# 1/4

- Tailgating -> attacker following a legitimate employee with proper credentials through the door
- ARP poisoning -> redirecting an IP to an attacker's own MAC address. ARP maps IP addresses to their respective MAC addresses
- 6 step incident response process:
  1) Prepare -> runbooks/playbooks
  2) Detection -> IPS/IDS finds it
  3) Containment -> sandbox machine/disconnect from malware
  4) Eradicate -> AV removal of malware
  5) Reconstruction -> restore to as close to original state as possible
  6) Lessons learned
- backdoor -> a mechanism for gaining access to a system bypassing normal methods of authentication. Once in place, the original access point can be patched and the attacker can still get in, as they placed their own method of accessing the system
- telnet -> port 23 -> not as secure as port 22
- bollard -> physical security measure, for blocking vehicles for instance
- bind shell -> victim shell binds itself to a network port and the attacker connects to it. The key difference between a bind shell and a reverse shell is who is listening for the connection: with a bind shell the attacker connects to the victim; with a reverse shell the attacker is waiting for the connection and the victim connects out on a specific port
- buffer overflow -> execution of arbitrary code from an attacker that sent more information than expected; may allow execution of more code, thus bypassing security mechanisms
- TOTP -> time based one time password -> small device generates a password code
- RAT -> malware that can control a computer using desktop sharing and other administrative functions
- Hardware security module -> high end cryptographic hardware that securely stores keys and certificates, used for multiple devices; a TPM secures the certificates and keys for just one device
- PCI DSS -> maintains standards required to maintain payment information and compliance - **Payment Card Industry Data Security Standard**
- PenTest -> best way to discover if a system has vulnerabilities
- DLP -> an alert saying credit card info is being transmitted (credit card info is just an example)
- Rogue access point -> when connecting to a wireless access point, users receive an IP that is not part of the normal company domain
- CASB - Cloud Access Security Broker -> provides ongoing visibility, data security, and control of cloud applications
- OCSP -> allows clients to check the status of a certificate

# 2/4

- snapshot -> helpful for backing up a virtual environment. Captures a full backup and incremental changes as well
- AAA -> authentication, authorization, accounting. Security concept where a centralized entity can manage these, and associated permissions can be applied
- air gap -> PHYSICALLY separates a network from all other networks
- autopsy -> open source digital forensics program
- duplicate MAC addresses in the ARP cache -> ARP poisoning
- ISO 27701 -> protecting PII, PIMS (Privacy Information Management Systems)
- Full Disk Encryption -> FDE
- switch log -> could be used to confirm a rogue access point
- active footprinting -> could be scanning the actual network ports to see what's open; actually interacting with the host/network/target
- passive footprinting -> information available to the public
- rainbow tables -> prebuilt table of hashes for password cracking
- SOAR -> Security Orchestration, Automation, and Response -> automates processes and integrates 3rd party security tools
- TPM -> Trusted Platform Module -> sits on the motherboard and helps with security procedures. Holds certificates etc.
- HSM -> actual piece of hardware, can cover a lot more devices and services

# 3/4

- network based firewall -> filters traffic by port numbers or applications
  - operates at the network level to control and monitor incoming and outgoing network traffic
- bluesnarfing -> attack on a bluetooth-enabled device that transfers data
  - exploits security flaws in the bluetooth protocol to gain access to data on the phone
- stateless firewall -> **does not** keep track of traffic flows
  - (packet filter firewall). Examines each packet and does not consider the context or state of the network connection
- stateful firewall -> remembers the state of the session
  - analyzes complete network traffic and maintains connection state info
- WAF firewall -> conversions between http and https
  - protects web applications and websites from attacks
  - operates at the application layer of the network stack
- Organized Crime -> attack actor most likely to attack systems for direct financial gain
  - motivated by money. Usually focused on objectives that can be sold for financial gain
- jump server -> aka bastion host. Server that acts as an intermediary or gateway for accessing and managing other servers or network devices
- raid 1 -> parity, can operate with 1 failure
- watering hole -> several types of people together and one type of attack. Infects a 3rd party visited by victims. An industry convention is the perfect location to attack security professionals
- bluejacking -> sending unsolicited messages via bluetooth. Exploits bluetooth functionality
- SRTP -> secure voice and video -> **Secure Real-Time Transport Protocol**