Term
|
Definition
| Memory segment used by a program and allocated dynamically at run time with functions such as malloc(), calloc(), realloc() and using new operators in C# |
|
|
Term
|
Definition
| Attempts to store more bytes than allowed |
|
|
Term
| Extended Instruction Pointer |
|
Definition
| Points to the code that you are currently executing. When you call a function, this gets saved on the stack for later use. |
|
|
Term
|
Definition
| Points to the current position on the stack and allows things to be added and removed from the stack using the push and pop operations or direct stack pointer manipulations |
|
|
Term
|
Definition
| EBP serves as a static point for referencing stack based information like variables and data in a function using offsets. This almost always points to the top of the stack for a function. |
|
|
Term
|
Definition
| The "gets" command, which reads a string from the standard input to the specified memory location. Does not have a "length" configuration |
|
|
Term
| How to check for Buffer Overflow |
|
Definition
| 1) Attach a debugger to the target application or process 2) Generate malformed input for the application 3) Subject the application to the malformed input 4) Inspect responses in the debugger |
|
|
Term
|
Definition
| Program where code is hidden in a harmless program. The Trojan can take control of the computer. |
|
|
Term
|
Definition
| A legitimate communication path within a computer system or network, for transferring data. The simplest form of covert channel is a Trojan |
|
|
Term
| Step 1 to Create A Trojan |
|
Definition
| Create new packet using a Trojan horse construction kit |
|
|
Term
| Step 2 to Create A Trojan |
|
Definition
| Create a dropper, which is planted in a Trojan package that installs the malicious code on the target system |
|
|
Term
| Step 3 to Create A Trojan |
|
Definition
|
|
Term
| Step 4 to Create A Trojan |
|
Definition
|
|
Term
| Step 5 to Create A Trojan |
|
Definition
|
|
Term
| Step 6 To Create A Trojan |
|
Definition
|
|
Term
|
Definition
| c:\nc -L -p <port> -t -e cmd.exe |
|
|
Term
|
Definition
|
|
Term
|
Definition
| 1) Trojan creates fake form fields on e-banking pages 2) Additional fields elicit extra information such as card number and date of birth 3) Attacker can use this information to impersonate the victim and compromise the victim's accounts |
|
|
Term
|
Definition
| 1) Trojan interceptor intercepts valid Transaction Authentication Numbers (TAN) entered by a user 2) Replaces the TAN with a random number that will be rejected by the bank 3) Attacker can misuse the intercepted TAN with the user's login details |
|
|
Term
|
Definition
| 1) Trojan analyses POST requests and responses to the victim's browser 2) It compromises the scramble pad authentication 3) Trojan intercepts scramble pad input as the user enters Customer Number and Personal Access Code |
|
|
Term
|
Definition
| Very destructive Trojan that formats all storage |
|
|
Term
|
Definition
| 1) Modular malware for MS Windows 2) From Middle Eastern countries 3) Records Skype conversations and uses Bluetooth on devices 4) Uses USB devices |
|
|
Term
|
Definition
| 1) Malware is packed with UPX and a polymorphic decryptor 2) Malware injects a piece of code within the winlogon.exe virtual address space |
|
|
Term
| View All Active Ports Using Netstat |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| All communicating TCP/UDP Ports open |
|
|
Term
| Path to System Driver Services |
|
Definition
| Run > msinfo32 > Software Environment > System Drivers > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services |
|
|
Term
|
Definition
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder, Current |
|
|
Term
|
Definition
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Current |
|
|
Term
|
Definition
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell User |
|
|
Term
|
Definition
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
|
|
Term
|
Definition
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows |
|
|
Term
| Windows Startup Settings Registry Key #1 |
|
Definition
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run |
|
|
Term
| Windows Startup Settings Registry Key #2 |
|
Definition
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
|
|
Term
| Windows Startup Settings Registry Key #3 |
|
Definition
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce |
|
|
Term
| Windows Startup Settings Registry Key #4 |
|
Definition
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce |
|
|
Term
| IE Startup Settings Key #1 |
|
Definition
| HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks |
|
|
Term
| IE Startup Settings Key #2 |
|
Definition
| HKLM\Software\Microsoft\Internet Explorer\Toolbar |
|
|
Term
| IE Startup Settings Key #3 |
|
Definition
| HKLM\Software\Microsoft\Internet Explorer\Extensions |
|
|
Term
|
Definition
| File Checksum Integrity Verifier - command-line utility to generate checksums |
|
|
Term
|
Definition
| Enterprise integrity verifier that scans and reports critical system files for changes |
|
|
Term
|
Definition
| Checks the integrity of critical files that have been digitally signed by Microsoft |
|
|
Term
|
Definition
| Used to check the integrity of a file via MD5 checksum |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Self-replicating, infects other programs, and encrypts itself |
|
|
Term
|
Definition
| Design, Replication, Launch, Detection, Incorporation, Elimination |
|
|
Term
|
Definition
| Moves MBR to another location on the hard disk and copies itself to the original location of the MBR |
|
|
Term
|
Definition
| Executed or intercepted files that are infected (require direct action or memory-resident) |
|
|
Term
|
Definition
| Infect the system boot sector and executables at the same time |
|
|
Term
|
Definition
| Infect files created by MS Word or Excel |
|
|
Term
|
Definition
| Modify directory table entries so that they point users or system processes to the virus code instead of the actual program, and the virus launches itself first when a program starts |
|
|
Term
|
Definition
| Viruses evade the AV software by intercepting its requests to the OS: the virus intercepts the AV request and passes it to the uninfected file instead of the virus file |
|
|
Term
|
Definition
| Uses simple encryption to encipher the code and uses different keys for each infection so that AV cannot detect it using signatures |
|
|
Term
|
Definition
| Code that mutates while keeping the original algorithm intact; such viruses must have a polymorphic engine (mutation engine) |
|
|
Term
|
Definition
| Rewrite themselves completely each time they infect, reprogramming themselves by translating their own code into a temporary representation and back into normal code |
|
|
Term
|
Definition
| Overwrites a part of the host file with a constant (usually null) without increasing the length of the file and while preserving its functionality |
|
|
Term
|
Definition
| Infects only occasionally (e.g. every 10th program executed) or only files whose length falls in a narrow range, and is difficult to detect |
|
|
Term
|
Definition
| Creates a companion file for each .exe file the virus infects, e.g. the companion file notepad.com loads with notepad.exe |
|
|
Term
|
Definition
| Forms a shell around the target host program's code, making itself the original program and the host its sub-routine; almost all boot viruses are shell viruses |
|
|
Term
|
Definition
| File extension viruses change the extensions of files. Countermeasure: uncheck "hide file extensions" |
|
|
Term
|
Definition
| Append their code to the host file without making any changes to the latter, or relocate the host code to insert their own code at the beginning |
|
|
Term
|
Definition
| Viruses that overwrite the host code partly or completely with the virus code |
|
|
Term
| Direct Action or Transient Virus |
|
Definition
| Transfers all control of the host code to where it resides, selects the target program to be modified and corrupts it |
|
|
Term
| Terminate and Stay Resident Virus (TSR) |
|
Definition
| Stays permanently in memory during the entire work session and can only be removed by restarting or rebooting |
|
|
Term
|
Definition
| Worms are special viruses that replicate themselves and use memory but cannot attach themselves to other programs. Worms spread throughout the network; viruses do not. |
|
|
Term
|
Definition
| Stuxnet hooks ntdll.dll, and the wrapper program contains all components stored inside itself in a section called stub |
|
|
Term
|
Definition
| Analysis of suspect files, incoming messages, etc. for malware - a sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software, and connects to a network under strictly controlled conditions |
|
|
Term
|
Definition
| Perform static analysis when malware is innovative |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Set up the network connection and check that it is not giving any errors |
|
|
Term
|
Definition
| Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer |
|
|
Term
|
Definition
| Record network traffic information using connectivity and log packet counter monitoring tools such as TCPView and NetResident |
|
|
Term
|
Definition
| Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as Regshot |
|
|
Term
|
Definition
| Collect the following information using debugging tools OllyDbg and ProcDump |
|
|
Term
| Three Virus Detection Methods |
|
Definition
| Scanning, Integrity, Interruption |
|
|
Term
| Purpose of Incidence Management Process |
|
Definition
| Improve service quality, proactive problem resolution, reduce impact of incidents on the business/organization. Meets service availability requirements, increases staff efficiency and productivity, improves user/customer satisfaction, assists in handling future incidents |
|
|
Term
| Open Source or Passive Information Gathering |
|
Definition
| Collect information about a target from publicly accessible sources |
|
|
Term
|
Definition
| Gathering information from sources where the author of the information cannot be identified or traced |
|
|
Term
| Organizational or private footprinting |
|
Definition
| Collect information from an organization's web-based calendar and email servers |
|
|
Term
| Active Information Gathering |
|
Definition
| Gathering information through social engineering, on-site visits, interviews, and questionnaires |
|
|
Term
| Pseudonymous Footprinting |
|
Definition
| Collect information that might be published under a different name in an attempt to preserve privacy |
|
|
Term
|
Definition
| Collect information about a target from the internet |
|
|
Term
| Footprinting Process Step #1 |
|
Definition
| Collect basic information about the target and its network |
|
|
Term
| Footprinting Process Step #2 |
|
Definition
| Determine the OS used, platform running, web server, version, etc |
|
|
Term
| Footprinting Process Step #3 |
|
Definition
| Perform techniques such as Whois, DNS, network and organizational queries |
|
|
Term
| Footprinting Process Step #4 |
|
Definition
| Find vulnerabilities and exploits for launching attacks |
|
|
Term
|
Definition
| Default ROM (OS) of an Android device supplied by the manufacturer |
|
|
Term
|
Definition
| Modified device ROM without the restrictions imposed by the device's original ROM |
|
|
Term
| Bricking the Mobile Device |
|
Definition
| Altering the device OS using rooting or jailbreaking in a way that causes the device to become unstable or inoperable |
|
|
Term
|
Definition
| Supports the complete mobile device management (MDM) lifecycle for smartphones and tablets including iPhone, iPad, Android, Windows Phone, BlackBerry, and Kindle Fire |
|
|
Term
|
Definition
| Has rapid deployment capabilities and comprehensive visibility and control that span multiple devices, applications, and documents. |
|
|
Term
|
Definition
| Urgent - data contained in the packet should be processed immediately |
|
|
Term
|
Definition
| Finished - there will be no more transmissions |
|
|
Term
|
Definition
| Push - send all buffered data immediately |
|
|
Term
|
Definition
| Reset - resets a connection |
|
|
Term
|
Definition
| Acknowledge - acknowledges the receipt of a packet |
|
|
Term
|
Definition
| Initializes a connection between hosts |
|
|
Term
|
Definition
|
|
Term
| Hping Firewall and Timestamp |
|
Definition
| hping3 -S <ip> -p <port> --tcp-timestamp |
|
|
Term
| Hping Scan Entire Subnet for Live Host |
|
Definition
| hping3 -1 <ip>.x --rand-dest -I <interface> |
|
|
Term
| Hping Intercept all traffic containing HTTP signature |
|
Definition
| hping3 -9 <protocol> -I <interface> |
|
|
Term
|
Definition
|
|
Term
|
Definition
| SYN/FIN Scanning Using Fragments |
|
|
Term
|
Definition
|
|
Term
| Inverse TCP Flag Scanning |
|
Definition
|
|
Term
|
Definition
| Responses are collected and compared with a database to determine the OS |
|
|
Term
| Four Phases of Social Engineering |
|
Definition
| Research on the target company, develop relationship, select victim, exploit the relationship |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Denotes social engineering victims |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| NetBIOS Name Service (NBNS) |
|
|
Term
|
Definition
| NetBIOS Session Service (SMB over NetBIOS) |
|
|
Term
|
Definition
| SMB over TCP (Direct Host) |
|
|
Term
|
Definition
| Simple Network Management Protocol (SNMP) |
|
|
Term
|
Definition
| Lightweight Directory Access Protocol (LDAP) |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Simple Mail Transfer Protocol (SMTP) |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Algorithm designed to encipher and decipher blocks of data consisting of 64 bits under control of a 56-bit key |
|
|
Term
|
Definition
| An algorithm that takes a fixed-length string of plaintext bits and transforms it into a ciphertext bit string of the same length |
|
|
Term
|
Definition
| A symmetric-key algorithm for securing sensitive but unclassified material by U.S. Government agencies. AES is also an iterated block cipher, which works by repeating the same operation multiple times |
|
|
Term
|
Definition
| A parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. The key size is 128 bits. |
|
|
Term
|
Definition
| a 32-bit hexadecimal number |
|
|
Term
|
Definition
| Produces a 160-bit digest from a message with a maximum length of (2^64 - 1) bits, and resembles the MD5 algorithm |
|
|
Term
|
Definition
| Family of two similar hash functions with different block sizes, namely SHA-256, which uses 32-bit words, and SHA-512, which uses 64-bit words. |
|
|
Term
| Certificate Authority (CA) |
|
Definition
| Issues and verifies digital certificates |
|
|
Term
| Registration Authority (RA) |
|
Definition
| Acts as the verifier for the certificate authority |
|
|
Term
|
Definition
| Establishing credentials of a person when doing online transactions |
|
|
Term
| Certificate Management System |
|
Definition
| Generates, distributes, stores, and verifies certificates |
|
|
Term
|
Definition
| Attacker has access to the cipher text; the goal of this attack is to recover the encryption key from the cipher text |
|
|
Term
|
Definition
| Attacker defines his own plaintext, feeds it into the cipher, and analyzes the resulting cipher text |
|
|
Term
| Adaptive Chosen-plaintext Attack |
|
Definition
| Attacker makes a series of intricate queries, choosing subsequent plaintexts based on the information from previous encryptions |
|
|
Term
|
Definition
| Attacker has knowledge of some parts of the plain text; using this information, the key used to generate the cipher text is deduced so as to decipher other messages |
|
|
Term
|
Definition
| Attacker obtains the plaintexts corresponding to an arbitrary set of ciphertexts of his own choosing |
|
|
Term
|
Definition
| Extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture. |
|
|
Term
|
Definition
| A generalisation of the chosen-text attack |
|
|
Term
|
Definition
| It is based on repeatedly measuring the execution times of the exponentiation operations |
|
|
Term
|
Definition
| Brute-force attack is a highly resource- and time-intensive process, but is more likely to achieve results |
|
|
Term
|
Definition
| Success of a brute force attack depends on the length of the key, time constraints, and system security mechanisms |
|
|
Term
|
Definition
| Known as misuse detection and tries to identify events that misuse the system |
|
|
Term
|
Definition
| Detects the intrusion based on fixed behavioral characteristics of the users and components in a computer system |
|
|
Term
| Protocol Anomaly Detection |
|
Definition
| In this type of detection, models are built to explore anomalies in the way vendors deploy TCP/IP specifications |
|
|
Term
|
Definition
| Black box that is placed on the network in promiscuous mode, listening for patterns indicating an intrusion |
|
|
Term
|
Definition
| Mechanisms usually include auditing for events that occur on a specific host; not as common due to the overhead they incur by having to monitor each system event |
|
|
Term
|
Definition
| Checks for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there, for example Tripwire |
|
|
Term
|
Definition
| Mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts |
|
|
Term
|
Definition
| Computer system designed and configured to protect network resources from attacks |
|
|
Term
|
Definition
| Screened subnet or DMZ (additional zone) contains hosts that offer public services. |
|
|
Term
|
Definition
| A firewall with three or more interfaces is present, allowing the system to be further subdivided based on the specific security objectives of the organization |
|
|
Term
| Packet Filtering Firewall |
|
Definition
| Works at the network level of the OSI model or IP (Layer 3) |
|
|
Term
| Circuit Level Gateway Firewall |
|
Definition
| Works at the session layer, monitors requests to create sessions, and determines if those sessions will be allowed (Level 4) |
|
|
Term
| Application-level Gateway |
|
Definition
| Filters packets at the application layer of the OSI model; incoming and outgoing traffic is restricted to services supported by the proxy, and all other service requests are denied. |
|
|
Term
| Stateful Multilayer Inspection Firewalls |
|
Definition
| Combine the aspects of the other three types of firewalls: they filter packets at the network layer to determine whether packets are legitimate, and they evaluate the content of packets at the application layer |
|
|
Term
|
Definition
| Techniques that use TTL values to determine gateway ACL filters and map networks by analyzing IP packet responses. If the packet makes it through the gateway, it is forwarded to the next hop, where the TTL equals one and elicits an ICMP "TTL exceeded in transit" to be returned as the original packet is discarded. |
|
|
Term
|
Definition
| FTP, Telnet, and web servers send banners on port 25 |
|
|
Term
|
Definition
| These honeypots simulate only a limited number of services and applications of a target system or network, and are used to collect higher-level information about attack vectors such as network probing and worm activities |
|
|
Term
|
Definition
| Honeypot simulates all services and applications and can be completely compromised by attackers to get full access to the system in a controlled area. Used to capture information about attack vectors such as techniques, tools, and intent of the attack |
|
|
Term
|
Definition
| Can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging), and a network intrusion prevention system. |
|
|
Term
|
Definition
|
|
Term
| Does the Snort rule parser handle rules on multiple lines? |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| Used to bypass an IDS, or encoding so that a computer will not understand it. |
|
|
Term
|
Definition
| An IDS blindly believes and accepts a packet that an end system rejects. An attacker exploits that condition and inserts data into the IDS. The attack occurs when the NIDS is less strict in processing packets. The IDS observes extra packets and concludes the traffic is harmless. Hence the IDS gets more packets than the destination. |
|
|
Term
|
Definition
| If the fragment timeout is 10 seconds at the IDS and 20 seconds at the target system, the attacker will send the second fragment 15 seconds after sending the first fragment. |
|
|
Term
|
Definition
| These attacks require the attacker to have previous knowledge of the topology of the victim's network. Information can be obtained with tools like tracert to determine the number of hops between the attacker and the victim |
|
|
Term
|
Definition
| the urgency pointer causes one byte |
|
|
Term
|
Definition
| Used to bypass signature detection by encoding shellcode, containing a stub that decodes the shellcode that follows |
|
|
Term
|
Definition
| Contains a special DNS server and a special DNS client; the client and the server work in tandem to provide a TCP (and UDP) tunnel through the standard DNS protocol |
|
|
Term
|
Definition
| Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP Echo packets |
|
|
Term
|
Definition
| Service request flood attacks flood servers with a high rate of connections from a valid source |
|
|
Term
|
Definition
| The source address is fake, hence the target machine does not get the response back |
|
|
Term
| Permanent Denial of Service Attack (Phlashing) |
|
Definition
| Permanent DoS, also known as phlashing, refers to attacks that can cause irreversible damage to system hardware |
|
|
Term
|
Definition
| Software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing. A botnet is a huge network of compromised systems and can be used by an intruder to create a denial-of-service attack |
|
|
Term
|
Definition
| There is a good probability that the spoofed source addresses of DDoS attack packets will not represent a valid source address of the specific subnetwork |
|
|
Term
|
Definition
| Providers can increase the bandwidth on critical connections to prevent them from going down in the event of an attack |
|
|
Term
|
Definition
| This method sets up routers that access a server with logic to adjust (throttle) incoming traffic to levels that will be safe for the server to process |
|
|
Term
|
Definition
| Any traffic coming from unused or reserved IP addresses is bogus and should be filtered out by the ISP before it enters the Internet link |
|
|
Term
|
Definition
| Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation |
|
|
Term
|
Definition
| Can operate in either active intercept mode or passive watch mode. The default is intercept mode. |
|
|
Term
| Session ID Brute Force Attack |
|
Definition
| Known as a session prediction attack if the predicted range of values for a session ID is very small |
|
|
Term
|
Definition
| Network-level hijacking can be defined as the interception of packets during transmission between the client and the server in a TCP or UDP session |
|
|
Term
| Application Level Hijacking |
|
Definition
| Application-level hijacking is about gaining control of the user's HTTP session by obtaining the session ID |
|
|