Hello everyone!
Today, we will explore the essential terminology that you should learn if you work in the Cybersecurity, Information Security, or Penetration Testing domain. Let's get started.
Cyber Security
Information Security
Network Security
Application Security
Information protection:
Information Assurance:
Hacking
Hacker
- Black hat hacker: a malicious or destructive user; offensive approach
- White hat hacker: defensive approach, also known as a Security Analyst
- Gray hat hacker: works both defensively and offensively
- Suicide hacker: not worried about the consequences of breaking cyber laws
- Script kiddies: unskilled hackers who compromise systems using tools and knowledge developed by others
- Cyber terrorist: a group of hackers motivated by religious or political beliefs
- State sponsored: hackers employed by governments
- Hacktivists: hackers who promote a political agenda.
Vulnerability
Vulnerability Scanning
It is the process of scanning a network for known vulnerabilities using automated tools such as Nessus, Nexpose, OpenVAS, etc.
Methodology of VA (Vulnerability Assessment): A security tester runs a vulnerability scan against a defined scope on an internal or external network, then prepares a report based on the scan findings.
- Helps identify risks, vulnerabilities and patch-management gaps
- Fully automated approach
- Scope and time restrictions
- Testing frequency as per compliance standards, e.g., quarterly or annually
Penetration Testing
Methodology of PT (Penetration Testing): A security tester goes beyond the vulnerability scan and attempts to find additional vulnerabilities through manual testing. The tester also attempts to exploit all vulnerabilities found, trying to break into systems and gain sensitive access.
- Confirms exploitability and helps reduce false positives
- Hands-on approach that goes beyond automation
- Significantly more expensive than a vulnerability scan, depending on network size and scope
- Testing frequency as per compliance standards, e.g., quarterly, bi-annually or annually.
Threat
Impact
Risk
- Risk = Threat (likelihood) + Vulnerability Impact
Exploit
Payload
Hack Value
It is the notion among hackers that something is worth doing or is interesting.
Zero-day Attack
An attack that exploits computer application vulnerability before the software developer releases a patch for the vulnerability.
Daisy-chaining
It involves gaining access to one network or computer and then using the information obtained there to gain access to multiple other networks or computers that contain desirable information.
Doxing
Publishing personally identifiable information about an individual collected from publicly available databases and social media.
Bot
A bot is a software application that can be controlled remotely to execute or automate predefined tasks.
IP Address
- IP Address stands for Internet Protocol Address.
- IPv4 uses 32-bit (four-byte) addresses written in dotted-decimal notation, whereas IPv6 uses 128-bit addresses written in hexadecimal notation.
- The IP address of a device can be retrieved from its MAC address using the RARP protocol.
- An IP address is the logical address of a computer.
- An IP address identifies the device's connection on the network.
- IP addresses operate at the network layer.
- IPv4 uses classes A, B, C, D, and E for addressing:
- Class A: 1-126
- Loopback range: 127
- Class B: 128-191
- Class C: 192-223
- Class D: 224-239
- Class E: 240-254
MAC Address
- MAC Address stands for Media Access Control Address.
- A MAC address is a six-byte (48-bit) hexadecimal address written as 6 groups of 2 hexadecimal digits, separated by either hyphens (-) or colons (:).
- The MAC address of a device can be retrieved from its IP address using the ARP protocol.
- A MAC address is the physical address of a computer.
- A MAC address simply identifies the device (its network interface).
- MAC addresses operate at the data link layer.
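As an added example (not code from the original post), the following Python script puts the IP Address and MAC Address definitions above to work: it classifies an IPv4 address by the classful ranges listed in the post (treating 127 as loopback), recognises IPv6 separately, and validates and normalises a MAC address written with either hyphens or colons. The OUI (vendor prefix) and the locally-administered bit are standard MAC address properties, not something the post mentions; the sample addresses are constructed for the demo.

```python
import ipaddress
import re

# Constructed sample inputs for the demo (not taken from the original post).
SAMPLE_IPS = ["10.1.2.3", "127.0.0.1", "172.16.5.9", "203.0.113.7",
              "224.0.0.252", "250.1.1.1", "2001:db8::1", "not-an-ip"]
SAMPLE_MACS = ["00-1A-2B-3C-4D-5E", "02:00:5e:ab:cd:ef", "001A.2B3C.4D5E"]

# Six hex byte pairs separated by '-' or ':'; the back-reference forces one consistent separator.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def ipv4_class(text):
    """Return the classful range of an address by its first octet ('A'..'E' or
    'loopback'), 'ipv6' for a valid IPv6 address, or None if the text is not an
    address at all (or is the reserved 0.x.x.x block)."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version == 6:
        return "ipv6"
    first = addr.packed[0]           # first octet as an integer
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"                   # multicast
    if first >= 240:
        return "E"                   # reserved; 255.255.255.255 is the limited broadcast
    return None                      # 0.x.x.x ("this network")


def normalize_mac(text):
    """Accept either hyphen- or colon-separated form and return the canonical
    lower-case colon form, or None if the text is not a 48-bit MAC address."""
    if not _MAC_RE.match(text):
        return None
    return text.replace("-", ":").lower()


def oui(mac):
    """First three bytes: the vendor prefix (OUI) that makes a MAC identify a device."""
    canonical = normalize_mac(mac)
    return None if canonical is None else canonical[:8]


def is_locally_administered(mac):
    """Bit 1 of the first byte set means the address was assigned locally
    (e.g. a randomized or cloned MAC) rather than burned in by the vendor."""
    canonical = normalize_mac(mac)
    if canonical is None:
        return None
    return bool(int(canonical[:2], 16) & 0x02)


if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(f"{ip:>16} -> {ipv4_class(ip)}")
    for mac in SAMPLE_MACS:
        print(f"{mac:>20} -> {normalize_mac(mac)} oui={oui(mac)} local={is_locally_administered(mac)}")
```

Normalising MAC addresses before comparing them matters in practice: inventory tools, switch logs and DHCP leases write the same address with different separators and case, and a locally-administered address (second hex digit 2, 6, A or E) is a hint that the address was set by software rather than by the vendor.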
Ping
- PING: Packet Internet Groper.
- Ping is a utility used to test the reachability of a host on an Internet Protocol (IP) network.
- Ping uses ICMP echo request (and the matching echo reply) messages; ICMP is a layer 3 protocol.
Port
Port Scanning
Traceroute/Tracert
When do we use traceroute/tracert?
CIA Triad
- Confidentiality: Ensure the sensitive information is accessed only by an authorized user.
- Integrity: It means that the information is in the right format and has not been altered.
- Availability: Ensure the data and resources are available for users who need them.
Cryptography
Symmetric Algorithm
- The same key is used for encryption and decryption. Encryption is fast but more vulnerable. DES, 3DES, AES and RC4 are examples of symmetric algorithms.
- Confidentiality can be assured with symmetric encryption.
- Examples:
- DES
- Data Encryption Standard.
- Takes 64 bit blocks input to encrypt.
- Key size: 56-bit key plus 8 parity bits (64 bits in total).
- 3DES
- Triple DES (Data Encryption Standard).
- 3DES uses 3 different keys of 56 bits each.
- First encrypt with the 1st key, then decrypt with the 2nd key, and then encrypt the result again with the 3rd key.
- AES
- Advanced Encryption Standard
- AES uses 128-bit, 192-bit, and 256-bit key sizes; the block size is 128 bits.
- IDEA
- International Data Encryption Algorithm
- Takes 64 bit blocks input to encrypt.
- IDEA uses a 128-bit key size.
- Blowfish
- Takes 64 bit blocks input to encrypt.
- Blowfish uses variable length of key size (32-bit - 448-bit)
- Twofish
- Successor to the Blowfish algorithm
- Takes 128-bit blocks of input to encrypt.
- Twofish uses 128-bit, 192-bit, and 256-bit key size.
- RC4
- Rivest Cipher
- It uses Stream Cipher
- RC4 uses variable key size from 40-bits to 2048-bits
- RC5
- Rivest Cipher
- It uses Block Cipher
- RC5 uses variable key size upto 2048-bits
- RC6
- Rivest Cipher, proposed as a replacement for DES
- It uses Block Cipher
- RC6 uses variable key size upto 2048-bits
Asymmetric Algorithm
- A different key is used for encryption and decryption (a pair of public and private keys). Encryption is slow due to heavy computation. DH (Diffie-Hellman) and RSA are examples of asymmetric algorithms. It is often used for securely exchanging secret keys.
- Key distribution can be challenging with asymmetric encryption.
Encoding
Encryption
Hashing
SSL/TLS Handshake
- The 'client hello' message: The client initiates the handshake by sending a "hello" message to the server with the TLS versions the client supports, the cipher suites it supports, and a string of random bytes known as the client random.
- The 'server hello' message: In reply to the client hello message, the server sends a message containing the server's SSL certificate, the server's chosen cipher suite, and the "server random," another random string of bytes that's generated by the server.
- Authentication: The client verifies the server's SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the actual owner of the domain.
- The premaster secret: The client sends one more random string of bytes, the "premaster secret." The premaster secret is encrypted with the public key and can only be decrypted with the private key by the server. (The client gets the public key from the server's SSL certificate.)
- Private key used: The server decrypts the premaster secret.
- Session keys created: Both client and server generate session keys from the client random, the server random, and the premaster secret. They should arrive at the same results.
- Client is ready: The client sends a "finished" message that is encrypted with a session key.
- Server is ready: The server sends a "finished" message encrypted with a session key.
- Secure symmetric encryption achieved: The handshake is completed, and communication continues using the session keys.
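The "session keys created" step above says both sides derive the same keys from the client random, the server random and the premaster secret. The following Python script, added here as an example and not part of the original post, implements the actual TLS 1.2 key derivation from RFC 5246 (the HMAC-based PRF, the 48-byte master secret, and the key-expansion split into per-direction write keys) using only the standard library, and simulates both endpoints arriving at identical keys. The client random, server random and premaster values are constructed for the demo; in a real handshake they come from the two hellos and the key exchange.

```python
import hashlib
import hmac


def p_hash(secret, seed, length, hashfn=hashlib.sha256):
    """TLS 1.2 data-expansion function P_hash (RFC 5246, section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..., truncated to `length`."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashfn).digest()
        out += hmac.new(secret, a + seed, hashfn).digest()
    return out[:length]


def prf(secret, label, seed, length, hashfn=hashlib.sha256):
    """PRF(secret, label, seed) = P_hash(secret, label + seed).
    SHA-256 for most suites; suites whose name ends in SHA384 use SHA-384 here instead."""
    return p_hash(secret, label + seed, length, hashfn)


def master_secret(premaster, client_random, server_random, hashfn=hashlib.sha256):
    """48-byte master secret; both sides compute this from the same three inputs."""
    return prf(premaster, b"master secret", client_random + server_random, 48, hashfn)


def session_keys(premaster, client_random, server_random, mac_len, key_len, iv_len,
                 hashfn=hashlib.sha256):
    """Expand the master secret into the per-direction write keys.
    Note the randoms are concatenated server-first for key expansion."""
    master = master_secret(premaster, client_random, server_random, hashfn)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len), hashfn)
    names = ["client_write_mac_key", "server_write_mac_key", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# Constructed demo values; a real client and server generate these at random / via RSA or ECDHE.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PREMASTER = b"\x03\x03" + bytes([0xAA] * 46)   # RSA-style premaster: 2-byte version + 46 random bytes


def demo():
    """Simulate both ends deriving keys for an AES_128_GCM suite
    (no separate MAC key, 16-byte key, 4-byte implicit IV) and compare them."""
    client_side = session_keys(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM, 0, 16, 4)
    server_side = session_keys(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM, 0, 16, 4)
    return client_side == server_side


if __name__ == "__main__":
    print("both sides agree:", demo())
    for name, value in session_keys(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM, 0, 16, 4).items():
        print(f"{name:22} {value.hex()}")
```

The design point worth noticing is that the premaster secret alone is not the session key: mixing in both randoms means that even if a premaster were ever repeated, the derived keys differ per handshake, and the client and server write keys are distinct so traffic in one direction cannot be replayed as the other.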
TLS Algorithm
TLS 1.2 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, a cipher suite is made up of four ciphers:
- Key exchange algorithm: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral); others are RSA and DH.
- Authentication algorithm: ECDSA (Elliptic Curve Digital Signature Algorithm); others are RSA and DSA.
- Bulk Data Encryption: AES_256_GCM
- Message authentication code (MAC) algorithm: SHA384
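To make the four-part structure concrete, here is a small Python parser for TLS 1.2-style cipher suite names, added as an example (not from the original post). It splits a name such as TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 into key exchange, authentication, bulk encryption and MAC/PRF hash, and then assesses it the way a configuration review would: flagging deprecated components (RC4, MD5, NULL, DES/3DES, export and anonymous suites) and noting whether the key exchange provides forward secrecy. The list of weak tokens and the forward-secrecy rule are my assumptions for the example, not something the post states.

```python
# Tokens whose presence in a suite name should be treated as a finding (assumed list for this example).
WEAK_TOKENS = {"RC4", "NULL", "DES", "3DES", "EXPORT", "MD5", "anon", "ANON"}
# Ephemeral Diffie-Hellman variants give forward secrecy; static RSA/DH key exchange does not.
FORWARD_SECRET_KX = {"ECDHE", "DHE"}


def parse_cipher_suite(name):
    """Split a TLS 1.2-style suite name (TLS_<kx>_<auth>_WITH_<bulk>_<hash>) into its four parts.
    A single token before WITH (e.g. TLS_RSA_WITH_...) means that algorithm does both
    key exchange and authentication."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style cipher suite name: {name}")
    head, tail = name[len("TLS_"):].split("_WITH_", 1)
    head_tokens = head.split("_")
    if len(head_tokens) == 1:
        kx = auth = head_tokens[0]
    else:
        kx, auth = head_tokens[0], "_".join(head_tokens[1:])
    tail_tokens = tail.split("_")
    return {
        "key_exchange": kx,
        "authentication": auth,
        "bulk_encryption": "_".join(tail_tokens[:-1]),
        "mac_or_prf": tail_tokens[-1],   # HMAC hash for CBC suites; PRF hash for AEAD (GCM/CCM) suites
    }


def assess_cipher_suite(name):
    """Parse the suite and list review concerns: weak components and lack of forward secrecy."""
    parts = parse_cipher_suite(name)
    tokens = set(name.split("_"))
    concerns = sorted(t for t in tokens if t in WEAK_TOKENS)
    forward_secrecy = parts["key_exchange"] in FORWARD_SECRET_KX
    if not forward_secrecy:
        concerns.append("no forward secrecy (static key exchange)")
    return {**parts, "forward_secrecy": forward_secrecy, "concerns": concerns}


if __name__ == "__main__":
    # Constructed sample list, as it might appear in a server configuration.
    for suite in ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_WITH_RC4_128_MD5",
                  "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"]:
        result = assess_cipher_suite(suite)
        print(f"{suite:45} fs={result['forward_secrecy']} concerns={result['concerns']}")
```

Running it over a server's configured suite list is a quick way to spot the ones to retire: anything without an ephemeral key exchange means a leaked server private key would decrypt recorded past sessions.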
Cipher Suite
Block Cipher
- Both block ciphers and stream ciphers belong to the symmetric-key cipher family. These methods are used for converting plaintext into ciphertext.
- A block cipher converts plaintext into ciphertext by taking a block (such as a 64-bit block) of plaintext at a time. AES, DES, 3DES, etc. are examples of block ciphers.
Stream Cipher
- Both block ciphers and stream ciphers belong to the symmetric-key cipher family. These methods are used for converting plaintext into ciphertext.
- A stream cipher converts plaintext into ciphertext by taking 1 byte (8 bits) of plaintext at a time. RC4 is an example of a stream cipher.
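Because the post lists RC4 under both the symmetric algorithms and as the stream cipher example, here is a pure-Python RC4 implementation, added as an illustration and not code from the original post. It shows the two properties the text describes: the same key (and the same function) both encrypts and decrypts, and the cipher processes one byte at a time, so ciphertext length equals plaintext length with no padding. It also demonstrates, from the defender's side, why reusing a stream-cipher key is fatal: XORing two ciphertexts made with the same keystream cancels the keystream entirely. RC4 is deprecated (RFC 7465 prohibits it in TLS) and appears here only because its structure is short enough to read; the plaintexts are constructed for the demo, and the ciphertext values checked are the published RC4 test vectors.

```python
def rc4_keystream(key):
    """RC4 key scheduling (KSA) then the output generator (PRGA),
    yielding one keystream byte at a time."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):                           # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                    # PRGA: keep permuting, emit one byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Stream-cipher encryption: XOR each plaintext byte with the next keystream byte.
    The same call decrypts (symmetric key; XOR is its own inverse). No padding, so
    len(ciphertext) == len(plaintext)."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def keystream_reuse_leak(ct1, ct2):
    """Why a stream-cipher key must never be reused: c1 XOR c2 == p1 XOR p2, because the
    shared keystream cancels out. No key is needed to obtain that relationship."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")
    print(ct.hex())                      # bbf316e8d940af0ad3 (published RC4 test vector)
    print(rc4(b"Key", ct))               # b'Plaintext'
    p1, p2 = b"meeting at noon", b"meeting at nine"   # constructed demo messages
    leak = keystream_reuse_leak(rc4(b"Key", p1), rc4(b"Key", p2))
    print(leak == bytes(a ^ b for a, b in zip(p1, p2)))   # True: the key dropped out entirely
```

This keystream-reuse property is exactly what broke WEP (listed under the wireless protocols below), which ran RC4 with a 24-bit IV that repeated quickly; modern designs such as AES-GCM carry a per-message nonce for the same reason.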
Confusion
Diffusion
Wireless Encryption and Protocols
- WEP - Wired Equivalent Privacy
- WPA - WiFi Protected Access
- WPA-PSK, also called WPA-Personal, uses both TKIP and AES.
- WPA2 - WiFi Protected Access 2
- WPA2-PSK uses CCMP and AES.
- WPA3 - WiFi Protected Access 3
- EAP - Extensible Authentication Protocol
- TKIP - Temporal Key Integrity Protocol, with 128-bit key size.
- CCMP - Counter Mode Cipher Block Chaining Message Authentication Code Protocol.
- AES - Advanced Encryption Standard.
OSI Model
TCP/IP Model
TCP/IP stands for Transmission Control Protocol/Internet Protocol. It is specifically designed as a model to offer a highly reliable, end-to-end byte stream over an unreliable internetwork.
Difference between OSI and TCP/IP Model
Authenticated Scan
Unauthenticated Scan
Reverse Shell
Bind Shell
Encrypted Shell
CVSS
Base Score
- Attack vector
- Attack Complexity
- Privileges required
- User Interaction
- Confidentiality
- Integrity
- Availability
- Scope
Temporal Score
- Exploitability
- Remediation Level
- Report Confidence
Environmental Score
- Confidentiality Requirement
- Integrity Requirement
- Availability Requirement
- Modified Attack vector
- Modified Attack Complexity
- Modified Privileges required
- Modified User Interaction
- Modified Scope
- Modified Confidentiality
- Modified Integrity
- Modified Availability
CVE
- CVE stands for Common Vulnerabilities and Exposures.
- CVE is simply a list of currently known issues regarding specific systems and products, each with an ID.
CWE
- CWE stands for Common Weakness Enumeration
- CWE categorizes types of software vulnerabilities.
CVE vs CWE
- CVE describes a vulnerability associated with a specific system or product, whereas CWE describes the different types of vulnerabilities that exist.
- CVE has to do with the specific instance within a product or system, not the underlying flaw; CWE has to do with the weakness itself, not an instance within a product or system.
CWE vs OWASP
Types of Pentesting Methodology
- White Box Pentesting: White box penetration testing is sometimes referred to as clear, crystal or oblique box pen testing. In this, the security tester has full network and system information about the target host, including network maps and credentials.
- Black Box Pentesting: In this, no information is provided to the tester at all. The pentester follows the approach of an unprivileged attacker, from initial access and execution through to exploitation.
- Gray Box Pentesting: A combination of black-box and white-box testing. The pentester has some advance knowledge of the targets they plan to attack (only limited information is shared with the tester).
- Tiger Box Pentesting: This hacking is usually done on a laptop which has a collection of OSs and hacking tools. This helps penetration testers and security testers to conduct vulnerability assessments and attacks. A tiger box is a machine assembled using specific hardware and software to be used for hacking and penetration testing.
SAST
- Static Application Security Testing.
- SAST is a white-box security testing methodology in which the security tester has the application source code.
- The security tester examines the application when it is not running and tries to identify the range of vulnerabilities in the application's source code.
- SAST Tools:
- Fortify
- Appscan
DAST
- Dynamic Application Security Testing.
- DAST is a black-box security testing methodology in which the application is tested from the outside.
- The security tester examines the application while it is running and tries to attack it just like an attacker would.
- DAST Tools:
- BurpSuite
- Acunetix
- Nikto
- OWASP ZAP
IAST
- Interactive Application Security Testing.
- IAST is a hybrid security testing methodology which combines the benefits of the black-box and white-box methodologies.
- The security tester examines the application's source code as well as the running application and tries to attack it just like an attacker would.
- IAST Tools:
- Both SAST and DAST Tools
Same Origin Policy (SOP)
Cross-Origin Resource Sharing (CORS)
Content Security Policy (CSP)
Difference between SOP and CSP?
- SOP: which foreign source is allowed to interact with the webpage/service.
- CORS: CORS allows a site A to give permission to site B to read (potentially private) data from site A.
- CSP: which location for script/images is allowed to be integrated in the webpage. CSP set a policy of what content can run on the current site.
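The three definitions above are easiest to see as server-side decisions about response headers. The following Python functions, added as an example and not part of the original post, implement the CORS decision (reflect the request Origin only when it matches an explicit allowlist, never blindly, and refuse the wildcard-plus-credentials combination that browsers reject anyway), build a Content-Security-Policy header from a directive map, and audit a policy for the settings that defeat its purpose. The origins, allowlist and policies are constructed for the demo; the audit rules are my assumptions for the example.

```python
def cors_headers(request_origin, allowed_origins, allow_credentials=False):
    """Decide the CORS response headers for one request.
    SOP is the default: with no Access-Control-Allow-Origin header the browser blocks the
    calling page from reading the response. Only an exact allowlist match is reflected
    back, never an arbitrary Origin, and '*' is refused together with credentials."""
    if allow_credentials and "*" in allowed_origins:
        raise ValueError("wildcard origin cannot be combined with credentials")
    if request_origin is None:
        return {}                                   # same-origin or non-browser request: nothing to grant
    if "*" in allowed_origins:
        return {"Access-Control-Allow-Origin": "*"}  # public, credential-less resource
    if request_origin not in allowed_origins:
        return {}                                   # SOP stays in force for this origin
    headers = {"Access-Control-Allow-Origin": request_origin,
               "Vary": "Origin"}                    # so caches keep per-origin responses apart
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def build_csp(directives):
    """Serialize {'default-src': ["'self'"], ...} into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def csp_concerns(directives):
    """Flag the settings that undo what CSP is for: scripts allowed inline or from anywhere."""
    concerns = []
    if "default-src" not in directives:
        concerns.append("no default-src fallback")
    script = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script:
        concerns.append("script-src allows inline scripts ('unsafe-inline')")
    if "*" in script or "http:" in script or "https:" in script:
        concerns.append("script-src allows scripts from any host")
    return concerns


if __name__ == "__main__":
    # Constructed demo values.
    ALLOWED = {"https://app.example.com", "https://admin.example.com"}
    print(cors_headers("https://app.example.com", ALLOWED, allow_credentials=True))
    print(cors_headers("https://other.example.net", ALLOWED, allow_credentials=True))   # {}
    strict = {"default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example.com"]}
    loose = {"script-src": ["*", "'unsafe-inline'"]}
    print(build_csp(strict))
    print(csp_concerns(strict), csp_concerns(loose))
```

The contrast between the two is the point: CORS is the server choosing which other origins may read its responses, while CSP is the page choosing which sources its own browser may load scripts and other content from; a permissive value in either one quietly turns a security control into a no-op.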
Cryptographic Protocols
VPN
Compliance
- Compliance involves meeting (following) various controls, usually enacted by a regulatory authority, law, or industry group, to protect the confidentiality, integrity, and availability of data.
- Compliance requirements vary and can be imposed by law, regulatory bodies, and even private industry groups such as the Payment Card Industry.
PCIDSS
- Payment Card Industry Data Security Standard.
- PCI DSS compliance is mandatory for organizations that store, process and transmit credit card data.
PADSS
- Payment Application Data Security Standard.
- PA DSS is one of the mature standards in the industry against which a payment application is evaluated; it showcases the security index of your application.
PCI PIN
- PCI Personal Identification Number.
- PCI PIN is a set of requirements defined by the PCI Security Standards Council for the secure handling of personal identification number (PIN) data during payment processing at ATMs or over point-of-sale (POS) terminals.
- PCI PIN and PCI PTS (PIN Transaction Security) requirements emphasize maintaining the physical and logical security of POS (point-of-sale) devices, PIN pad services, and UPTs.
- The intention of this standard is to reduce the number of credit card frauds around Point-of-Sale devices.
PCI SAQ
- PCI Self-Assessment Questionnaire.
- PCI SAQ is a blueprint for merchants and service providers to become PCI DSS compliant.
- PCI SAQ is something like a checklist to ensure you don’t miss on the security requirements applicable to your business.
- PCI SAQ is applicable for small merchants and service providers who do not need to go for an onsite audit and submit a report on compliance to their acquiring Banks or Payment brands, but need to comply with all the applicable requirements in PCI DSS standard.
HIPAA
- Health Insurance Portability and Accountability Act.
- HIPAA provides rules and regulations for protecting the privacy of Patient Health Information (PHI - Protected Health Information) and the security of electronic records stored or transmitted.
- This includes PHI in any form - physical copy, electronic or oral. PHI consists of individually identifiable patient information such as Name, health records, demographic information, contact information, Social Security Number, etc.
GDPR
- General Data Protection Regulation.
- GDPR is for Data Privacy and Protection. The European Union brought GDPR into enforcement on 25th May 2018.
- GDPR provides specific guidance on how Personally Identifiable Information (PII) should be recorded, stored, and transferred without invasion of the right to privacy of the EU citizens.
ISO 27001
- International Organization for Standardization.
- ISO 27001 is a globally recognized standard for managing information security-related risks.
- It specifies a set of standardized requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
- The standard provides the framework to manage the confidentiality, availability, and integrity of organizational assets such as financial data, intellectual property, employee details, customer confidential data, or information entrusted by third parties.
NIST
SANS
CIS
Protocols
FTP
SSH
TELNET
SMTP
DNS
DHCP
- IP address
- Subnet mask
- Default Gateway
- DNS Server
HTTP
- Hyper Text Transfer Protocol
- HTTPS (HTTP over TLS) is a way to protect sensitive data, like your credit card number: it uses TLS to encrypt the communications between clients and servers, preventing people from intercepting and reading your data in flight.
- It also preserves the integrity of data, helping to prevent it from being broken or corrupted.
- While HTTP is not inherently problematic, its use for the transmission of sensitive data is definitely a major risk. When plaintext credentials are transmitted over HTTP, those credentials are left exposed, the internet equivalent of shouting passwords across a crowded room, making it trivial for anyone on the path to intercept and steal them.
HTTP 1.0
- HTTP 1.0 is non-persistent.
- HTTP 1.0 requires multiple connections to serve a page, one per request.
- HTTP 1.0 serves the response and then closes the connection.
HTTP 1.1
- HTTP 1.1 is persistent.
- Head-of-line blocking; browsers open only about 6 parallel TCP connections per host (limitation)
- Header information is repeated with every request (limitation)
- The keep-alive option enables re-using the same TCP connection for multiple HTTP requests
HTTP 2.0
- HTTP 2.0 is also persistent.
- HTTP 2.0 is the same as HTTP 1.1 with some additional features.
- HTTP 2.0 uses a single TCP connection with multiple multiplexed streams for different requests.
- HTTP 2.0 requires TLS to be set up (browsers only implement HTTP/2 over TLS).
- HTTP 2.0 uses HPACK, where header data is separated from the actual request data and compressed, reducing the overall request size.
- HTTP 2.0 uses PUSH frames to send needed resources in advance.
- HTTP 2.0 is built on top of HTTP 1.1 and still works if the client only supports HTTP 1.1 (it falls back to HTTP 1.1).
POP3
IMAP
What is the difference between POP3 and IMAP?
NetBIOS
SMB
SNMP
ARP
NTLM
New Technology LAN Manager (NTLM) is a proprietary Microsoft protocol introduced in 1993 to replace Microsoft LAN Manager (LANMAN). NTLM is part of a cohort of Microsoft security protocols designed to collectively provide authentication, integrity, and confidentiality to users.
NTLM is what is known as a challenge-response protocol used by servers to authenticate clients using password hashes. In its original incarnation NTLMv1 used a fairly simple (and easily compromised) authentication method.
Using NTLM for authentication exposes organizations to a number of risks. A skilled attacker can easily intercept NTLM hashes that are equivalent to passwords or crack NTLMv1 passwords offline. A successful exploit against NTLMv1 authentication can enable an attacker to launch machine-in-the-middle (MITM) attacks or take complete control of a domain.
LLMNR
Link-Local Multicast Name Resolution (LLMNR) is a protocol that allows name resolution without a DNS server. Essentially, LLMNR is a layer 2 protocol that provides hostname-to-IP resolution on the basis of a network packet that is transmitted via UDP port 5355 to a multicast network address (in the 224.0.0.0 through 239.255.255.255 range). The multicast packet queries all network interfaces looking for any that can self-identify authoritatively as the hostname in the query.
LLMNR was originally created as a temporary solution to enable name resolution in environments in which DNS servers would be impractical, such as small private networks. LLMNR was created as a way to achieve name resolution without the difficult requirements of DNS. The protocol has been (and still is) used by operating systems, including Microsoft Windows, to identify networked devices like file servers.
We are Updating everyday...