Original by Bob Covello, CISSP / Modified with permission by BHIS //
ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
Note: This glossary was started to answer questions related to information security. It will be updated as required. This is not an original work and it should not be treated as such. Most of the information herein has been gathered from many publicly available sources.
42
The number 42 is often referenced in hacker communities and in various technical publications. It is intended as a humorous tribute to author Douglas Adams. Here is a short description of its origin:
The number 42 is, in The Hitchhiker’s Guide to the Galaxy by Douglas Adams, “The Answer to the Ultimate Question of Life, the Universe, and Everything”, calculated by an enormous supercomputer named Deep Thought over a period of 7.5 million years. Unfortunately, no one knows what the question is. Thus, to calculate the Ultimate Question, a special computer the size of a small planet was built from organic components and named “Earth”.
Advanced Persistent Threat (APT)
The APT acronym was first popularized in a 2013 Mandiant Corporation (now FireEye) report (“APT1: Exposing One of China’s Cyber Espionage Units” available at http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf) that outlined the habits of a group of government-sponsored hackers who targeted specific organizations with a specific goal. The sophistication, strategic direction, and often damaging characteristics of these attacks were given the name “Advanced Persistent Threat”.
Adware
Software that is provided for free but contains advertisements. (Cf. Malware, Spyware.)
APT
See Advanced Persistent Threat.
Authorization Creep
Authorization creep occurs when an employee changes job functions but retains permissions that were required for the previous role and are no longer needed. The result is an employee with inappropriate access to data.
Black Box Test
Testing done with little or no information about the target's makeup, internals, or protections.
Blue Team
Red team/blue team exercises take their name from their military antecedents. The idea is simple: one group of security pros, the red team, attacks something, and an opposing group, the blue team, defends it. Originally, the exercises were used by the military to test force readiness. They have also been used to test the physical security of sensitive sites such as nuclear facilities and the Department of Energy's National Laboratories and Technology Centers.
Botnet
Abbreviation of "Robot Network": a network of compromised computers administered by a person who controls their activity through a remote console.
C&C
See Command and Control.
C2
See Command and Control.
CFAA
See Computer Fraud and Abuse Act.
Clone Phishing
A type of phishing attack in which the content and recipient address(es) of a legitimate, previously delivered email containing an attachment or link are taken and used to create an almost identical, "cloned" email. The attachment or link within the email is replaced with a malicious version, and the message is sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of it. This technique can be used to pivot from a previously infected machine and gain a foothold on another, by exploiting the social trust implied by both parties having received the original email. See also: Phishing, Spear Phishing, Whaling, and Watering Hole Attack.
Command and Control
Command and control (C&C, also known as C2) is the traffic flowing between compromised devices and the controllers of the botnet.
Common Vulnerabilities and Exposures (CVE)
A reference method for publicly known information security vulnerabilities and exposures. The system is maintained by MITRE Corporation with funding from various government agencies. CVE Identifiers (also referred to by the community as “CVE names,” “CVE numbers,” “CVE entries,” “CVE-IDs,” and “CVEs”) are unique, common identifiers for publicly known cyber security vulnerabilities. (Web Site: https://cve.mitre.org/.)
Common Vulnerability Scoring System (CVSS)
An open industry standard for assessing the severity of computer system security vulnerabilities. Under the custodianship of NIST, it attempts to establish a measure of how much concern a vulnerability warrants compared to other vulnerabilities, so that remediation efforts can be prioritized. The scores are based on a series of measurements (called metrics) derived from expert assessment and range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are rated High, those in the range 4.0-6.9 Medium, and those in the range 0-3.9 Low. (Web Site: https://www.first.org/cvss.)
Computer Fraud and Abuse Act (CFAA)
Enacted by Congress in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. It was written to clarify and increase the scope of the previous version of 18 U.S.C. § 1030. In addition to clarifying a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial of service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.
The Act has been amended a number of times.
Cookie
A small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items in a shopping cart) or to record the user's browsing activity. See also: Magic Cookie, Session Hijacking.
Covert Channel
A type of computer security attack that creates the capability to transfer information between processes that are not supposed to be allowed to communicate under the computer security policy.
Cross-Site Scripting (XSS)
Crystal Box Test
Elements of Grey box (see below) with available documentation or even source code.
Cross-Site Request Forgery (CSRF, or XSRF)
A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser. Cross-Site Request Forgery is often achieved through cookie and session hijacking.
See Common Vulnerabilities and Exposures.
See Common Vulnerability Scoring System.
Discretionary Access Control (DAC)
In computer security, Discretionary Access Control (DAC) is a type of access control in which a user has complete control over all the programs and files they own and execute, and also determines the permissions other users have to those files and programs. Because DAC requires permissions to be assigned to those who need access, DAC is commonly described as a "need-to-know" access model. (Cf. Mandatory Access Control.)
DDoS
See Distributed Denial of Service Attack.
Denial of Service Attack
Any action whether intentional, unintentional, malicious, or innocuous which results in a disruption or reduction in data services.
DFIR
See Digital Forensics and Incident Response.
DGA
See Domain Generating Algorithm.
Digital Forensics and Incident Response (DFIR)
Digital forensics is the process of uncovering and interpreting electronic data for use in a court of law. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events. Incident response is the act of preparing for and reacting to an emergent event, such as a natural disaster or an interruption of business operations.
Distributed Denial of Service Attack (DDoS)
The use of multiple machines to create a traffic flow that slows or halts data services on a targeted network.
Domain Name System (DNS)
The centralized resource for computer name to IP address resolution. This is the system that translates a “friendly name” such as google.com into the IP address that computers use to locate the associated site.
Domain Generating Algorithm
Domain Generating Algorithms are mathematical functions that automatically create ephemeral domains with obscure names. These rogue domains are primarily used for ransomware payments and are quickly closed to evade law enforcement.
DNS Amplification attack
A Distributed Denial of Service attack in which a group of computers (a botnet) issues DNS requests that appear to come from a single server (the target of the attack). The requests carry a spoofed IP source address, so all the DNS replies are directed to that address, causing a flood of traffic that results in a Denial of Service at the targeted machine.
DoS
See Denial of Service Attack.
Dropper
A program that installs ("drops") an infected program or other malicious code onto the target machine.
Ethical Hacking
Ethical hacking is the process of identifying potential threats to a company's security infrastructure and then trying to exploit them, with permission from the company. An ethical hacker tries to bypass system security and find weak points that someone else might exploit. The benefit to a company is that the ethical hacker acts as a mock criminal: the goal is to find security holes before the real bad guys do. An ethical hacker understands how to respect privacy, which actions are legal and which are illegal, and how to perform the job without actually compromising the security of a company's infrastructure.
Evil Twin
See Rogue Access Point.
Fuzzing
A software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program.
Grey box test
Testing done with only minimal information about the target's makeup, internals, protections, and areas of concern shared with the tester.
Hash Function
A process that maps digital data of arbitrary size to digital data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. A hash function allows one to easily verify that some input data matches a stored hash value, but makes it hard to construct any data that would hash to the same value or to find any two distinct pieces of data that hash to the same value. This principle is used by many password checking systems. See also: Pass the Hash.
Heartbleed
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). More information may be found at http://heartbleed.com/
Host-based Intrusion Detection System (HIDS)
Software installed on an endpoint that monitors anomalous activity aimed at that endpoint. (cf. “Network-based Intrusion Detection System”.)
Hunt Team Exercise
A method used by penetration testers to determine whether attackers are already inside a target network. The pen testers "hunt" for evidence of the presence of intruders.
IDS
See Host-based Intrusion Detection System (HIDS) and Network-based Intrusion Detection System.
IEC
See International Electrotechnical Commission.
Incident Response
Any activity aligned with preparing for and reacting to a security incident; usually a methodical approach used to prepare for, respond to, record, and preserve a security event. SANS Institute instructors use the acronym "PICERL" as a mnemonic for the method: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. See also: Incident Response Team.
Incident Response Team
This team is generally composed of specific members designated before an incident occurs, although under certain circumstances the team may be an ad hoc group of willing volunteers. Incident response teams are common in corporations as well as in public service organizations.
Input Validation
A method of ensuring that the individual characters provided through user input are consistent with the expected characters of one or more known primitive data types, as defined in a programming language or data storage and retrieval mechanism.
International Electrotechnical Commission (IEC)
A non-profit, non-governmental international standards organization that prepares and publishes International Standards for all electrical, electronic and related technologies – collectively known as “electrotechnology”.
International Organization for Standardization (ISO)
The world’s largest developer of voluntary international standards. It aims to facilitate world trade by providing common standards between nations.
Intellectual Property
A legal term that refers to creations of the mind. Examples of intellectual property include music, literature, and other artistic works; discoveries and inventions; and words, phrases, symbols, and designs. Under intellectual property laws, owners of intellectual property are granted certain exclusive rights. Some common types of intellectual property rights (IPR) are copyright, patents, and industrial design rights, and the rights that protect trademarks, trade dress, and in some jurisdictions trade secrets. Intellectual property rights are themselves a form of property, called intangible property.
Internet Protocol Address
A unique number assigned to every computer that communicates on the internet. This IP address is used to recognize your particular computer out of the millions of other computers connected to the Internet.
IP Address
See Internet Protocol Address.
IP
See Intellectual Property or Internet Protocol Address.
ISO
See International Organization for Standardization.
ISO/IEC JTC 1
A joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its purpose is to develop, maintain and promote standards in the fields of information technology (IT) and Information and Communications Technology (ICT).
Lateral Movement
Movement within a network whereby attackers systematically connect to devices on the network in order to get closer to the intended target. See also: Pivot.
Leet
Leet (or "1337"), also known as eleet or leetspeak, is an alternative alphabet for many languages that is used primarily on the Internet. It uses various combinations of ASCII characters to replace Latinate letters. For example, leet spellings of the word leet include 1337 and l33t; eleet may be spelled 31337 or 3l33t.
The term leet is derived from the word elite. The leet alphabet is a specialized form of symbolic writing. Leet may also be considered a substitution cipher, although many dialects or linguistic varieties exist in different online communities. The term leet is also used as an adjective to describe formidable prowess or accomplishment, especially in the fields of online gaming and in its original usage – computer hacking.
Mac
Abbreviation for Apple Macintosh® computers and/or the Apple Macintosh® operating system (known as "Mac OS®").
Mandatory Access Control (MAC)
In computer security, Mandatory Access Control (MAC) is a type of access control in which only the administrator manages the access controls. The administrator defines the usage and access policy, which cannot be modified by users, and the policy indicates who has access to which programs and files. MAC is most often used in systems where priority is placed on confidentiality. (Cf. Discretionary Access Control.)
MAC Address
A Media Access Control address (MAC address) is a 48-bit unique identifier assigned to network interfaces for communications on the physical network segment. A typical MAC address follows the numbering convention F0-1F-AF-02-20-60. The first three octets (number pairs) are the manufacturer identifier (in this case, Dell). The remaining three octets are unique to the device: no two network cards should share the same MAC address on the same network, or communication problems will occur.
A list of MAC manufacturer identifiers may be found at: http://www.adminsub.net/mac-address-finder
Magic Cookie
A token or short packet of data passed between communicating programs, where the data is typically not meaningful to the recipient program. The contents are opaque (meaning that the data structure is not clearly defined) and are not usually interpreted until the recipient passes the cookie data back to the sender, or perhaps to another program, at a later time. The cookie is often used like a ticket, to identify a particular event or transaction.
Malware
Software written with the intent of causing intentional harm to, or exfiltrating data from, a system. The word is a combination of "malicious" and "software". (Cf. Adware, Spyware.)
Man-in-the-Middle Attack (MitM)
An attack whereby a device is used as a pass-through to capture all traffic before it is sent on to its intended destination. A Man-in-the-Middle attack can be used to steal login credentials and other sensitive information that is transmitted over an unencrypted connection.
National Institute of Standards and Technology (NIST)
A measurement standards laboratory, also known as a National Metrological Institute (NMI), which is a non-regulatory agency of the United States Department of Commerce. The institute’s official mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
NIST documentation in the computer security arena is the well-known "800-xx" series of Special Publications. Prior to 1988, NIST was known as the National Bureau of Standards (NBS). (Web site: http://www.nist.gov/index.html.)
Network-based Intrusion Detection System
An appliance or application that monitors traffic across the entire network to alert against anomalous behavior. (cf. Host-based Intrusion Detection System.)
In recent years, new vulnerabilities have been given nicknames, such as Heartbleed, and POODLE. This has not been generally well-received in some security circles, as it minimizes the severity of the vulnerability without making the general public understand the gravity of the problem.
NIST
See National Institute of Standards and Technology.
Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies.
(Web site: https://www.owasp.org/index.php/Main_Page.)
OWASP
See Open Web Application Security Project.
Pass the Hash
A technique that allows an attacker to authenticate to a remote server or service by using the underlying hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.
Penetration Test
A Penetration Test (a.k.a. Pen Test) is an authorized attack on a computer system with the intention of finding security weaknesses and potentially gaining access to the system, its functionality and its data.
A pen test follows a formal structure, consisting of defined phases.
(cf. Vulnerability Assessment.)
Personally Identifiable Information (PII)
Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. PII is a legal concept, not a technical concept. Because of the versatility and power of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with others. These attributes have been referred to as quasi-identifiers or pseudo-identifiers.
Phishing
The illegal attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of "fishing", due to the similarity of using fake bait in an attempt to catch a victim. See also
PICERL
See Incident Response.
Pivot
A pivot is a method whereby access to a secured network is gained by compromising a machine that resides on a nearby network. In a typical scenario, Network A is accessible to all machines, but Network B is accessible only to a few trusted machines and is not reachable from the Internet. By compromising Network A and gaining access to a trusted machine that has access to Network B, a connection can be leveraged (or pivoted) into the secured network via the compromised machine. See also: Lateral Movement.
POODLE
POODLE is an acronym for Padding Oracle On Downgraded Legacy Encryption. It is an attack that targets CBC-mode ciphers in SSLv3. The vulnerability allows an active MitM attacker to decrypt content transferred over an SSLv3 connection. While secure connections primarily use TLS (the successor to SSL), most users were vulnerable because web browsers and servers would downgrade to SSLv3 if there were problems negotiating a TLS session.
Port
An easy way to understand ports is to imagine that your IP address is a cable box and the ports are the different channels on that cable box. The cable company knows how to send cable to your cable box based on a unique serial number associated with that box (the IP address), and you then receive the individual shows on different channels (the ports).
Proof of Concept (POC)
A proof of concept is a demonstration of a flaw to prove the possibility of the flaw being exploited.
Red Team / Blue Team
Red team/blue team exercises take their name from their military antecedents. The idea is simple: one group of security pros, the red team, attacks something, and an opposing group, the blue team, defends it. Originally, the exercises were used by the military to test force readiness. They have also been used to test the physical security of sensitive sites such as nuclear facilities and the Department of Energy's National Laboratories and Technology Centers.
Remote Desktop Protocol (RDP)
The protocol that allows a user on one machine to open a remote desktop session on another machine over the network. (RDP usually uses port 3389.)
Rogue Access Point
A Wi-Fi hotspot that mimics a legitimate hotspot. Users who connect to a rogue access point (also known as an “evil twin”) are susceptible to attack.
SANS Institute
The SANS Institute is a private U.S. company that specializes in information security and cybersecurity training. Since its founding in 1989, the SANS Institute has trained over 120,000 information security professionals in topics ranging from cyber and network defenses, penetration testing, incident response, and digital forensics to audit. The trade name SANS derives from SysAdmin, Audit, Networking, and Security. SANS also publishes the "Critical Security Controls for Effective Cyber Defense". As defined by SANS, "The actions defined by the Controls are demonstrably a subset of the comprehensive catalog defined by the National Institute of Standards and Technology (NIST) SP 800-53. The Controls do not attempt to replace the work of NIST, including the Cybersecurity Framework developed in response to Executive Order 13636. The Controls instead prioritize and focus on a smaller number of actionable controls with high-payoff."
Secure Shell (SSH)
A network protocol for initiating text-based sessions on remote machines in a secure way. (Usually initiated over TCP port 22.)
Secure Sockets Layer (SSL)
SSL (Secure Sockets Layer) was the standard security technology for establishing an encrypted link between a web server and a browser. This link ensured that all data passed between the web server and browsers remained private and unaltered. SSL was an industry standard and was used by millions of websites to protect their online transactions with their customers. Dr. Taher Elgamal, chief scientist at Netscape Communications from 1995 to 1998, is recognized as the "father of SSL".
As of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0. TLS is now the recommended encryption standard for Web-based communications.
Server Message Block (SMB)
A protocol used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. (SMB usually communicates over port 139.)
Session Hijacking
Also known as cookie hijacking, session hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it refers to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can easily be stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.
See Covert Channel.
SMB
See Server Message Block.
Social Engineering
A type of confidence trick for the purpose of information gathering, fraud, or system access. It differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. See also: Phishing, Vishing.
Spear Phishing
A phishing attack that is directed at a specific individual or company. Attackers gather information about the target when crafting the fraudulent message to increase the likelihood of success. See also: Phishing, Clone Phishing, Watering Hole Attack, Whaling.
Spyware
Software that is installed on a computer without the user's knowledge and transmits information about the user's computer activities over the Internet. (Cf. Adware, Malware.)
SSH
See Secure Shell (SSH).
SSL
See Secure Sockets Layer.
Structured Query Language
Commonly referred to as “SQL” (pronounced: see-Kwell), Structured Query Language is a special-purpose programming language designed for managing data held in a relational database management system (RDBMS), or for stream processing in a relational data stream management system (RDSMS).
SQL
See Structured Query Language.
SQL Injection
A method of attack whereby crafted data is entered into a web form to determine whether a vulnerable SQL database is in use; if so, commands may be entered (injected) through the web form field to force the SQL database to return unintended results (up to and including full administrative permission on the database). A common SQL injection test string is: ' OR '1'='1
TLS
See Transport Layer Security.
Transport Layer Security
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as "SSL", are cryptographic protocols designed to provide communications security over a computer network. TLS is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered.
Uniform Resource Indicator (URI)
A string of characters used to identify a name of a resource. Such identification enables interaction with representations of the resource over a network, typically the World Wide Web, using specific protocols. Schemes specifying a concrete syntax and associated protocols define each URI. The most common form of URI is the uniform resource locator (URL), frequently referred to informally as a web address.
Uniform Resource Locator (URL)
The addressing scheme used to locate a particular web site or web page.
URI
See Uniform Resource Indicator.
URL
See Uniform Resource Locator.
Vishing
The criminal practice of using Social Engineering over the telephone system to obtain private personal and financial information from the public for the purpose of financial reward. The word is a combination of "voice" and "phishing". Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals. See also: Phishing.
Vulnerability Assessment
The process of identifying, quantifying, and prioritizing the vulnerabilities in a system.
(cf. Penetration Test.)
Watering Hole Attack
An attack whereby the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the “trusted” site (A.K.A. the “Watering Hole”) and becomes compromised. See Also: Phishing, Spear Phishing, Whaling, and Clone Phishing.
Whaling
A Spear Phishing attack directed specifically at senior executives and other high-profile targets within businesses. See also: Phishing, Spear Phishing, Watering Hole Attack and Clone Phishing.
XSS
See Cross-Site Scripting.
XSRF
See Cross-Site Request Forgery.
Zero-Day Vulnerability
A flaw for which a patch does not yet exist.
Zero-Day Exploit
A tool that has been written to take advantage of a Zero-Day Vulnerability.