Glossary

Numbers

5-tuple The 5-tuple refers to the following five elements:

Source IP address

Source port

Destination IP address

Destination port

Protocol

A

Adversary An attacker, hacktivist, disgruntled employee, and so on.

Attack vector According to NIST, an attack vector is “a segment of the entire pathway that an attack uses to access a vulnerability. Each attack vector can be thought of as comprising a source of malicious content, a potentially vulnerable processor of that malicious content, and the nature of the malicious content itself.”

Availability Availability means that systems, applications, and data must be available to users without impacting productivity.

B

Bandwidth The data rate supported by a network connection or interface.

C

Cardholder data environment (CDE) The people, processes, and technologies that store, process, or transmit cardholder data or authentication data.

Command and control (C2) In terms of the kill chain, C2 occurs when the attacker accesses the breached system. It represents the attacker having keyboard access to inside the breached system or network.

Committee of Sponsoring Organizations (COSO) An auditing framework. COSO publishes periodic updates to its internal control framework and serves as the basis for the auditing standards developed by PCAOB.

Confidentiality Confidentiality is the promise that data is not unveiled to unauthorized users, applications, or processes. Depending on how sensitive the information is, a higher level of confidentiality might be required. You must have adequate control mechanisms in order to enforce and ensure that data is only accessed by the individuals who should be allowed to access it, and nobody else.

CSIRT CSIRT is typically the team that is in charge of working hand-in-hand with the information security teams (often called InfoSec). In smaller organizations, InfoSec and CSIRT may be the same team. In large organizations, the CSIRT is specialized in the investigation of computer security incidents, and the InfoSec team is tasked with the implementation of security configurations, monitoring, and policies within the organization.

CVSS The Common Vulnerability Scoring System (CVSS) is one of the most widely adopted standards to calculate the severity of a given security vulnerability.

Cyber Kill Chain Model A model representing the steps taken by an adversary to accomplish an intrusion.

D

Data normalization Data normalization is the process of capturing, storing, and analyzing data so that it exists in only one form. One of the main goals of data normalization is to purge redundant data while maintaining data integrity.

Delivery In terms of the kill chain, delivery is the method of contact used to transmit an attack. Examples include email, transfer across a network, and physically plugging in a device.

Diamond Model of Intrusion A trusted approach to categorizing security incidents.

Domain name server (DNS) Responsible for resolving IP addresses to domain names.

Dynamic Host Configuration Protocol (DHCP) Automatically provisions IP hosts with an IP address and other related configurations such as a subnet mask and default gateway.

E

Electronic protected health information (e-PHI) The first process during the boot sequence.

Exploitation Involves attacking a weakness or vulnerability within a system, application, network, and so on.

Ext4 Ext4 is one of the most used Linux file systems. It has several improvements over its predecessors Ext3 and Ext2. Ext4 not only supports journaling but also modifies important data structures of the file system, such as the ones destined to store the file data. This is done for better performance, reliability, and additional features.

F

False negative False negative is the term used to describe a network intrusion device’s inability to detect true security events under certain circumstances—in other words, a malicious activity that is not detected by the security device.

False positive The term false positive is a broad term that describes a situation in which a security device triggers an alarm but there is no malicious activity or an actual attack taking place. In other words, false positives are “false alarms.” They are also called “benign triggers.” False positives are problematic because by triggering unjustified alerts, they diminish the value and urgency of real alerts. If you have too many false positives to investigate, it becomes an operational nightmare and you most definitely will overlook real security events.

FAT FAT was the default file system of the Microsoft DOS operating system back in the 1980s. Then other versions were introduced, including FAT12, FAT16, FAT32, and exFAT. Each version overcame some of the limitations of the file system until the introduction of the New Technology File System (NTFS). One of the FAT file system limitations is that no modern properties can be added to the file, such as compression, permissions, and encryption. The number after each version of FAT, such as FAT12, FAT16, or FAT32, represents the number of bits that are assigned to address clusters in the FAT table.

Flow collector A device that collects, processes, and stores NetFlow records from infrastructure devices.

H

Health Insurance Portability and Accountability Act (HIPAA) Protects health-care-related data being transferred in digital form. This is the focus of the HIPAA security rules.

I

Incident response The process and tools defenders use to respond to a cybersecurity incident.

Installation In terms of the kill chain, installation is what is delivered by a successful exploitation. Examples might be ransomware and remote access tools.

Integrity Integrity is the second component of the CIA triad. It is very important that systems and the data they maintain be accurate, complete, and protected from unauthorized modification. Integrity protection encompasses more than just data; it not only protects data, but also operating systems, applications, and hardware from being altered by unauthorized individuals.

IPFIX An industry flow-based standard that’s based on NetFlow v9.

J

Journaling A journaling file system maintains a record of changes not yet committed to the file system’s main part. This data structure is referred to as a “journal,” which is a circular log. One of the main features of a file system that supports journaling is that if the system crashes or experiences a power failure, it can be brought back online much faster while also avoiding file system corruption.

L

Latency Factors that slow down traffic performance.

Least privilege To provision the absolute least amount of access rights required to perform a job.

Listening port A port held open by a running application in order to accept inbound connections.

M

Master boot record The master boot record (MBR) is the first sector (512 bytes) of the hard drive. It contains the boot code and information about the hard drive itself. The MBR contains the partition table, which includes information about the partition structure in the hard disk drive. The MBR can tell where each partition starts, its size, and the type of partition.

Metadata Data about data, such as who created a file and the last time it was opened.

N

National CSIRT and CERTs Numerous countries have their own Computer Emergency Response (or Readiness) Teams. These national CERTs and CSIRTs aim to protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information.

Network address translation (NAT) A method for remapping one IP address space into another by modifying network address information.

Network baseline Normal network throughput levels.

NTFS NTFS is the default file system in Microsoft Windows since Windows NT, and it is a more secure, scalable, and advanced file system when compared to FAT. NTFS has several components. The boot sector is the first sector in the partition, and it contains information about the file system itself, such as start code, sector size, cluster size in sectors, and the number of reserved sectors. The file system area contains many files, including the master file table (MFT), which includes metadata of the files and directories in the partition. The data area holds the actual contents of the files, and it is divided into clusters with a size assigned during formatting and recorded in the boot sector.

P

Payment Card Industry Data Security Standard (PCI DSS) Program designed to protect the customer cardholder data when it’s processed, stored, or transmitted. PCI DSS is required for any merchant, processor, acquirer, issuer, or service provider that handles payment card processing, along with outsourced or third parties involved with payment card processing.

Port scanner Probes a host system running TCP/IP to determine which TCP and UDP ports are open and listening.

PSIRT Software and hardware vendors may have separate teams that handle the investigation, resolution, and disclosure of security vulnerabilities in their products and services. Typically, these teams are called Product Security Incident Response Teams (PSIRTs).

Public Company Accounting Oversight Board (PCAOB) Develops auditing standards and trains auditors on best practices for assessing a company’s internal controls.

Q

Quality of Service (QoS) Tools designed to define different priority levels for applications, users, or data flows, with the goal of guaranteeing a certain level of performance to that data.

R

Reconnaissance Research on a target, such as available network ports, data on social media sources, learning about people at an organization, and so on.

Regular expression A regular expression (sometimes referred to as “regex”) is a text string for describing a search pattern.

S

Sarbanes-Oxley Act of 2002 (SOX) Forces any publicly held company to have internal controls and procedures for financial reporting to avoid future corporate fraud.

Security event An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.

Security incident A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Session duration In network access terms, session duration is the total time between a user or device connecting to a network and later disconnecting from it.

Sniffer Software that performs full packet capture.

Standard operating procedure A delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team.

Stream Control Transmission Protocol (SCTP) Protocol used by IPFIX that provides a packet transport service designed to support several features beyond TCP and UDP capabilities.

STRIDE STRIDE stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. STRIDE was created by Loren Kohnfelder and Praerit Garg. It is a framework designed to help software developers identify the types of threats against the applications they are creating.

Swap space Extra memory on the hard disk drive or SSD that is an expansion of the system’s physical memory.

Switch port security Provides a method to limit what devices will be permitted to access and send traffic on individual switch ports within a switched network.

T

True negative A true negative is when the intrusion detection device identifies an activity as acceptable behavior and the activity is actually acceptable.

True positive A true positive is a successful identification of a security attack or a malicious event.

W

Weaponization The process of developing and testing how an attack will be executed.
