Resources
Working in the domain I focus on requires a basic grasp of its terminology. To provide that context for interaction and sharing, I link below to the NIST glossary, an updated web publication from the National Institute of Standards and Technology that covers important networking and technology terms. Several PDF documents with additional networking information, a security-specific glossary, and informative vendor briefs for the applications and products used within this publication are also available for download and reference.
NIST, which publishes these resources on the web, is the leading subject matter authority on information security standards and practices. A nice feature of the NIST web glossary is that clicking a term gives a link to the NIST Special Publication in which the term appears in context. NIST also lists its many publications in a condensed format, such as NIST SP 800-192.
PDFs
Network Tables & Charts
Security Terms
YubiKey 5 Series
Open Source Personal Use Tools & Select Vendor List
Web Links:
Glossary
Please use these resources; they are both comprehensive and educational. Any gaps will be covered on this page and linked directly from the relevant post. The running glossary below compiles selected terms from the blog as needed, for convenient look-up, accurate understanding, and support of readers with diverse backgrounds and topic familiarity.
0-9
1
2
3
3-2-1 Backup Strategy: The 3-2-1 rule calls for three copies of your managed data (on two different media, one of them off-site). The production data resides on the active machine, a second copy on a local storage device like a NAS, and a third copy off-site, such as in the cloud, for disaster recovery. An example found within PD001 demonstrates the backup of a password database: the KeePass database resides on the primary computer with the application, is backed up to the local NAS, and the password database folder is then backed up to the cloud.
4
5
6
7
8
9
A
Application Programming Interface (API): An API is a software intermediary that allows two or more separate applications to talk to each other through a set of definitions and protocols. The contract between the two applications defines how they communicate in terms of requests and replies. For example, a mobile phone app sends a request to another application for the data it needs to update its display, so users always have the latest information available to them.
B
Bit: The smallest unit of computer information, a single binary (base-two) digit with the value 0 or 1.
Byte: A unit of digital information that contains eight bits and is typically used to represent a single ASCII character or one octet of an IPv4 network address. In an IPv4 address each octet is one byte long (e.g., in 192.168.1.10 the first octet, 192, is 11000000 in binary).
C
Chief Information Security Officer (CISO): A senior-level executive responsible for developing and implementing an information security program for the organization.
Cloud Service Provider (CSP): A firm that offers and establishes public clouds and manages private and on-demand cloud computing components. The data center services typically include Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
Common Platform Enumeration (CPE): A standard machine-readable format for encoding names of IT products and platforms. An authoritative CPE dictionary is maintained by NIST and used in its Security Content Automation Protocol program.
Common Vulnerabilities and Exposures (CVE): A public dictionary of disclosed vulnerabilities, each with a unique identifier. Entries are analyzed and scored with the Common Vulnerability Scoring System (CVSS) to evaluate the severity of a vulnerability in a device or system.
Computer Security Incident Response Team (CSIRT): This group of cybersecurity professionals responds to IT security incidents quickly and efficiently, using a prescribed methodology like PICERL and log data to minimize damage and restore service delivery. Often, this team is a subdivision of the Security Operations Center and employs a standard response protocol, which includes preparation, identification, containment, eradication, recovery, and lessons learned.
Credential Stuffing: The automated injection of stolen username and password pairs, collectively labeled account credentials, into website login forms to gain fraudulent access to user accounts.
Cybersecurity Engineer: Someone who manages hardware and software tools, and security policies for the protection of systems, networks, and data.
D
Data Exfiltration: A threat agent plants malware for unauthorized data removal or transfer from a computer or mobile device. Both external and internal threat agents can engage in such illicit activity.
Development, Security, and Operations (DevSecOps): This collaborative framework, and the teams built around it, makes security an integral part of the software development life cycle (SDLC). Security tooling, practices, and logging become an essential part of software development, improving secure coding so that vulnerabilities are minimized earlier in the CI/CD pipeline and deliverables are far less exploitable.
Dynamic DNS (DDNS): A service that automatically and periodically updates your DNS A (IPv4) or AAAA (IPv6) records when your IP address changes, compensating for the dynamic public IP address the ISP assigns. A fixed hostname/domain name is created on the DDNS provider's site as an A record for your IPv4 address. The home firewall/router or a server runs a client that updates the DDNS account (configured on the firewall) as your public IP changes, so the hostname always points to the correct site.
Dynamic IP Address: A dynamic IP address is a temporary address and the most common type of IP address. Dynamic addresses are provided by internet service providers (ISPs) and assigned using DHCP or PPPoE. In contrast, a static IP requires extra setup and additional fees from the ISP.
E
Endpoint Detection and Response (EDR): This integrated endpoint security solution or agent combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. Often an EDR is part of a more extensive system and beacons back to a gateway firewall or central web-based console that allows you to detect, investigate, and remediate advanced threats that are sophisticated and persistent enough to evade traditional perimeter defenses.
Extensible File Allocation Table (exFAT): Microsoft introduced this file system in 2006 and optimized it for flash memory, such as USB flash drives and SD cards. This successor to FAT32 is a middle ground between FAT32 and NTFS.
F
Full Tunnel VPN: Routes and encrypts ALL traffic and service requests through the VPN tunnel. Use it on public Wi-Fi so no traffic is exposed to snooping. Your IP address for both internal and external requests will be that of your home network.
G
H
Hash-based message authentication code (HMAC): A cryptographic authentication technique that computes a message authentication code from a hash function and a secret key, so the receiver can verify both the integrity and the authenticity of a message.
I
J
K
L
Log: An event log is a generated message or record containing information about activities within a computer operating system, application, network appliance, server, or cloud service. Logs can be used to recreate past events, find security flaws, or troubleshoot computer, cloud, application, or network operational issues.
LUN (logical unit number): This unique identifier defines a storage partition or slice of disk storage on a network device like a NAS. LUNs map to host machines as a network drive, allowing clients/servers to read or write to external storage space depending on set permissions.
M
MagicDNS (Tailscale): A feature that automatically registers DNS names for devices in your Tailnet.
Man in the Middle (MitM) Attacks: An attack in which communication between two parties, like a user and some resource (for example, a client PC and a web server), is intercepted. Attacker goals vary from stealing login credentials or account details to sabotaging communication; identity theft, unapproved fund transfers, or an illegal password change can result. Several techniques exist, including IP spoofing, DNS cache poisoning, and ARP spoofing. After intercepting traffic, an attacker chooses from several methods to control the session, for example session hijacking or SSL stripping, to forge a secure handshake or downgrade the HTTPS connection without alerting the end user or application.
Managed Security Service Provider (MSSP): A business that provides security monitoring and incident response for an organization’s networks and endpoints. This outsourced firm helps protect a business from security threats and offers a variety of security services.
N
National Institute of Standards and Technology (NIST): Computer Security Resource Center cybersecurity web glossary with source reference to the NIST Special Publication: https://csrc.nist.gov/glossary
Network Attached Storage (NAS): A NAS is a data storage device accessed over the network by internal clients, typically over a standard Ethernet (802.3) connection. A NAS can also support access from networks beyond the Local Area Network, i.e., over the WAN. Additionally, most NAS servers come with many practical applications for data backup and sharing and can connect to the cloud, allowing for a complete 3-2-1 backup strategy.
Next Generation Firewall (NGFW): A network security appliance that is used as the gateway firewall or edge device and improves upon standard firewall capabilities like stateful inspection. The firewall includes additional features like application awareness and control (Layer 7), integrated intrusion prevention, deep-packet inspection, cloud-delivered threat intelligence, and a host of applicable onboard packages that can be applied for improved security.
New Technology File System (NTFS): This NT file system is the primary file system for recent versions of Windows and Windows Server; it provides a complete set of features, including security descriptors, encryption, disk quotas, and rich metadata. The benefits of NTFS are bulleted below:
File compression performance
Security access control
Reliable file system consistency
Improved disk space utilization
File system journaling (MFT)
New Technology LAN Manager (NTLM): A suite of security protocols from Microsoft used to authenticate users’ identities and protect the integrity and confidentiality of their activity. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM hashes are stored in the Security Account Manager (SAM) database on the local machine, or in the NTDS database on a domain controller.
O
Open Authentication (OATH): The Initiative for Open Authentication publishes open standards specifying how one-time password (OTP) codes are generated. It specifies two open authentication standards: the counter-based HOTP and the time-based TOTP.
Open-source intelligence (OSINT): Collecting information from published or publicly available sources. Many OSINT tools have been developed to discover public-facing assets and identify relevant sensitive information outside a tightly defined network. Several OSINT tools are: Maltego, Metagoofil, Shodan, SpiderFoot, theHarvester, and Recon-ng.
P
Q
R
Ransomware: A malicious actor plants malware on a computer that encrypts files on the device, making the data unavailable to the legitimate user. The threat actor then demands that the victim pay a fee by a deadline to obtain a key that decrypts the files on the hard drive. The demand typically appears as a lock screen with details on the victim’s computer. The malware vector is typically an email attachment or URL, accompanied by a message of urgency that prompts the user to click the URL or open the attachment, so this type of attack has a social engineering component.
RFC1918: These are private IP addresses that a network device (e.g., a router’s DHCP server) or an enterprise assigns to the internal hosts that make up your LAN. Private addresses are not routable on the Internet. The RFC1918 address space includes the following networks:
10.0.0.0 – 10.255.255.255 (10/8 prefix)
172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
Routers employ NAT to map multiple local private addresses to a public one before transferring information to the WAN.
S
Security Accounts Manager (SAM): The SAM database file is found within C:\Windows\System32\config and is often a target for attackers using tools from the Metasploit Framework, PowerShell Empire (Mimikatz/sam), LaZagne, CrackMapExec, and others. Password hashes obtained from a SAM dump are user account credentials; they are fed into a password-cracking tool like John the Ripper to recover the plaintext password.
Security Operations Center (SOC Teams): A group of highly skilled individuals who maintain security monitoring tools and investigate suspicious activity, using a SIEM to correlate and analyze log data. Additional activities include triaging and prioritizing incidents as well as orchestrating remediation.
Service Set Identifier (SSID): The SSID is the name of a Wi-Fi network, the network name you see on your mobile device as available for connection. The SSID is the 1-32 byte alphanumeric name given to each ESS. Each AP advertises its presence several times per second by broadcasting beacon frames that carry the ESS name (SSID).
Security Information and Event Management (SIEM): An essential tool for SOC teams that relies on the data logs within a logging server to inspect event data and contextual data for analysis, reports, monitoring, anomaly detection (ML), incident investigation, and threat hunting.
Small Office Home Office (SOHO): A term typically associated with small, private businesses or self-employed individuals running their own office from home; it refers to the limited office size and number of employees.
Short Message Service (SMS): Commonly known as a text message, this is the service people use when texting each other between phones. Malicious actors also use it when trying to gather information from you or deliver malware as part of a social engineering campaign.
Split Tunnel VPN: IP traffic is only sent through a VPN tunnel if it is attempting to access an internal resource. When navigating to a site outside of your network (the Internet), your Public IP address will be the gateway address you are currently using.
T
Taildrop (Tailscale): This feature makes sending files between your personal devices on a Tailscale network easy. For example, sending files from your laptop or mobile device on your tailnet to your NAS allows quick data backup, much like Dropbox.
Tailnet (Tailscale): This is your private network. For personal users, a tailnet is many devices and one person. Each device gets a private Tailscale IP address in the CGNAT range, and every device can talk directly to every other device, wherever they are on the internet. For businesses and organizations, a tailnet is many devices and many users. It can be based on your Microsoft Active Directory, your Google Workspace, a GitHub organization, an Okta tenancy, or another identity provider namespace. All of the devices and users in your tailnet are visible to the tailnet administrators in the Tailscale admin console.
Tailscale SSH: A feature that allows Tailscale to manage the authentication and authorization of SSH connections on your tailnet.
Time-based one-time password (TOTP): A TOTP application generates a one-time code used as the second factor for login authentication. The unique six-digit code is derived from the current time and a shared secret, so each code is valid only for a short window.
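As an added example (not code from the original page or from any vendor named here), the Python below builds the HOTP and TOTP generators described in the OATH, HMAC and TOTP entries on top of HMAC-SHA1, following RFC 4226 and RFC 6238, and adds the server-side verification step with a small clock-drift window and a constant-time compare. The seed is the constructed demo seed from the public RFC test vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) built on HMAC, with a verifier."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Counter-based OTP: HMAC the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24   # clear the sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         algo=hashlib.sha1) -> str:
    """Time-based OTP: the HOTP counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = 30) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps to
    tolerate clock drift, comparing in constant time to avoid timing leaks."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed demo seed: the ASCII key used in the RFC 4226/6238 test vectors.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SECRET, 0))              # 755224
    print("TOTP at t=59 (8 digits):", totp(DEMO_SECRET, 59, 8))  # 94287082
    now = int(time.time())
    print("current code verifies:", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now))
```

A real authenticator app and server share the secret once (usually via a QR code) and then each compute these values independently, which is why both clocks must be roughly in sync.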
U
Unmanaged Devices: A device inside the assessment boundary that is unauthorized or unassigned and is only known to networking infrastructure. They present significant security risks for organizations as they provide attackers with an entry point into a corporate network. IP cameras, smart devices, connected printers, and personal mobile devices are examples of unmanaged devices.
User Interface (UI): It is a system of interactive visual components for computer software that displays objects that convey information and represent actions the user can take. Icons and other visual elements change color, size, or visibility when the user interacts with them. A GUI is a specific instance of UI.
User Space: This refers to all of the code in an operating system that lives outside of the kernel. Most Unix-like operating systems (including Linux) come pre-packaged with all kinds of utilities, programming languages, and graphical tools - these are user space applications.
V
Virtual Machine (VM): A software-defined version of a physical computer. Virtual machine software can run programs and operating systems, store data, connect to networks, and perform other computing functions. Like a physical machine, it requires maintenance, such as updates and system monitoring.
W
X
Y
YubiKey: A hardware security token that lets users add a second authentication factor to online services from tier 1 vendor partners. The YubiKey's form factor resembles a USB thumb drive, with models that connect to either Type-A or Type-C ports. A YubiKey typically has two logical slots and supports authentication and public key protocols (U2F, FIDO, FIDO2, NFC, OATH-HOTP, OpenPGP, PIV, etc.).
Z
Zero Trust: Because threat actors find their way into the LAN and network boundaries are now distributed, implicit trust is no longer valid. Least privilege access is the norm, or at least the direction things are headed. Zero trust assumes every endpoint is a potential threat and continuously monitors all users, applications, and devices on the network.