Ogolne

SCAP

Security Content Automation Protocol is an effort by the security community, led by the National Institute of Standardu and Technology to create a standarized sporach for communicating cyber security related information.

22/TCP

Secure Shell (SSH). Windows - uncommon, Linux - common

53/TCap and UDP

DNS. Windows - common (servers). Linux - common (servers)

80/TCP

HTTP. Windows - common (servers). Linux - common (servers)

125-139/TCP and UDP

NetBIOS. Windows - common. linux-occasional

38/TCP and UDP

LDAP. Windows - common (servers). Linux - common (servers)

3389/TCP and UDP

Remote Desktop Protocol. Windows - Common. Linux - uncommon

PowerShell

Built-in management, automation and scripting language tool for Windows

OpenSSL

An implementation of the TLS protocol and is often used to protect other services. if VPN or SSH arent a good much for protecting a trafić being sent through a network, OpenSSL is used

Real-time operating system (RTOS)

A RTOS is an operating system that is used when priority needs to be placed on processing data as it comes in

SCADA

A type of system architekture that combines data acquisition and Control devices, computers, communications capabilities, and an interface, to control and monitor the entire architecture.

RTU

Remote Telemetry Units (RTUs) collects data from sensors

PLC

Programmable Logic Controllers that controls and collects data from industrial devices like machines or robots

Internet of Things (IoT)

is a broad term that describes network-connected devices that are used for automation, sensors, security and similar tasks.

ephermal key

key that lasts long only to establish connection

Defense in depth

built around multiple controls design to ensure that a failure in a single or event multiple controls is unlikely to cause a security breach

Open Systems Interconnection (OSI)

this model is used to conceptually describe how devices and software operator together through networks

port security

a capability that allows you to limit the bimber of MAC addresses that can be used on a single port

fuzz testing

Fuzz testing or fuzzing is an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities.

Risk mitigation

is the process of applying security controls to reduce the probability and/or magnitudę of a risk

Wireshark

a packet analyzer that can be used to capture and analyse network traffic for forensics purposes

UEM, MDM, MAM

In summary, MDM primarily deals with managing mobile devices, UEM extends this management to various endpoint devices, and MAM focuses specifically on managing mobile applications and their associated data.

Bluesnarfing

theft od information from bluetooth enabled device

Bluejacking

when unwanted messages are sent to a device through bluetooth

evil maid

evil maid attack are inperson attack where attacker Tales advantage of physical Access to hardware to acquire information or to insert malicious software on a device

Multithread

Multithreading in IT refers to a programming technique where multiple threads within a single process execute independently, allowing tasks to run concurrently. It enables applications to perform multiple tasks simultaneously,

Variable

In information technology (IT), a variable is a symbolic name associated with a value or data storage location in computer memory. Variables are used to store and manipulate data within a program or a script

Nonce

In information technology (IT), a nonce (which stands for "number used once") is a value that is used only once within a specific context or session. Nonces are commonly used in security protocols to prevent replay attacks

Group Policy

group Policy is the easiest way to restrict the Access to the OS components and resources by defining a set of rules that control the working environment of user account and computer accounts

SET

Secure Electronic Transaction or SET is a system that ensures the security and integrity of electronic transactions done using credit cards in a scenario. SET is not some system that enables payment but it is a security protocol applied to those payments.

Failover

Failover is the process of automatically switching to a standby or backup system in case the primary system fails. This ensures continuity of service and minimizes downtime.

Redundancy

Redundancy involves having duplicate or backup components in a system to provide resilience against failures. Redundancy can be implemented at various levels, such as hardware redundancy

Cable lock

Cable locks typically consist of a flexible steel cable with a locking mechanism at one end. They are commonly used to secure items like bicycles, laptops, or luggage. Cable locks often have a combination or key-operated locking mechanism.

Keypad locks

Keypad locks, also known as electronic or digital locks, utilize a keypad for entry instead of a traditional key. Users enter a pre-set code or PIN to unlock the device. Keypad locks are often found on doors, safes,

Padlocks

Padlocks are traditional locks that consist of a detachable locking mechanism (the shackle) and a body. The shackle is typically secured through a loop or hasp and can be locked in place using a key or combination.

STIX vs TAXII

In summary, STIX is a language for describing cyber threat information, while TAXII is a protocol for exchanging that information between organizations. They work together to enable standardized and automated sharing of threat intelligence cyber threats.

backdoors

ar methods or tools that provide Access that bypass normal authenticstion and authorization procedures

Bots

Bots are remotely controlled Systems or devices that have a malware infection. Many botnet command and Control Systems operate in a client-server mode

TCB

TCB stands for Trusted Computing Base. It's the core components of a computer system responsible for enforcing security policies and maintaining system integrity. Security Kernel is the core of TCB and consist of hardware software and firmware

SPIM

Messaging spam, sometimes called SPIM,[1][2][3] is a type of spam targeting users of instant messaging (IM) services, SMS, or private messages within websites

Digital signature

mathematical way of veryfing the authenticity of the document

Fast flux

is a domain name system(DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master

Bastion Host

is the first line of defence for a networks security and is another name for a lock down system. A bastion Host is usually a highly exposed device because IT is a first line in a network security

UEM

Universal Endpoint management tool can manage desktops, laptops, mobile devices, primters and other devices

Wireshark

can be used to capture and analyse Session Initiation Protocol (SIP) traffic on a network.

Stateful inspection

Stateful inspection is a firewall technology that monitors the state of active connections and tracks the state of network connections in order to determine whether incoming packets are allowed or denied

Tools to search for rootkits

chkrootkit and rkhunter

How to get rid of rootkit?

Rootkits are designed to hide from antimalware scanners and can often defeat locally run scans. 1. Mounting the drive in another system in read-only mode. 2. Booting from a USB drive and scanning using a trusted, known good operating system

Stealth virus

A stealth virus is a type of virus that actively hides its presence from detection by antivirus software or other security measures. It achieves this by altering its code or behavior to evade detection.

Polymorphic virus

is a virus that can change its appearance or signature each time it infects a new file or system. This makes it difficult for antivirus software to detect because the virus presents a different pattern or signature each time it infects a new file.

Pharming

Pharming attacks redirect traffic away from legitimate websites to malicious versions. Pharming typically requires a successful technical attack that can changed DNS entries on a Local PC or on a trusted Local DNS server

Pretexting vs prepending

Pretexting involves creating a fabricated scenario or false identity to deceive someone into providing information or taking action. prepending involves adding content or data at the beginning of something, adding text to the beginning of document

Virus hoax

virus hoax is a false warning about a computer virus. Typically, the warning arrives in an email note or is distributed through a note in a company's internal network.

Hybrid warfare

the use of a range of different methods to attack an enemy, combines active cyberwarfare, influence campaigns, and real world direct action. This makes hybrid warfare almost exclusively the domain of nation stare actors

brute force vs dictionary attack

A brute force attack systematically tries every possible combination of characters until it finds the correct password. a dictionary attack uses a list of commonly used passwords or words from a dictionary to attempt to gain unauthorized access.

Hash

one way cryptographic function that takes an inout and generates a unique and repeatble output from that input. no two inputs should be same, it shouldnt be reversible

Malicious flash drive

any storage device, not necessarily limited to USB drives, that has been altered or infected with malware. These devices can include SD cards, external hard drives, or any other type of removable storage.

Skimming attack

is a type of cybercrime in which a malicious actor uses a device to steal sensitive information, typically payment card data, from unsuspecting individuals. This is often done at point-of-sale terminals, ATMs, or other payment processing systems.

Pharming

pharming attacks use web pages that are designed to look like a legitimate site but that attemot to capture information like credential

what is safest protocol replacing Telnet?

Secure Shell (SSH)

what is more secure solution instead of FTP?

Secure File Transfer Protocol (SFTP) and FTP-Secure

footprinting

Footprinting (also known as reconnaissance) is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker might use various tools and technologies.

war driving

when testers drive by facility in a car ewuipped with high-end antenas and attemot to eavesdrop on or connect to wireless network

UAV

unmanner aerial vehicle

Exploitation framework

such as Metasploit simplify the use od Vulnerabilities by providing a modular approach to configuring and deploying vulnerability exploits

Techniques used by IDS

1. Anomaly detection,2. Signature detection, 3. Target monitoring,4. Stealth probes

OAuth

is an open standard for token based authenticstion and authorization on the internet that allows this party services that a user account information is used without sharing a password

DNS poisoning

also known as cache poisoning. Here a rough machine caches the DNS replies from a DNS server and uses the information fraudulently to redirect the victims browser to attacker site

ARP poisoning

Address Resolution Protocol (ARP) poisoning, convinces the network that the attacker's MAC address is the one Associated with the victims address IP. in the result the traffic sent to that IP address is wrongly sent to attacker machine

88 port

Kerberos

SNMP

161

HTTPS

443 port

FTP

21 port

Infraded images

refers to the use of infrared (IR) cameras or sensors to capture images in the infrared spectrum. These cameras are capable of detecting thermal radiation emitted by objects, allowing them to produce images even in low light or complete darkness.

DNS vs domain hijacking

domain hijacking involves unauthorized changes to the registration information of a domain name, while DNS hijacking involves unauthorized modifications to the DNS records that map domain names to IP addresses.

SDLC

1. Gather requirenents 2. Design 3. Implement 4. Test/Validate 5. Deploy 6. Maintain

Spiral

1. Identification 2. Design 3. Build 4. Evaluation

toolchain

colection of tools that improve coding, bulding and test, packaging, releass, Configuration and Configuration management and monitoring ekements of a software developement life cycle

CI / CD

Continuous Integration - a developemtn practice that checks code into a share repository on a comsistent ongoing basis. Continuous Deployment - rolls out tested changes inti production automatically as soon as they have been tested

API

Application Progrmaming interface interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond. programs written in any language canuseit

Blind Time based SQL injection attack

uses the amount of time required to process a query as a channel for retriving information from a database

what tools can be used for automated blind time based attacks?

SQLmap and Metasploit

Session reply attack

Once the attacker has the cookies, they may perform cookie manipulation to alter the details sent back to the website or simply use the cookie as the badge required to gain Access to the website

NTML

NTLM jest jednym z popularnych protokołów używanych przez komputery z systemem Windows do uwierzytelniania się w sieci. Jego wersja druga stworzona została przez Microsoft i wypuszczona na świat razem z premierą Windows 2000

how to protect against Session reply attack?

by using secure cookies, that are never transmited over unencrypted HTTP connection

NTLM pash the hash attack

form of reply attack that takes place against the operating system rather than web app. the attacker begins by gaining access to windows system and then harvest stored NTLM password hashes. they can try use hashes to gain user or admin Access to AD domain

Insecure Direct Object References

if app is design to directly retrieve information from database based on argument provided by user on either query string or POST request, if the app doesnt perform authorization checks user may be permitted to view information that exeeds their authority

Directory traversal attacks

when web server allow to navigate directory paths and filesystem access controls dont properly restrict acces to files stored elsewhere on the server jn the same directory

Shadow password

A shadow password file, also known as /etc/shadow, is a system file in Linux that stores encrypted user passwords and is accessible only to the root user, preventing unauthorized users or malicious actors from breaking into the system.

reflected XSS

reflected cross site scripting attack occur when app allows reflected input, that allows to oerform HTML injection and insert attacker HTML code into webcpage

Stored/persistent XSS attack

they remain on the server even when the attacker isn't actively waginf an attack

Request forgery attack

exploit trust relationships and attemot to have users unwittingly execute commands against a remote system. two forma: cross site rewuest forgery (CSRF/XSRF) and server side request forgery (SSRF)

difference between XSS and CSRF attacks

In summary, XSS attacks focus on injecting malicious scripts into web pages to exploit other users' browsers, while CSRF attacks exploit the trust a website has in a user's authenticated session to perform unauthorized actions on behalf of the user.

difference between SSRF and CSRF attacks

In essence, CSRF attacks manipulate user-initiated actions, while SSRF attacks manipulate the server's ability to make requests.

how to protect against CSRF/XSRF attacks?

1) create web application that uses secure tokens 2) sites should chęck the refering URL in requests receivwd from end users and only accept requests originated from their own site

Parameter pollution

one technique that attackers have successfully used to defeat input validation controls it works by sending a web application more than one value for the same inout variable

WAF

Web Application Firewall - function similarly to network firewalla but they work at the application layer. WAF sits in front of web server and receives all network traffic headed to that server. It then scrutinizes the jnput headed to the application

database normalization

set of design principles that database designers should follow when building and modifying databases. Advantages: 1. prevent data inconcistnecy 2. prevent update anomalies 3. reduce the need for restructuring existing DB 4. make DB schema more infomrative

Parameterized Queries

protect applications against injection attack, the client doesnt directly send SQL code to DB server. instead the client sends argument to the server, which then inserts those arguments info a precompiled query template. example: stored procedures

Code signing

provides developer with a way to confirm the authenticity of their code with their own private key and then browsers can use the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized

SDK

Software developement kits - collections of software libraries combined with documentation, examples and other resources designed to help programmers get up and running quickly in a developement environment.

Code integrity measurement

use cryptographic hash functions to verify that the code being released into production matches the code that was previously approved

Buffer overflow

when an attacker manipulates a program into placing more data into an area of memory than is allocated for that programs use. The goal is to over-write other information in memory with instructuins that may be executed by a different proces running on it

Integer overflow

variant of a buffer overflow where the result of an arithmetic operation attempts to store an integer that is top large to fir in the specific buffer

Race condition

when the security of code segment depends upon the sequence of events occuring within the system. Time-of-check-to-time-of-use (TOCTTOU or TOC/TOU) is a race condition when a program checks Access permission too far in advance of a resources request

what is the protection against malicious drivers?

code signing

Device drivers

serve as the software interface between hardware and the operating system. They require low-level Access to the operating system and run with administrator priviledges.

Shimming

one of the driver manipulation attacks- attackers without the Access to the driver source code can use this technique, take a legitimate driver and wraps a malicious driver around the outside of it. Shim -malicious driver

SDN

SDN stands for Software Defined Network which is a networking architecture approach. It enables the control and management of the network using software applications

Space and time partitioning

Space and time partitioning are techniques used in computer science and engineering to allocate resources (such as memory, processing time, or network bandwidth) among multiple users or applications.

Jamming

Jamming refers to the intentional interference with wireless communications, such as radio signals, Wi-Fi networks, or cellular networks, to disrupt their normal operation