Glossary

3DES (Triple DES) Applies the DES algorithm three times in sequence (encrypt, decrypt, encrypt) with two or three independent 56-bit keys to extend the effective key length of DES; slow, and now deprecated by NIST in favor of AES.

A

acceptable use policy (AUP) Identifies network applications and uses that are acceptable to the organization as well as ramifications for violating the policy.

access attacks Attacks that exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive info.

access control list (ACL) A series of commands that control whether a device forwards or drops packets based on information found in the packet header.

access layer Provides endpoints and users direct access to the network.

Address Resolution Protocol (ARP) Provides dynamic address mapping between an IP address and a hardware address.

Advanced Encryption Standard (AES) Currently recommended symmetric encryption algorithm. The underlying Rijndael cipher offers nine combinations of key and block length, but the AES standard fixes the block length at 128 bits and allows key lengths of 128, 192, or 256 bits.

adware Malware that typically displays annoying pop-ups to generate revenue for its author.

Alternate Data Streams (ADSs) Sometimes used by applications that are storing additional information about a file and can be used by threat actors to store malicious code.

amplification and reflection techniques A DoS attack in which the threat actor sends requests, such as ICMP echo requests, with the source IP address spoofed to be the victim's to a large number of third-party hosts, which then send their replies to the victim instead of the attacker (reflection). When the replies are larger than the requests, as with DNS, NTP, or SSDP responses, the attacker's traffic is multiplied (amplification), overwhelming the victim.

antivirus/antimalware Software that is installed on a host to detect and mitigate viruses and malware.

application gateway firewall (proxy firewall) Filters information at Layers 3, 4, 5, and 7; the proxy server connects to the remote server on behalf of the client.

Application layer OSI layer that contains protocols used for process-to-process communications.

ARP cache poisoning Attack in which the threat actor sends ARP replies, solicited or not, that associate the IP address of a desired device, such as the default gateway, with the threat actor's own MAC address, so that the victim's ARP cache is poisoned and the victim forwards traffic to the threat actor instead of the legitimate default gateway.

ARP spoofing A technique used by an attacker to reply to an ARP request for an IPv4 address belonging to another device, such as the default gateway.
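
As an added example (not part of the original glossary), the following Python script applies the detection logic a network monitor such as arpwatch uses to catch the two ARP attacks defined above: it learns IP-to-MAC mappings from ARP replies, alerts on replies that nobody asked for, on the gateway's MAC address changing, and on one MAC address answering for several IP addresses. The ARP records are constructed sample data, and the gateway address, attacker MAC, and request window are assumptions for the example.

```python
from collections import defaultdict

# Constructed ARP records in the form a monitor would parse from a capture:
# (seconds since capture start, opcode, sender IP, sender MAC, target IP).
# 192.168.1.1 is the assumed default gateway; the de:ad:be:ef MAC is the attacker.
ARP_LOG = [
    (0.0,  "request", "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.1"),
    (0.1,  "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),
    (5.0,  "request", "192.168.1.11", "aa:aa:aa:aa:aa:11", "192.168.1.1"),
    (5.1,  "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.11"),
    # Poisoning starts: unsolicited replies claim the gateway toward the victim
    # and the victim toward the gateway, both from the attacker's MAC.
    (30.0, "reply",   "192.168.1.1",  "de:ad:be:ef:00:66", "192.168.1.10"),
    (30.0, "reply",   "192.168.1.10", "de:ad:be:ef:00:66", "192.168.1.1"),
    # The attacker also answers a genuine request promptly; request tracking
    # alone would not flag this reply, which is why the MAC-change check exists.
    (31.0, "request", "192.168.1.12", "aa:aa:aa:aa:aa:12", "192.168.1.1"),
    (31.1, "reply",   "192.168.1.1",  "de:ad:be:ef:00:66", "192.168.1.12"),
]

GATEWAY_IP = "192.168.1.1"


def analyze_arp(records, gateway_ip=GATEWAY_IP, request_window=2.0):
    """Return (learned ip->mac table, list of alerts) for a sequence of ARP records."""
    table = {}            # IP -> MAC learned from replies
    last_request = {}     # target IP -> time it was last asked for
    alerts = []
    for t, op, sender_ip, sender_mac, target_ip in records:
        if op == "request":
            last_request[target_ip] = t
            continue
        # A reply that no host asked for recently is the classic poisoning signature.
        asked_at = last_request.get(sender_ip)
        if asked_at is None or t - asked_at > request_window:
            alerts.append((t, "unsolicited-reply", sender_ip, sender_mac))
        # A learned mapping changing is the other signature; for the gateway it is critical.
        previous = table.get(sender_ip)
        if previous is not None and previous != sender_mac:
            kind = "gateway-mac-change" if sender_ip == gateway_ip else "mac-change"
            alerts.append((t, kind, sender_ip, f"{previous}->{sender_mac}"))
        table[sender_ip] = sender_mac
    # One MAC claiming several IPs is what a man-in-the-middle looks like at Layer 2.
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append((None, "mac-claims-multiple-ips", mac, sorted(ips)))
    return table, alerts


if __name__ == "__main__":
    _, found = analyze_arp(ARP_LOG)
    for alert in found:
        print(alert)
```

A MAC change for the gateway is also what a legitimate router replacement looks like, so the alert is a trigger for verification rather than proof of attack; the combination of an unsolicited reply, a changed gateway mapping, and one MAC claiming both ends of a conversation is what makes the case strong.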

asset Anything of value to an organization that must be protected, including servers, infrastructure devices, end devices, and data.

asymmetric encryption Uses different keys to encrypt and decrypt data.

attack attribution Determining the individual, organization, or nation responsible for a successful intrusion or attack incident.

attack indicators The uniquely identifiable attributes of an attack.

attack surface Different points where an attacker could get into a system, and where they could get data out of the system.

attribute-based access control (ABAC) Access control model that allows access based on attributes of the object (resource) to be accessed, the subject (user) accessing the resource, and environmental factors regarding how the object is to be accessed.

Authentication, Authorization, and Accounting (AAA) An architectural framework for configuring a set of three independent security functions. Authentication confirms the identity of the user or device. Authorization determines what the user or device is allowed to do. Accounting records information about access attempts, including inappropriate requests.

authoritative server A DNS server that responds to query messages with information stored in Resource Records (RRs) for a domain name space stored on the server.

availability Element of the CIA triad (confidentiality, integrity, availability) that states authorized users must have uninterrupted access to important resources and data.

B

baiting Social engineering attack in which a threat actor leaves a malware-infected physical device with the hopes that someone will find it and insert it into a computer.

Basic Input-Output System (BIOS) Older version of a computer firmware that is responsible for hardware initialization, the power on self-test (POST), and locating the master boot record (MBR). See also Unified Extensible Firmware Interface (UEFI).

best evidence Evidence that is in its original state and can be proven to be unaltered.

black hat hackers Unethical criminals who violate computer and network security for personal gain, or for malicious reasons such as attacking networks.

blind spoofing Spoofing attack in which the threat actor cannot see the traffic that is being sent between the host and the target, such as in DoS attacks.

block ciphers Transform a fixed-length block of plaintext into a block of ciphertext of the same length, one block at a time. A mode of operation (such as CBC, CTR, or GCM) defines how successive blocks are chained; ECB mode, which encrypts each block independently, leaks patterns in the plaintext and should not be used.

Boot Configuration Database (BCD) Contains any additional code needed to start the computer, along with an indication of whether this is a cold start or the computer is coming out of hibernation.

Bootstrap Protocol (BOOTP) Enables a diskless workstation to discover its own IP address, the IP address of a BOOTP server on the network, and a file to be loaded into memory to boot the machine. BOOTP has been superseded by Dynamic Host Configuration Protocol (DHCP).

botmaster A threat actor in control of the botnet and handlers.

botnet A group of zombies that have been infected using self-propagating malware and are controlled by handlers.

bots Malware that is designed to infect a host and communicate with a handler system.

Bring Your Own Device (BYOD) A policy that allows employees to use their own mobile devices to access company systems, software, networks, or information.

Bro An open source network security monitoring tool included in Security Onion; the project was renamed Zeek in 2018.

broadcast A one-to-all delivery option where all hosts on the network are the destination for the message.

buffer overflow attack An attack that writes more data into a fixed-size memory buffer than it can hold, overwriting adjacent memory. The result ranges from a crash (a DoS) to hijacked control flow and arbitrary code execution when the overwritten memory includes return addresses or function pointers.

C

CapME Web application that allows viewing of pcap transcripts rendered with the tcpflow or Bro tools.

chain of custody The documentation of the collection, handling, and secure storage of evidence.

cipher A secret way of encoding a message.

clients A program or application designed to communicate with a specific server.

command and control (CnC or C2) A threat actor’s online server to which compromised hosts (zombies) beacon out of the network to establish a channel of communications for launching other attacks or exfiltrating data.

command line interface (CLI) A text-based interface to the operating system that enables a user to enter commands to run programs, navigate the file system, and manage files and folders.

Compact Disc File System (CDFS) A file system created specifically for optical disk media.

Company policies Policies that protect the rights of workers as well as the business interests of employers.

Computer Emergency Response Teams (CERTs) Provides security awareness, best practices, and security vulnerability information to their populations. CERT is a trademarked acronym owned by Carnegie Mellon University.

Computer Security Incident Response Team (CSIRT) An internal group commonly found within an organization that provides services and functions to secure the assets of that organization.

confidentiality Element of the CIA triad (confidentiality, integrity, availability) that states only authorized individuals, entities, or processes should access sensitive information.

configuration files Used to manage the services offered by a server and can usually only be activated or modified by the administrator.

connectionless No dedicated end-to-end connection is created before data is sent.

content addressable memory (CAM) Similar to a MAC table, a special type of memory on a switch used in high-speed searching applications.

core layer Provides connectivity between distribution layers for large LAN environments.

corroborating evidence Evidence that supports an assertion that is developed from best evidence.

countermeasure A protection solution that mitigates a threat or risk.

cross-site scripting (XSS) An attack in which a threat actor injects malicious script into a web page so that it executes, with the page's privileges, in the browsers of other users who view the page; used to steal session cookies, deface content, or perform actions as the victim.

cryptanalysis The practice and study of determining and exploiting weaknesses in cryptographic techniques.

cryptography The development and use of codes that are used for communicating privately.

cryptology The science of making and breaking secret codes.

CSMA/CA Carrier sense multiple access with collision avoidance; a media-access mechanism that defines how devices decide when they can send, with a goal of avoiding collisions as much as possible. IEEE WLANs use CSMA/CA.

CSMA/CD Carrier sense multiple access with collision detection; a media-access mechanism in which devices ready to transmit data first check the channel for a carrier. If no carrier is sensed for a specific period of time, a device can transmit. If two devices transmit simultaneously, a collision occurs and is detected by all colliding devices. This collision subsequently delays retransmissions from those devices for some random length of time.

cybercriminals Black hat hackers who are either self-employed or working for large cybercrime organizations.

Cyber Kill Chain A method, developed by Lockheed Martin, for identifying and preventing cyber intrusions. Specifies seven steps that an attacker must complete to accomplish their goal.

D

daemon A background process that runs without the need for user interaction.

dashboards An interactive interface that provides a combination of data and visualizations designed to improve the access of individuals to large amounts of information.

Data Encryption Standard (DES) An older legacy symmetric encryption algorithm that encrypts data in 64-bit blocks with a 56-bit key, which is far too short to resist brute-force attacks on modern hardware.

Data Link layer Uses protocols that describe methods for exchanging data frames between devices over a common media.

data normalization The process of combining data from a number of data sources into a common format.

debuggers Tools used to reverse engineer binary files when writing exploits or analyzing malware.

default gateway The local gateway that a device can use to reach remote networks.

demilitarized zone (DMZ) A firewall design where there is typically one inside interface connected to the private network, one outside interface connected to the public network, and one DMZ interface.

destination port Transport layer field value in the segment header which tells the destination server what service is being requested.

deterministic analysis An analysis approach in which all the steps for a successful exploit are known by the analyst and all steps must be done in sequence for the exploit to be successful.

device hardening Methods of securing a device and protecting its administrative access.

Diamond Model A model that breaks down an intrusion into four core features: adversary, capability, infrastructure, and victim.

Diffie-Hellman (DH) Public key algorithm that allows two parties to agree on a shared secret over an insecure channel without ever transmitting the secret itself; the secret is then used to derive keys for encrypting messages they want to send to each other. On its own DH does not authenticate either party, so it must be combined with signatures or certificates to resist a man-in-the-middle attack.
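
As an added example (not part of the original glossary), the following Python code carries out the exchange described above with modular exponentiation and then shows why the entry's caveat matters: when nothing authenticates the public values, an attacker who intercepts them completes a separate exchange with each side and can read and re-encrypt everything in between. The group parameters are deliberately tiny toy values chosen for the example (an assumption; they must never be used for real traffic), and the key derivation step is the usual practice of hashing the raw DH output rather than using it directly.

```python
import hashlib
import secrets

# Toy parameters for illustration only (assumption): p = 2**31 - 1 is prime and 7 is a
# primitive root modulo p, but a 31-bit modulus is brute-forced in seconds. Real
# deployments use 2048-bit or larger groups (RFC 3526 / RFC 7919) or elliptic-curve DH.
P = 2**31 - 1
G = 7


def keypair(p=P, g=G):
    """Private exponent x in [1, p-2] and the public value g^x mod p."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def shared_secret(priv, peer_pub, p=P):
    """Compute peer_pub^priv mod p; reject degenerate peer values (0, 1, p-1)
    that would force a trivial, attacker-chosen secret."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def derive_key(secret):
    """Never use the raw DH output as a key; hash it into fixed-size key material."""
    length = max(1, (secret.bit_length() + 7) // 8)
    return hashlib.sha256(secret.to_bytes(length, "big")).hexdigest()


def honest_exchange():
    """Alice and Bob swap public values; both derive the same key."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    return derive_key(shared_secret(a, pub_b)), derive_key(shared_secret(b, pub_a))


def mitm_exchange():
    """Unauthenticated DH: Mallory replaces each public value in transit with her own.
    Returns (alice_key, bob_key, mallory_key_with_alice, mallory_key_with_bob)."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    m_to_bob, fake_for_bob = keypair()       # Bob receives this instead of pub_a
    m_to_alice, fake_for_alice = keypair()   # Alice receives this instead of pub_b
    alice_key = derive_key(shared_secret(a, fake_for_alice))
    bob_key = derive_key(shared_secret(b, fake_for_bob))
    mallory_alice = derive_key(shared_secret(m_to_alice, pub_a))
    mallory_bob = derive_key(shared_secret(m_to_bob, pub_b))
    return alice_key, bob_key, mallory_alice, mallory_bob


if __name__ == "__main__":
    print("honest exchange agrees:", len(set(honest_exchange())) == 1)
    ak, bk, ma, mb = mitm_exchange()
    print("Alice shares a key with Mallory:", ak == ma)
    print("Bob shares a key with Mallory:  ", bk == mb)
    print("Alice and Bob share a key:      ", ak == bk)
```

The honest and the intercepted runs look identical from Alice's and Bob's point of view, which is the whole problem: only a signature over the public values, a certificate, or a pre-shared key lets each side tell whose value it actually received.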

digital forensics The recovery and investigation of information found on digital devices as it relates to criminal activity.

Digital Signature Algorithm (DSA) A public key algorithm based on the ElGamal signature scheme.

Digital Signature Standard (DSS) Uses the Digital Signature Algorithm (DSA) for digital signatures.

discretionary access control (DAC) Access control model that allows users to control access to their data as owners of that data.

Disk Operating System (DOS) An operating system that the computer uses to enable data storage devices to read and write files.

distributed denial of service (DDoS) A type of denial of service (DoS) attack whose goal is to cause problems by preventing legitimate users from being able to access services, thereby preventing the normal operation of computers and networks. In a DDoS attack, as opposed to a DoS attack, the attack traffic originates from many sources.

distribution layer Aggregates access layers and provides connectivity to services.

distros Short for Linux distributions; each distribution packages the Linux kernel with customized tools and software packages.

DNS tunneling An attack in which threat actors place non-DNS traffic within DNS traffic as a way to exfiltrate stolen data.

DNS zone A database that contains information about the domain name space stored on an authoritative server.

domain Network service where all of the users, groups, computers, peripherals, and security settings are stored on and controlled by a database.

domain controllers (DCs) Store all the domain databases and are used to authenticate users and computers and apply the security settings for each session.

domain generation algorithms Technique used in malware to randomly generate domain names that can then be used as rendezvous points to the threat actor’s command and control (CnC) servers.

Domain Name System (DNS) Translates domain names, such as cisco.com, into IP addresses.

domain shadowing A threat actor first compromises a domain and then creates multiple subdomains to be used to launch attacks.

dotted-decimal Four octets represented as a decimal value and separated by a decimal point.

double IP flux Technique used by threat actors to rapidly change the hostname-to-IP address mappings and to also change the authoritative name server.

Duplicate Address Detection (DAD) Ensures that a host's assigned IPv6 address is unique. The host sends an NS message with its own tentative IPv6 address in the target address field to the corresponding solicited-node multicast address. If another device on the network already has this address, it responds with an NA message and the host must not use the address.

Dynamic DNS (DDNS) Allows the IP address associated with a domain name to be changed and then dynamically propagated throughout the DNS hierarchy almost instantaneously.

Dynamic Host Configuration Protocol (DHCP) Dynamically assigns IP addresses to client stations at start-up. Allows the addresses to be reused when no longer needed.

dynamic routing protocol Protocol that exchanges network reachability information between routers and dynamically adapts to network changes.

E

edge router A router with basic permit and deny rules as a first line of defense that then passes all connections that are permitted to the internal network to the firewall.

ElGamal An asymmetric key encryption algorithm for public key cryptography which is based on the Diffie-Hellman key agreement.

Elliptic curve cryptography (ECC) Adapts many cryptographic algorithms, such as Diffie-Hellman (ECDH) or the ElGamal-based DSA (ECDSA), to the arithmetic of elliptic curves, so that the keys can be much smaller for the same security level.

ELSA Enterprise Log Search and Archive, a tool that provides an interface to a wide variety of network security monitoring (NSM) data logs including logs from HIDS, NIDS, firewalls, syslog, etc.

employee policies Policies created and maintained by human resources staff to identify employee salary, pay schedule, benefits, work schedule, vacations, and more.

encryption Applying a specific algorithm to data to alter the appearance of the data, making it incomprehensible to those who are not authorized to see the information.

encryption tools Tools that use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data.

endpoint A host on the network that can access or be accessed by other hosts on the network.

Enhanced Interior Gateway Routing Protocol (EIGRP) Cisco proprietary routing protocol that uses composite metric based on bandwidth, delay, load, and reliability.

Ethernet A computer network architecture of the OSI Physical and Data Link layers that defines the rules for wiring and signaling standards of the network access layer.

Event Viewer Windows security tool that logs the history of application, security, and system events.

exploit Mechanism used to leverage a vulnerability to compromise an asset.

ext2 Second extended file system, the default Linux file system until replaced by ext3; still used in flash-based storage media.

ext3 Third extended file system, designed to improve ext2; added a journaling feature.

ext4 Fourth extended file system, created based on a series of extensions to ext3.

Extended FAT (exFAT) An extended version of FAT that has even fewer restrictions than FAT32, but is not supported very well outside of the Windows ecosystem.

Extended File System (EXT) A file system used with Linux-based computers.

F

false negative An alert classification that means a real security incident occurred but no alert was generated; the incident went undetected.

false positive An alert classification that means the alert does not indicate an actual security incident.

fast flux Technique used by threat actors to hide their phishing and malware delivery sites behind a quickly changing network of compromised DNS hosts.
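
As an added example (not part of the original glossary), the following Python script applies simple, explainable detection heuristics for three of the DNS abuses defined in this glossary: DNS tunneling (many long, unique subdomains under one domain), domain generation algorithms (long, vowel-poor, high-entropy names that mostly fail to resolve), and fast flux (one name resolving to many unrelated addresses with a very low TTL). The records, the attacker domains, and the thresholds are constructed assumptions for the example; double flux would additionally require watching the NS records for the domain change, which this sample does not cover.

```python
import math
from collections import defaultdict

# Constructed DNS records in the shape a sensor (a Bro/Zeek dns.log, passive DNS) emits:
# (query name, record type, answer, TTL in seconds). Sample data, not real traffic.
DNS_LOG = [
    ("www.example.com", "A", "198.51.100.10", 3600),
    ("www.example.com", "A", "198.51.100.11", 3600),
    ("www.example.com", "A", "198.51.100.10", 3600),
    # DGA-style names: high entropy, almost no vowels, NXDOMAIN until one is registered
    ("xkqjzvbtmwplq.com", "A", "NXDOMAIN", 0),
    ("ab8g2kq9dz1h.net", "A", "NXDOMAIN", 0),
    # Fast flux: one name, many unrelated IP addresses, very low TTL
    ("login-update.example.net", "A", "203.0.113.5", 60),
    ("login-update.example.net", "A", "203.0.113.77", 60),
    ("login-update.example.net", "A", "192.0.2.19", 60),
    ("login-update.example.net", "A", "198.51.100.200", 60),
    ("login-update.example.net", "A", "203.0.113.140", 60),
    ("login-update.example.net", "A", "192.0.2.250", 60),
    # Tunneling: data encoded into long, unique subdomain labels of one domain
    ("dGhpcyBpcyBhIHNlY3JldA.ZmlsZS50eHQgY29udGVudHM.t.evil-example.com", "TXT", "QUNL", 1),
    ("cGFzc3dvcmRzLnR4dA.bGluZSAyIG9mIGZpbGU.t.evil-example.com", "TXT", "QUNL", 1),
    ("c2VjcmV0IGtleSBtYXRlcmlhbA.bW9yZSBkYXRh.t.evil-example.com", "TXT", "QUNL", 1),
]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Naive split into (subdomain, registered domain) using the last two labels;
    a real deployment would consult the public suffix list (assumption made to run offline)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def flag_dga(qname, min_len=10, max_vowel_ratio=0.25, min_entropy=3.0):
    """DGA heuristic on the registrable label: long, vowel-poor and high-entropy."""
    label = split_name(qname)[1].split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy


def flag_tunneling(records, min_unique=3, min_avg_len=30):
    """Domains receiving many distinct, long subdomains: {domain: unique subdomain count}."""
    subs = defaultdict(set)
    for qname, _, _, _ in records:
        sub, domain = split_name(qname)
        if sub:
            subs[domain].add(sub)
    return {d: len(s) for d, s in subs.items()
            if len(s) >= min_unique and sum(map(len, s)) / len(s) >= min_avg_len}


def flag_fast_flux(records, min_ips=5, max_ttl=300):
    """Names resolving to many distinct addresses with short TTLs: {name: sorted IPs}."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for qname, qtype, rdata, ttl in records:
        if qtype == "A" and rdata != "NXDOMAIN":
            ips[qname].add(rdata)
            ttls[qname].append(ttl)
    return {q: sorted(ips[q]) for q in ips
            if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl}


def report(records):
    """Run all three heuristics over a record set."""
    return {
        "dga": sorted({split_name(q)[1] for q, _, _, _ in records if flag_dga(q)}),
        "tunneling": flag_tunneling(records),
        "fast_flux": flag_fast_flux(records),
    }


if __name__ == "__main__":
    for category, hits in report(DNS_LOG).items():
        print(category, hits)
```

Thresholds like these trade false positives for coverage: content delivery networks also hand out many addresses with short TTLs, and some legitimate names are short on vowels, so in production these flags feed an analyst's queue or a scoring model rather than blocking traffic on their own.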

Federal Information Security Management Act of 2002 (FISMA) U.S. federal law requiring federal agencies and their contractors to implement information security programs; the supporting standards and guidelines (FIPS publications and the NIST SP 800 series) are developed by NIST.

File Allocation Table (FAT) A simple file system supported by many different operating systems that has limitations to the number of partitions, partition sizes, and file sizes that it can address.

File Transfer Protocol (FTP) Sets rules that enable a user on one host to access and transfer files to and from another host over a network. A reliable, connection-oriented, and acknowledged file delivery protocol. FTP sends credentials and file contents in cleartext, so SFTP or FTPS should be used where confidentiality matters.

firewall A device that forwards packets between the less secure and more secure parts of the network, applying rules that determine which packets are allowed to pass, and which are not.

flow control Mechanism by which the receiving host regulates how much data the sender transmits so that the receiver can accept and process it reliably; in TCP this is done through the advertised window size.

forensic tools Tools used to sniff out any trace of evidence existing in a particular computer system.

forking Method to allow a process to create a copy of itself.

fully qualified domain name (FQDN) The absolute name of a device within the distributed DNS database.

fuzzers Tools that feed large volumes of malformed, random, or boundary-case input to a program or protocol implementation in order to discover crashes and security vulnerabilities; used by attackers and defenders alike.

G

Generic Routing Encapsulation (GRE) A tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels.

Gramm-Leach-Bliley Act (GLBA) Requires financial institutions to ensure the security and confidentiality of customer information.

gray hat hackers Hackers who do arguably unethical things, not for personal gain or to cause damage, but to expose vulnerabilities.

H

hacker Common term used to describe a threat actor but also includes other meanings such as gray hat hacker and white hat hacker.

hacking operating systems Specially designed operating systems preloaded with tools and technologies optimized for hacking.

hacktivists Gray hat hackers who rally and protest against different political and social ideas by posting numerous articles and videos, leaking sensitive information, and performing DDoS attacks.

handler A master command-and-control (CnC or C2) server controlling groups of zombies.

hard link In Linux, a link that creates another version of a file with a different name linked to the same place in the file system (called an inode). See also symbolic link.

hardware abstraction layer (HAL) Windows code that handles all of the communication between the hardware and the kernel.

hashes A unidirectional process (rather than a reversible algorithm) that takes a variable-sized input and creates a fixed-size output.

Health Insurance Portability and Accountability Act (HIPAA) Requires that all patient personally identifiable healthcare information be stored, maintained, and transmitted in ways that ensure patient privacy and confidentiality.

hextet A segment of an IPv6 address that is made up of 16 bits and usually represented as four hexadecimal values.

Hierarchical File System Plus (HFS+) A file system used on Mac OS X and macOS computers that allowed much longer filenames, larger file sizes, and larger partition sizes than its predecessor HFS; replaced by the Apple File System (APFS) starting with macOS High Sierra in 2017.

homoglyphs Text characters that are similar to legitimate text characters, used by threat actors to spoof legitimate domain names, company names, and so on.
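
As an added example (not part of the original glossary), the following Python code shows how a monitoring tool can catch the homoglyph domains defined above: it flags names that mix Unicode scripts, shows the punycode form a resolver actually looks up, and collapses each name to a visual skeleton so that lookalikes compare equal to a protected brand. The confusable table is a small hand-picked subset chosen for the example (an assumption; the full Unicode confusables data is much larger), and the watchlist domains are illustrative.

```python
import unicodedata

# Hand-picked confusable pairs (assumption: a small subset of the Unicode confusables
# data, enough for the example). Keys are lookalikes, values the Latin letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",      # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                     # Greek
    "0": "o", "1": "l",                                              # ASCII digits
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}               # ASCII letter pairs


def skeleton(name):
    """Collapse a domain name to what it looks like, so lookalikes compare equal."""
    s = unicodedata.normalize("NFKC", name).lower()
    for pair, single in MULTI_CONFUSABLES.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def scripts(name):
    """Unicode scripts of the letters in a name, taken from each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def analyze(domain, watchlist):
    """Return a list of findings for `domain` checked against brands to protect."""
    domain = domain.lower()
    findings = []
    found = scripts(domain)
    if len(found) > 1:            # e.g. one Cyrillic letter dropped into a Latin name
        findings.append("mixed-script:" + "+".join(sorted(found)))
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None
        findings.append("idna-encoding-failed")
    if ascii_form and ascii_form != domain:   # the xn-- form the resolver actually queries
        findings.append("punycode:" + ascii_form)
    for target in watchlist:
        target = target.lower()
        if domain != target and skeleton(domain) == skeleton(target):
            findings.append("lookalike-of:" + target)
    return findings


if __name__ == "__main__":
    watch = ["apple.com", "paypal.com", "microsoft.com"]
    for candidate in ["\u0430pple.com", "paypa1.com", "rnicrosoft.com", "apple.com"]:
        print(candidate, analyze(candidate, watch))
```

Browsers defend against the mixed-script case by displaying such names in punycode, but pure-ASCII lookalikes such as paypa1.com or rnicrosoft.com pass every script check, which is why the skeleton comparison against a watchlist is the part worth running on newly registered domains and on certificate transparency logs.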

host-based firewalls Stand-alone software program that controls traffic entering or leaving a computer; examples include Windows Firewall, iptables, nftables, and TCP Wrapper.

host-based intrusion detection system (HIDS) Software designed to protect hosts against known and unknown malware; examples include Cisco AMP, AlienVault USM, Tripwire, and Open Source HIDS SECurity (OSSEC).

host-based intrusion prevention system (HIPS) Software installed on a single host to monitor and analyze suspicious activity.

HTTP 302 cushioning Attack in which threat actors use the 302 Found HTTP response status code to direct the user’s web browser to the new location.

Hypertext Transfer Protocol (HTTP) Set of rules for exchanging text, graphic images, sound, video, and other multimedia files on the World Wide Web.

I

iFrame An HTML element that allows the browser to load another web page from another source.

impact The damage to the organization that is caused by the threat.

indirect evidence Evidence that, in combination with other facts, establishes a hypothesis; also known as circumstantial evidence.

Information Security Management System (ISMS) A management framework through which an organization identifies, analyzes, and addresses information security risks.

integrity Element of the CIA triad (confidentiality, integrity, availability) that refers to the protection of data from unauthorized alteration.

intermediary device A device that connects end devices to the network, connects multiple individual networks to form an internetwork, and provides connectivity to ensure that data flows across the network.

Internet Control Message Protocol (ICMP) Provides feedback from a destination host to a source host about errors in packet delivery.

Internet Message Access Protocol (IMAP) Enables clients to access email stored on a mail server. Maintains email on the server.

Internet Protocol (IP) Receives message segments from the transport layer. Packages messages into packets. Addresses packets for end-to-end delivery over an internetwork.

intrusion detection systems (IDSs) A security function that examines more complex traffic patterns against a list of both known attack signatures and general characteristics of how attacks may be carried out, rating each perceived threat and reporting the threats.

intrusion prevention systems (IPS) A security function that primarily uses signature matching, can alert administrators about an attack on the network, and can prevent the initial packet from entering the network.

J

journal A logging technique that keeps track of all changes made to the file system; used to minimize the risk of file system corruption in the event of sudden power loss.

K

Kali Linux A Linux distribution created to group many penetration testing tools.

kernel Core of the operating system that handles all of the input and output requests, memory, and peripherals connected to the computer.

Kernel Mode Code Signing (KMCS) Ensures that the drivers are digitally signed and safe to load as the Windows computer starts.

hash message authentication code (HMAC) Used to verify data integrity and authenticity of a message.
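
As an added example (not part of the original glossary), the following Python code demonstrates the difference between the hashes entry and the HMAC entry: a bare hash proves only that the data matches the digest, and anyone on the path can recompute it after editing the message, while an HMAC keyed with a secret shared by sender and verifier lets the verifier detect the edit. The message, key, and attacker edit are constructed for the example; the hash, HMAC, and constant-time comparison functions are the Python standard library's.

```python
import hashlib
import hmac
import secrets


def tag_plain_hash(message):
    """Integrity only: anyone can recompute this, so it cannot prove who sent the message."""
    return hashlib.sha256(message).digest()


def verify_plain_hash(message, tag):
    return hmac.compare_digest(tag_plain_hash(message), tag)


def tag_hmac(key, message):
    """Integrity plus authenticity: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hmac(key, message, tag):
    # compare_digest runs in constant time, so a verifier does not leak how many
    # leading bytes of a forged tag were correct (a byte-by-byte == comparison would).
    return hmac.compare_digest(tag_hmac(key, message), tag)


def demo(key=None):
    """Simulate an on-path attacker editing a message protected (a) by a bare hash and
    (b) by an HMAC. Returns (hash_only_forgery_accepted, hmac_forgery_accepted)."""
    key = key or secrets.token_bytes(32)   # shared by sender and verifier only
    message = b"transfer:from=alice;to=bob;amount=100"
    forged = message.replace(b"amount=100", b"amount=9900")
    # (a) Bare hash: the attacker simply recomputes the digest over the edited message.
    hash_only_accepted = verify_plain_hash(forged, tag_plain_hash(forged))
    # (b) HMAC: without the key the best the attacker can do is reuse the genuine tag.
    hmac_accepted = verify_hmac(key, forged, tag_hmac(key, message))
    return hash_only_accepted, hmac_accepted


if __name__ == "__main__":
    accepted_hash, accepted_hmac = demo()
    print("forgery accepted with bare hash:", accepted_hash)   # True
    print("forgery accepted with HMAC:     ", accepted_hmac)   # False
```

The tempting shortcut of hashing the key and message together, SHA-256(key || message), is not a safe substitute: Merkle-Damgard hashes such as SHA-256 and MD5 are subject to length-extension attacks, which is exactly the weakness the nested HMAC construction was designed to remove.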

L

lightweight APs (LWAPs) An AP that is connected to a wireless LAN controller (WLC) and only forwards data between the WLAN and WLC.

Linux An operating system that is open source, fast, reliable, and small. It requires very little hardware resources to run, and is highly customizable.

load balancing Distributing traffic between devices or network paths to prevent overwhelming network resources with too much traffic.

log files Records that a computer stores to keep track of important events.

Logical Link Control (LLC) sublayer Data link sublayer that is responsible for communication with the network layer.

logical topology A depiction of the way a network transfers frames from one node to the next and includes addressing information.

M

malware Malicious software that is intended to gain unauthorized access to computers or computer systems.

mandatory access control (MAC) Access control model that has the strictest access control, typically used in military or mission-critical applications.

man-in-the-middle attack A threat actor positioned between two legitimate entities in order to read, modify, or redirect the data that passes between the two parties.

master boot record (MBR) Contains a small program that is responsible for locating and loading the operating system.

Master File Table (MFT) A table that contains the locations of all the files and directories on the partition, including file attributes such as security information and timestamps.

maximum transmission unit (MTU) The maximum size of the protocol data unit (PDU) that each medium can transport.

Media Access Control (MAC) sublayer Data link sublayer that is responsible for encapsulating the IP packet into a frame, converting the frame into bits, and sending the bits out on the media.

Message Digest 5 (MD5) Cryptographic hash function that produces a 128-bit digest. Practical collision attacks have been known since 2004, so it must not be used for digital signatures, certificates, or any other purpose that depends on collision resistance; SHA-2 or SHA-3 should be used instead.

mounting Assigning a directory to a specific partition so that it can be accessed.

MS-DOS A disk operating system (DOS) created by Microsoft.

multicast A one-to-many delivery option where there is more than one destination for the message.

multilayer switches Also known as a Layer 3 switch, this device not only performs Layer 2 switching, but also forwards packets based on Layer 3 (and sometimes Layer 4) information.

multiplexing Many different conversations interleaved on the network.

N

Neighbor Advertisement (NA) IPv6 message sent by a host to reply to an NS message and includes the host’s MAC address; similar to an ARP reply in IPv4.

Neighbor Discovery Protocol (ND or NDP) A protocol that is part of the IPv6 protocol suite, used to discover and exchange information about devices on the same subnet (neighbors). In particular, it replaces the IPv4 ARP protocol.

Neighbor Solicitation (NS) IPv6 message sent by a host to determine the MAC address for a destination; similar to an ARP request in IPv4.

NetFlow Cisco IOS technology that provides statistics on packets flowing through a Cisco router or multilayer switch.

netstat Command that displays all of the active TCP connections and can be used to look for inbound or outbound connections that are not authorized.

Network Address Translation (NAT) Translates IP addresses from a private network into globally unique public IP addresses.

Network File System (NFS) A network-based file system, allowing file access over the network.

Network layer Provides services to exchange the individual pieces of data over the network between identified end devices.

network protocols Dictate the message encoding, formatting, encapsulation, size, timing, and delivery options.

network scanning tools Tools used to probe network devices, servers, and hosts for open TCP or UDP ports.

network TAP A passive splitting device, implemented inline between a device of interest and the network, that forwards all traffic including physical layer errors to an analysis device.

Network Time Protocol (NTP) Allows network devices and hosts to synchronize their time settings with an NTP server; consistent time is essential for correlating logs across systems during an investigation.

New Technology File System (NTFS) Most commonly used file system when installing Windows.

NextGen IPS Extends network security beyond IP addresses and Layer 4 port numbers to the application layer and beyond.

NIST 800-61r2 NIST standard that provides guidelines for incident handling and can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

non-blind spoofing Spoofing attack in which the threat actor can see the traffic that is being sent between the host and the target and can inspect the reply packet from the target victim.

non-discretionary access control Access control model in which access decisions are based on an individual’s roles and responsibilities within the organization.

O

octet An 8-bit byte.

Open Shortest Path First (OSPF) Link-state routing protocol. Hierarchical design based on areas. Open standard interior routing protocol.

Open Systems Interconnection (OSI) model A network architectural model developed by the ISO. The model consists of seven layers, each of which specifies particular network functions, such as addressing, flow control, error control, encapsulation, and reliable message transfer.

OS fingerprinting The process of using a variety of tools to identify the target’s operating system.

OSSEC Open Source SECurity; host-based intrusion detection system (HIDS) that is integrated into Security Onion.

P

packet analyzer Software that captures packets entering and exiting the network interface card (NIC).

packet crafting tools Tools used to probe and test a firewall’s robustness using specially crafted forged packets.

packet filtering (stateless) firewall Typically a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information, according to a set of configured rules.
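
As an added example (not part of the original glossary), the following Python model implements the matching logic behind two entries in this glossary, the access control list (ACL) and the packet filtering (stateless) firewall: rules are evaluated top-down, the first match decides, and an implicit deny applies when nothing matches. It also shows the main caveat of stateless filtering, an "established" rule that only inspects TCP flag bits and therefore passes any crafted packet with ACK set. The addresses, rules, and packets are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags that are set, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None matches any destination port
    established: bool = False        # stateless "established": ACK or RST bit set

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, pkt):
    """Top-down, first match wins. Returns (action, rule index), with
    ("deny", None) for the implicit deny at the end of every ACL."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Assumed inbound ACL on the outside interface of an edge router protecting 10.0.0.0/8.
INBOUND_ACL = [
    Rule("deny", src="10.0.0.0/8"),                             # anti-spoofing: our own range never arrives from outside
    Rule("permit", proto="tcp", established=True),              # replies to sessions opened from inside
    Rule("permit", proto="tcp", dst="10.0.0.5/32", dport=443),  # the public HTTPS server
    # implicit deny any
]


if __name__ == "__main__":
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    samples = [
        Packet("tcp", "203.0.113.7", "10.0.0.5", 443, syn),   # permitted by rule 2
        Packet("tcp", "203.0.113.7", "10.0.0.5", 22, syn),    # implicit deny
        Packet("tcp", "10.0.0.20", "10.0.0.5", 443, syn),     # spoofed source, rule 0
        Packet("tcp", "203.0.113.7", "10.0.0.9", 22, ack),    # crafted ACK: passes rule 1
    ]
    for pkt in samples:
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, sorted(pkt.flags), evaluate(INBOUND_ACL, pkt))
```

The last sample is the reason stateful firewalls exist: the ACK-only packet never completes a handshake, but it reaches the internal host, which is enough for ACK scans to map which ports a stateless filter leaves reachable.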

packet forwarding The process of switching that a router uses to accept a packet on one interface and forward it out of another interface.

packet sniffers Tools used to capture and analyze packets within traditional Ethernet LANs or WLANs.

Partition Boot Sector The first 16 sectors of an NTFS partition, which contain the boot code and the location of the Master File Table (MFT).

pass-the-hash An attack in which a threat actor with access to a user's machine extracts the stored password hashes (typically NTLM hashes from memory or the SAM database) and then uses the hashes directly to authenticate to other remote servers or devices, without having to crack them, because the authentication protocol accepts the hash in place of the password.

password cracker A tool that repeatedly makes guesses in order to discover the password and access the system.

patches An operating system update released periodically to address known vulnerabilities.

path determination The process by which a router builds and maintains a routing table of known networks and uses it to decide the path to forward a packet.

Payment Card Industry Data Security Standard (PCI DSS) Proprietary, non-governmental standard that specifies requirements for the secure handling of customer credit card data by merchants and service providers.

penetration testing A penetration test; it is the process of looking for vulnerabilities in a network or computer by attacking it.

personally identifiable information (PII) Any information that can be used to positively identify an individual.

pharming An attack that redirects users to a fraudulent site by compromising name resolution, for example by injecting entries into the local hosts file or by altering records on a DNS server or resolver.

phishing Social engineering attack in which a threat actor sends fraudulent email that appears to come from a legitimate source, hoping the recipient clicks a link, enters credentials, or downloads malicious code; when the message is custom-targeted at a particular individual or organization it is called spear phishing.

Physical layer Uses protocols that describe the mechanical, electrical, functional, and procedural means to activate, maintain, and deactivate physical connections for bit transmission to and from a network device.

physical topology A depiction of the physical connections and how end devices and infrastructure devices such as routers, switches, and wireless access points are interconnected.

ping A testing utility that uses ICMP echo request and echo reply messages to test connectivity between hosts.

piping Chaining commands together, feeding the output of one command into the input of another.

Point-to-Point Protocol (PPP) Provides a means of encapsulating packets for transmission over a serial link.

port A 16-bit number in the TCP or UDP header that identifies the sending or receiving application on a host; well-known ports (0 to 1023) are reserved for standard services, such as 80 for HTTP and 443 for HTTPS.

Port Address Translation (PAT) The process of mapping many internal addresses to a single public address by using port numbers to keep track of each conversation.

port mirroring Allows a switch to make duplicate copies of traffic passing through a switch, and then send it out a port with a network monitor attached.

Post Office Protocol version 3 (POP3) Enables clients to retrieve email from a mail server. Downloads email from the mail server to the desktop.

PowerShell An integrated program within Windows that provides a CLI for initiating commands.

Presentation layer Provides for common representation of the data transferred between application layer services.

pretexting Social engineering attack in which a threat actor calls an individual and lies to them in an attempt to gain access to privileged data.

private IPv4 address An address that is not unique, can be used by any internal network, and cannot be routed on the Internet.

privilege escalation An attack in which vulnerabilities in servers or access control systems are exploited to grant an unauthorized user, or software process, higher levels of privilege than they should have.

probabilistic analysis An analysis approach that uses statistical techniques to predict the probability that an exploit will occur based on the likelihood that prior events will occur.

processes An instance of an application that is being executed.

profiling Providing a baseline to serve as a reference point such as for a device’s or network’s expected performance.

protected health information (PHI) A subset of PII created by the medical community and regulated in the United States by the Health Insurance Portability and Accountability Act (HIPAA) and in the EU by the regulation called Data Protection.

protocol data unit (PDU) The form that an encapsulated piece of data takes at each layer of the OSI model.

protocol suite A set of protocols that work together to provide comprehensive network communication services.

public IPv4 address A unique address that can be globally routed on the Internet.

Public Key Infrastructure (PKI) A scalable architecture that includes software, hardware, people, and procedures used to securely exchange information between parties.

Q

quid pro quo Social engineering attack in which a threat actor requests personal information from a party in exchange for something like a free gift.

R

ransomware A type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system.

reconnaissance An attack used by threat actors to discover and map systems, services, and vulnerabilities.

recursion The action taken when a DNS server is asked to query on behalf of a DNS resolver.

recursive resolver A DNS server that recursively queries for the information asked in the DNS query.

registry A large database in which Windows stores all of the information about hardware, applications, users, and system settings.

Remote Authentication Dial-In User Service (RADIUS) An open AAA standard that provides the means for a router or switch to communicate with a AAA server.

resolver A DNS client that sends DNS messages to obtain information about the requested domain name space.

Resource Monitor Windows tool that provides more detailed information about the computer than the Task Manager, including process IDs, number of threads, memory, disk processes, and network processes.

resource record (RR) A format used in DNS messages that is composed of the following fields: NAME, TYPE, CLASS, TTL, RDLENGTH, and RDATA.

risk The likelihood that a particular threat will exploit a particular vulnerability of an asset and result in an undesirable consequence.

risk acceptance A decision that the cost of risk management options outweighs the cost of the risk itself.

risk avoidance An action that avoids any exposure to the risk.

risk limitation A strategy employing a bit of risk acceptance along with a bit of risk avoidance to limit a company’s risk exposure.

risk transfer Risk is transferred to a willing third party such as an insurance company.

Rivest ciphers (RC) A series of stream cipher encryption algorithms (RC2, RC4, RC5, and RC6) used to secure web traffic in SSL and TLS.

rootkit A set of software tools designed to increase a threat actor’s privileges, or grant access to portions of the software that should not normally be allowed.

rootkit detectors Directory and file integrity checkers used to detect installed rootkits.

round-trip time (RTT) The time a packet takes to reach the remote host and for the response from the host to return.

routed port A pure Layer 3 interface similar to a physical interface on a Cisco IOS router.

routers A device that operates at the network layer and uses the process of routing to forward data packets between networks.

Router Advertisement (RA) IPv6 message sent by routers to provide addressing information to hosts using Stateless Address Autoconfiguration (SLAAC).

Router Solicitation (RS) IPv6 message sent by hosts configured to use SLAAC requesting the addressing information sent in an RA message.

RSA An algorithm for public key cryptography, developed by Ron Rivest, Adi Shamir, and Leonard Adleman, based on the current difficulty of factoring very large numbers.

S

sandboxing A technique that allows suspicious files to be executed and analyzed in a safe environment.

Sarbanes-Oxley Act of 2002 (SOX) Designed to ensure the integrity of financial practices and reporting for all U.S. public company boards, management, and public accounting firms.

scareware Malware that includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat.

script kiddies Amateur hackers who have little or no skill and use existing tools or instructions found on the Internet to launch attacks.

Secure Hash Algorithm 1 (SHA-1) Algorithm developed by the U.S. National Institute of Standards and Technology (NIST) that uses a 160-bit hashed message.

Secure Hash Algorithm 2 (SHA-2) More secure than SHA-1; includes next-generation algorithms such as SHA-256, SHA-384, and SHA-512.

security artichoke A defense-in-depth approach that considers the borderless nature of today’s networks in which attackers only have to peel away a few leaves to get at a target, such as a remote worker who has VPN access to the corporate network.

security information and event management system (SIEM) A specialized device or software for security event management. It typically includes log collection, normalization, aggregation and correlation capabilities, and built-in reporting.

security onion A defense-in-depth approach that applies layers of defense that a threat actor must peel away to gain access to the assets of the organization.

Security Onion An open source suite of network security monitoring (NSM) tools for evaluating alerts.

Security Operations Center (SOC) Provides a broad range of services, from monitoring and management to comprehensive threat solutions and hosted security that can be customized to meet customer needs.

security policies Policies that identify a set of security objectives for a company, define the rules of behavior for users and administrators, and specify system requirements.

segmentation Dividing data into smaller, more manageable pieces to send over the network.

servers A computer with software that enables it to provide services to other computers.

Server Message Block (SMB) A client/server file sharing protocol that describes the structure of shared network resources, such as directories, files, printers, and serial ports.

service set identifier (SSID) A text value used in wireless LANs to uniquely identify a single WLAN.

services Programs that run in the background to support the operating system and applications.

session data A record of a conversation between two network endpoints.

session hijacking An attack in which a threat actor gains access to the physical network, and then uses a man-in-the-middle attack to hijack a session.

Session layer Provides services to the presentation layer to organize its dialogue and to manage data exchange.

Session Manager Subsystem (SMSS) Reads the registry to create the user environment, start the Winlogon service, and prepare each user’s desktop as they log on.

Sguil An open source console application for viewing alerts from IDSs, such as Snort.

Simple Mail Transfer Protocol (SMTP) Enables clients to send email to a mail server. Enables servers to send email to other servers.

Simple Network Management Protocol (SNMP) Allows administrators to manage end devices, such as servers, workstations, routers, switches, and security appliances, on an IP network.

smishing A phishing attack using SMS texting instead of email.

Snort An open source network-based intrusion detection system (NIDS) configured with rules for known exploits.

SOC Manager Professional who manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

social engineering A type of access attack that attempts to manipulate individuals into performing actions or divulging confidential information such as passwords and usernames.

socket The combination of the source IP address and source port number, or the destination IP address and destination port number.

Software-Optimized Encryption Algorithm (SEAL) A fast, alternative symmetric encryption algorithm to DES, 3DES, and AES that uses a 160-bit encryption key, has a lower impact on the CPU, but is still considered unproven.

source port Transport layer field value in the segment header dynamically generated by the sending device to identify a conversation between two devices.

Spanning Tree Protocol (STP) A protocol defined by IEEE standard 802.1d that allows switches and bridges to create a redundant LAN, with the protocol dynamically causing some ports to block traffic, so that the bridge/switch forwarding logic will not cause frames to loop indefinitely around the LAN.

spear phishing A phishing attack tailored for a specific individual or organization.

spoofing An attack in which one device attempts to pose as another by falsifying address data, such as an IP or MAC address, or spoofing a DHCP message.

spyware Malware used to gather information about a user and send the information to another entity without the user’s consent.

SQL injection An attack that consists of inserting a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database, and sometimes issue commands to the operating system.

stateful firewall A firewall that allows or blocks traffic based on state, port, and protocol.

Stateless Address Autoconfiguration (SLAAC) A feature of IPv6 in which a host or router can be assigned an IPv6 unicast address without the need for a stateful DHCP server.

state-sponsored hackers Hacking by either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations.

static route A route manually entered in a router’s routing table.

statistical data Data created through the analysis of other forms of network data.

stream ciphers Encrypt plaintext one byte or one bit at a time.

subnet mask Used to identify the network/host portion of the IPv4 address.

subnetting The process of dividing a network broadcast domain into a number of smaller broadcast domains.

superuser Administrator user in Linux who has absolute control over all aspects of the computer. Also known as the root user.

Suricata Network-based intrusion detection system (NIDS) that uses a signature-based approach.

swap file system Used by a Linux system to free up random access memory (RAM) by moving inactive RAM content to the swap partition on the disk.

Switch Port Analyzer (SPAN) Cisco version of port mirroring that is configured on the switch to select traffic of interest from an ingress port, copy it, and then forward it out the egress port.

switch virtual interface (SVI) A virtual VLAN interface for inter-VLAN routing. In other words, SVIs are the virtual-routed VLAN interfaces.

symbolic link Similar to a hard link; however, deleting a symbolic link will not delete the underlying file.

symmetric encryption Uses the same key to encrypt and decrypt data.

syslog protocol Allows networking devices to send their system messages across the network to syslog servers.

System Files Hidden files that store information about other volumes and file attributes.

T

tailgating A threat actor quickly follows an authorized person with a corporate badge into a badge-secure location.

Task Manager Windows tool that provides information about the current general performance of the computer.

tcpdump A command line packet analyzer that displays packet captures in real time or writes packet captures to a file.

TCP/IP protocol suite A common name for the suite of protocols developed by the U.S. Department of Defense in the 1970s to support the construction of worldwide internetworks. TCP and IP are the two best-known protocols in the suite.

Terminal Access Controller Access-Control System Plus (TACACS+) Cisco proprietary AAA standard that provides the means for a router or switch to communicate with a AAA server; considered more secure than RADIUS.

terminal emulator An application that provides the user access to the command line interface (CLI).

thread The smallest part of a process that is currently being executed by the computer.

threat A potential danger to an asset such as data or the network itself.

threat actor A person or entity that is responsible for the impact of a cybersecurity incident.

Tier 1 Alert Analyst A professional who monitors incoming alerts, verifies that a true incident has occurred, and forwards tickets to Tier 2, if necessary.

Tier 2 Incident Responder A professional who is responsible for deep investigation of incidents and advises remediation or action to be taken.

Tier 3 Subject Matter Expert (SME)/Hunter A professional who has expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. These professionals are experts at tracing the processes of the malware to determine its impact and how it can be removed. They are also deeply involved in hunting for potential threats and implementing threat detection tools.

Time to Live (TTL) A field in a packet that is decremented by one at each hop as the packet is routed from source to destination; if the value of the field reaches zero, the router drops the packet.

Tor A software platform and network of peer-to-peer (P2P) hosts that function as Internet routers and allows users to browse the Internet anonymously.

traceroute A utility that generates a list of hops that were successfully reached along the path from source to destination.

transaction data Consists of the messages that are exchanged during network sessions.

Transmission Control Protocol (TCP) Enables reliable communication between processes running on separate hosts. Provides reliable, acknowledged transmissions that confirm successful delivery.

Transport layer Defines services to segment, transfer, and reassemble the data for individual communications between the end devices.

Trivial File Transfer Protocol (TFTP) A simple, connectionless file transfer protocol. A best-effort, unacknowledged file delivery protocol. Utilizes less overhead than FTP.

Trojan horse Software that appears to be legitimate but contains malicious code which exploits the privileges of the user who runs it.

true negative An alert classification that means that no security incident has occurred.

true positive An alert classification that means the alert has been verified to be an actual security incident.

U

unicast A one-to-one delivery option where there is only a single destination for the message.

Unified Extensible Firmware Interface (UEFI) Designed to replace the Basic Input-Output System (BIOS) firmware.

unreliable Describes a protocol that does not have the capability to manage and recover from undelivered or corrupt data.

User Datagram Protocol (UDP) Enables a process running on one host to send packets to a process running on another host. Does not confirm successful datagram transmission.

V

virtual LANs (VLANs) A group of devices connected to one or more switches that are grouped into a single broadcast domain through configuration. VLANs allow switch administrators to place the devices connected to the switches in separate VLANs without requiring separate physical switches. This provides the design advantage of separating traffic without the expense of buying additional hardware.

virtual private network (VPN) A set of security protocols that, when implemented by two devices on either side of an unsecure network such as the Internet, can allow the devices to send data securely. VPNs provide privacy, device authentication, anti-replay services, and data integrity services.

virus A type of malware that propagates by inserting a copy of itself into another program.

vishing A phishing attack using voice and the phone system instead of email.

visual hacking Also called shoulder surfing, a social engineering attack in which a threat actor physically observes the victim entering credentials such as a workstation login, an ATM PIN, or the combination on a physical lock.

Vocabulary for Event Recording and Incident Sharing (VERIS) A set of metrics designed to create a way to describe security incidents in a structured and repeatable way.

vulnerability A weakness in a system or its design that could be exploited by a threat.

vulnerability brokers Usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.

vulnerability exploitation tools Tools that identify whether a remote host is vulnerable to a security attack.

vulnerability scanners Tools that scan a network or system to identify open ports or known vulnerabilities.

W

watering hole An attack in which the threat actor determines websites that a target group visits regularly and then attempts to compromise those websites by infecting them with malware that can identify and target only members of the target group.

weaponization Embedding the vulnerabilities of a victim’s assets into a tool that can be deployed.

whaling A spear phishing attack focused on big targets such as top executives of an organization.

white hat hackers Ethical hackers who use their programming skills for good, ethical, and legal purposes such as network penetration tests.

WHOIS A TCP-based protocol that is used to identify the owners of Internet domains through the DNS system.

window size The number of bytes that the destination device of a TCP session can accept and process at one time.

Windows Defender A suite of protection tools built into Windows.

Windows Management Instrumentation (WMI) Management infrastructure that can retrieve information about computer components, display hardware and software statistics, and monitor the health of remote computers.

wireless access point (AP) A device that connects wireless devices to a WLAN.

wireless hacking tools Tools used to intentionally hack into a wireless network to detect security vulnerabilities.

wireless LAN controller (WLC) Centralizes the administration of multiple APs and WLANs.

wireless LANs (WLANs) Use radio frequencies (RF) instead of cables at the physical layer and MAC sublayer of the data link layer to connect wireless devices to the network.

worms Malware similar to a virus, but a worm replicates itself by independently exploiting vulnerabilities in networks.

X, Y, Z

X Window System Graphical interface used in most Linux distros.

zombies A group of compromised hosts that run malicious code and continually attempt to self-propagate like a worm.

zone-based policy firewalls (ZPFs) Use the concept of zones; a zone is a group of one or more interfaces that have similar functions or features.
