Security+
Term | Definition |
---|---|
CVE | Common vulnerabilities and exposures (publicly available) |
NVD | National Vulnerability Database - government repository of standards-based data for vulnerability management |
DBaaS | Database as a Service |
AIS | Automated indicator sharing - sharing between public and private |
IoC | Indicators of Compromise - signs that a system may have been infiltrated by a cyber threat |
TTP | Tactics, Techniques, and Procedures - Identify patterns against threat vectors |
CVSS | Common Vulnerability Scoring System - public framework for rating severity of security vulnerabilities |
ARO | Annual rate of occurrence - Estimated times a security incident is expected in a year |
SLE | Single loss expectancy - estimate of damage an asset will have from a single incident |
Cloud Computing | Provides reliable up-to-date computing access while being flexible for a growing company, SDN makes network configuration easy. |
Custom-built webmail | Rather expensive compared to hosted solutions |
Legal hold | Preservation order to ensure evidence cannot be modified. |
Order of volatility | Fragility of digital evidence, which determines the order in which it is gathered. Ex: RAM should be gathered before powering off a system with an HDD, because the RAM contents will be lost. |
Data sovereignty | Applicable laws and regulations based on physical location of data. |
Chain of custody | Gathering evidence with secure documentation and storage |
Nonrepudiation | Closely associated with hashing; proves a message was sent by a certain user. |
Stream cipher | Encrypt data one bit at a time |
Block cipher | Encrypt data one block at a time |
Quantitative analysis | Identify assets and risk using calculations (quantity = think dollars) |
Qualitative analysis | Identify risk by ranking or other standards |
Threat, risk | Analysis reports should be completed this way |
Restricting network access | Should be limited to burned-in MAC addresses |
Recipient's public key | Used to send encrypted emails |
Your public key | Used by a sender to send encrypted emails to you |
Your private key | Digitally sign outgoing messages / encrypt a file |
Recipient's private key | Sign their outgoing messages |
RAID 0 | Disk striping across two or more drives - loss of a single disk renders all data unreadable |
RAID 1 | Mirroring - Data is duplicated onto a second disk in the array. - you can tolerate the loss of 1 drive |
Server clustering | Two or more servers work together to offer services. |
Spear phishing | Target a specific individual - not targeted at a high-profile person |
Whaling | Target high-profile end user |
Phishing | Trick people into providing information |
Vishing | Data disclosure over voice. |
Smishing | Data disclosure over text. |
Software updates | Critical to be applied to a system or else it could be vulnerable |
TPM | Store cryptographic keys for encryption |
Private key in a session | Decrypt a client session key |
Gloves | Prevent PII from being left behind. |
Anonymous proxy server | Mask IP address |
Business impact analysis | How personnel, data systems, and clients will be affected if a threat is realized |
Risk analysis | Conducted before business impact analysis |
Incident analysis | What should be done when a threat is realized |
Security audit | Identify vulnerabilities and policy non-compliance |
Encryption | Scrambles communications |
Steganography | Hides communications so they cannot be detected |
DNS on local network | Cannot point to loopback (127.0.0.1) |
Default gateway + DHCP | Can be the same host. |
Fail secure | A server that blocks connections when log files run out of disk space. |
Blowfish | Symmetric / block cipher |
RC4 | Symmetric / stream cipher |
RSA | Asymmetric |
FTP Port | 20 (data) / 21 (control) |
SSH Port | 22 |
TACACS+ Port | 49 |
DNS Port | 53 |
DHCP Port | 67 (server) / 68 (client) |
HTTP Port | 80 |
HTTPS Port | 443 |
Kerberos Port | 88 |
Post Office Protocol 3 (POP3) Port | 110 |
IMAP Port | 143 |
IMAP4 Secure Port | 993 |
SNMP Port | 161 (listen) / 162 (trap) |
LDAP Port | 389 |
LDAPS Port | 636 |
FTPS Port | 989 (data) / 990 (control) |
POP3S Port | 995 |
RADIUS | UDP - 1812 (authentication) / 1813 (accounting); also 1645 (authentication) / 1646 (accounting) |
SRTP Port | 5004 - Audio/Video Traffic |
L2TP Port | 1701 |
PPTP Port | 1723 |
RDP Port | 3389 |
CVSS | Assess severity of computer vulnerabilities |
STIX | (Structured Threat Information eXpression) Common language (XML) for describing cyber threat information |
TAXII | (Trusted Automated eXchange of Indicator Information) Transport mechanism for transmission of intelligence data |
RFQ | Request for Quote - Request for a vendor to submit a quote |
MaaS | Malware as a Service - The offering of on-demand malware |
IV Attack | Attack on Wireless |
Xmas Attack | Every single option is enabled for the selected protocol |
UC Server | Unified Communications - combines voice, IM, video, etc. |
ICS Server | Industrial Control Systems - combines integrated hardware and software |
PCAP | Packet capture |
SOAR | (Security orchestration, automation, and response), automated response to security incidents |
Red team | Initiate attacks |
Purple team | Brings together red + blue to improve cybersecurity |
Blue team | Defend against attacks |
White team | Oversees and witnesses the engagement between red and blue teams |
Honeypot | Divert attention from the network |
DNS Sinkhole | Fake telemetry / Prevent infected devices from communicating externally |
Fog computing | Local infrastructure between IoT and cloud/speeds up computing and processing |
Microservice | Independent/self-contained code to form an application |
Normalization | Remove duplicate entries |
Dead code | Not used elsewhere in an application |
RAID 5 | Minimum of three disks. Disk striping with parity. If a drive fails, the data can be rebuilt from the other two. |
RAID 10 (RAID 1+0) | Minimum of four disks. Disk mirroring and striping to protect data. As long as one disk in each mirror is functional, data can be retrieved. |
Code obfuscation | Make code harder to understand |
XaaS | Anything as a Service - All encompassing term for Cloud services |
Telemetry | Collection, transmission, and measurement of data. |
MSP | Managed Service Provider - delivers services via ongoing and regular support |
MSSP | Managed Security Service Provider - Monitoring and management of security devices and systems. |
Edge computing | Devices or networks near the end user ex: Smartwatch, smartphone |
SDP | Software-defined perimeter - hide infrastructure from attackers - base the network on software rather than hardware |
SDV | Software-defined Visibility - Visibility (GUI) of infrastructure |
VPC | Virtual Private Cloud - Secure isolated cloud hosted within a public cloud. |
Passive reconnaissance | Gain information without actively engaging systems |
Active reconnaissance | Actively engage systems for information |
SAN | Storage area network - These appear as local OS drives. They support encryption. |
DHCP - Security? | Disabling DHCP means that clients must manually configure the appropriate networking settings to connect. This increases security posture. |
Wireless routers | Most behave as hubs - wireless clients exist within a single collision domain. |
802.1x | Network authentication. |
Securing virtualized operating systems | Apply patches for extra security. |
IPSec | A set of rules to ensure network traffic is accepted only from appropriate systems. |
Honeypot | Intentionally vulnerable computer or single client to attract attacks for logging or analysis. |
Honeynet | Intentionally vulnerable network, could consist of many hosts. |
BTU | British thermal unit. These measure heat. |
DNS poisoning | Redirects legitimate requests to another webserver/website. |
ARP poisoning | Relies on victims having a malicious MAC address in their ARP cache so that the malicious user receives the victim's legitimate traffic. |
ALE | Annual Loss Expectancy. ALE = SLE x ARO (chance x time) |
IP header | Contains source IP address and the TTL value. |
Common botnet activities | Spam and DDoS |
Benefits of server virtualization | Centralized storage; efficient application of software updates |
SHA-1 | Integrity algorithm |
MD5 | Integrity algorithm |
PKI information | Public key infrastructure - Could be stored in a password-protected file and on a smartcard. |
SOC 2 Type 1 | Document cybersecurity at a specific point in time |
SOC 2 Type 2 | Documents how well systems perform over a period of time. More expensive than Type 1 and takes more time to complete. |
SOC 2 Type 3/4 | Invalid SOC types |
DLP | Data loss prevention. Ensures that data leaving the network is tracked/stays private. |
DRP | Disaster recovery plan - Redirect available resources to restore data after a disaster. |
A5 | Stream cipher |
Key escrow | A third party unrelated to the original holder holds decryption keys in trust. |
Mandatory vacations | Enable potential discoveries of irregularities in a job role via audit or associated reports |
SQL Server Port | 1433 |
Fuzz Test | Automated testing with invalid/unexpected input |
Sideload | Install apps through unofficial channels |
Shimming | Small piece of code to monitor data that is difficult to detect |
Cross-site scripting (XSS) | Exploits trust (web browser to website) - initiated by attacker |
Cross-site request forgery (CSRF/XSRF) | Request forgery where a user is already authenticated (i.e. bank funds transfer) -initiated by victim |
Server-side request forgery (SSRF) | Unofficial app makes requests to unintended locations (spoof as organization mail server) |
Buffer overflow | Write to unauthorized places in memory |
Null-pointer dereference | Read from an invalid address |
Hash collision | Two different files produce the same hash |
Birthday attack | Closely related to probability theory. |
Rainbow table | Precomputed list of hashes and passwords |
Spraying attack | Using the same common password list to try to access many accounts |
Rootkit | Admin-level computer access |
C2 Server | Botnet control |
Fileless virus | Resides in RAM |
Grayware | Doesn't necessarily have spyware, but is an annoying program. |
Spyware | Track user actions without their awareness |
SPIM | Spam over Instant Messaging |
SPIT | Spam over Internet Telephony - elicitation over phone |
Elicitation | The act of forcing someone to reveal information through casual conversation |
Vishing | Phishing over voice |
Spear phishing | Targeting and phishing a certain user |
Whaling | Phishing by targeting a specific set of users (ex: high ranking executives) |
Smishing | Phishing over SMS |
SMTP + SSL/TLS Port | 465/587 |
iSCSI Target Port | 3260 |
iSCSI Port | 860 |
Data Confusion | Ensures Ciphertext is very different than plaintext |
Data Masking | Partial omission (blanking out credit card numbers) |
Bluejacking | Sending unsolicited messages |
Bluesnarfing | Hacking a bluetooth device (access / steal data) |
WPA | Wi-Fi Protected Access, associated with TKIP and RC4. |
Honeyfile | Bait files for an attacker to access - alerts a successful attack |
2.4GHz | B, G, N |
5.0GHz | A, N, AC |
Promiscuous mode | Capture all traffic to a specific port |
HSM | Hardware security module - store/manage keys (ex: MicroSD) |
IPSec VPN | Site-to-site and always on |
Cuckoo | Malware sandbox testing tool |
FCIP Port | 3225 |
Diameter Port | 3868 |
Syslog Port | 514 |
Syslog over TLS | 6514 |
TFTP Port | 69 |
Attribute-based access control | Evaluate objects based on attributes/characteristics - restudy this |
HOTP | HMAC (hash)-based one-time password |
CHAP | Challenge Handshake Authentication Protocol - must shake more than once |
Network Switches | Each port has a separate collision domain |
FAR | False acceptance rate - how many times a system will accept an invalid login. |
Smurf attack | Sending spoofed broadcast packets to a router |
TOTP | Time-based one time password - time-limited with open authentication |
Diffusion | Small change in ciphertext results in a large change in the plaintext |
RPC/DCOM-scm Port | 135 |
Telnet Port | 23 |
Tokenization | Replace sensitive data with an entirely different dataset |
NetBIOS Port | 137 - 139 |
SMB Port | 445 |
SYN Flood | Half-open connections |
NNTP Port | 119 |
WEP | Wired Equivalent Privacy - IV |
WPA2 | CCMP / AES |
sn1per | Conduct penetration testing automatically |
SMTP | 25 |
Registered Ports | 1,024 - 49,151 |
Well-known Ports | 0 - 1023 |
Dynamic / Private Ports | 49,152 - 65,535 |
Pass the Hash | Generate the hash of a password to reuse later to gain access to a system |
SIEM | Security Information and Event Management - Software/services combine security information management and event management. |
Runbook | A set of rules that can be largely automated - generally related to security orchestration, automation, and response |
Playbook | Step-by-step actions that need to occur within the SOAR process - usually involving human intervention. |
CIS Controls | Center for Internet Security Controls - 20 control groups covering hardware inventory to penetration testing - pare controls to those most critical to reduce risk |
NIST RMF | National Institute of Standards and Technology - Risk Management Framework - seven-step methodology that provides risk management through the information systems lifecycle |
PCI DSS | Payment Card Industry Data Security Standard - standard for the payment card industry to process payment card information |
Behavioral-based monitoring | Using a baseline of normal behavior, detect anomalies to the baseline. |
Rule-based monitoring | Dependent on administrator-created rules that search for specific behavior |
Signature-based monitoring | Examine network traffic against known signatures. This can easily become out of date and is vulnerable to zero-day attacks. |
Active-based monitoring | Actively monitor systems for suspicious activity. No specific protection against zero-day. (i.e. HTTP traffic) |
Protocol analyzer | Examine network packets sent from server to server |
RTO | Recovery time objective. Maximum amount of time considered tolerable for a service/business function to be unavailable. |
RPO | Recovery point objective. Maximum amount of lost data because of an outage. |
MTBF | Mean Time Between Failures - Average length of time a specific device is expected to work until it fails |
MTTR | Mean Time to Repair - Average length of time from component failure until it is repaired |
Kiting | Attack domain name registrations |
IPFIX | IP Flow Information Export - Common representation of flow data - based on NetFlow v9 |
NXLog | Open source universal log collector |
sFlow | Sampled flow - Random sampling of packets |
Digital certificates refer to what information assurance objective | Authentication |
MITRE ATT&CK | Catalog emerging tactics, techniques, and procedures being used in attacks globally |
Diamond Model of Analysis | Categorizes attacks - an attacker attacks victim's infrastructure |
NIST CSF | Set of controls to reduce risk |
Cyber Kill Chain | Lockheed Martin's model describing how attackers step through actions to reach their final goal. Assumes a unidirectional workflow. |
UPS and battery backup | Provide backup power for a short amount of time |
Gas-powered generator | Will provide power continuously until electrical power is restored |
SNMP community name | Is insecure by default, should be changed from "public". |
Escaping | A coding technique that ensures any system commands are not processed and just recognized as text. |
Transitive access | Unauthorized user access from one software component to another without proper authorization. |
Cryptographic erase | Data is encrypted by default, when the erase process is started, the encryption key is deleted with the data |
Overwrite | Overwrite data with random patterns of 1s and 0s. |
Secure erase | Securely delete data, but causes wear and tear. |
Zero fill | Fill the entire storage device with zeros |
Preparation phase | Conduct training, prepare incident response kits, and research threats/intel |
Detection and analysis phase | Monitor and detect any possible malicious events/attacks |
Containment, eradication, and recovery | Preserve forensic and incident information |
Post-incident activity | After-action reports, lessons learned, follow-up actions to prevent further incidents |
Uncredentialed scans | Unable to detect many vulnerabilities on devices |
Authenticated scans | Accurately determine the vulnerability posture of a network |
Cloud service investigations | Challenging due to the rapid creation/deletion of cloud servers |
APT | Advanced Persistent Threats - A group of hackers with great capability and intent, often backed by nation-states/large orgs. |
Hacktivist | Someone who uses hacking to bring about political and social change |
Traceroute | ICMP |
Hping | Sends custom ICMP, UDP, or TCP packets |
`nc -l -p 8080 \| nc 192.168.1.76 443` | Netcat listens on port 8080 and pipes the input to a remote connection to 192.168.1.76, port 443 |
Community cloud | A cloud shared mutually among different organizations that belong to the same community/area |
AlienVault | Avoid the rigidity of the Lockheed Martin cyber kill chain. |
Proximity Card | Uses RFID to communicate with readers |
Mandatory vacation | Requires an employee to fill in for another - an audit could reveal fraud or abuse |
Network tap | Copy data for later analysis; passive reconnaissance |
RP | Relying party - provides services to members of a federation |
IdP | Identity provider - provides identities, makes assertions about them, and releases information about identity holders |
flow: to_client,established | Only inbound traffic will be analyzed. |
Metasploit | Security vulnerabilities and penetration testing |
Nessus | Vulnerability scanner |
nmap | Port scanner |
Endpoint security | monitor endpoints against cyberthreats |
PGP | asymmetric |
3DES | symmetric |
AES | symmetric |
FISMA | Federal Information Security Management Act - federal framework to protect govt information |
HIPAA | Protect privacy |
COPPA | Children's online privacy protection act - law imposing restrictions on websites directed to children under 13 |
SOX | Sarbanes-Oxley - US law setting requirements for public companies |
reverse proxy | directs traffic to cloud services if the traffic complies with policy |
DNS blackholing | Using a list of known malicious domains, internal DNS creates a fake reply |
Route poisoning | prevents networks from sending data when the destination is invalid |