COMPTIA SEC+ !!
Confidentiality: encryption. Ensures that data is not disclosed to unintended people
Integrity: hashing. Ensures data not messed with
Availability: uptime of system to make data available.
Non-repudiation: digital signatures. Proves a message's origin so the sender can't later deny sending it (a hash or shared-key MAC alone doesn't give this, because both parties can compute it)
Security: protection against danger, damage, loss and criminal activity
Asset: value to individual/organization
Threat: Anything that has the potential to cause the loss of an asset.
Threat Agent: person/entity that attempts to carry out a threat
Vulnerability:weakness in system
Exploit: act/procedure/piece of software that takes advantage of vulnerability to carry out attack.
Seven layers of Security:
Policies, procedures, and awareness: user education, managing network plans, employee onboarding/off-boarding
Physical: Locks, cameras, motion detectors, environ controls
Perimeter: Firewalls using ACLs and securing wireless network
Network: installing/configuring switches and routers, using VLANs, penetration testing, and virtualization
Host: log management, OS hardening (security measures and patching for operating systems), auditing, anti-malware, password attack prevention on everything.
Application: authentication/authorization, user management, group policies, web application
Data:proper data storage, destroying and classifying data, cryptography, and data transmission security.
2.1
Threat Actor Types:
Targeted attack: threat actors actively pursue and compromise a target entity's infrastructure while remaining anonymous
Opportunistic attack: as fast as possible with minimal effort
Insider: threat agent who has authorized access to an organization and either on purpose or not, carries out an attack
Competitor: carries out attack on behalf of organization and targets competing companies
Hacker: threat agent who uses technical knowledge to bypass security, exploit a vulnerability and gain access to protected information
Cybercriminal: subcategories of hacker threat agents. Willing to take more risk and use more extreme tactics for financial gain.
Nation state: sovereign state threat agent that could wage all-out war on a target and has significant resources for the attack.
Internal threat: threat from individuals (insiders) who exploit assigned privileges and inside info to carry out attack
External threat: threat from individuals/groups not associated with organization. Seek unauthorized access to data.
Persistent threat: seeks access to network + remain there undetected
Non-persistent threat: focuses on getting into the system and stealing info. Usually a one-time event; attacker not concerned with detection
Open-Source intelligence (OSINT): info that is available to public and doesn't require malicious activity to obtain
White hat: uses skills/knowledge for defensive purposes only. Interacts with systems when permission is given
Black hat: uses skills/knowledge for illegal/malicious purposes
Grey hat: middle of black and white hat hacker. Usually has good intentions.
Script kiddie: uses scripts/programs made by more skilled hackers
Hacktivist: politically motivated. Seek information or to cripple an organization/gov. Usually work alone
Organized crime: group of cybercriminals whose main goal is financial gain.
Nation state: most organized, well-funded, and dangerous type of threat actor. Two types, obtaining info and crippling systems.
The steps in a general attack strategy are reconnaissance, breaching, escalating privileges, staging, and exploiting.
2.2
Vocab:
Malware: software designed to take over/damage a computer without user knowledge/consent
Virus: program which attempts to damage computer systems and replicate itself to other computers
Worm: self-replicating malware program
Trojan horse: malicious program that’s disguised as legitimate/desirable software
Zombie: computer that’s infected with malware and controlled by command/control center called zombie master
Botnet: group of zombie computers that are commanded from central control infrastructure
Rootkit: set of programs that allow attackers to maintain hidden, admin level access
Logic Bomb: malware designed to execute only under predefined conditions. Dormant until predefined conditions met
Spyware: software installed without user's consent/knowledge. Designed to intercept or take partial control of user's computer
Adware: malware that monitors user's personal preferences and sends pop-up ads that match preferences
Ransomware: malware that denies access to computer system until user pays ransom
Scareware: scam to fool user into thinking there is some form of malware on the system
Crimeware: malware designed to perpetrate identity theft. Allows hacker access to online accounts at financial services, such as banks and online retailers
Crypto-Malware/Cryptojacking: malicious software that uses a computer’s resources to mine cryptocurrency in the background undetected.
Remote-Access Trojan (RAT): malware that includes a back door to allow a hacker admin control over target computer
Potentially Unwanted Program (PUP): software inadvertently installed that contains adware, installs toolbars/has other objectives
Fileless virus: runs in memory and abuses legit programs already on the system (EX: PowerShell, WMI) instead of writing its own executable to disk, so file-based anti-malware has little to scan
2.3
Vocab:
Social engineering: an attack involving human interaction to get info or access
Footprinting: uses social engineering to obtain as much info as possible about an organization
Pretexting: fake scenario to persuade someone to perform an action or give info
Elicitation: technique to extract info from a target without arousing suspicion
Preloading: influencing target’s thoughts opinions and emotions before something happens
SMiShing/SMS phishing: phishing through SMS message. Tricks the user into clicking a link or downloading a virus/trojan horse/malware onto their phone
Impersonation: pretending to be someone else and approaching target to extract info
SPIM: like spam, but link is sent over instant messaging instead of email
Hoax: type of malicious email with some type of urgent or alarming message to deceive target
Manipulation Types:
Moral Obligation: an attacker uses moral obligation {ROLL CREDITS} and sense of responsibility to exploit target’s willingness to help
Innate Human Trust: exploit target’s tendency to trust others. EX: right clothes, demeanor, uses words/terms the target knows so target will comply with requests out of trust
Threatening: try to intimidate the target with threats to make the target comply with a request. Usually happens after moral obligation and innate human trust fail
Offering something for little to nothing (Bartering): attacker promising big reward for small favor EX: sharing what target thinks is small piece of info for something attacker offers
Social Engineering Process: Research>Development>Exploitation
Social Engineering Attacks:
Shoulder surfing: looking over someone’s shoulder while they work on a computer or review documents. Purpose is to obtain usernames, passwords, account numbers, or other sensitive info
Eavesdropping: unauthorized person listening to private conversation between authorized people when topics are being discussed.
USB and Keyloggers: On site, social engineers also can steal data through USB flash drive or keystroke loggers. Employs keystroke logger to capture usernames and passwords. As target logs in, username and password are saved and later attacker uses username and password to conduct exploit.
Spam and Spim: Spam uses email/banner ad embedded with compromised URL that entices users to click. Spim uses malicious link through IM
Hoax: often bad spelling/bad grammar. Hoax emails use a variety of tactics to convince the target they’re real.
Pharming (phishing without a lure): attacker redirects the target's traffic for a legitimate URL to the attacker's website, usually by modifying the hosts file or poisoning the DNS cache, so the victim gets no link to click and still sees the expected address in the browser. Attacker then captures the user's data. EX: IDs, passwords, banking details. The hosts-file variant is usually delivered by malware EX: Trojan horse/worms
Social Media: attackers use social applications EX: Facebook/Twitter/IG. To steal Identities and info. Also used to scam users, entices user to click link. Site usually requests personal info and sensitive data.
Typosquatting(URL hijacking): relies on mistakes, when user enters incorrect website address, squatter can lead them to any URL
Hybrid warfare: political warfare and blends conventional warfare with cyberwarfare. Goal is to influence others with fake news/diplomacy/lawfare/foreign electoral intervention
Watering Hole Attack: passive computer attack technique where attacker anticipates the websites an organization's users visit often and infects them with malware. Hacker could narrow the attack to users that come from a specific IP address range. 5 main steps:
The attacker identifies the sites visited by the victims.
The attacker finds vulnerabilities in those sites and injects malicious code. This could be JavaScript or code in the ads and banners used on the website.
The malicious code redirects the victims to a phishing site hosting malware.
When the victims visit these websites, the script containing malware is automatically downloaded to the victim's machine without their knowledge.
The malware collects personal information from the victims and sends it back to the server operated by the attacker.
Credential/password harvesting: process of gathering usernames/passwords/email addresses/etc through breaches. Hackers can then sell personal and financial data on the dark web, use info to gain access to company networks for illegal purposes. Could use cloned websites or phishing emails.
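Added example (mine, not from the course material) for the hosts-file variant of pharming above: a check that parses a hosts file and flags watched domains pinned to a non-local address. The hosts content, the 203.0.113.45 address and the examplebank domains are all constructed for the demo.

```python
import ipaddress

# Constructed hosts-file content: two normal loopback lines, a comment left by
# the dropper, two attacker entries that redirect a bank's domains, and a
# harmless ad-blocking entry.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# added by "update.exe"
203.0.113.45    www.examplebank.com
203.0.113.45    login.examplebank.com
0.0.0.0         ads.tracker.example
"""

# Domains whose traffic should never be steered by a local hosts entry
WATCHED_DOMAINS = {"www.examplebank.com", "login.examplebank.com", "shop.example.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Flag watched domains mapped to anything other than loopback/0.0.0.0."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name in watched and not (addr.is_loopback or addr.is_unspecified):
            findings.append((ip, name, "watched domain redirected"))
    return findings
```

The DNS cache poisoning vector can't be checked offline this way; for it you compare the resolver's answer for the watched names against a trusted resolver.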
Phishing types:
Spear phishing: attacker gathers info about victim, then sends email to victim that appears to be from the place of info gathered. Email usually contains a link that sent user to site to look legit, intended to capture victims personal info
Whaling: targets senior executives and high-profile victims
Vishing: attacker uses Voice Over IP (VoIP) to gain sensitive info. Combo of voice and phishing
SMS phishing (Smishing): text message to trick victim into taking immediate action, usually contains link that may install malware on victim's phone or extract personal info
Types of Attackers:
Insider
Hacker
Nation State
Attack Types:
Opportunistic
Targeted
Types of Motivation Techniques:
Authority and fear
Social proof
Scarcity
Likeability
Urgency
Common ground and shared interest
Elicitation:
Compliments
Misinformation
Feigning Ignorance
Being a good listener
2.4
Vocab:
Zero-day vulnerability: software vulnerability that is unknown to vendor
Data loss: loss of files/documents either by accident or through malicious acts
Data breach: exposure of confidential/protected data either by accident or through malicious acts
Data exfiltration: unauthorized transfer of info/files from a computer
ID theft: attacker commits fraud by using someone else’s name/existing account to obtain money or purchase things
Availability loss: loss of access to computer resources due to network being overwhelmed/crashing
Network Vulnerabilities:
Default accounts/passwords
Weak passwords
Privilege escalation (taking advantage of software bug/flaw to gain higher access)
Backdoor
Cloud-based and third-party systems (org doesn't own the system if cloud-based, so penetration testing needs the provider's authorization and must stay within the provider's rules. If systems are interconnected, penetration tester needs to ensure they don't touch third-party systems outside the agreed scope)
Inherent vulnerabilities
Application flaws
Misconfiguration
Root account
Adversarial Artificial Intelligence (AI)
Weak Artificial Intelligence/Narrow AI:designed to perform one job EX: smart speakers, spam/web filtering, search engine, automated chats, image/facial recognition
Strong Artificial intelligence/Full AI: systems that carry out human-like tasks, typically complex. Include ability to reason, make judgements, solve puzzles, learn, plan and communicate. EX: advanced video games, software to assist docs in surgery, self-driving cars, disease diagnosis
AI Risks:
Data
Tech
Interaction with humans
Security
models
3.1
Vocab:
Physical security: protection of corporate assets from threats such as unauthorized entry/theft/damage
Prevention: taking necessary steps to avoid unauthorized access/theft/damage/etc
Detection: Identifying that a breach has happened/is happening
Recovery: process of returning a system to a functioning state/repairing any damage
Mantrap: specialized entrance with two locking doors that create a security buffer zone between two areas
Turnstile: barrier that permits entry in one direction (Cuz I want it That > way)
Double-entry door: 2 doors that are locked from the outside but have crash bars on the inside for easy exit
Bollard: short sturdy posts used to prevent a vehicle from crashing into a secure area
Smart card: access cards that have encrypted access info. Smart cards can be contactless/require contact
Proximity card/radio frequency identification/RFID: subset of smart cards that use the 125 kHz frequency to communicate with proximity readers
Biometric lock: increase security by using fingerprints/iris scanners. Reduce the threat from lost keys/cards
3.2
Vocab:
Air gap: security method that physically isolates a portion of the network(computer/server/small network of computers) from the internet/other unsecured networks
Faraday cage: designed to block all electromagnetic emissions
3.3
Vocab:
Infrastructure: systems that support the site. EX: AC, Power, water
Cold Aisle: created by having the front of the equipment face towards the centre of the aisle. Usually, face air conditioner output ducts.
Hot Aisle: created by having the back of the equipment face the aisle. Usually, hot aisles face air conditioner return ducts.
Electro-Magnetic Interference/EMI: disturbance from electromagnetic radiation (EX: motors, fluorescent lights, power cables) that degrades signals on nearby cables/devices. Mitigate with shielded cabling or fiber and by keeping data cables away from power lines
4.2
Vocab:
Hardening: process of securing devices and software by reducing the security exposure and tightening security controls
Hotfix: quick fix for a specific software problem
Patch: fix that is more thoroughly tested than a hotfix and designed for a wider deployment
Service pack: collection of patches, hotfixes, and system enhancements that have been tested by the manufacturer for wide deployment.
Trusted Operating System/TOS: comes hardened and validated to a specific security level. Several TOS provide sufficient support for multilevel security, a system where many levels of classified data reside within the same system. Users are not permitted to access data at classification levels they aren't cleared for. Additionally, all personnel must have access approval on a need-to-know basis
Config baseline: set of consistent requirements for a workstation/server.
Security baseline: component of config baseline that ensures all workstations and servers comply with security goals of the organization.
Standard Operating Environment/SOE: implemented as a standard disk image/master image. Disk image is used when deploying new computers to the network. Automation is used when deploying the master image and when running config scripts that give the computer a name, join it to the domain and perform any other customization. Master image should be based on a TOS and be fully patched.
Manage software:
Check all software has up-to-date licenses.
Install security software EX: anti-virus, anti-spyware, anti-rootkit, and firewall
Install only needed software
Avoid installing freeware/software from untrusted publishers
Reduce the attack surface of the device by limiting applications and services running on the device/removing unnecessary software/features/non-essential services.
5.1
Vocab:
Security zone: portion of the network/system that have specific security concerns/requirements
Wireless network: network that doesn’t require physical connection
Guest network: grants internet access to only guest users; has a firewall to regulate access
Honeynet: special zone/network created to trap potential attackers
Ad hoc: decentralized network that allows connections without traditional base station/router. Allows users to connect two+ devices directly to each other for a specific purpose
Intranet zone: private network that employs internet info services for internal use only
Internet: public network that includes all publicly available web servers/FTP servers/etc
Extranet: privately controlled network distinct from however located between the internet and a private LAN
Demilitarized zone: network that contains publicly accessible resources and is located between the private network and an untrusted network (EX: the internet). Protected by firewall.
Proxy server: type of firewall that stands as an intermediary between clients requesting sources from other servers
Internet content filter: software used to monitor and restrict content delivered across the web to an end user
Network access control: software that controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements
All-in-one security appliance: combines many security functions into a single device
Application-aware device: has the ability to analyze/manage network traffic based on the application-layer protocol.
5.6
Vocab:
Web filter: content filter that prevents users from visiting restricted websites
Web threat filter: prevents users from visiting websites with known malicious content
5.8
Vocab:
Active attack: attack in which perpetrators attempt to compromise or affect the operations of a system in some way
Passive attack: attack in which perpetrators gather info without affecting target network flow of info
External attack: attack in which unauthorized individuals try to breach a network from outside the network
Inside attack: attack initiated by authorized individuals inside the network's security perimeter who attempt to access systems or resources to which they're not authorized
Entry point: entry point is a location or device that allows network access and is vulnerable to attacks
Network baseline: normal network activity including typical traffic patterns, data usage, and server loads. Activity that deviates from the baseline can indicate an attack
Network segmentation: division of a network into smaller networks or pieces for performance or security reasons
5.9
Vocab:
Backdoor: unprotected and usually lesser known access method/pathway that could allow attackers access to system resources. Backdoors include hard-coded passwords and hidden service accounts, often added during development
MITRE: US not-for-profit corporation that maintains the CVE list. Despite the common expansion, the name is not an acronym
Common Vulnerabilities and Exposures (CVEs): list of publicly known vulnerabilities, each with a unique CVE ID, hosted by MITRE Corporation
National Institute of Standards and Technology/NIST: maintains the National Vulnerability Database (NVD), which adds CVSS severity scores to CVE entries
8.2
Vocab:
Rogue access points/AP: any unauthorized access point added to a network
Initialization vector/IV: Seed value used in encryption. Seed value and key are used in an encryption algorithm to generate additional keys or encrypt data
Radio frequency identification/RFID: tags that transmit a stored ID when powered by a reader's radio field. Near-field communication/NFC: newer tech built on RFID that allows two-way communication between two devices within a few centimeters of each other
Interference: signal that corrupts/destroys wireless signal. Interference can affect communication of access points and other wireless devices
Wifi Attacks:
Rogue Access Points: unauthorized AP added to a network. can allow the unauthorized capture of credentials and other sensitive information. Attackers also use this type of attack to conduct phishing and man-in-the-middle attacks.
Evil Twin Attack: rogue AP placed by an attacker that broadcasts the same SSID as a legitimate AP so clients connect to it and the attacker can intercept their traffic. To protect against this attack, conduct a radio frequency (RF) noise analysis to detect a malicious rogue AP that uses jamming to force wireless clients to connect to it instead of legitimate APs.
IV Attack: attack on a cipher whose IV is too short or gets reused (EX: WEP's 24-bit IV), so the same keystream encrypts multiple packets. Comparing those packets lets the attacker recover plaintext and eventually the key.
Jamming attack: deliberate interference. In wireless networks, interference is a signal that corrupts or destroys the wireless signal sent by APs and other wireless devices. Non-malicious interference comes from other devices on the same frequency; jamming is done on purpose
Disassociation/deauthentication attack: attacker sends spoofed deauthentication/disassociation management frames to knock clients off an AP. Works because 802.11 management frames are unauthenticated unless protected management frames (802.11w) are enabled. Used for DoS or to force clients to reconnect (to an evil twin, or so the attacker can capture the handshake)
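Added example (mine, not from the course material) of why the IV attack above works: a toy counter-mode keystream built from HMAC-SHA256 stands in for a real stream cipher; the key, IVs and messages are constructed. With the same key and IV, XORing the two ciphertexts cancels the keystream, so anyone who knows one plaintext recovers the other without the key. The toy cipher is illustrative only; the IV-reuse flaw it shows is real.

```python
import hashlib
import hmac


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, iv || counter) blocks.
    Illustrative only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Stream-cipher style: ciphertext = plaintext XOR keystream(key, iv)
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If both messages used the same key AND IV, c1 ^ c2 == p1 ^ p2 (the
    keystream cancels), so knowing p1 gives p2 with no key at all."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


KEY = b"\x00" * 16                  # constructed; the attacker never sees it
P1 = b"ATTACK AT DAWN"
P2 = b"RETREAT NOW!!!"


def demo_iv_reused():
    iv = b"\x11" * 8                # same IV for both messages: the mistake
    c1 = encrypt(KEY, iv, P1)
    c2 = encrypt(KEY, iv, P2)
    return recover_other_plaintext(c1, c2, P1)     # equals P2


def demo_iv_fresh():
    c1 = encrypt(KEY, b"\x11" * 8, P1)
    c2 = encrypt(KEY, b"\x22" * 8, P2)             # unique IV per message
    return recover_other_plaintext(c1, c2, P1)     # garbage, not P2
```

WEP's 24-bit IV space is so small that on a busy network IVs repeat within hours, which is exactly the condition demo_iv_reused() sets up by hand.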
9.2
Vocab:
Virtual network: computer network consisting of virtual and physical devices
Virtual Local Area Network/VLAN: logical LAN running on top of a physical LAN. Switch ports are grouped so devices on different VLANs can't talk without going through a router
Virtual Private Network/VPN: secure tunnel to another network that connects multiple remote end-points
Virtual Machine/VM: virtual computer that functions like a physical computer
Virtual Switch/VSwitch: software that facilitates communication between VMs by checking data packets before moving them to a destination
Virtual router/VRouter: software that replicates how a physical router works
Virtual Firewall Appliance/VFA: software that functions as a network firewall device. VFA provides packet filtering and monitoring functionality.
Virtual Machine Monitor/VMM/Hypervisor: software/firmware/hardware that creates/runs VMs
Software-defined networking: architecture that separates the control plane (deciding where traffic goes) from the data plane (forwarding it) and centralizes control in software, so network/security professionals can manage/control/make changes to a network programmatically
9.4
Vocab:
Cloud: a metaphor for the internet.
Cloud computing: software, data access, computation, storage services provided to clients through the internet
Public cloud: Platforms, applications, or other resources that are made available to the general public by a cloud service provider
Private cloud: Platforms, applications, storage, or other resources that are made available to a single organization
Community cloud: platforms, applications, storage or other resources that are shared by several organizations
Hybrid cloud: A combo of public, private, and community cloud resources from different service providers
9.5
Vocab:
Cloud access security broker/CASB: on-premises or cloud-based software tool or service that sits between an organization and a cloud service provider to enforce security policy
Virtual networks: Vms connected through software
Segmentation: division of a network into smaller networks through a virtual local area network (VLAN) and firewalls
Security group: works like a firewall to control traffic to and from network resources
Virtual private cloud endpoint/VPC endpoint: provides a private connection between a virtual private cloud and a cloud provider's services without traversing the public internet. Keeps traffic private using a private link resource
Container: standard unit of software that holds the complete runtime environment including an application, all application dependencies, libraries, binaries, and configuration files
Cloud-based firewall: deployed in the cloud that protects against unwanted access to a private network
9.9
Vocab:
Supervisory control and data acquisition/SCADA: industrial computer system that monitors and controls a process
Arduino: open source hardware and software platform for building electronic projects
Raspberry Pi: low-cost single-board computer the size of a credit card, built around an ARM system on a chip (SoC) and usually running Linux. Commonly programmed in Python
Field Programmable Gate Array/FPGA: integrated circuit that the customer configures
Subscriber Identity Module/SIM card: stores the subscriber's identity (IMSI) and the secret key used to authenticate the phone to the carrier's network and derive the keys that encrypt the radio link
Zigbee: radio protocol that creates a low-rate personal area network (common in IoT/smart-home devices)
10.3
Vocab:
Dereference: obtain from (a pointer) the address of a data item held in another location.
Pointer/object dereferencing: attack that makes a program read through a pointer it never validated. A NULL pointer dereference crashes the program (denial of service); other bad pointers can expose or corrupt memory
Buffer overflow: attack that exploits an operating system/application that doesn’t enforce boundaries for inputting data EX: amount of data/type of data
Resource exhaustion: attack that focuses on depleting the resources of a network to create a denial of service to legit users
Memory leaks: happens when dynamic memory is allocated in a program but never freed (EX: the last pointer to it is lost), so the process's memory use keeps growing until it crashes or starves the system
Race conditions: outcome depends on the timing of events the program assumes will run in a certain order. An attacker who changes something between a check and its use gets a time-of-check to time-of-use (TOCTOU) bug
Error handling: procedure in program that responds to irregular input/conditions
Improper input handling: lack of validation, sanitation, filtering, decoding, or encoding of input data
Replay attack: happens when network traffic is intercepted by an unauthorized person who delays/replays communication to its og receiver, acting as og sender. Og sender unaware of it
Pass the hash: attack in which an attacker obtains a user's password hash (EX: NTLM) and authenticates with the hash directly, without ever cracking it
API attack: bad use of API (Application Programming Interface)
SSL stripping: man-in-the-middle attack that downgrades the victim's HTTPS connection to plain HTTP, so the attacker reads/alters traffic while the server still sees HTTPS
Driver manipulation: attack focuses on device drivers, uses refactoring/shimming
Privilege Escalation
Horizontal: when attacker gains data that belongs to another user with the same privilege level as themselves
Vertical: when attacker uses system vulnerabilities to escalate privileges to gain admin access
10.4
Vocab:
Normalization: Data re-organized in a relational database to eliminate redundancy by having all data stored in one place and storing all related items together
Stored procedures: SQL statements saved in the database and called by name with parameters. Limit what clients can run and keep user input out of the query text (helps prevent SQL injection)
Code obfuscation: deliberate act of creating source/machine code that is difficult for humans to understand. To remember: CamoCode :)
Dead code x-x: code in a program that's never reached at run-time, or that executes but whose result isn't used by any other computation. Should be removed
Memory management: resource management process applied to computer memory. Allows computer system to assign portions of memory (blocks) to various running programs to optimize overall system performance
Third-party libraries: code is not maintained in-house
Software Development Kits/SDKs: set of software dev tools that can be installed as one unit
Data exposure: unintended exposure of personal/confidential data
Fuzz testing: software testing technique that exposes security problems by providing invalid, unexpected, or random data to the inputs of an application
Code signing: process of digitally signing executables and scripts (a hash of the code is signed with the author's private key and verified with the matching public key/certificate) to confirm the software author and guarantee that the code has not been altered/corrupted since it was signed. Signing is not encryption; the code stays readable.
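Added example (mine, not from the course material) of the fuzz testing entry above: a small mutation fuzzer run against a deliberately buggy packet parser and against a fixed one. The packet format (version byte, length byte, payload, checksum byte) and the seed packet are constructed; the fuzzer flips bits, truncates, inserts bytes and rewrites the length field, then records any exception the parser didn't plan for.

```python
import random


def make_packet(payload: bytes, version: int = 1) -> bytes:
    """Constructed format: [version][length][payload...][checksum]."""
    return bytes([version, len(payload)]) + payload + bytes([sum(payload) % 256])


def parse_packet_buggy(data: bytes) -> dict:
    version = data[0]
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]          # BUG: trusts the length field; IndexError on short input
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return {"version": version, "payload": payload}


def parse_packet_fixed(data: bytes) -> dict:
    if len(data) < 3:
        raise ValueError("too short")
    version, length = data[0], data[1]
    if len(data) != 2 + length + 1:      # length must agree with what we actually have
        raise ValueError("length field does not match buffer")
    payload = data[2:2 + length]
    if sum(payload) % 256 != data[-1]:
        raise ValueError("bad checksum")
    return {"version": version, "payload": payload}


def mutate(seed_bytes: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed input."""
    data = bytearray(seed_bytes)
    op = rng.choice(["flip", "truncate", "insert", "overwrite_len"])
    if op == "flip" and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "overwrite_len" and len(data) > 1:
        data[1] = rng.randrange(256)
    return bytes(data)


def fuzz(parser, seed_bytes: bytes, iterations: int = 2000, seed: int = 1234) -> dict:
    """Return {exception name: first crashing input} for unexpected exceptions.
    ValueError is the parser's intended rejection of bad input, so it's not a bug."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed_bytes, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes
```

fuzz(parse_packet_buggy, make_packet(b"hello")) reports an IndexError with the input that triggered it, which is the reproducer you'd hand to the developer; the fixed parser returns no crashes over the same cases.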
11.1
Vocab:
Bottleneck: condition that occurs when a system is unable to keep up with the demands placed on it
Latency: the time it takes data packets to travel from source to destination and back. All packets experience some latency. When packets sent together arrive at different times and out of order, the variation is called jitter.
Bandwidth: The amount of data that could be transferred from one place to another in a specific amount of time
Bandwidth Utilization: percent of available bandwidth that is being used. Network should not regularly utilize all its available bandwidth. Systems perform best when additional bandwidth is available for usage spikes
Error rate: calculation of how often bits are damaged in transit due to electromagnetic interference or any other interference. If a packet is damaged too much, it is dropped.
Throughput: amount of data that is transferred from one place to another in a specific amount of time
11.2
Simple Network Management Protocol/SNMP: protocol designed for managing complex networks. SNMP lets network hosts exchange configuration and status info; info is gathered by management software to monitor and manage the network and network events
Manager: computer used to perform management tasks, queries agents and gathers response by sending messages
Agent: runs on managed network devices, communicated info to the manager and can send dynamic messages to it as well
Trap: event configured on an agent. When the event occurs (EX: link down), the agent sends an unsolicited trap message to the manager instead of waiting to be polled
Management Information base/MIB: database of host config info. Agents report data to the MIB. Manager can view info by requesting data from the MIB
Packet sniffing: process of capturing data packets that are flowing across the network and analyzing them for important info. Modern networks should have good protection against network sniffing attacks, however occasional circumstances allow an attacker to gather sensitive info from data packet
11.3
Vocab:
Intrusion detection system/IDS: Device/software that monitors/logs/detects security breaches, takes no action to stop/prevent the attack
Intrusion prevention system: Device monitors/logs/detects/reacts to stop/prevent security breaches
Sensor: IDS component that passes data from the source to the analyzer
Engine: IDS component that analyzes sensor data and events, generates alerts, and logs everything
Signature-based detection/pattern matching/dictionary recognition/misuse-detection (MD-IDS): looks for patterns in network traffic and compares them to known attack patterns/signatures
Heuristic-based detection/behavior/anomaly/statistical-based detection: defines baseline of normal network traffic and then monitor traffic looking for anything that falls outside baseline
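Added example (mine, not from the course material) that runs both detection styles above over constructed web-server access-log lines: signature matching for known attack strings (after URL-decoding, or the `\b` boundaries miss `%20UNION%20`) and anomaly detection that learns a requests-per-client-per-minute baseline from a clean window and flags anything far above it. The log format, IPs and thresholds are all constructed for the demo.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Signature (misuse) detection: known-bad patterns, checked after URL-decoding
SIGNATURES = {
    "sqli": re.compile(r"\bUNION\b.*\bSELECT\b|'\s*OR\s*'1'\s*=\s*'1", re.I),
    "path_traversal": re.compile(r"(\.\./){2,}"),
    "webshell_probe": re.compile(r"/(cmd|shell)\.php", re.I),
}

# Constructed access-log lines: "<client ip> <HH:MM> <method> <path> <status>"
BASELINE_LOG = """\
10.0.0.5 09:00 GET /index.html 200
10.0.0.6 09:00 GET /about 200
10.0.0.5 09:01 GET /login 200
10.0.0.7 09:01 GET /index.html 200
10.0.0.6 09:02 GET /products?id=7 200
10.0.0.5 09:02 GET /cart 200
"""

LIVE_LOG = """\
10.0.0.5 10:00 GET /index.html 200
198.51.100.9 10:00 GET /products?id=7%20UNION%20SELECT%20username,password%20FROM%20users 500
198.51.100.9 10:00 GET /../../../../etc/passwd 404
10.0.0.6 10:01 GET /about 200
203.0.113.77 10:01 GET /a 404
203.0.113.77 10:01 GET /b 404
203.0.113.77 10:01 GET /c 404
203.0.113.77 10:01 GET /d 404
203.0.113.77 10:01 GET /e 404
"""


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ip, minute, method, path, status = line.split()
        events.append({"ip": ip, "minute": minute, "method": method,
                       "path": unquote(path), "status": int(status)})
    return events


def signature_alerts(events):
    """Pattern matching: fires only on attacks we already have a signature for."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(e["path"]):
                alerts.append((e["ip"], name))
    return alerts


def build_baseline(events):
    """Learn normal requests per (client, minute) from a known-clean window."""
    counts = Counter((e["ip"], e["minute"]) for e in events)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(events, baseline, k=3.0):
    """Anomaly detection: flag clients whose request rate leaves the baseline."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)   # floor so a flat baseline still has slack
    counts = Counter((e["ip"], e["minute"]) for e in events)
    return [(ip, minute, n) for (ip, minute), n in counts.items() if n > threshold]
```

Note what each misses: the directory scan from 203.0.113.77 matches no signature and is caught only by the rate anomaly, while 198.51.100.9 sends just two requests and is caught only by signatures. That gap is why IDS engines run both.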
11.4
Vocab:
Threat hunting: human-based, methodical search and monitoring of the network, systems, and software in order to detect any malicious activity that’s evaded automated tools
Threat Feed: service that tracks cyber threats across the world and provides real-time updates with IP addresses, URLs, and other relevant info regarding the threats
Advisories/Bulletins: detailed updates on cyber threats. Usually updated weekly
Intelligence fusion: sharing info between many gov agency and private security firms
Vulnerability scan: process of probing a network/computer system/local applications/web applications for known weaknesses (missing patches, misconfigurations, default creds) and reporting them, usually with a CVSS severity
Common Vulnerability Scoring System(CVSS): system that ranks vulnerabilities based on severity
Security info and event management (SIEM): tool that gathers log and network info from many sources into a central place. SIEM systems can correlate that info and determine whether activity is a threat
Security Orchestration, Automation and Response (SOAR): solution stack of compatible software programs that collect data about security threats from many sources and respond to low-level security events without human assistance.
11.6
Vocab:
Man-In-The-Middle (MITM) attack: hacker intercepts communication between 2 devices
ARP poisoning: attacker sends forged ARP replies so the target's ARP cache maps a victim IP (EX: the gateway) to the attacker's MAC address, putting the attacker in the middle of the traffic
MAC spoofing: hacker spoofs MAC address of the gateway, results in spoofed address overwriting the gateway’s MAC address in the switch’s CAM table
MAC flooding: network switch where attacker sends large number of ethernet frames with various MAC addresses, overwhelming the switch. Overloaded and sends traffic to all ports
DNS attack: attack that targets DNS service
Distributed denial of service (DDoS): attack designed to bombard target with more data than it can handle, causing shut down
Macros: code used to perform a series of steps or functions inside application.
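Added example (mine, not from the course material) of detecting the ARP poisoning described above: a list of constructed ARP "is-at" replies in which an attacker MAC starts answering for both the gateway IP and a victim IP, and a checker that flags the gateway MAC changing, any IP being claimed by a new MAC, and one MAC claiming several IPs. The addresses are all constructed.

```python
from collections import defaultdict

# Constructed ARP replies seen on the LAN: (seconds, sender_ip, sender_mac)
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # real gateway
    (1.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # victim workstation
    (2.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (2.5, "192.168.1.1", "de:ad:be:ef:00:01"),   # attacker claims the gateway IP
    (2.6, "192.168.1.20", "de:ad:be:ef:00:01"),  # ...and the victim IP (both directions)
    (3.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # keeps re-poisoning before the cache ages out
]

KNOWN_GATEWAY = ("192.168.1.1", "aa:aa:aa:aa:aa:01")


def detect_arp_poisoning(replies, known_gateway=KNOWN_GATEWAY):
    """Return (time, finding, ip_or_ips, mac) tuples for suspicious replies."""
    findings = []
    seen = defaultdict(set)                 # ip -> MACs that have claimed it
    gw_ip, gw_mac = known_gateway
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip == gw_ip and mac != gw_mac:
            findings.append((t, "gateway_mac_mismatch", ip, mac))
        if seen[ip] and mac not in seen[ip]:
            findings.append((t, "ip_claimed_by_new_mac", ip, mac))
        seen[ip].add(mac)
    # One MAC answering for several IPs is the classic man-in-the-middle footprint
    macs_to_ips = defaultdict(set)
    for ip, macs in seen.items():
        for m in macs:
            macs_to_ips[m].add(ip)
    for m, ips in macs_to_ips.items():
        if len(ips) > 1:
            findings.append((None, "mac_claims_multiple_ips", ",".join(sorted(ips)), m))
    return findings
```

The same logic is what switch features like Dynamic ARP Inspection apply against the DHCP snooping table; on a host, a static ARP entry for the gateway is the blunt fix.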
11.7
Vocab:
Brute Force Attack: password attack where cracking tool submits every possible letter, number and symbol combination in short amount of time
Password Spraying: brute force attack that uses same password with multiple user accounts instead of different passwords for the same account
Dictionary attack: brute force attack where hacker uses list of words/phrases to try to guess the password
Rainbow table attack: uses precomputed tables of common passwords and their hashes to look up a stolen hash instead of hashing each guess at attack time. Defeated by salting (a unique random value hashed together with each password)
Dumpster diving: social engineering attack where attacker goes through trash to find important docs or info that was thrown out
Social Engineering:
Password guessing
User manipulation
Physical access
Dumpster diving
Shoulder surfing
Brute Force Attacks
Online attack
Offline attack
Password spraying
Dictionary attack
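Added example (mine, not from the course material) tying the dictionary and rainbow table entries above together: a precomputed hash-to-password table cracks unsalted SHA-256 hashes with a plain lookup, while a per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256) makes the table useless and forces the attacker to hash every guess per account. The wordlist and stolen hashes are constructed; the iteration count is kept low so the demo runs quickly and is far below what production should use.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; this is the idea behind rainbow tables."""
    return {sha256_hex(w.encode()): w for w in words}


def crack_unsalted(stolen_hashes, table):
    """Unsalted hashes: cracking is a dictionary lookup, no hashing at attack time."""
    return {h: table[h] for h in stolen_hashes if h in table}


def hash_salted(password: str, salt: bytes, iterations: int) -> bytes:
    # Per-user random salt + slow KDF. Production needs a much higher iteration
    # count (or a memory-hard KDF); 1000 is only to keep this example fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password: str, salt: bytes, expected: bytes, iterations: int) -> bool:
    return hmac.compare_digest(hash_salted(password, salt, iterations), expected)


def dictionary_attack_salted(salt, stored, iterations, words=WORDLIST):
    """With a salt the table is useless; every guess must be re-hashed for this salt."""
    for word in words:
        if verify_salted(word, salt, stored, iterations):
            return word
    return None


def demo_unsalted():
    stolen = [sha256_hex(b"hunter2"), sha256_hex(b"letmein"),
              sha256_hex(b"correct horse battery staple")]
    return crack_unsalted(stolen, build_lookup_table(WORDLIST))     # 2 of 3 fall instantly


def demo_salted(iterations=1000):
    table = build_lookup_table(WORDLIST)
    salt = os.urandom(16)
    stored = hash_salted("hunter2", salt, iterations)
    table_hit = stored.hex() in table                              # precomputed table finds nothing
    guessed = dictionary_attack_salted(salt, stored, iterations)   # weak password still falls, slowly
    return table_hit, guessed
```

Salting removes the precomputation shortcut and the slow KDF multiplies the cost of each remaining guess; neither saves a password that is actually in the wordlist, which is what the guessed value shows.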
12.6
Vocab:
Packet capture: process of collecting Layer3 (Network) info over the wire (like IP address)
TCPDUMP: Linux tool that collects packet data which can be stored for later analysis
Wireshark: network protocol analyzer
TCPReplay: a tool that replays captured packet traffic, e.g. to repeatedly simulate an attack
Secure Shell (SSH): remote admin protocol that allows admins to securely connect to remote systems
PuTTY: open source software that supports many protocols, including SSH and Telnet
Secure Sockets Layer (SSL): encryption protocol that allows secure connections to remote systems
Public Key Infrastructure (PKI): provides a system for secure data transmission. Uses a key pair, one public and one private, that can be used to encrypt data. Uses certificates to verify identity
12.7
Vocab:
Fault tolerance: ability to respond to an unexpected hardware/software failure without loss of data or operation
Redundancy: method for providing fault tolerance by using duplicate/multiple components that perform the same function
Geo dispersion: Multiple locations to store data to mitigate downtime due to loss of availability at a location
Multipath: fault-tolerance technique that gives multiple physical paths between a CPU and a mass-storage device
Load balancers: process that distributes processing among multiple nodes
Uninterruptible power supply/UPS: stand-alone power supply that allows servers to be gracefully shut down during a power outage
Active/Active: two load balancers working in tandem to distribute network traffic
Active/Passive: Two load balancers with one actively working and the second in listening mode to take over if the active machine fails
Virtual IP: IP address that can be used by multiple endpoints. Commonly used in failover systems and for load balancing
Storage Area Network/SAN: high speed network of storage devices, usually used for file shares
12.8
Vocab:
Full backup: captures all data on a machine. Always the first backup that should be run
Incremental backup: contains all changes since the last incremental backup
Differential backup: contains all changes since the last full backup
Snapshot: instant copy of an individual computer. Normally used on virtual machines when changes may need to be reverted
Network-attached storage/NAS: often used to store backups or other files
SAN: network of fast storage appliances. Stores file shares and other data that is created. Offline storage is part of the 3-2-1 rule
Scalability: ability to increase/decrease data storage space
Restoration order: pre-planned order in which servers will be restored following a disastrous event. Order is determined by the server’s importance to the company’s operation.
3-2-1 rule: Always have 3 copies of each complete back up. 2 are kept on site on two different appliances. One is kept off site
Nation state: sovereign state threat agent that could wage all-out war on a target and has significant resources for the attack.
Internal threat: threat from individuals (insiders) who exploit assigned privileges and inside info to carry out attack
External threat: threat from individuals/groups not associated with organization. Seek unauthorized access to data.
Persistent threat: seeks access to network + remain there undetected
Non-persistent threat: focuses on getting into the system and stealing info. Usually a one-time event; the attacker is not concerned with detection
Open-Source intelligence (OSINT): info that is available to public and doesn't require malicious activity to obtain
White hat: uses skills/knowledge for defensive purposes only. Interacts with systems when permission is given
Black hat: uses skills/knowledge for illegal/malicious purposes
Grey hat: middle of black and white hat hacker. Usually has good intentions.
Script kiddie: uses scripts/programs made by more skilled hackers
Hacktivist: politically motivated. Seeks information or to cripple an organization/government. Usually works alone
Organized crime: group of cybercriminals whose main goal is financial gain.
Nation state: most organized, well-funded, and dangerous type of threat actor. Two types, obtaining info and crippling systems.
The steps in a general attack strategy are reconnaissance, breaching, escalating privileges, staging, and exploiting.
2.2
Vocab:
Malware: software designed to take over/damage a computer without user knowledge/consent
Virus: program which attempts to damage computer systems and replicate itself to other computers
Worm: self-replicating malware program
Trojan horse: malicious program that’s disguised as legitimate/desirable software
Zombie: computer that’s infected with malware and controlled by command/control center called zombie master
Botnet: group of zombie computers that are commanded from central control infrastructure
Rootkit: set of programs that allow attackers to maintain hidden, admin level access
Logic Bomb: malware designed to execute only under predefined conditions. Dormant until the predefined conditions are met
Spyware: software installed without the user's consent/knowledge. Designed to intercept or take partial control of the user’s computer
Adware: malware that monitors the user’s personal preferences and sends pop-up ads that match those preferences
Ransomware: malware that denies access to computer system until user pays ransom
Scareware: scam to fool user into thinking there is some form of malware on the system
Crimeware: malware designed to perpetrate identity theft. Allows a hacker access to online accounts at financial services, such as banks and online retailers
Crypto-Malware/Cryptojacking: malicious software that uses a computer’s resources to mine cryptocurrency in the background undetected.
Remote-Access Trojan (RAT): malware that includes a back door to allow a hacker admin control over target computer
Potentially Unwanted Program (PUP): software inadvertently installed that contains adware, installs toolbars/has other objectives
Fileless virus: uses legit programs to infect computer
2.3
Vocab:
Social engineering: an attack involving human interaction to get info or access
Footprinting: uses social engineering to obtain as much info as possible about an organization
Pretexting: fake scenario to persuade someone to perform an action or give info
Elicitation: technique to extract info from a target without arousing suspicion
Preloading: influencing target’s thoughts opinions and emotions before something happens
SMiShing/SMS phishing: phishing through SMS messages, i.e. tricking the user into downloading a virus/Trojan horse/malware onto their cell phone
Impersonation: pretending to be someone else and approaching target to extract info
SPIM: like spam, but link is sent over instant messaging instead of email
Hoax: type of malicious email with some type of urgent or alarming message to deceive the target
Manipulation Types:
Moral Obligation: an attacker uses moral obligation {ROLL CREDITS} and sense of responsibility to exploit target’s willingness to help
Innate Human Trust: exploit target’s tendency to trust others. EX: right clothes, demeanor, uses words/terms the target knows so target will comply with requests out of trust
Threatening: try to intimidate the target with threats to make the target comply with a request. Usually happens after moral obligation and innate human trust fail
Offering something for little to nothing (Bartering): attacker promising big reward for small favor EX: sharing what target thinks is small piece of info for something attacker offers
Social Engineering Process: Research>Development>Exploitation
Social Engineering Attacks:
Shoulder surfing: looking over someone’s shoulder while they work on a computer or review documents. Purpose is to obtain usernames, passwords, account numbers, or other sensitive info
Eavesdropping: unauthorized person listening to private conversation between authorized people when topics are being discussed.
USB and Keyloggers: on site, social engineers can also steal data using a USB flash drive or a keystroke logger. The attacker installs a keystroke logger to capture usernames and passwords: as the target logs in, the username and password are saved, and the attacker later uses them to conduct an exploit.
Spam and Spim: Spam uses email/banner ad embedded with compromised URL that entices users to click. Spim uses malicious link through IM
Hoax: often bad spelling/bad grammar. Hoax emails use a variety of tactics to convince the target they’re real.
Pharming (phishing without a lure): attacker executing malicious programs on target’s computer so URL traffic redirects to attacker’s website. Attackers now have access to the user's data. EX: IDs, passwords, banking details. Pharming usually comes in the form of malware EX: Trojan horse/worms. Pharming commonly used during DNS cache poisoning or host file modifying
Social Media: attackers use social applications (EX: Facebook/Twitter/IG) to steal identities and info. Also used to scam users by enticing them to click a link; the site usually requests personal info and sensitive data.
Typosquatting (URL hijacking): relies on mistakes; when a user enters an incorrect website address, the squatter can lead them to any URL
Hybrid warfare: political warfare and blends conventional warfare with cyberwarfare. Goal is to influence others with fake news/diplomacy/lawfare/foreign electoral intervention
Watering Hole Attack: passive computer attack technique where the attacker anticipates the websites an organization's users visit often and infects them with malware. The hacker could look for specific info to narrow the attack to users that come from a specific IP address. 5 main steps:
The attacker identifies the sites visited by a victim and then infects the sites with malicious code.
The attacker identifies the vulnerabilities in the sites and injects them with malicious code. This could be JavaScript or code in the ads and banners used on the website.
The malicious code redirects the victims to a phishing site where there is malware.
When the victims visit these websites, the script containing malware is automatically downloaded to the victims’ machines without their knowledge.
The malware then collects personal information from the victims and sends it back to the server operated by the attacker.
Credential/password harvesting: process of gathering usernames/passwords/email addresses/etc through breaches. Hackers can then sell personal and financial data on the dark web, use info to gain access to company networks for illegal purposes. Could use cloned websites or phishing emails.
Phishing types:
Spear phishing: attacker gathers info about the victim, then sends the victim an email that appears to be from the place the info was gathered about. The email usually contains a link that sends the user to a site made to look legitimate, intended to capture the victim's personal info
Whaling: targets senior executives and high-profile victims
Vishing: attacker uses Voice Over IP (VoIP) to gain sensitive info. Combo of voice and phishing
SMS phishing (Smishing): text message to trick the victim into taking immediate action; usually contains a link that may install malware on the victim's phone or extract personal info
Types of Attackers:
Insider
Hacker
Nation State
Attack Types:
Opportunistic
Targeted
Types of Motivation Techniques:
Authority and fear
Social proof
Scarcity
Likeability
Urgency
Common ground and shared interest
Elicitation:
Compliments
Misinformation
Feigning Ignorance
Being a good listener
2.4
Vocab:
Zero-day vulnerability: software vulnerability that is unknown to vendor
Data loss: loss of files/documents either by accident or through malicious acts
Data breach: exposure of confidential/protected data either by accident or through malicious acts
Data exfiltration: unauthorized transfer of info/files from a computer
ID theft: attacker commits fraud by using someone else’s name/existing account to obtain money or purchase things
Availability loss: loss of access to computer resources due to network being overwhelmed/crashing
Network Vulnerabilities:
Default accounts/passwords
Weak passwords
Privilege escalation (taking advantage of software bug/flaw to gain higher access)
Backdoor
Cloud-based and third-party systems (an organization doesn't own the system if it's cloud-based, so it's not legal for it to penetration test it; if systems are interconnected, the penetration tester needs to ensure they don't access third-party systems)
Inherent vulnerabilities
Application flaws
Misconfiguration
Root account
Adversarial Artificial Intelligence (AI)
Weak Artificial Intelligence/Narrow AI: designed to perform one job EX: smart speakers, spam/web filtering, search engines, automated chats, image/facial recognition
Strong Artificial intelligence/Full AI: systems that carry out human-like tasks, typically complex. Include ability to reason, make judgements, solve puzzles, learn, plan and communicate. EX: advanced video games, software to assist docs in surgery, self-driving cars, disease diagnosis
AI Risks:
Data
Tech
Interaction with humans
Security
Models
3.1
Vocab:
Physical security: protection of corporate assets from threats such as unauthorized entry/theft/damage
Prevention: taking necessary steps to avoid unauthorized access/theft/damage/etc
Detection: Identifying that a breach has happened/is happening
Recovery: process of returning a system to a functioning state/repairing any damage
Mantrap: specialized entrance with two locking doors that create a security buffer zone between two areas
Turnstile: barrier that permits entry in one direction (Cuz I want it That > way)
Double-entry door: 2 doors that are locked from the outside but have crash bars on the inside for easy exit
Bollard: short sturdy posts used to prevent a vehicle from crashing into a secure area
Smart card: access cards that have encrypted access info. Smart cards can be contactless/require contact
Proximity card/radio frequency identification/RFID: subset of smart cards that use the 125 kHz frequency to communicate with proximity readers
Biometric lock: increase security by using fingerprints/iris scanners. Reduce the threat from lost keys/cards
3.2
Vocab:
Air gap: security method that physically isolates a portion of the network(computer/server/small network of computers) from the internet/other unsecured networks
Faraday cage: designed to block all electromagnetic emissions
3.3
Vocab:
Infrastructure: systems that support the site. EX: AC, Power, water
Cold Aisle: created by having the front of the equipment face towards the centre of the aisle. Usually, face air conditioner output ducts.
Hot Aisle: created by having the back of the equipment face the aisle. Usually, hot aisles face air conditioner return ducts.
Electro-Magnetic Interference/EMI:
4.2
Vocab:
Hardening: process of securing devices and software by reducing the security exposure and tightening security controls
Hotfix: quick fix for a specific software problem
Patch: fix that is more thoroughly tested than a hotfix and designed for a wider deployment
Service pack: collection of patches, hotfixes, and system enhancements that have been tested by the manufacturer for wide deployment.
Trusted Operating System/TOS: comes hardened and validated to a specific security level. Several TOSs provide sufficient support for multilevel security, a system where many levels of classified data reside within the same system. Users are not permitted to access data at different classification levels. Additionally, all personnel must have access approval on a need-to-know basis
Config baseline: set of consistent requirements for a workstation/server.
Security baseline: component of config baseline that ensures all workstations and servers comply with security goals of the organization.
Standard Operating Environment/SOE: implemented as a standard disk image/master image. The disk image is used when deploying new computers to the network. Automation is used when deploying the master image and when running config scripts, which give the computer a name, join it to the domain, and do any other customization. The master image should be based on a TOS and be fully patched.
Manage software:
Check all software has up-to-date licenses.
Install security software EX: anti-virus, anti-spyware, anti-rootkit, and firewall
Install only needed software
Avoid installing freeware/software from untrusted publishers
Reduce the attack surface of the device by limiting applications and services running on the device/removing unnecessary software/features/non-essential services.
5.1
Vocab:
Security zone: portion of the network/system that has specific security concerns/requirements
Wireless network: network that doesn’t require physical connection
Guest network: grants internet access to only guest users; has a firewall to regulate access
Honeynet: special zone/network created to trap potential attackers
Ad hoc: decentralized network that allows connections without traditional base station/router. Allows users to connect two+ devices directly to each other for a specific purpose
Intranet zone: private network that employs internet info services for internal use only
Internet: public network that includes all publicly available web servers/FTP servers/etc
Extranet: privately controlled network, distinct from but located between the internet and a private LAN
Demilitarized zone: network that contains publicly accessible resources and is located between the private network and an untrusted network (EX: the internet). Protected by a firewall.
Proxy server: type of firewall that stands as an intermediary between clients and the servers they request resources from
Internet content filter: software used to monitor and restrict content delivered across the web to an end user
Network access control: software that controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements
All-in-one security appliance: combines many security functions into a single device
Application-aware device: has the ability to analyze/manage network traffic based on the application-layer protocol.
5.6
Vocab:
Web filter: content filter that prevents users from visiting restricted websites
Web threat filter: prevents users from visiting websites with known malicious content
5.8
Vocab:
Active attack: attack in which perpetrators attempt to compromise or affect the operations of a system in some way
Passive attack: attack in which perpetrators gather info without affecting target network flow of info
External attack: attack in which unauthorized individuals try to breach a network from outside the network
Inside attack: attack initiated by authorized individuals inside the network's security perimeter who attempt to access systems or resources to which they're not authorized
Entry point: a location or device that allows network access and is vulnerable to attacks
Network baseline: normal network activity including typical traffic patterns, data usage, and server loads. Activity that deviates from the baseline can indicate an attack
Network segmentation: division of a network into smaller networks or pieces for performance or security reasons
5.9
Vocab:
Backdoor: unprotected and usually lesser known access method/pathway that could allow attackers access to system resources. Backdoors include hard-coded passwords and hidden service accounts, often added during development
MITRE: Massachusetts Institute of Technology Research and Engineering
Common Vulnerabilities and Exposures (CVEs): repository of vulnerabilities hosted by MITRE Corporation
National Institute of Standards and Technology/NIST: maintains the national vulnerability database and CVSS scoring.
8.2
Vocab:
Rogue access points/AP: any unauthorized access point added to a network
Initialization vector/IV: seed value used in encryption. The seed value and key are used in an encryption algorithm to generate additional keys or encrypt data
Radio frequency identification/RFID and near field communication/NFC: NFC allows two-way communication between two devices. Devices must be within a few centimeters of each other. NFC is a newer tech that is built on RFID
Interference: signal that corrupts/destroys wireless signal. Interference can affect communication of access points and other wireless devices
Wifi Attacks:
Rogue Access Points: unauthorized AP added to a network. can allow the unauthorized capture of credentials and other sensitive information. Attackers also use this type of attack to conduct phishing and man-in-the-middle attacks.
Evil Twin Attack: rogue APs placed by an attacker can be used to run an evil twin attack. To protect against this attack, conduct a radio frequency (RF) noise analysis to detect a malicious rogue AP that uses jamming to force wireless clients to connect to it instead of legitimate APs.
IV Attack: attack on the initialization vector, the seed value used in encryption. The seed value and the key are used in an encryption algorithm to generate additional keys or to encrypt data.
Jamming attack: in wireless networks, interference is a signal that corrupts or destroys the wireless signal sent by APs and other wireless devices. Jamming is deliberate (malicious) interference, as opposed to non-malicious interference.
Disassociation/deauthentication attack: Wireless devices are vulnerable
9.2
Vocab:
Virtual network: computer network consisting of virtual and physical devices
Virtual Area Network/VAN: Virtual LAN running on top of a physical LAN
Virtual Private Network/VPN: secure tunnel to another network that connects multiple remote end-points
Virtual Machine/VM: virtual computer that functions like a physical computer
Virtual Switch/VSwitch: software that facilitates communication between VMs by checking data packets before moving them to a destination
Virtual router/VRouter: software that replicates how a physical router works
Virtual Firewall Appliance/VFA: software that functions as a network firewall device. VFA provides packet filtering and monitoring functionality.
Virtual Machine Monitor/VMM/Hypervisor: software/firmware/hardware that creates/runs VMs
Software-defined networking: architecture that allows network/security professionals to manage/control/make changes to a network
9.4
Vocab:
Cloud: a metaphor for the internet.
Cloud computing: software, data access, computation, storage services provided to clients through the internet
Public cloud: Platforms, applications, or other resources that are made available to the general public by a cloud service provider
Private cloud: Platforms, applications, storage, or other resources that are made available to a single organization
Community cloud: platforms, applications, storage or other resources that are shared by several organizations
Hybrid cloud: A combo of public, private, and community cloud resources from different service providers
9.5
Vocab:
Cloud access security broker/CASB: on-premises or cloud-based software tool or service that sits between an organization and a cloud service provider
Virtual networks: VMs connected through software
Segmentation: division of a network into smaller networks through a virtual local area network (VLAN) and firewalls
Security group: works like a firewall to control traffic to and from network resources
Virtual private cloud endpoint/VPC: provides a private connection between virtual private clouds and a cloud provider's services. A VPC endpoint keeps traffic secure with a private link resource
Container: standard unit of software that holds the complete runtime environment including an application, all application dependencies, libraries, binaries, and configuration files
Cloud-based firewall: deployed in the cloud that protects against unwanted access to a private network
9.9
Vocab:
Supervisory control and data acquisition/SCADA: industrial computer system that monitors and controls a process
Arduino: open source hardware and software platform for building electronic projects
Raspberry Pi: low-cost device the size of a credit card that is powered by Python. Built around a single system on a chip (SoC)
Field Programmable Gate Array/FPGA: integrated circuit that the customer configures
Subscriber Identity Module/SIM card: encrypts data transmission/stores info
Zigbee: radio protocol that creates a low-rate personal area network.
10.3
Vocab:
Dereference: obtain from (a pointer) the address of a data item held in another location.
Pointer/object dereferencing: attack that retrieves a value stored in memory that can be exploited through a NULL pointer dereference
Buffer overflow: attack that exploits an operating system/application that doesn’t enforce boundaries for inputting data EX: amount of data/type of data
Resource exhaustion: attack that focuses on depleting the resources of a network to create a denial of service to legit users
Memory leaks: happens when dynamic memory is allocated in a program but no pointer references it any longer, so the memory is never returned to the system even when it is no longer needed
Race conditions: a sequence of events with dependencies that a system is programmed to run in a certain order; if that order can be disturbed, it can lead to time-of-check to time-of-use (TOCTOU) vulnerabilities
Error handling: procedure in program that responds to irregular input/conditions
Improper input handling: lack of validation, sanitation, filtering, decoding, or encoding of input data
Replay attack: happens when network traffic is intercepted by an unauthorized person who delays/replays the communication to its original receiver, acting as the original sender. The original sender is unaware of it
Pass the hash: attack in which an attacker obtains a hashed password and uses it to gain unauthorized access
API attack: bad use of API (Application Programming Interface)
SSL stripping: attack that focuses on stripping the security from HTTPS-enabled website
Driver manipulation: attack focuses on device drivers, uses refactoring/shimming
Privilege Escalation
Horizontal: when attacker gains data that belongs to another user with the same privilege level as themselves
Vertical: when attacker uses system vulnerabilities to escalate privileges to gain admin access
10.4
Vocab:
Normalization: Data re-organized in a relational database to eliminate redundancy by having all data stored in one place and storing all related items together
Stored procedures: one or more database statements stored in the database and executed as a unit
Code obfuscation: deliberate act of creating source/machine code that is difficult for humans to understand. To remember: CamoCode :)
Dead code x-x: code in a program that is never executed at run time, or source code that is executed but whose result is not used in any other computation
Memory management: resource management process applied to computer memory. Allows computer system to assign portions of memory (blocks) to various running programs to optimize overall system performance
Third-party libraries: code is not maintained in-house
Software Development Kits/SDKs: set of software dev tools that can be installed as one unit
Data exposure: unintended exposure of personal/confidential data
Fuzz testing: software testing technique that exposes security problems by providing invalid, unexpected, or random data to the inputs of an application
Code signing: process of digitally signing (encrypting) executables and scripts to confirm the software author and guarantee that the code has not been altered/corrupted since it was signed.
11.1
Vocab:
Bottleneck: condition that occurs when a system is unable to keep up with the demands placed on it
Latency: the time it takes data packets to travel from source to destination and back. All packets experience some level of latency. When packets sent together arrive at different times and out of order, the variation is called jitter.
Bandwidth: The amount of data that could be transferred from one place to another in a specific amount of time
Bandwidth Utilization: percent of available bandwidth that is being used. Network should not regularly utilize all its available bandwidth. Systems perform best when additional bandwidth is available for usage spikes
Error rate: calculation of how often bits are damaged in transit due to electromagnetic interference or any other interference. If a packet is damaged too much, it is dropped.
Throughput: amount of data that is transferred from one place to another in a specific amount of time
11.2
Simple Network Management Protocol/SNMP: protocol designed for managing complex networks. SNMP lets network hosts exchange configuration and status info; the info is gathered by management software to monitor and manage the network and network events
Manager: computer used to perform management tasks; queries agents and gathers responses by sending messages
Agent: runs on managed network devices, communicates info to the manager and can send dynamic messages to it as well
Trap: event config on agent, when event occurs, agent logs details regarding the event
Management Information base/MIB: database of host config info. Agents report data to the MIB. Manager can view info by requesting data from the MIB
Packet sniffing: process of capturing data packets that are flowing across the network and analyzing them for important info. Modern networks should have good protection against network sniffing attacks, however occasional circumstances allow an attacker to gather sensitive info from data packet
11.3
Vocab:
Intrusion detection system/IDS: Device/software that monitors/logs/detects security breaches, takes no action to stop/prevent the attack
Intrusion prevention system: Device monitors/logs/detects/reacts to stop/prevent security breaches
Sensor: IDS component that passes data from the source to the analyzer
Engine: IDS component that analyzes sensor data and events, generates alerts, and logs everything
Signature-based detection/pattern matching/dictionary recognition/misuse-detection (MD-IDS): looks for patterns in network traffic and compares them to known attack patterns/signatures
Heuristic-based detection/behavior/anomaly/statistical-based detection: defines a baseline of normal network traffic and then monitors traffic looking for anything that falls outside the baseline
11.4
Vocab:
Threat hunting: human-based, methodical search and monitoring of the network, systems, and software in order to detect any malicious activity that’s evaded automated tools
Threat Feed: service that tracks cyber threats across the world and provides real-time updates with IP addresses, URLs, and other relevant info regarding the threats
Advisories/Bulletins: detailed updates on cyber threats. Usually updated weekly
Intelligence fusion: sharing info between many government agencies and private security firms
Vulnerability scan: process of capturing/analyzing packets to identify any security weaknesses in a network/computer system/local applications/web applications
Common Vulnerability Scoring System (CVSS): system that ranks vulnerabilities based on severity
Security info and event management (SIEM): tool that gathers network info and groups it into a central place. SIEM systems can actively read network info and determine if there is a threat
Security Orchestration, Automation and Response (SOAR): solution stack of compatible software programs that collect data about security threats from many sources and respond to low-level security events without human assistance.
11.6
Vocab:
Man-In-The-Middle (MITM) attack: hacker intercepts communication between 2 devices
ARP poisoning: targets the ARP protocol; the attacker changes a victim's ARP cache by spoofing the IP address of a target
MAC spoofing: hacker spoofs the MAC address of the gateway, which results in the spoofed address overwriting the gateway's MAC address in the switch's CAM table
MAC flooding: attack on a network switch where the attacker sends a large number of Ethernet frames with various MAC addresses, overwhelming the switch. The overloaded switch then sends traffic to all ports
DNS attack: attack that targets DNS service
Distributed denial of service (DDoS): attack designed to bombard target with more data than it can handle, causing shut down
Macros: code used to perform a series of steps or functions inside application.
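A defender-side check for the ARP poisoning and MAC spoofing entries above, as an added example (not from the course material): it watches a stream of ARP replies and flags an IP whose MAC binding changes, and a MAC that claims several IPs. The addresses and the sequence of replies are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sequence of ARP replies seen on a LAN segment: (ip, mac).
# The gateway 192.168.1.1 legitimately belongs to ...:01; later replies
# claim it (and host .10) from the MAC of host .20.
ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "aa:bb:cc:00:00:20"),   # gateway IP now answered by .20's MAC
    ("192.168.1.10", "aa:bb:cc:00:00:20"),  # host .10 also claimed by .20's MAC
]

def arp_anomalies(replies):
    """Flag IP-to-MAC changes (possible ARP poisoning) and MACs that claim
    several IPs (a spoofing host inserting itself between others)."""
    seen = {}                      # first observed binding per IP
    ips_by_mac = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        if ip in seen and seen[ip] != mac:
            alerts.append(("ip_mac_changed", ip, seen[ip], mac))
        seen.setdefault(ip, mac)   # keep the first binding as the reference
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(("mac_claims_multiple_ips", mac,
                           tuple(sorted(ips_by_mac[mac]))))
    return alerts
```

In practice the reference bindings for critical hosts such as the gateway would come from a static table rather than from the first reply seen.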
11.7
Vocab:
Brute Force Attack: password attack where a cracking tool submits every possible letter, number and symbol combination in a short amount of time
Password Spraying: brute force attack that uses the same password against multiple user accounts instead of different passwords against the same account
Dictionary attack: brute force attack where the hacker uses a list of words/phrases to try to guess the password
Rainbow attack: uses special precomputed tables that hold common passwords and the generated hash of each password
Dumpster diving: social engineering attack where the attacker goes through trash to find important docs or info that was thrown out
Social Engineering:
  Password guessing
  User manipulation
  Physical access
  Dumpster diving
  Shoulder surfing
Brute Force Attacks:
  Online attack
  Offline attack
  Password spraying
  Dictionary attack
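Telling a brute force attack apart from password spraying in an authentication log, as an added example (not from the course material): both produce failed logins, but brute force piles many failures onto one account while spraying touches many accounts with one or two attempts each, which is exactly why a per-account lockout threshold catches the first and misses the second. The log records and thresholds are constructed for the illustration.

```python
from collections import defaultdict

# Constructed authentication log: (source_ip, username, result).
AUTH_LOG = (
    # one source hammering a single account: brute force pattern
    [("203.0.113.10", "alice", "FAIL")] * 25
    # one source trying one guess against each of many accounts: spraying pattern
    + [("203.0.113.20", f"user{i}", "FAIL") for i in range(12)]
    # ordinary user who mistyped once
    + [("198.51.100.5", "bob", "FAIL"), ("198.51.100.5", "bob", "OK")]
)

def classify_sources(log, brute_threshold=10, spray_threshold=8):
    """Return {source_ip: verdict} for sources whose failures look like an attack.

    brute_threshold: failures against any single account from one source.
    spray_threshold: distinct accounts with failures from one source.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for src, user, result in log:
        if result == "FAIL":
            fails[src][user] += 1
    verdicts = {}
    for src, per_user in fails.items():
        max_per_account = max(per_user.values())
        distinct_accounts = len(per_user)
        if max_per_account >= brute_threshold:
            verdicts[src] = "brute_force"          # a lockout policy would trip here
        elif distinct_accounts >= spray_threshold:
            verdicts[src] = "password_spraying"    # below any per-account lockout
    return verdicts
```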
12.6
Vocab:
Packet capture: process of collecting Layer 3 (Network) info over the wire (like IP addresses)
TCPDUMP: Linux tool that collects packet data which can be stored for later analysis
Wireshark: network protocol analyzer
TCPReplay: a tool to repeatedly simulate an attack
Secure Shell (SSH): remote admin protocol that allows admins to securely connect to remote systems
PuTTY: open source software that supports many protocols, including SSH and Telnet
Secure Sockets Layer (SSL): encryption protocol that allows secure connections to remote systems
Public Key Infrastructure (PKI): provides a system for secure data transmission. Uses a key pair, one public and one private, that can be used to encrypt data. Uses certificates to verify identity
12.7
Vocab:
Fault tolerance: ability to respond to an unexpected hardware/software failure without loss of data or operation
Redundancy: method for providing fault tolerance by using duplicate/multiple components that perform the same function
Geo dispersion: Multiple locations to store data to mitigate downtime due to loss of availability at a location
Multipath: fault-tolerance technique that gives multiple physical paths between a CPU and a mass-storage device
Load balancers: process that distributes processing among multiple nodes
Uninterruptible power supply/UPS: stand-alone power supply that allows servers to be gracefully shut down during a power outage
Active/Active: two load balancers working in tandem to distribute network traffic
Active/Passive: Two load balancers with one actively working and the second in listening mode to take over if the active machine fails
Virtual IP: IP address that can be used by multiple endpoints. Commonly used in failover systems and for load balancing
Storage Area Network/SAN: high speed network of storage devices, usually used for file shares
12.8
Vocab:
Full backup: captures all data on a machine. Always the first backup that should be run
Incremental backup: contains all changes since the last incremental backup
Differential backup: contains all changes since the last full backup
Snapshot: instant copy of an individual computer. Normally used on virtual Machines when changes may need to be reverted
Network Storage Appliance/NAS: often used to store backups or other files
SAN: network of fast storage appliances. Stores file shares and other data as it is created. Offline storage is part of the 3-2-1 rule
Scalability: ability to increase/decrease data storage space
Restoration order: pre-planned order in which servers will be restored following a disastrous event. Order is determined by the server’s importance to the company’s operation.
3-2-1 rule: always have 3 copies of each complete backup. 2 are kept on site on two different appliances. One is kept off site
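The difference between full, incremental and differential backups above, worked through on a small constructed change history as an added example (not from the course material): it shows what each day's backup contains and which backup sets a restore must replay. The file names, contents and the Monday-full schedule are assumptions for the illustration.

```python
# Constructed change history: day -> {file: content version written that day}.
# Monday is the full backup; later days are either incremental or differential.
CHANGES = {
    "mon": {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},
    "tue": {"a.txt": "a2"},
    "wed": {"b.txt": "b2"},
    "thu": {"a.txt": "a3", "d.txt": "d1"},
}
DAYS = list(CHANGES)

def state_after(day):
    """Live filesystem contents at the end of `day`."""
    state = {}
    for d in DAYS[: DAYS.index(day) + 1]:
        state.update(CHANGES[d])
    return state

def backup_sets(kind):
    """Return {day: files captured} for 'incremental' or 'differential'."""
    sets = {DAYS[0]: state_after(DAYS[0])}          # full backup on day one
    for d in DAYS[1:]:
        if kind == "incremental":
            sets[d] = dict(CHANGES[d])               # changes since previous backup
        else:
            since_full = {}                          # changes since the last full
            for prev in DAYS[1: DAYS.index(d) + 1]:
                since_full.update(CHANGES[prev])
            sets[d] = since_full
    return sets

def backup_sizes(kind):
    """Number of files in each day's backup set (differentials grow, incrementals don't)."""
    return {d: len(files) for d, files in backup_sets(kind).items()}

def restore(kind, day):
    """Replay the backup chain needed to rebuild `day`; returns (files, chain)."""
    sets = backup_sets(kind)
    if kind == "incremental":
        chain = DAYS[: DAYS.index(day) + 1]          # full + every incremental since
    else:
        chain = [DAYS[0]] + ([day] if day != DAYS[0] else [])  # full + latest differential
    files = {}
    for d in chain:
        files.update(sets[d])
    return files, chain
```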