Misc Vocabulary

Question 1

Zigbee

Answer 1

communication technology often found in a home automation system

Question 2

Collision attack

Answer 2

This happens when a hacker discovers an input that generates the same hash value as a legitimate input. The attacker can then replace the legitimate content with the altered content and the digital signature will still say it’s good. This similar to how a rainbow table works, although in that case the hacker finds the hash of a lot of common passwords then looks for those hashes in the database table containing hashed passwords.

Question 3

Flood guard

Answer 3

technology used to block DoS attacks. Does not help prevent routing loops.

Question 4

eDiscovery

Answer 4

reference model. Phases include identification, collection, processing, review, and production. Attorney review of collected material takes place in the Review phase.

Mnemonic: I collect peer review processes.

Question 5

Nessus

Answer 5

vulnerability scanner that can also perform compliance auditing such as PCI DSS audit scans.

Question 6

Lockheed Martin cyber kill chain

Answer 6

Analysis framework that implicitly assumes that adversaries never retreat during an attack. Compare to AlienVault, MITRE ATT&CK, and Diamond Model of Intrusion Analysis, each of which allow for a broader range of adversary behaviors.

Question 7

Iris recognition tech

Answer 7

Biometric auth technique. Nonintrusive, low false positive rate. Iris patterns remain stable throughout a person’s life and may be scanned from a distance. Unfortunately the scanners can be fooled by an image of a person’s face.

Question 8

Purple team

Answer 8

In a pen test, the purple team includes all participants: red, blue and white team.

Question 9

Man-in-the-browser attack

Answer 9

Attack made on a web application, typically by exploiting a browser extension. This gives the attacker access to all the information accessed by the browser. Best defense is to disable browser extensions, but that has to be done on the client, not the web server. This is a type of proxy Trojan.

Question 10

DOM-based XSS attack

Answer 10

Type of cross site scripting attack where the attack code is hidden within a Document Object Model. Viewing the HTML on the page would not show this attack code.

Question 11

Identity provider

Answer 11

In Federated authentication, the identity provider (IdP) is the organization where the user logs in. this organization then asserts to the other members of the federation that the user is valid.

Question 12

Digital signature

Answer 12

The sender of the email encrypts a message digest (usually a hash of the email message) using the sender’s private key. This has to be decrypted using the sender’s public key, which verifies that the sender is the one who sent it.

Contrast that to sending an encrypted email: there the message itself is encrypted using the recipient’s public key, and the recipient decrypts it using the recipient’s private key.

Question 13

Confusion, diffusion

Answer 13

In the context of encryption algorithms, “confusion” ensures that any relationship between the algorithm and the key is extremely complex. Diffusion is another property, that takes any statistical patterns in the plaintext and prevents them from appearing in the ciphertext.

Question 14

Vendor diversity

Answer 14

Having similar components in the same network but coming from different vendors. This reduces risk - if an attack works against one of them, the second is unlikely to have the same vulnerability so it prevents the attacker from getting further into the network. CompTIA really likes vendor diversity.

Question 15

Embedded system constraints

Answer 15

NOT a constraint: physical form factors, heat.

Common constraints: power, compute, network, crypto, inability to patch, authentication, range, cost, implied trust.

Question 16

Restoration Order Documentation

Answer 16

Used when restoring operations after a disaster. Specifies the order for restoring systems and services to insure that dependencies are available before those that depend on them, and that mission-critical services are restored first.

Question 17

Vertical Scaling

Answer 17

Adding additional capacity to an existing server, such as more hard drive space or another CPU. Compare to horizontal scaling which adds an additional server of the same type.

Question 18

Incident Response Process

Answer 18

Cycle steps are preparation, identification, containment, eradication, recovery, lessons learned. It’s a cycle so it continues back at preparation.

Mnemomic: Perhaps I Can Eat Rice Later

Question 19

Walkthrough

Answer 19

Typical part of yearly incident response preparations. The team goes through a sample incident step by step, making sure each person knows what they would need to do. Compare to a tabletop exercise, which has each person being asked what they would do at each step and has more flexibility.

Question 20

Cyber Kill Chain

Answer 20

Attack model created by Lockheed Martin. Phases are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objective.

Mnemonic: Real Women Date Engineers In Commando Armor

NOTE: this model never has the attacker retreating. Several other popular models are more flexible.

Question 21

pathping

Answer 21

Windows command line tool that shows network latency and loss at each step along a route. Tracert gives the route but not the extra information.

Question 22

Out-of-band management

Answer 22

Security technique that places the administration interface of a switch, router, or other device on a separate network, or else requires direct connectivity to the device to access and manage it. This prevents an attacker that gains access to the organization’s network from making changes to the network devices.

Question 23

Jailbreaking

Answer 23

For a mobile device, jailbreaking allows enhanced third-party operating systems or applications to be used. This can be considered a privilege escalation attack.

Question 24

Blowfish

Answer 24

Symmetric key block cipher. Used in the Bcrypt key stretching function.

Question 25

Diamond Model of Intrusion Analysis

Answer 25

Incident response approach. Core elements are:

• Adversary (the attacker)
• Capability (tools and techniques used by the adversary)
• Infrastructure (what the adversary uses to attack)
• Victim (who or what was attacked)

Question 26

journalctl

Answer 26

Linux command available in CentOS and Red Hat Enterprise Linux that allows you to view journal logs that contain application information.

Question 27

Data custodian

Answer 27

Individual charged with safekeeping of information under the guidance of the data owner. Often this is a sys admin.

Question 28

pagefile

Answer 28

The Windows paging file, or pagefile, is sometimes called Windows 10 virtual memory. It supports system crash dumps and enables the system to use physical RAM more efficiently by writing some file content to a hard disk if the main memory is near capacity. It is stored on disk.

Question 29

WinHex

Answer 29

Commercial disk editor that provides a number of useful forensic tools.

Question 30

Pass-the-hash

Answer 30

technique where an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn’t need to decrypt the hash to obtain a plain text password. This is most commonly done using a Windows domain workstation.

Question 31

Purpose limitation

Answer 31

Organizations should only use data for the purpose disclosed during the collection of that data.

Question 32

Data controller

Answer 32

Person who determines the reasons for processing personal information and direct the methods of processing that data. Used primarily in EU law.

Question 33

Data processor

Answer 33

processes data given to them by the data controller (or data owner). Often this is a third party. The data processor does not own the data that they process nor do they control it. This means that the data processor will not be able to change the purpose and the means in which the data is used. Furthermore, data processors are bound by the instructions given by the data controller.

Question 34

Interactive testing

Answer 34

application testing that analyzes code while a tester manipulates inputs to the application. This combines static and dynamic analysis.

Question 35

Boot attestation

Answer 35

The system attests to a verification platform about the trustworthiness of the software it is running after it completes the boot process

Question 36

Shared responsibility model

Answer 36

This applies between a cloud service provider and the customer (organization buying the cloud services from the cloud service provider). The customer always retains either full or partial responsibility for data security. The cloud provider is always responsible for hardware and physical datacenters. Responsibility for applications is customer’s under IaaS, provider’s under SaaS, and shared under PaaS.

Question 37

Opal

Answer 37

Opal storage specification defines how devices protect the confidentiality of user data. This is provided by Trusted Computing Group. For example, it would define self-encrypting drives.

Question 38

Input whitelisting

Answer 38

Technique that defines the specific input type or range that users may provide for an app. When developers can write clear business rules defining allowable user input, whitelisting is the most effective way to prevent injection attacks.

Question 39

sFlow

Answer 39

sFlow is a multi-vendor, packet sampling technology used to monitor network devices including routers, switches, host devices and wireless access points. sFlow is an embedded technology – it is implemented through dedicated hardware chips embedded in the router/switch.

Concern: sFlow samples only network traffic, so some detail will be lost.
Good point: it scales well, because it just samples the data.

Question 40

Standard

Answer 40

In the context of security controls, a standard is a document that describes acceptable mechanisms for doing a particular task, such as obtaining remote administrative access to servers. This information is too nuts and bolts to be a policy, and not detailed enough to be a procedure. Guidelines are not mandatory.

Question 41

Volatility

Answer 41

a memory forensics toolkit that includes memdump

Question 42

Certificate stapling

Answer 42

attaches a current OCSP response to the certificate to allow the client to validate the cert without contacting the OCSP server.

Compare to certificate pinning which is used to provide an expected key, not to check cert status.

Question 43

Inline CASB

Answer 43

Inline CASB solutions require either network configuration or the use of a software agent. They intercept requests from users to cloud providers, so they are able to both monitor activity and enforce policy.

Question 44

proxy Trojan

Answer 44

intercepts traffic and modifies it for malicious purposes. typical example is a man-in-the-browser attack.

Question 45

Password spraying

Answer 45

Attack that uses known usernames and passwords to attempt to log in as the same user on other services and sites. For example, if site A gets the user info stolen, the attacker would then try those usernames and passwords on site B, C, D, etc. because a lot of people use the same username and password on multiple sites.

According to a different source, it’s just using a list of common passwords, and trying one on all the usernames you can guess for a given network (from OSINT or dumpster diving), then trying another on all the accounts. Repeat until you find one that works. This gets around password lockout policies usually.

Question 46

Watermarking

Answer 46

identification technique for sensitive data. Tag all your sensitive files with digital watermarks to flag them to the DLP system.

Question 47

theHarvester

Answer 47

security tool designed to help collect open source intelligence from search engines, including SHODAN security search engine. This lets it build lists of info like email addresses, domains, systems, open ports, and banners.

Question 48

SSL/TLS Inspection

Answer 48

When enabled, all TLS traffic will be intercepted, decrypted, inspected, reencrypted, then sent on to the destination. (unless blocked of course)

Question 49

NIST SP 500-292

Answer 49

Reference model for cloud computing, at a high level. Explains interactions between different organizations and services in a cloud deployment.

Question 50

Tap

Answer 50

A tap is a device that independently sends a copy of network traffic to another path or location. Both active and passive taps exist, and they don’t add any additional load to the switch or router that the traffic is passing through.

Question 51

BitLocker

Answer 51

Microsoft BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. It requires either a TPM or a removable drive to store elements of the encryption key.

Question 52

FTK Imager

Answer 52

Proprietary tool used to create forensic disk images. The forensic image is identical to the original including copying the slack, unallocated, and free space.

A similar but non-proprietary tool is dd.

Question 53

CIS Controls

Answer 53

Center for Internet Security Critical Security Controls, aka “Top 20 Controls” or “CIS Controls”.
This is a framework composed of 20 control groups covering topics ranging from hardware inventory to penetration testing.

Question 54

IPFIX

Answer 54

IP Flow Information Export protocol

based on NetFlow v9. Groups traffic into flows which are then sent to a centralized collection point

Question 55

Transitive access

Answer 55

Security issue that inadvertently gives an end user advanced access to another part of the application or system on which it is hosted.

Question 56

IP spoofing

Answer 56

common type of on-path attack, where the attacker splits a connection between the client and server into two connections, by spoofing the IP address of one of them.

Question 57

Smurf attack

Answer 57

Attacker sends a single ping with a spoofed source address to the broadcast address of a network. This results in each device on that network getting a ping and responding to it, which floods the spoofed source address with ping responses. This can be prevented by blocking external ICMP requests at the firewall to the internet for the network with the broadcast address. It’s harder to prevent on the victim.

Question 58

Data steward

Answer 58

Responsible for implementing a set of data quality guidelines and ensuring that they are being carried out on a day-to-day basis.