Link Search Menu Expand Document

Glossary

Term Definition Chapter
security Enforcing a desired property in the presence of an attacker 1
threat model A thread model is a model of who your attacker is and what resources they have 1
tcb TCB (Trusted Computing Base) are the components of a system that security relies upon 1
kiss principle Keep It Simple, Stupid 1
deterrence Deterrence refers to stopping the attack before it happens 1
prevention Prevention refers to stopping the attack as it happens 1
detection Detection refers to learning that there was an attack after the attack has taken place 1
response Response refers to doing something about the attack after the attack has taken place 1
securities is economics Securities is economics is a security principle that says that defenses are not free and are often less than the sum of their parts 1
least privilege Least Privilege is a security principle wherein one should consider what permissions an entity or program needs to be able to do its job correctly and only grant privileges that are needed for correct functioning and nothing more 1
separation of responsibility Separation of responsibility is a security principle wherein if you need to have a privilege, consider requiring multiple parties to work together (collude) to exercise it 1
ensure complete mediation Ensure complete mediation is a security principle wherein you ensure that every access point is monitored and protected 1
reference monitor A reference monitor is a single point through which all access must occur, like a network firewall, for example 1
shannon’s maxim Shannon’s Maxim is a security principle wherein the enemy knows the system, meaning that you should assume that the attacker knows every detail about the system you are working with 1
know your threat model Knowing your threat model is a security principle wherein you should understand your attacker, their resources, and their motivation 1
consider human factors Consider human factors is a security principle wherein if your system is unusable, it will be unused 1
defense in depth Defense in depth is a security principle wherein you should layer multiple types of defenses 1
use fail-safe defaults Use fail-safe defaults is a security principle that states you should construct systems that fail in a safe state, balancing security and usability 1
design in security from the start Design in security from the start is a security principle wherein you should consider all security principles when designing a new system, rather than patching it afterwards 1
bit A bit is a binary digit, either 0 or 1 2
nibble A nibble is 4 bits 2
byte A byte is 8 bits 2
compiler A compiler converts C code into assembly code 2
assembler An assembler converts assembly code into machine code (raw bits) 2
linker A linker deals with dependencies and libraries 2
loader A loader sets up memory space and runs the machine code 2
heap The heap is a section of memory that stores dynamically allocated memory and grows upwards 2
stack The stack is a section of memory that stores local variables and stack frames and grows downwards 2
esp The ESP is the stack pointer in x86 and points to the bottom of the current stack frame, similar to the sp in RISC-V 2
ebp The EBP is the base pointer in x86 and points to the top of the current stack frame, similar to the fp in RISC-V 2
eip The EIP is the instruction pointer in x86 and points to the current instruction, similar to the PC in RISC-V 2
rip The RIP (return instruction pointer) is the old EIP and is saved on the stack when calling a function 2
sfp The SFP (saved frame pointer) is the old EBP and is saved on the stack when calling a function 2
callee-saved Registers are callee-saved when the called function (the callee) must not change the value of the register when it returns 2
caller-saved Registers are caller-saved when the called function (the callee) may overwrite the register without saving or restoring it 2
shellcode Shellcode is malicious code inserted by the attacker into memory, to be executed using a memory safety exploit 3
buffer overflow A buffer overflow is a memory safety vulnerability wherein an attacker overwritten unintended parts of memory 3
stack smashing Stack smashing is a type of buffer overflow attack wherein the attacker overwrites saved registers on the stack 3
integer memory-safety vulnerabilities Integer memory-safety vulnerabilities occur when an attacker exploits how integers are represented in C memory 3
format string vulnerabilities Format string vulnerabilities occur when an attacker exploits the arguments to printf 3
heap vulnerabilities Heap vulnerabilities occur when an occur exploits the heap layout 3
memory-safe languages Memory safe languages are design to check bounds and prevent undefined memory-accesses and, are therefore not vulnerable to memory safety vulnerabilities 4
defensive programming Defensive programming is a technique of writing memory safe code wherein you always add checks in you code just in case 4
exploit mitigations Exploit mitigations, also known as code hardening, are compiler and runtime defenses that make common exploits harder 4
non-executable pages Non-executable pages is a defense against memory safety vulnerabilities wherein portions of memory are either executable or writable but not both 4
return-to-libc Return to libc is an exploit technique that overwrites the RIP to jump to a function in the standard C library (libc) or a common operating system function 4
rop ROP (Return Oriented Programming) consists of constructing custom shellcode using pieces of code that already exist in memory 4
gadget A gadget is a small set of assembly instructions that already exist in memory 4
stack canary A stack canary is a defense against memory safety vulnerabilities wherein a random, secret value is added to the stack and is later checked to see if it has been changed 4
pointer authentication Pointer authentication is a defense against memory safety vulnerabilities wherein instead of storing a pointer in memory, the unused bits are replaced with a pointer authentication code (PAC) 4
pac A PAC (Pointer Authentication Code) is a random value that replaces the unused bits when storing a pointer in memory 4
aslr ASLR (Address Space Layout Randomization) is a defense against memory safety vulnerabilities wherein each segment of memory is placed in a different location each time the program is run 4
cryptography Cryptography is the study of secure communication over insecure channels 5
eavesdropper An eavesdropper, commonly known as Eve, can read any data sent over the channel 5
manipulator A manipulator, commonly known as Mallory, can read and modify any data sent over the channel 5
confidentiality Confidentiality is a goal of cryptography wherein the adversary cannot read our messages. Essentially, the ciphertext should not give the attacker any additional information about the plaintext 5
integrity Integrity is a goal of cryptography wherein the adversary cannot change any messages without being detected 5
authenticity Authenticity is a goal of cryptography wherein one can prove that a message came from the person who claims to have written it 5
key They key is the most basic building block of cryptography and can be used in algorithms to secure messages 5
symmetric key model In a symmetric key model, both Alice and Bob know the value of the secret key 5
asymmetric key model In an asymmetric key model, everybody has two keys, a secret key and a public key 5
kerckhoff’s principle Kerckhoff’s Principle is a security principle that is closely related to Shannon’s Maxim that states that cryptosystems should remain secure even when the attacker knows all the internal details of the system, except the key 5
plaintext Plaintext is the original message 5
ciphertext Ciphertext is the encrypted message 5
encrypt Encrypting a message uses the key to change the message from its original form into a scrambled form 5
decrypt Decrypting a message uses the key to change the message from its scrambled form back to its original form 5
caesar cipher The Caesar cipher encrypts the plaintext by replacing each letter with the letter K positions later in the alphabet 5
traffic analysis Traffic analysis is analyzing who is talking to whom and when 5
side channels Side channels are when information about the plaintext is revealed as a result of the implementation of the scheme, not the scheme itself 5
chosen-plaintext attack In a chosen-plaintext attack, Eve tricks Alice into encrypting plaintext of her (Eve’s) choice 6
correctness Correctness is a property we want from a symmetric encryption scheme wherein decrypting a ciphertext should result in the message that was originally encrypted 6
efficiency Efficiency is a property we want from a symmetric encryption scheme wherein encryption and decryption should be fast 6
security Security is a property we want from a symmetric encryption scheme which is essentially the same as confidentiality 6
ind-cpa A scheme is IND-CPA (Indistinguishability Under Chosen Plaintext Attack) secure when even if Eve can trick Alice into encrypting some messages of Eve’s choosing, given the encryption of either M0 or M1, Eve cannot distinguish which message was sent with probability greater than ½ 6
block cipher A block cipher is an encryption/decryption algorithm that encrypts a fixed-size block of bits 6
permutation A permutation, or a bijective function, is a function such that each input must correspond to exactly one unique output 6
ecb ECB (Electronic Code Book) is a mode of symmetric encryption where Ci = Enc(K, Mi) 6
iv An IV (Initialization Vector) is a random, but public, one-use value used in combination with a secret key as a means to introduce randomness into the algorithm 6
nonce A nonce, or a number used once, can be thought of like an IV, except the value has to be unique but not necessarily random 6
cbc CBC (Cipher Block Chaining) is a mode of symmetric encryption where Ci = E_K(Mi ⊕ Ci-1) and C0 = IV 6
padding Padding is adding dummy bytes at the end of the message until it is the proper length 6
ctr CTR (Counter) is a mode of symmetric encryption where Ci = E_K(IV || counter) ⊕ Mi 6
hash function A hash function takes in an arbitrary length message and outputs a fixed-length fingerprint over the input 7
preimage resistance Preimage resistance, also known as one-way-ness, is a property of a hash function where given an output, y, it is infeasible to find any input, x, such that H(x) = y 7
second preimage resistance Second preimage resistance is a property of a hash function where given an input, x, it is infeasible to find another input, x’, where x ≠ x’, such that H(x) = H(x’) 7
collision A collision is when two different inputs get hashed to the same output 7
collision resistance Collision resistance is a property of hash functions where it is infeasible to find any pair of inputs, x and x’, such that H(x) = H(x’) 7
birthday attack The birthday attack is an attack on hash functions wherein finding a collision on an n-bit output requires only 2n/2 tries on average 7
length extension attack The length extension attack is an attack on hash functions where given H(x) and the length of x, but not x, an attacker can create H(x || m) for any m of the attacker’s choosing 7
mac A MAC (Message Authentication Code) is a fixed-length, deterministic tag that is created on an arbitrary length message using a secret key 8
existentially unforgeable A secure MAC is existentially unforgeable meaning that without the key, an attacker cannot create a valid tag on a message 8
authenticated encryption Authenticated Encryption (AE) is a scheme that simultaneously guarantees confidentiality and integrity (and authenticity, depending on your threat model) on a message 8
key reuse Key reuse is using the same key in two different algorithms (e.g. AES-CBC and HMAC) 8
authenticated encryption with additional data Authenticated Encryption with Additional Data (AEAD) is an algorithm that provides both confidentiality and integrity over the plaintext and integrity over additional data 8
gcm GCM (Galois Counter Mode) is an AEAD block cipher mode of operation 8
entropy Entropy is a measure of uncertainty (i.e. a measure of how unpredictable the outcomes are) 9
prngs PRNGs (Pseudorandom Number Generators), also known as deterministic random bit generators, are algorithms that use a little but of true randomness to generate a lot of random-looking output 9
rollback resistance Rollback resistance states that if an attacker learns in the internal PRNG state, they cannot learn anything about previous states or outputs 9
stream ciphers A stream cipher is a symmetric encryption algorithm that uses pseudorandom bits as the key to a one-time pad 9
discrete log problem The discrete logarithm problem states that given ga mode p, it is computationally hard to find a 10
diffie-hellman problem The Diffie-Hellman problem states that given ga mod p and gb mod p, it is computationally difficult to find gab mod p 10
ephemeral Short-term and temporary, not permanent 10
elliptic-curve diffie-hellman Elliptic-Curve Diffie-Hellman is a variation of Diffie-Hellman that uses elliptic curves instead of modular arithmetic 10
forward secrecy Forward secrecy is a property of Diffie-Hellman wherein even if Eve records everything that was sent over the insecure channel and later steals all of Alice and Bob’s secrets, she can’t decrypt any messages that she recorded. Essentially, nothing is saved or can be recorded that can ever recover the key 10
rsa problem The RSA problem states that given n and C = Me mod N, it is computationally hard to find M 11
oaep OAEP (Optimal Asymmetric Encryption Padding) is a variation of RSA that introduces randomness 11
hybrid encryption Hybrid encryption is a scheme wherein you encrypt data under a randomly generated key, K, using symmetric encryption, and encrypt K using asymmetric encryption 11
elgamal encryption ElGamal encryption is public-key encryption where the ciphertext is (gr mod p, m × Br mod p) and the decryption is R-b × S mod p 11
active attacks An active attacker, commonly known as Attila, can send a spoofed broadcast message that appears to be from Bob, but contains something that Attilla generated, thus fooling Alice into thinking the message came from Bob 11
session key Session keys are the keys used to actually encrypt and authenticate the message 11
digital signatures Digital signatures are the asymmetric way of providing integrity/authenticity to data 12
key generation Key generation is a randomized algorithm that outputs a matching public key and private key 12
signing Signing is an algorithm that outputs a signature on the message, M, using the secret key 12
verification Verification is an algorithm that takes in the signature, message, and public key and returns true if the signature is a valid signature on the message, and false otherwise 12
Euler's totient function of n Euler's totient function of n is the number of positive integers less than n that share no common factors with n 12
trust anchor A trust anchor is someone that we implicitly trust 13
trusted directory service A trusted directory service is some organization that maintains an association between the name of each participant and their public key 13
trust-on-first-use Trust-on-first-use states that the first time you communicate, trust the public key that is used and warn the user if it changes in the future 13
certificate A certificate is a signed endorsement of someone’s public key 13
digital certificates Digital certificates are a way to represent an alleged association between a person's name and their public key, as attested by some certifying party 13
certificate authority A certificate authority (CA) is a party who issues certificates 13
rainbow tables A rainbow table is an algorithm for computing hashes that makes brute-force attacks easier 14
salt A salt is a random, public value that is designed to make brute-force attacks harder 14
Password-based key derivation function 2 A password-based key derivation function 2, or PBKDF2, is a slow hash function 14
offline attack An offline attack is when the attacker performs all of the computations themselves 14
online attack An online attack is when the attacker interacts with a service 14
snake oil security Snake oil security, also known as snake oil cryptography, is when useless security products are advertised to uninformed buyers 14
hash chain A hash chain is a linked list where each node contains the has of the previous node 16
append-only structure An append-only structure is a structure wherein changing a node causes the hashes in all future nodes to change 16
consensus Consensus is a way to reach agreement on something as a group, without placing trust in any individual 16
51% attack A 51% attack is when an attacker who controls 51% of mining power can effectively rewrite history and perform a forking attack 16
forking attack An attack where the attacker creates their own branch of the chain 16
mining pools A mining pool is a team of users mining together 16
private blockchain A private blockchain is when only blocks signed by trusted private keys are valid 16
pseudonymity Pseudonymity is when multiple actions can be linked to a single identity which is not your real identity 16
anonymity Anonymity is when actions cannot be linked to your real identity 16
proof-of-work Proof of work is when the blockchain only accepts blocks whose hashes start with a sequence of n 0s 16
sql SQL (Structured Query Language) is a language that is used to interact with and manage data that is stored in a database 17
sql injection A sequel injection (SQLi) is an attack that injects SQL into queries constructed by the server to cause malicious behavior 17
blind sql injection A blind sql injection is a SQL injection attack where little to no feedback is provided 17
escape inputs One way of defending against SQL injection is to escape any potential input that could be used in an attack. Escaping a character means that you tell SQL to treat this character as part of the string, not actual SQL syntax 17
input sanitization Input sanitization is a SQLi defense that either disallows or escapes certain special characters 17
prepared statements Prepared statements, also known as parameterized SQL, is a SQLi defense that compiles the query first, and then plugs in the user input after the query as already been interpreted by the SQL parser, ensuring there is no way for any attacker input to be treated as SQL code 17
web The World Wide Web is a collection of data and services 18
url A URL (Uniform Resource Locator) is a string that uniquely identifies one piece of data on the web 18
http HTTP (Hypertext Transfer Protocol) is a protocol used to request and retrieve data from a web server 18
html HTML is a markup language for creating structures documents 18
css CSS (Cascading Style Sheets) is a style sheet language for defining the appearance of web pages 18
javascript JavaScript is a client-side programming language for running code in the web browser 18
client-side Client side is when code is sent by the server as part of the response and runs in the browser, not on the web server 18
ftp File Transfer Protocol 18
domain The domain is a part of the URL that defines which web server to contact 18
path The path is a part of the URL that defines which file on the web server to fetch 18
get request A GET request is a request that does not change the server-side state 18
post request A POST request is a request that updates the server-side state 18
dom DOM (Document Object Model) is a cross-platform model for representing and interacting with objects in HTML 18
same-origin policy The same-origin policy (SOP) is a rule that prevents one website from tampering with other unrelated websites and is enforced by the web browser 19
origin The origin of a web page is defined by its URL and is comprised of its protocol, domain, and port 19
cookie A cookie is a piece of data used to maintain state across multiple requests 20
cookie jar The cookie jar is the browser’s cookie storage 20
domain attribute The domain attribute is a part of the cookie and usually looks like the domain in a URL 20
path attribute The path attribute is a part of the cookie and usually looks like a path of the URL 20
secure attribute The secure attribute is a part of the cookie; if True, then the browser only sends the cookie if the request is made over HTTPS, not HTTP 20
httponly attribute The httpOnly attribute is a part of the cookie; if True, then the JavaScript in the browser is not allowed to access the cookie 20
expired attribute The expired attribute is a part of the cookie and it defines when the cookie is no longer valid 20
cookie policy Cookie policy (not the same as the SOP) is a set of rules that is enforced by the browser that defines when the cookie should be accepted and when it should be attached 20
session A session is a sequence of requests and responses associated with the same authenticated user 20
session token A session token is a secret value that is used to associate requests with an authenticated user 20
csrf CSRF (Cross Site Request Forgery), also known as XSRF) is an attack that exploits cookie-based authentication to perform an action as the victim 21
csrf token A CSRF token is a secret value provided by the server to the user that has to be attached in any following requests for the server to accept the request 21
referer validation Referer validation is one way to defend against CSRF tokens by having the server check the referer header on each request and reject any requests that have untrusted or suspicious referer headers 21
same-site flag The SameSite flag is a flag on a cookie that specifies it should be sent only when the domain of the cookie exactly matches the domain of the origin 21
xss XSS (Cross Site Scripting) is an attack that subverts the same-origin policy wherein an attacker injects JavaScript into websites that are viewed by other users 22
stored xss Stored, or persisted, XSS is a type of XSS attack where the attacker’s JavaScript is stored on the legitimate server and sent to browsers 22
reflected xss Reflected XSS is a type of XSS attack where the attacker causes the victim to input JavaScript into a request, and the content is reflected in the response from the server 22
input sanitization Input sanitization is a defense against XSS by checking for malicious input that might cause JavaScript to run, such as <script> tags 22
html sanitization HTML sanitization is a defense against XSS wherein certain special characters are represented as data rather than HTML 22
csp CSP (Content Security Policy) is a defense against XSS wherein the browser is instructed to only use resources loaded from specific places 22
ui attacks A UI (User Interface) attack is one wherein the attacker tricks the victim into thinking they are taking an intended action, when they are actually taking a malicious action 23
clickjacking Clickjacking is a type of UI attack wherein the attacker tricks the victim into clicking on something from the attack 23
clickjacking temporal attack A clickjacking temporal attack is one where JavaScript can detect the position of the cursor and change the website right before the user clicks on something 23
enforce visual integrity Enforcing visual integrity is a defense against clickjacking wherein we ensure clear visual separation between important dialogues and content 23
enforce temporal integrity Enforcing temporal integrity is a defense against clickjacking wherein we ensure that there is sufficient time for a user to register what they are clicking on 23
frame-busting Frame-busting is a defense against clickjacking wherein the legitimate website forbids other websites from embedding it in an iframe 23
phishing Phishing is tricking the victim into sending the attack personal information 23
homograph attack A homograph attack creates malicious URLs that look similar (or the same) to legitimate URLs 23
browser-in-browser attack A browser-in-browser attack is one where the attacker simulates the entire web browser with JavaScript 23
2fa 2FA (2 Factor Authentication) is where the user must prove their identity in two different ways before successfully authenticating 23
relay attacks Relay attacks, or transient phishing attacks, are when the attacker steals both factors in a phishing attack 23
authentication token An authentication token is a device that generates secure second-factor codes 23
security key A security key is a second factor that is designed to defend against phishing 23
captcha A CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) is a challenge that is easy for a human to solve but hard for a computer to solve 24
network A network is a set of connected machines that can communicate with each other 25
internet The internet is a global network of computers 25
protocol A protocol is an agreement on how to communicate that specifies syntax and semantics 25
syntax Syntax is how a communication is specified and structured (i.e. that format and order of messages) 25
semantics Semantics is what a communication means (i.e. what actions have to be taken when sending and receiving messages) 25
osi model The OSI (Open Systems Interconnection) model is a layered model of internet communication 25
physical layer The physical layer is the first layer in the OSI model and it sends bits from one device to another over a physical link 25
link layer The link layer is the second layer in the OSI model and it sends frames directly from one service to another 25
lan LAN (Local Area Network) is a set of computers on a shared network that can directly address one another 25
ethernet Ethernet is a common, layer 2 protocol that most endpoint devices use 25
mac The MAC address is a 6-byte address that identifies a piece of network equipment 25
network layer The network layer is the third layer in the OSI model and it sends packets from any device to another device and it allows packets to be routed across different devices to reach the destination 25
ip IP (Internet Protocol) is the universal layer 3 protocol that all devices use to transmit data over the internet 25
ip address An IP address is an address that identifies a device on the internet 25
reliability Reliability ensures that packets are received correctly, or, if random errors occur, not at all 25
transport layer Transport layer is the fourth layer in the OSI model and it provides the transportation of variable length data from any point to any other point 25
spoofing Spoofing is lying about the identity of the sender 26
promiscuous mode Most ethernet devices can enter promiscuous mode where it will receive all packets in a process known as packet sniffing 26
arp ARP (Address Resolution Protocol) translates layer 3 IP addresses into layer 2 MAC addresses 26
race condition A race condition is when two different machines are attempting to communicate with one machine that is expecting only one response so the requester will accept whichever response arrives first 26
switches Modern wired Ethernet networks defend against ARP spoofing by using switches rather than hubs which keep track of the IP address to MAC address pairings 26
wifi WiFi is a layer 2 protocol that wirelessly connects machines in a LAN 27
access point An access point (AP) is a machine that will help you connect to the network 27
ssid The SSID (Service Set Identifier) is the name of the WiFi network 27
wpa2 WPA2 (WiFi Protected Access 2) is a protocol for securing WiFi network communications with cryptography 27
psk A PSK (Pre-Shared Key) is a key that is derived by applying a password-based key derivation function on the SSID and password 27
wpa2-enterprise WPA2-Enterprise gives authorized users a unique username and password by having the client connect to a secure authentication server and provides its identity to that server by providing a username and password 27
dhcp DHCP (Dynamic Host Configuration Protocol) gives the user a configuration when they first join the network 28
nat NAT (Network Address Translation) allows multiple computers on a local network to share an IP address 28
subnet A subnet is a group of addresses with a common prefix 29
autonomous systems An autonomous system (AS) is comprised of one or more LANs and is uniquely identified by its ASN (autonomous system number) 29
bgp BGP (Border Gateway Protocol) is the protocol for communicating between different Autonomous Systems 29
ip spoofing IP spoofing is when malicious clients can send IP packets with source IP values set to a spoofed value 29
bgp hijacking BGP hijacking is where malicious autonomous systems can lie and claim themselves to be responsible for a network which it isn’t 29
port Ports help us distinguish between different applications on the same server 30
tcp TCP (Transmission Control Protocol) is a protocol that is built on top of IP that provides a byte stream abstraction, ordering, and reliability 30
initial sequence numbers Initial Sequence Numbers (ISNs) are different, random numbers for every connection that the client and server both agree upon 30
tcp hijacking TCP hijacking is an attack on TCP where an attacker tampers with an existing session to modify or inject data into a connection 30
data injection Data injection is a type of TCP hijacking attack where the attacker spoofs packets to inject malicious data into a connection 30
rst injection RST injection is a type of TCP hijacking attack where the attacker spoofs an RST packet to forcibly terminate a connection 30
tcp spoofing TCP spoofing is an attack on TCP where the attacker spoofs the TCP connection to appear to come from another source IP address 30
udp UDP (User Datagram Protocol) is a protocol that is built on top of IP that does not have reliability or ordering guarantees, but adds ports 30
tls TLS (Transport Layer Security) is a protocol that is built on top of TCP for creating a secure communications channel over the Internet 31
ssl SSL (Secure Sockets Layer) is the old, deprecated version of TLS 31
end-to-end security End to end security is a property that is provided by TLS wherein secure communications exist between the two endpoints with no need to trust intermediaries 31
https HTTPS is the HTTP protocol run over TLS 31
ssl stripping SSL stripping forces a user to use unencrypted HTTP instead of HTTPS 31
certificate pinning Certificate pinning is when the browser restricts which CAs are allowed to issue a certificate for each website 31
certificate transparency Certificate transparency are public logs provided by CAs 31
replay attack A replay attack involves an attacker recording old messages and sending them to the server 31
dns DNS (Domain Name System) is an internet protocol for translating human-readable domain names to IP addresses 32
name server A name server is a server on the Internet that is responsible for answering DNS requests 32
stub resolver A stub resolver is the resolver on your computer that only contacts the recursive resolver and receives the answer 32
recursive resolver A recursive resolver is the resolver that makes the actual DNS queries 32
resource records Resource Records (RR) is a name-value pair which is a part of the DNS payload and contains answer and name server type records 32
id number The ID number is 16 bits and is part of the DNS payload and is used to associate queries with responses 32
counts Counts store the number of records of each type in the DNS payload 32
cache poisoning attack A cache poisoning attack is an attack that returns a malicious record to the client 32
bailiwick checking Bailiwick checking is a DNS defense where the resolver only accepts records if they are in the name server’s zone 32
kaminsky attack The Kaminsky Attack queries non-existent domains and puts the poisoned record in the additional section (which will still be cached), and lets the off-path attacker try repeatedly until succeeding 32
channel security Channel security is securing the communication channel between two end hosts 33
object security Object security is securing a piece of data (in transit or in storage) 33
downgrade attack A downgrade attack is an attack wherein the attacker blocks the TLS connection, forcing the browser to fall back on ordinary DNS 33
dnssec DNSSEC (DNS Security Extensions) is an extension of the DNS protocols that ensures integrity on the results 33
edns0 EDNS0 (Extension Mechanisms for DNS) is a protocol that adds the OPT pseudosection 33
rrset RRSET (Resource Record Set) is a group of DNS records with the same name and type form 33
ksk KSK (Key Signing Key) is used to sign only the zone-signing key 33
zsk ZSK (Zone Signing Key) is aused to sign all other records 33
domain enumeration Domain enumeration makes it easy for an attacker to find every single subdomain of a domain 33
dos DoS (Denial of Service) is an attack that disrupts a network service, making the service unavailable for legitimate users 34
resource exhaustion Resource exhaustion is wherein the attacker consumes all the limited resources so legitimate users can’t use them 34
amplification Amplification exploits asymmetry between the attacker and the victim so that the attacker spends few resources but the victim has to spend a lot of resources, thus making DoS attacks easier for the attacker 34
bottleneck A bottleneck is the part of the system with the least resources 34
application-level dos Application level DoS targets the high-level application running on the end host by overwhelming the processing capacity of the service 34
content delivery network Content delivery network is a service that allocates a huge amount of resources for you 34
algorithmic complexity attack Algorithmic complexity attack is an attack that supplies inputs that trigger worst-case complexity of algorithms and data structures 34
network-level dos Network-level DoS targets network level protocols to affect the victim’s internet access to affect the victim’s Internet access 34
dns amplification attack DNS amplification attack is an attack that sends small spoofed requests to overwhelm the victim with large responses 34
packet filter Packet filters discard any packets that are a part of the DoS attack 34
ddos DDoS (Distributed Denial of Service) attacks are a type of DoS attack where the attacker uses multiple systems to overwhelm the target system 34
botnet A botnet is a collection of compromised computers controlled by the attacker 34
firewall A firewall is used to enforce a specific kind of access control policy, one where insider users are permitted to connect to any network service desired, whereas external users are restricted 35
default-allow A default-allow, or blacklist, policy is one wherein by default, every network service is permitted unless it has been specifically listed as denied 35
default-deny A default-deny, or whitelist, policy is one wherein by default, every network service is denied to external users, unless it has been specifically listed as allowed 35
fails-open A default-allow policy fails-open meaning that if any mistake is made, the result is likely to be some form of an expensive security failure 35
fails-closed A default-deny policy fails closed meaning that if any mistake is made, then the result is the loss of functionality or availability, but not a security breach 35
stateful packet filter A stateful packet filter is a router than checks each packet against the provided access control policy 35
stateless packet filters Stateless packet filters tend to operate on the network level and generally only look at TCP, UDP, and IP headers 35
path traversal attack A path traversal attack is an attack wherein unauthorized files are accessed on a remote server by exploiting Unix file path semantics 36
nids NIDS (Network Intrusion Detection Systems) is a detector installed on the network, between the local network and the rest of the Internet 36
evasion attack An evasion attack exploits inconsistencies and ambiguities to provide malicious inputs that are not detected by the NIDS 36
hids HIDS (Host Based Intrusion Detection System) is a detector installed on each end system 36
logging logging is a process wherein you analyze log files generated by end systems 36
false positive A false positive is when the detector alerts when there is no attack 36
false negative A false negative is when the detector fails to alert when there is an attack 36
false positive rate False positive rate (FPR) is the probability the detector alerts, given there is no attack 36
false negative rate False negative rate (FNR) is the probability the detector does not alert, given there is an attack 36
signature-based detection ‘Signature-based detection flags any activity that matches the structure of a known attack" 36
blacklisting Signature based detection is blacklisting wherein you keep a list of patterns that are not allowed, and alert if we see something on the list 36
specification-based detection Specification based detection specifies allowed behavior and flags any behavior that isn’t allowed behavior 36
whitelisting Specification-based detection is whitelisting, which keeps a list of allowed patterns, and alerts if we see something that is not on the list 36
anomaly-based detection Anomaly based detection develops a model of what normal activity looks like and alerts on any activity that deviates from normal activity 36
vulnerability scanning Vulnerability scanning uses a tool that proves your own system with a wide range of attacks (and fixes any successful attacks) 36
honeypot Honeypot is a sacrificial system with no real purpose 36
forensics Forensics is analyzing what happens after a successful attack 36
ips Intrusion Prevention System (IPS) is an intrusion detection system that also blocks attacks 36
malware Malware (also known as malcode or malicious software) is an attacker code running on victim computers 38
self-replicating code Self-replicating code is a code snippet that outputs a copy of itself 38
virus A virus is code that requires user action to propagate 38
worm A worm is code that does not require user action to propagate 38
polymorphic code Polymorphic code is code such that each time the virus propagates, it inserts an encrypted copy of the code 38
metamorphic code Metamorphic code is code such that each time the virus propagates, it generates a semantically different version of the code 38
morris worm The Morris Worm is considered the first internet worm and exploits multiple buffer overflows to guess common passwords to exploit common user accounts across different machines 38
rootkit A rootkit is malcode in the operating system that hides its presence 38
proxy A proxy is a third party that relays our Internet traffic 39
collusion Collusion is when multiple proxies work together and share information 39
tor Tor is a network that uses onion routing to enable anonymous communications 39
tor hidden services Tor hidden services are websites that are only accessible through the Tor network 39
dark markets Dark markets are marketplaces for buying and selling illegal goods 39
cybercrime forums Cybercrime forums are websites for discussing illegal activity 39