’t block the test email.

20
Q

Phishing

A

The process of attempting to acquire sensitive information such as usernames, passwords and bulk credit card details. It’s done by masquerading as a trustworthy entity in bulk email that tries to evade spam filters. Emails claiming to be from popular social websites, banks, auction sites or IT administrators are commonly used to lure the unsuspecting public.
It’s a form of criminally fraudulent social engineering.

Example: cyber criminals put together and send an email that looks like it comes from Chase Bank saying you need to pay your credit card. This is phishing because it’s an attempt by the bad guys to get you to click on something or fill out something that gives them your information, in this case your banking information.
Phishing is the major tool used by the bad guys to get users to click on something that leads them to confidential information like usernames, passwords, social security numbers, names etc. It’s not the only way to get the information, but it’s one of the main ways.

21
Q

Spear phishing

A

A small, focused, targeted phishing attack on a specific person or organization with the goal of penetrating their defences. The attack is carried out after research has been done on the target and has a specific personalized component designed to make the target do something against his or her own interest.

22
Q

Phishing attack surface

A

The quantity of email addresses exposed on the internet. The more email addresses exposed, the bigger the attack footprint is and the higher the risk of phishing attacks.

23
Q

Phish-prone percentage

A

A term coined by KnowBe4 that indicates the percentage of employees who are prone to click on phishing links.

The customer starts with a baseline percentage, which is the percentage of users who click on phishing links before being trained. Once trained, the test is done again 12 months later to see the improvement.

24
Q

Social engineering

A

The act of manipulating people into performing actions or divulging confidential information.
The term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access.
Phishing and spear phishing are forms of social engineering. The user is tricked into opening an email and clicking on links that open a way into the computer. This allows the bad guy to enter the user’s computer and computer network. The bad guys end up taking out valuable and confidential content like names, addresses, phone numbers, social security numbers, usernames and passwords.

25
Q

CEO fraud

A

A spear phishing attack that targets high-risk users (people in accounting, HR or executive assistants) in which the hacker claims to be the CEO (or another executive) and urges an employee to do something that would not be authorized by the legitimate sender.

26
Q

Vishing

A

A phishing attack conducted by phone. Vishing is the phone equivalent of a phishing attack.
There are two forms of this: human and automated. In the human example a scam artist uses the anonymity of a phone call and pretends to be a representative of the target’s bank or credit card company, etc.
They manipulate the victim into entering their PIN, credit card number or bank account number with the phone keypad. This gives the scammer instant access to another person’s bank credentials.

27
Q

Smishing

A

Phishing conducted via SMS. A smishing text, for example, attempts to entice a victim into revealing personal information.

28
Q

Email spoofing

A

Spoofing means tricking or deceiving computer systems or computer users. Email spoofing involves sending messages from a bogus email address or faking the email address of another user. It’s a tactic used in phishing because people are likely to open an email when they think it has been sent by a legitimate source.
Spoofing is a common tactic in CEO fraud attacks.

29
Q

Trojan

A

Malicious software that seems to perform a desirable function for the user but instead facilitates unauthorized access to the user’s computer system. The term is derived from the Trojan Horse story in Greek mythology.

Example: An email with a link to a news article about a disastrous storm or major political news that installs software to slow down the computer and any other computers it connects with.

30
Q

Worm

A

A self-replicating computer program. It sends copies of itself to other computers and may do so without any user intervention. Unlike a virus, it doesn’t need to attach itself to an existing file. Worms almost always cause at least some harm to the network.

Example: An email that has a love letter attached which when opened changes files on a computer and sends itself to all the email addresses in the user’s contact list.

31
Q

Virus

A

A malicious program that infects a file. A true virus can only spread from one computer to another when its host (infected file) is sent to the target computer. The word virus is incorrectly used as an umbrella term for many flavors of viruses, worms and trojans, etc.

Example: A virus gets installed on a laptop. It then inserts itself into several operating system files, causing the computer to restart automatically every 10 minutes.

32
Q

Anti-Virus

A

Software that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. Sometimes referred to as AV, which is short for antivirus.

Example: Software that scans email attachments for viruses when they’re downloaded.

33
Q

Malware

A

Short for the term “malicious software”. It’s an umbrella term used to refer to the various types of viruses, worms, trojans, etc. Most malware is installed without the infected person ever realizing it.

34
Q

Ransomware

A

Vicious malware that locks users out of their devices and blocks access to files until a sum of money (a ransom) is paid. Attacks cause downtime, data loss, possible intellectual property theft, and data breaches. Ransomware is also referred to as “cryptoware”.
How it works: Once the malware is on the machine, it starts to encrypt all the data files it can find on the computer and on any computers it can access within the network. When a user attempts to access one of these files they’re locked out. Two files are then found in that same folder indicating the files have been taken for ransom. The two files inform the user of the ransom and instruct them on how to pay it.

35
Q

Rootkit

A

Malicious code that loads in the early loading stages of a computer. The code hides itself from the operating system and from other applications that load in the later stages, like AV and system utilities. This gives the bad guy full access to alter the system.
Note: Root is the basic source of something and a kit is a set of tools, hence the name “rootkit.”

Example: Code that changes a configuration file when the computer starts up. It alters the file so the user’s AV software won’t detect additional malware that tracks the user’s keyboard inputs (to steal passwords).

36
Q

Botnet

A

Short for “robot network”, it’s a collection of software robots or bots that live on infected computers and are controlled by bad guys. Botnets do many bad things like spew out spam, attack other computers or send confidential data back to the botnet controller.

37
Q

Data breach

A

The intentional or unintentional release of secure information to an untrusted environment. Other terms for events like these are unintentional information disclosure, data leak and data spill.

Example: In 2013 and 2014 Yahoo was hacked by bad guys who stole data from every Yahoo account, 3 billion in all. They took names, email addresses, phone numbers, dates of birth, passwords, etc.

38
Q

DoS attack

A

Stands for “denial of service attack”. The attackers seek to make a computer or network unavailable to its intended user(s) by temporarily or indefinitely disrupting service.
DoS attacks are done by flooding the targeted system with unnecessary service requests which overload the system. When the attack comes from multiple sources it’s called DDoS, “distributed denial of service”.

Analogy: A group of people crowding around the entryway of a store making it hard for actual customers to enter.

39
Q

Security vulnerability

A

A weakness in a network or software which allows a bad guy to gain access. A security vulnerability has three elements:
a flaw
access to the flaw
capability to exploit that flaw

Example: A computer with outdated security updates. This vulnerability could allow an attacker to easily bypass the login password.

40
Q

Exploit

A

Software or code (usually malicious) that takes advantage of a flaw or vulnerability. The purpose is to cause unintended or unanticipated behavior to occur in the software or hardware. Such behavior could be unauthorized access to or control of a computer, or a DoS.

Example: Malware designed to take advantage of an outdated operating system that allows the attacker to control the user’s webcam.

41
Q

Zero-day

A

The name for a vulnerability unknown to those who would be interested in securing it, which includes the software vendor and the user. The bad guys use these vulnerabilities to launch an attack.

Example: A new iPhone is released on Jan 1st. The phone has a security flaw that allows someone to get around the passcode. Nobody knows about this flaw except some bad guys who have already broken into iPhones with the flaw. Why is it called a zero-day? Because the flaw was discovered and taken advantage of before the good guys could fix it. The good guys had no warning; they had zero days to fix it.

42
Q

Zero-day exploit

A

Also known as a “zero-day attack”, an exploit that takes advantage of a zero-day vulnerability on its first day of release, before the vendor knows about it.

Example: A bad guy who hacks into a celebrity’s iPhone (using the zero-day vulnerability) and steals personal photos. Hackers are then able to do similar damage until Apple becomes aware of the flaw and fixes it.

43
Q

Advanced persistent threat

A

Also known as an APT, a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The bad guy’s goal is to go undetected and steal data rather than cause damage to the network or organization.

Example: A bad guy hacks into a computer. Instead of slowing it down or demanding payment to unlock your files the bad guy continues to observe your web browsing to steal as many passwords as possible.

44
Q

Tailgating

A

Also known as piggybacking, tailgating is a method used by bad guys to gain access to a building or other protected areas. A tailgater waits for an authorized user to open and pass through a secure entry and then follows right behind.

Note: Tailgating is a form of social engineering.

45
Q

Keylogger

A

Malware or hardware that observes what someone types on their keyboard and sends it back to the bad guys.

46
Q

Bitcoin

A

A digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds operating independently of a central bank.
Some ransomware uses Bitcoin as the form of payment because it’s very hard to trace.

47
Q

Money mule

A

A person recruited by a criminal or criminal organization to quickly receive and turn around funds involved in scams. The person is often unaware of their role in the criminal act.

48
Q

Firewall

A

Hardware or software designed to block unauthorized network access while permitting authorized communications.

49
Q

Cloud computing

A

The practice of using remote servers on the Internet to store, manage and process data rather than a local server or a personal computer.
Cloud servers get all the latest software and security updates, making them less vulnerable to attack.

Example: The use of Google Apps

50
Q

Security Awareness Training (SAT)

A

Any training that raises the awareness of a user to potential threats and how to avoid them.
The goal of SAT is to get users to make smarter security decisions and help their organization manage the ongoing problem of social engineering.
The user is the last line of defense in an attack by the bad guys.

51
Q

Kevin Mitnick

A

In the mid-nineties he was known as the “World’s Most Wanted Hacker”. Kevin is a very successful Fortune 500 security consultant, part owner and Chief Hacking Officer of KnowBe4.
Based on his 30+ years of first-hand experience with hacking and social engineering, KnowBe4 created KMSAT, Kevin Mitnick’s Security Awareness Training.
Kevin’s main contribution to KB4 is his experience.

52
Q

Learning management system (LMS)

A

A system for the administration, documentation, tracking, reporting and delivery of e-learning education courses or training programs. KMSAT uses an LMS. Bridge is an LMS.

53
Q

Return on investment

A

Measures the amount of return on an investment relative to the investor’s cost.
In IT security, ROI is measured as a reduction in risk, not as a concrete financial gain. Without proper SAT a company can experience loss of reputation, productivity and revenue.

54
Q

Shareable Content Object Reference Model (SCORM)

A

A technical standard that governs how online learning content and an LMS communicate with each other.
Note: Our customers access our SAT modules through an LMS. Those modules follow the SCORM standard.

55
Q

The six steps to successful SAT

A

Step 1: Have a security policy and have each employee read and sign it.
Step 2: Have all employees take mandatory SAT with a clear deadline and reasons why they’re taking the training.
Step 3: Make SAT part of the onboarding process.
Step 4: Regularly test employees to reinforce the SAT and its application.
Step 5: Have employees who fail phishing tests meet privately with a supervisor or HR; reward employees with low failure rates.
Step 6: Send regular security hints and tips via email to all employees.

56
Q

Why organizations outsource SAT

A
  1. Reduce costs: it’s cheaper for organizations to purchase training than to create it.
  2. Access to talent: organizations use professionals rather than internal staff who may have limited skills and understanding.
  3. Geographic reach and scalability: online training can be done anywhere there’s an internet connection. It’s easier for organizations to grow and manage demands for training by using a provider who has content on demand.
  4. Compliance: training, including SAT, is required for organizations who must comply with specific laws or industry guidelines.
  5. Mitigate risk: there are fewer risks and problems with training when using a professional service.
  6. Business focus: training is not the main focus for most organizations.
  7. Leverage the cost of technology: using an LMS for training and other SaaS-type apps streamlines training and reduces costs.

57
Q

Defense in depth

A

Defense in depth is a security discipline that refers to having layers of protection in an IT infrastructure. It is designed this way so that security does not depend on any single layer, especially in the event of an attack.

Examples:
Policies, procedures and awareness: published policies, implemented security procedures and trained employees.
Perimeter: a firewall to prevent unauthorized access to the network.
Internal network: software or hardware tools that can scan the network for attackers and traffic that shouldn’t be there.
Host: the individual computers on the network, running AV.
Application: correct configuration, securely written code and access privileges.
Data: encrypting confidential data or password-protecting databases.

58
Q

EZXploit

A

A tool used in simulated phishing campaigns to point out how easy it is for a bad guy to obtain the user’s information, provided the user was tricked into clicking the link in the phishing mail.

How it works: An email is sent containing a link which, if clicked on, opens a landing page. Then a pop-up opens that requests a Java update. If the user clicks on the OK button to update Java, EZXploit collects up to 12 data points about that user and the user’s computer. Some of those data points include: network info, system info, device info, user data and a screenshot of the user’s desktop.

59
Q

Vulnerable plugin option

A

A tool that gathers information about the plugins users have installed on their browsers and whether any of them are vulnerable. This info is gathered automatically during a simulated phishing campaign.

How it works: When a user clicks a link in a phishing email it takes them to a landing page which gathers information about the plugins installed on their browser. The results are then compared to a database of known vulnerable plugins. Any browser plugins found to be vulnerable are provided in the results of the company’s phishing test.

60
Q

Social engineering indicators (SEI)

A

A feature of KnowBe4’s simulated phishing campaigns that shows a user the red flags they missed when clicking on a link in a simulated phishing campaign.

How it works: When a user clicks on a link in a phishing email they’re taken to a landing page. The landing page then shows the user the red flags they missed.

61
Q

Artificial Intelligence Driven Agent (AIDA)

A

A tool that uses AI to automatically create integrated campaigns that send emails, texts and voicemails to an employee, simulating a multi-vector social engineering attack.

How it works: All the decisions about how to phish the users are handled by the AI component. The only information that needs to be specified is when the campaign is to start and to whom the campaign will be sent.

62
Q

Compliance

A
  1. The action of meeting the requirements of accepted practices, specific standards, laws, prescribed rules and regulations and terms of a contract.
    Sentence: To save money, Acme Inc is improving compliance procedures.
  2. The state of having met the required regulations for the industry one is in.
    Sentence: Acme Inc received their certification for dental compliance.
    The purpose of compliance is to show that proper procedures and protections are in place to meet certain standards, requirements, laws, etc.
    KB4 offers a service called KCM, which stands for KB4 Compliance Manager.

What is it?
KCM is a SaaS that simplifies the complexity of getting compliant and eases the burden of staying compliant.
Most organizations track compliance using spreadsheets, word processors or self-maintained software such as SharePoint (MS platform for document management and storage). This is inefficient, error prone and risky.

63
Q

Protected health information (PHI)

A

All recorded information about an individual’s health status, including their health care coverage.

64
Q

Personally identifiable information (PII)

A

Any information that can be used on its own or with other information to identify, contact or locate a single person.

65
Q

PCI DSS (Payment Card Industry Data Security Standard)

A

A document published by the PCI. The publication lists all requirements for securely handling credit cards and credit card information. Organizations who accept credit cards must be PCI compliant.
One of the requirements is SAT.

66
Q

HIPAA (Health Insurance Portability and Accountability Act)

A

A law enacted by the U.S. Congress and signed by Bill Clinton in 1996 that requires healthcare organizations to protect personal health information (PHI).

67
Q

GDPR (General data protection regulation)

A

A regulation in EU law on data protection and privacy for all individuals in the EU.

68
Q

Channel

A

A KB4 department that creates relationships with partners who sell our products to their customers.

69
Q

CSM (Customer Success Manager)

A

A KB4 department that helps customers set up and continue using the KMSAT platform.

70
Q

CSO (Chief Security Officer)

A

A top-level executive responsible for an organization’s security, both physical and digital.

71
Q

CISO (Chief Information Security Officer)

A

An executive responsible for protecting an organization’s information and technologies.

72
Q

Enterprise

A

A department at KB4 that deals with organizations which have 1,000 or more employees.

73
Q

SMB (Small and Medium Businesses)

A

A department at KB4 that deals with organizations which have 999 or fewer employees.

74
Q

Phishing Security Test (PST)

A

A simulated phishing attack performed by KB4 on email addresses an organization provided to us. The purpose of the test is to see how prone the organization’s employees are to click on phishing links.

How it works: The PST user selects a phishing template, then a landing page. Employees who click on phishing links are taken to that landing page and shown the red flags they overlooked. The PST user then receives a report with their Phish-prone percentage.

75
Q

Automated Security Awareness Program (ASAP)

A

A tool that simplifies the process of creating customized Security Awareness Programs.

How it works: The user completes a questionnaire about their organization and goals. ASAP then generates a custom plan based on the user’s specific needs.

76
Q

Breached password test

A

A tool that checks to see if an organization’s users are currently using passwords that appear in publicly available breaches associated with the organization’s domain.

How it works: BPT checks to see if an organization has been part of a data breach that included passwords. Then it checks to see if those passwords still exist in the organization’s AD.

77
Q

Phish Alert Button (PAB)

A

An email plugin that gives users a safe way to handle actual or potential phishing emails.

How it works: PAB forwards the suspect email to the organization’s security team for analysis. It also deletes the email from the user’s inbox to prevent future exposure.

78
Q

Email Exposure Check Pro (EEC Pro)

A

Identifies the at-risk users in an organization by searching business social media information and hundreds of data breach databases. The EEC Pro works in two stages:

  1. Does deep web searches to find any publicly available organizational data. This shows what the organizational structure looks like to an attacker.
  2. Finds any users who have had their account information exposed in any of several hundred data breaches. These users are particularly at risk because an attacker knows more about them, up to and including their actual passwords.

79
Q

Domain Spoof Test (DST)

A

A test that checks a domain name to see if it can be spoofed.

Example: A bad guy could send an email from badguy@attacker.com, but it would be spoofed to look like it came from goodguy@knowbe4.com.

80
Q

Second Chance

A

A tool that checks links originating in email messages, including embedded links within attached Office documents and PDFs. It asks the user if they’re sure they want to follow the link, giving them a second chance to evaluate it.

81
Q

USB Security test

A

A tool that finds out how users react to unknown USB drives. The purpose is to see how many users will pick up the USB drive, plug it into their computer and open files.

How it works: When an employee opens the file it will “call home” and report a “fail” to their KB4 console. If the user opens a document and also enables macros, additional data is tracked.

82
Q

Weak Password test

A

Checks an organization’s AD for several types of weak-password-related threats.

How it works: Once the test is complete it generates a report of the users who have weak passwords. It does not report the actual passwords of the users; rather, it highlights which ones should be addressed.

83
Q

Mailserver Security Assessment (MSA)

A

Tests a user’s mailserver configuration to check the effectiveness of the mail filtering rules.
MSA gives the user quick insight into how their mailserver handles test messages that contain a variety of different message types: emails with attachments or emails with spoofed domains.

84
Q

Ransomware Simulator (RanSim)

A

Simulates 13 ransomware infection scenarios to determine if a user’s workstation is vulnerable to infection. RanSim also allows users to see if their AV is incorrectly blocking files.