Threat Hunting
The practice of proactively (manually) searching for cyber threats that are lurking undetected in a network, looking for evidence of adversary TTPs.
Intelligence fusion
In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.
Maneuver
In threat hunting, the concept that a threat actor or defender may use deception or counterattacking strategies to gain an advantage.
Common Vulnerability Scoring System (CVSS)
Open protocol for scoring new vulnerabilities.
Credentialed Scan
A scan in which user accounts are given logon rights to various hosts, plus permissions appropriate for testing routines. This also shows what an insider attack, or where an attacker has compromised a user account, may be able to achieve.
Active Scanning
Probing the device's configuration using some sort of network connection with the target. Consumes more network bandwidth and runs the risk of crashing the target of the scan or causing some sort of outage.
Security Content Automation Protocol (SCAP)
NIST framework that outlines various accepted practices for automating vulnerability scanning.
Footprinting
Scanning for hosts, IP ranges, and routes between networks to map out the structure of the target network.
Advanced Persistent Threat (APT)
The ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques.
PCI DSS (Payment Card Industry Data Security Standard)
Defines the safe handling and storage of financial information. Covers the technical and operational system components included in or connected to cardholder data.
GDPR (General Data Protection Regulation)
A regulation in EU law on data protection and privacy. Personal data cannot be collected, processed, or retained without the individual's informed consent.
Hacktivist
A threat actor that is motivated by a social issue or political cause.
Bug Bounty
Reward scheme operated by software and web services vendors for reporting vulnerabilities.
Purple Team
A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.
UAV
Unmanned Aerial Vehicle
Persistence
The ability of a threat actor to maintain covert access to a target host or network, typically by installing a RAT or backdoor.
Pivoting
The act of an attacker moving from one compromised system to one or more other systems within the same or other organizations.
Basic tools include web searches/queries plus sites that scan/scrape/monitor vulnerabilities in internet-facing services and devices
Digital Signature
A message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove message integrity. In other words, an encrypted hash of a message used to validate the sender.
DSA (Digital Signature Algorithm)
The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying they sent the e-mail.
Elliptic Curve Cryptography (ECC)
An algorithm that uses elliptic curves instead of prime numbers to compute keys. More commonly used than RSA because it offers the same level of security with a shorter key length.
Perfect Forward Secrecy (PFS)
An encryption method that ensures a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. To work properly, this requires two conditions: keys must not be reused, and new keys must not be derived from previously used keys. It is a solution designed to strengthen the security of session keys.
Cipher Suite
Lists of cryptographic algorithms that a server and client can use to negotiate a secure connection.
Counter Mode (CTM/CM)
An encryption mode of operation where a numerical counter value is used to create a constantly changing IV.
Birthday Attack
A type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output. (Also a type of brute-force attack; the algorithms used must be collision resistant to protect against this attack.)
Cryptographic Primitive
A single hash function, symmetric cipher, or asymmetric cipher.
Lunchtime Attack
If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system.
Remote Access Trojan (RAT)
Backdoor malware that mimics the functionality of legitimate remote control programs, but is designed specifically to operate covertly.
Message Authentication Code (MAC)
Proving the integrity and authenticity of a message by combining its hash with a shared secret. Prevents man-in-the-middle tampering with the checksum.
netstat
Shows the network statistics for the local computer. Displays TCP and UDP sessions by computer name (or IP) and port.
Netcat
Utility for reading from and writing raw data over a network connection. Can be used for port scanning and fingerprinting.
Fingerprinting
The detailed analysis of services on a particular host.
Data Breach
When confidential data is read, transferred, modified, or deleted without authorization.
Privacy Breach
Where personal data is not collected, stored, or processed in full compliance with the laws or regulations governing personal information.
Data Loss
Where information becomes unavailable, either permanently or temporarily.
Data Exfiltration
The methods and tools by which an attacker transfers data without authorization from the victim's systems to an external network or media.
Sn1per
Software utility designed for penetration testing, reporting, and evidence gathering that can also run automated test suites. Integrates other tools like ping, whois, nmap, etc. to find vulnerabilities.
curl (Client URL)
CLI tool to transfer data to a server through supported protocols like HTTP, FTP, SMTP, IMAP, POP3, etc.
hping
An open-source spoofing tool that provides a penetration tester with the ability to craft network packets to exploit vulnerable firewalls and IDSs. Can perform host/port detection, firewall testing, traceroute, DoS, etc.
Sandbox
A system configured to be completely isolated from its host so that the malware cannot "break out".
Cuckoo
Implementation of a sandbox for malware analysis.
Symmetric Encryption features:
Fast (relative to asymmetric encryption), used for bulk encryption of large amounts of data, used for confidentiality.
File Encryption
The process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is provided. (data-at-rest)
Transport Encryption
The technique of encrypting data that is in transit, usually over a network like the Internet. (data-in-transit)
Asymmetric Encryption features:
Mostly used for authentication and non-repudiation, involves substantial computing overhead, can be used for key agreement and exchange.
Certificate Authority (CA)
A trusted third party that is responsible for issuing and guaranteeing certificates.
Single CA trust model
A single CA issues certificates to users; users trust certificates issued by the CA and no other.
Hierarchical Trust Model
A single (root) CA issues certificates to several intermediate CAs. The intermediate CAs issue certificates to subjects (leaf or end entities).
Certificate Chaining
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
Registration Authority (RA)
In PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests.
Digital Certificate
An X.509 certificate, issued by a CA, that proves it was issued to the subject by that particular CA. It contains information about the subject and about the certificate's issuer (guarantor).
Common Name (CN)
An X.500 attribute expressing a host or user name, also used as the subject identifier for a digital certificate; used to identify the FQDN by which the server is accessed, such as www.comptia.org.
Subject Alternative Name (SAN)
AKA Unified Communication Certificate (UCC); extension field in a digital certificate that allows a host to be identified by multiple host names/subdomains.
Wildcard Certificate
A certificate that starts with an asterisk (*) in the domain name field (e.g. *.google.com). This allows the certificate to secure multiple subdomain names (hosts) pertaining to the same base domain.
Domain Validation
Proving the ownership of a particular domain. This may be proved by responding to an email to the authorized domain contact or by publishing a text record to the domain. This process can be highly vulnerable to compromise.
Extended Validation (EV)
Subjecting the certificate subject to a process that requires more rigorous checks on its legal identity and its control over the domain or software being signed.
Code Signing Certificate
The method of using a digital signature to ensure the source and integrity of programming code.
Self-signed certificate
A digital certificate that has been signed by the entity that issued it, rather than by a CA.
Escrow
In key management, the storage of a backup key with a third party.
Online Certificate Status Protocol (OCSP)
Allows clients to request the status of a digital certificate, to check whether it is revoked.
OCSP Stapling
Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder. (Check the status of a digital certificate without contacting the CA.)
Certificate pinning
Refers to a mechanism that ensures that when a client inspects the certificate presented by a server or code-signed application, it is inspecting the proper certificate. Defends against impersonation attacks performed with fraudulent digital certificates, and so helps minimize MITM attacks.
OpenSSL
Software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end.
NT LAN Manager (NTLM) authentication
A challenge-response authentication protocol created by Microsoft for use in its products. Legacy network applications might use this.
Password Authentication Protocol (PAP)
Obsolete (no longer used/out of date) authentication mechanism used with PPP (point-to-point protocol). This protocol transfers the password in plaintext and is therefore vulnerable to eavesdropping.
Point-to-Point Protocol (PPP)
TCP/IP protocol that is used to connect one computer system to another. Transfers TCP/IP data over serial or dial-up connections.
Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. A challenge-response is repeated throughout the connection to guard against replay attacks.
MS-CHAPv2
Microsoft’s implementation of CHAP. Because of the way it uses vulnerable NTLM hashes, MS-CHAP should not be deployed without the protection of a secure connection tunnel so the credentials being passed are encrypted.
Hardware Security Module (HSM)
An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
Extensible Authentication Protocol (EAP)
Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.
802.1X Port-based Network Access Control protocol
A standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication. Provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point, or VPN gateway.
Network access server (NAS)
Edge network appliances such as switches, access points, and VPN gateways. These are also referred to as RADIUS (Remote Authentication Dial-In User Service) clients or authenticators.
Initiative for Open Authentication (OATH)
An industry body established with the aim of developing an open, strong authentication framework. "Open" means a system that any enterprise can link into to perform authentication of users and devices across different networks. "Strong" means the system is based not just on passwords but also on two- or three-factor authentication.
HMAC-based One Time Password (HOTP)
Token-based authentication. An algorithm that generates a one-time password using a hash-based message authentication code (HMAC) to verify the authenticity of the message.
Smart-card authentication
A device similar to a credit card that can store authentication information, such as a user’s private key, digital certificate, and PIN, on an embedded microchip.
Remote Authentication Dial-In User Service (RADIUS)
A standard protocol used to manage remote and wireless authentication infrastructures. The device or server that accepts user connections is often referred to as the NAS or the authenticator.
False Rejection Rate (FRR)
Biometric assessment metric. Where a legitimate user is not recognized. Also referred to as a Type 1 error or false non-match rate. This is measured as a percentage.
False Acceptance Rate (FAR)
Biometric assessment metric. Where an interloper is accepted. Also referred to as a Type 2 error.
Crossover Error Rate (CER)
Biometric evaluation factor. The point at which FRR and FAR meet. The lower this is, the more efficient and reliable the technology.
Gait analysis
Biometric mechanism that identifies a subject based on movement pattern.
Nondisclosure Agreement (NDA)
An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.
Service account
A host or network account that is designed to run a background service, rather than to log on interactively.
Geofencing
Refers to accepting or rejecting access requests based on location. Can also be used for push notification to send alerts or advice when a user enters a specific area.
Geotagging
Refers to the addition of location metadata to files or devices. Often used for asset management to ensure devices are kept in the proper location.
Discretionary access control (DAC)
Access control model where each resource is protected by an ACL managed by the resource’s owner. The most flexible model, and currently the most widely implemented in computer and network security.
Role-based access control (RBAC)
Access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
Mandatory access control
Access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
Attribute-based access control (ABAC)
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
Rule-based access control
Can refer to any sort of access control model where access control policies are determined by system rules rather than system users.
Lightweight Directory Access Protocol (LDAP)
Application protocol for accessing and maintaining distributed directory information services over an IP network.
Directory Service
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
Federation
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
Security Assertion Markup Language (SAML)
XML-based data format used to exchange authentication information between a client and a service.
Simple Object Access Protocol (SOAP)
XML-based web services protocol that is used to exchange messages.
Open Authorization (OAuth)
A standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider. Designed to facilitate sharing of information (resources) within a user profile between sites.
Code of conduct
Professional behavior that depends on basic ethical standards, such as honesty and fairness.
Honeypot
A system designed to attract a hacker by appearing to have security holes that are ripe and ready for exploitation.
Honeynet
Used to observe hackers in action while not exposing vital network resources.
Elasticity
The ability of a cloud to grow or shrink capacity for CPU, memory, and storage resources to adapt to the changing demands of an organization.