| security | Enforcing a desired property in the presence of an attacker | 1 |
| threat model | A thread model is a model of who your attacker is and what resources they have | 1 |
| tcb | TCB (Trusted Computing Base) are the components of a system that security relies upon | 1 |
| kiss principle | Keep It Simple, Stupid | 1 |
| deterrence | Deterrence refers to stopping the attack before it happens | 1 |
| prevention | Prevention refers to stopping the attack as it happens | 1 |
| detection | Detection refers to learning that there was an attack after the attack has taken place | 1 |
| response | Response refers to doing something about the attack after the attack has taken place | 1 |
| securities is economics | Securities is economics is a security principle that says that defenses are not free and are often less than the sum of their parts | 1 |
| least privilege | Least Privilege is a security principle wherein one should consider what permissions an entity or program needs to be able to do its job correctly and only grant privileges that are needed for correct functioning and nothing more | 1 |
| separation of responsibility | Separation of responsibility is a security principle wherein if you need to have a privilege, consider requiring multiple parties to work together (collude) to exercise it | 1 |
| ensure complete mediation | Ensure complete mediation is a security principle wherein you ensure that every access point is monitored and protected | 1 |
| reference monitor | A reference monitor is a single point through which all access must occur, like a network firewall, for example | 1 |
| shannon’s maxim | Shannon’s Maxim is a security principle wherein the enemy knows the system, meaning that you should assume that the attacker knows every detail about the system you are working with | 1 |
| know your threat model | Knowing your threat model is a security principle wherein you should understand your attacker, their resources, and their motivation | 1 |
| consider human factors | Consider human factors is a security principle wherein if your system is unusable, it will be unused | 1 |
| defense in depth | Defense in depth is a security principle wherein you should layer multiple types of defenses | 1 |
| use fail-safe defaults | Use fail-safe defaults is a security principle that states you should construct systems that fail in a safe state, balancing security and usability | 1 |
| design in security from the start | Design in security from the start is a security principle wherein you should consider all security principles when designing a new system, rather than patching it afterwards | 1 |
| bit | A bit is a binary digit, either 0 or 1 | 2 |
| nibble | A nibble is 4 bits | 2 |
| byte | A byte is 8 bits | 2 |
| compiler | A compiler converts C code into assembly code | 2 |
| assembler | An assembler converts assembly code into machine code (raw bits) | 2 |
| linker | A linker deals with dependencies and libraries | 2 |
| loader | A loader sets up memory space and runs the machine code | 2 |
| heap | The heap is a section of memory that stores dynamically allocated memory and grows upwards | 2 |
| stack | The stack is a section of memory that stores local variables and stack frames and grows downwards | 2 |
| esp | The ESP is the stack pointer in x86 and points to the bottom of the current stack frame, similar to the sp in RISC-V | 2 |
| ebp | The EBP is the base pointer in x86 and points to the top of the current stack frame, similar to the fp in RISC-V | 2 |
| eip | The EIP is the instruction pointer in x86 and points to the current instruction, similar to the PC in RISC-V | 2 |
| rip | The RIP (return instruction pointer) is the old EIP and is saved on the stack when calling a function | 2 |
| sfp | The SFP (saved frame pointer) is the old EBP and is saved on the stack when calling a function | 2 |
| callee-saved | Registers are callee-saved when the called function (the callee) must not change the value of the register when it returns | 2 |
| caller-saved | Registers are caller-saved when the called function (the callee) may overwrite the register without saving or restoring it | 2 |
| shellcode | Shellcode is malicious code inserted by the attacker into memory, to be executed using a memory safety exploit | 3 |
| buffer overflow | A buffer overflow is a memory safety vulnerability wherein an attacker overwritten unintended parts of memory | 3 |
| stack smashing | Stack smashing is a type of buffer overflow attack wherein the attacker overwrites saved registers on the stack | 3 |
| integer memory-safety vulnerabilities | Integer memory-safety vulnerabilities occur when an attacker exploits how integers are represented in C memory | 3 |
| format string vulnerabilities | Format string vulnerabilities occur when an attacker exploits the arguments to printf | 3 |
| heap vulnerabilities | Heap vulnerabilities occur when an occur exploits the heap layout | 3 |
| memory-safe languages | Memory safe languages are design to check bounds and prevent undefined memory-accesses and, are therefore not vulnerable to memory safety vulnerabilities | 4 |
| defensive programming | Defensive programming is a technique of writing memory safe code wherein you always add checks in you code just in case | 4 |
| exploit mitigations | Exploit mitigations, also known as code hardening, are compiler and runtime defenses that make common exploits harder | 4 |
| non-executable pages | Non-executable pages is a defense against memory safety vulnerabilities wherein portions of memory are either executable or writable but not both | 4 |
| return-to-libc | Return to libc is an exploit technique that overwrites the RIP to jump to a function in the standard C library (libc) or a common operating system function | 4 |
| rop | ROP (Return Oriented Programming) consists of constructing custom shellcode using pieces of code that already exist in memory | 4 |
| gadget | A gadget is a small set of assembly instructions that already exist in memory | 4 |
| stack canary | A stack canary is a defense against memory safety vulnerabilities wherein a random, secret value is added to the stack and is later checked to see if it has been changed | 4 |
| pointer authentication | Pointer authentication is a defense against memory safety vulnerabilities wherein instead of storing a pointer in memory, the unused bits are replaced with a pointer authentication code (PAC) | 4 |
| pac | A PAC (Pointer Authentication Code) is a random value that replaces the unused bits when storing a pointer in memory | 4 |
| aslr | ASLR (Address Space Layout Randomization) is a defense against memory safety vulnerabilities wherein each segment of memory is placed in a different location each time the program is run | 4 |
| cryptography | Cryptography is the study of secure communication over insecure channels | 5 |
| eavesdropper | An eavesdropper, commonly known as Eve, can read any data sent over the channel | 5 |
| manipulator | A manipulator, commonly known as Mallory, can read and modify any data sent over the channel | 5 |
| confidentiality | Confidentiality is a goal of cryptography wherein the adversary cannot read our messages. Essentially, the ciphertext should not give the attacker any additional information about the plaintext | 5 |
| integrity | Integrity is a goal of cryptography wherein the adversary cannot change any messages without being detected | 5 |
| authenticity | Authenticity is a goal of cryptography wherein one can prove that a message came from the person who claims to have written it | 5 |
| key | They key is the most basic building block of cryptography and can be used in algorithms to secure messages | 5 |
| symmetric key model | In a symmetric key model, both Alice and Bob know the value of the secret key | 5 |
| asymmetric key model | In an asymmetric key model, everybody has two keys, a secret key and a public key | 5 |
| kerckhoff’s principle | Kerckhoff’s Principle is a security principle that is closely related to Shannon’s Maxim that states that cryptosystems should remain secure even when the attacker knows all the internal details of the system, except the key | 5 |
| plaintext | Plaintext is the original message | 5 |
| ciphertext | Ciphertext is the encrypted message | 5 |
| encrypt | Encrypting a message uses the key to change the message from its original form into a scrambled form | 5 |
| decrypt | Decrypting a message uses the key to change the message from its scrambled form back to its original form | 5 |
| caesar cipher | The Caesar cipher encrypts the plaintext by replacing each letter with the letter K positions later in the alphabet | 5 |
| traffic analysis | Traffic analysis is analyzing who is talking to whom and when | 5 |
| side channels | Side channels are when information about the plaintext is revealed as a result of the implementation of the scheme, not the scheme itself | 5 |
| chosen-plaintext attack | In a chosen-plaintext attack, Eve tricks Alice into encrypting plaintext of her (Eve’s) choice | 6 |
| correctness | Correctness is a property we want from a symmetric encryption scheme wherein decrypting a ciphertext should result in the message that was originally encrypted | 6 |
| efficiency | Efficiency is a property we want from a symmetric encryption scheme wherein encryption and decryption should be fast | 6 |
| security | Security is a property we want from a symmetric encryption scheme which is essentially the same as confidentiality | 6 |
| ind-cpa | A scheme is IND-CPA (Indistinguishability Under Chosen Plaintext Attack) secure when even if Eve can trick Alice into encrypting some messages of Eve’s choosing, given the encryption of either M0 or M1, Eve cannot distinguish which message was sent with probability greater than ½ | 6 |
| block cipher | A block cipher is an encryption/decryption algorithm that encrypts a fixed-size block of bits | 6 |
| permutation | A permutation, or a bijective function, is a function such that each input must correspond to exactly one unique output | 6 |
| ecb | ECB (Electronic Code Book) is a mode of symmetric encryption where Ci = Enc(K, Mi) | 6 |
| iv | An IV (Initialization Vector) is a random, but public, one-use value used in combination with a secret key as a means to introduce randomness into the algorithm | 6 |
| nonce | A nonce, or a number used once, can be thought of like an IV, except the value has to be unique but not necessarily random | 6 |
| cbc | CBC (Cipher Block Chaining) is a mode of symmetric encryption where Ci = E_K(Mi ⊕ Ci-1) and C0 = IV | 6 |
| padding | Padding is adding dummy bytes at the end of the message until it is the proper length | 6 |
| ctr | CTR (Counter) is a mode of symmetric encryption where Ci = E_K(IV || counter) ⊕ Mi | 6 |
| hash function | A hash function takes in an arbitrary length message and outputs a fixed-length fingerprint over the input | 7 |
| preimage resistance | Preimage resistance, also known as one-way-ness, is a property of a hash function where given an output, y, it is infeasible to find any input, x, such that H(x) = y | 7 |
| second preimage resistance | Second preimage resistance is a property of a hash function where given an input, x, it is infeasible to find another input, x’, where x ≠ x’, such that H(x) = H(x’) | 7 |
| collision | A collision is when two different inputs get hashed to the same output | 7 |
| collision resistance | Collision resistance is a property of hash functions where it is infeasible to find any pair of inputs, x and x’, such that H(x) = H(x’) | 7 |
| birthday attack | The birthday attack is an attack on hash functions wherein finding a collision on an n-bit output requires only 2n/2 tries on average | 7 |
| length extension attack | The length extension attack is an attack on hash functions where given H(x) and the length of x, but not x, an attacker can create H(x || m) for any m of the attacker’s choosing | 7 |
| mac | A MAC (Message Authentication Code) is a fixed-length, deterministic tag that is created on an arbitrary length message using a secret key | 8 |
| existentially unforgeable | A secure MAC is existentially unforgeable meaning that without the key, an attacker cannot create a valid tag on a message | 8 |
| authenticated encryption | Authenticated Encryption (AE) is a scheme that simultaneously guarantees confidentiality and integrity (and authenticity, depending on your threat model) on a message | 8 |
| key reuse | Key reuse is using the same key in two different algorithms (e.g. AES-CBC and HMAC) | 8 |
| authenticated encryption with additional data | Authenticated Encryption with Additional Data (AEAD) is an algorithm that provides both confidentiality and integrity over the plaintext and integrity over additional data | 8 |
| gcm | GCM (Galois Counter Mode) is an AEAD block cipher mode of operation | 8 |
| entropy | Entropy is a measure of uncertainty (i.e. a measure of how unpredictable the outcomes are) | 9 |
| prngs | PRNGs (Pseudorandom Number Generators), also known as deterministic random bit generators, are algorithms that use a little but of true randomness to generate a lot of random-looking output | 9 |
| rollback resistance | Rollback resistance states that if an attacker learns in the internal PRNG state, they cannot learn anything about previous states or outputs | 9 |
| stream ciphers | A stream cipher is a symmetric encryption algorithm that uses pseudorandom bits as the key to a one-time pad | 9 |
| discrete log problem | The discrete logarithm problem states that given ga mode p, it is computationally hard to find a | 10 |
| diffie-hellman problem | The Diffie-Hellman problem states that given ga mod p and gb mod p, it is computationally difficult to find gab mod p | 10 |
| ephemeral | Short-term and temporary, not permanent | 10 |
| elliptic-curve diffie-hellman | Elliptic-Curve Diffie-Hellman is a variation of Diffie-Hellman that uses elliptic curves instead of modular arithmetic | 10 |
| forward secrecy | Forward secrecy is a property of Diffie-Hellman wherein even if Eve records everything that was sent over the insecure channel and later steals all of Alice and Bob’s secrets, she can’t decrypt any messages that she recorded. Essentially, nothing is saved or can be recorded that can ever recover the key | 10 |
| rsa problem | The RSA problem states that given n and C = Me mod N, it is computationally hard to find M | 11 |
| oaep | OAEP (Optimal Asymmetric Encryption Padding) is a variation of RSA that introduces randomness | 11 |
| hybrid encryption | Hybrid encryption is a scheme wherein you encrypt data under a randomly generated key, K, using symmetric encryption, and encrypt K using asymmetric encryption | 11 |
| elgamal encryption | ElGamal encryption is public-key encryption where the ciphertext is (gr mod p, m × Br mod p) and the decryption is R-b × S mod p | 11 |
| active attacks | An active attacker, commonly known as Attila, can send a spoofed broadcast message that appears to be from Bob, but contains something that Attilla generated, thus fooling Alice into thinking the message came from Bob | 11 |
| session key | Session keys are the keys used to actually encrypt and authenticate the message | 11 |
| digital signatures | Digital signatures are the asymmetric way of providing integrity/authenticity to data | 12 |
| key generation | Key generation is a randomized algorithm that outputs a matching public key and private key | 12 |
| signing | Signing is an algorithm that outputs a signature on the message, M, using the secret key | 12 |
| verification | Verification is an algorithm that takes in the signature, message, and public key and returns true if the signature is a valid signature on the message, and false otherwise | 12 |
| Euler's totient function of n | Euler's totient function of n is the number of positive integers less than n that share no common factors with n | 12 |
| trust anchor | A trust anchor is someone that we implicitly trust | 13 |
| trusted directory service | A trusted directory service is some organization that maintains an association between the name of each participant and their public key | 13 |
| trust-on-first-use | Trust-on-first-use states that the first time you communicate, trust the public key that is used and warn the user if it changes in the future | 13 |
| certificate | A certificate is a signed endorsement of someone’s public key | 13 |
| digital certificates | Digital certificates are a way to represent an alleged association between a person's name and their public key, as attested by some certifying party | 13 |
| certificate authority | A certificate authority (CA) is a party who issues certificates | 13 |
| rainbow tables | A rainbow table is an algorithm for computing hashes that makes brute-force attacks easier | 14 |
| salt | A salt is a random, public value that is designed to make brute-force attacks harder | 14 |
| Password-based key derivation function 2 | A password-based key derivation function 2, or PBKDF2, is a slow hash function | 14 |
| offline attack | An offline attack is when the attacker performs all of the computations themselves | 14 |
| online attack | An online attack is when the attacker interacts with a service | 14 |
| snake oil security | Snake oil security, also known as snake oil cryptography, is when useless security products are advertised to uninformed buyers | 14 |
| hash chain | A hash chain is a linked list where each node contains the has of the previous node | 16 |
| append-only structure | An append-only structure is a structure wherein changing a node causes the hashes in all future nodes to change | 16 |
| consensus | Consensus is a way to reach agreement on something as a group, without placing trust in any individual | 16 |
| 51% attack | A 51% attack is when an attacker who controls 51% of mining power can effectively rewrite history and perform a forking attack | 16 |
| forking attack | An attack where the attacker creates their own branch of the chain | 16 |
| mining pools | A mining pool is a team of users mining together | 16 |
| private blockchain | A private blockchain is when only blocks signed by trusted private keys are valid | 16 |
| pseudonymity | Pseudonymity is when multiple actions can be linked to a single identity which is not your real identity | 16 |
| anonymity | Anonymity is when actions cannot be linked to your real identity | 16 |
| proof-of-work | Proof of work is when the blockchain only accepts blocks whose hashes start with a sequence of n 0s | 16 |
| sql | SQL (Structured Query Language) is a language that is used to interact with and manage data that is stored in a database | 17 |
| sql injection | A sequel injection (SQLi) is an attack that injects SQL into queries constructed by the server to cause malicious behavior | 17 |
| blind sql injection | A blind sql injection is a SQL injection attack where little to no feedback is provided | 17 |
| escape inputs | One way of defending against SQL injection is to escape any potential input that could be used in an attack. Escaping a character means that you tell SQL to treat this character as part of the string, not actual SQL syntax | 17 |
| input sanitization | Input sanitization is a SQLi defense that either disallows or escapes certain special characters | 17 |
| prepared statements | Prepared statements, also known as parameterized SQL, is a SQLi defense that compiles the query first, and then plugs in the user input after the query as already been interpreted by the SQL parser, ensuring there is no way for any attacker input to be treated as SQL code | 17 |
| web | The World Wide Web is a collection of data and services | 18 |
| url | A URL (Uniform Resource Locator) is a string that uniquely identifies one piece of data on the web | 18 |
| http | HTTP (Hypertext Transfer Protocol) is a protocol used to request and retrieve data from a web server | 18 |
| html | HTML is a markup language for creating structures documents | 18 |
| css | CSS (Cascading Style Sheets) is a style sheet language for defining the appearance of web pages | 18 |
| javascript | JavaScript is a client-side programming language for running code in the web browser | 18 |
| client-side | Client side is when code is sent by the server as part of the response and runs in the browser, not on the web server | 18 |
| ftp | File Transfer Protocol | 18 |
| domain | The domain is a part of the URL that defines which web server to contact | 18 |
| path | The path is a part of the URL that defines which file on the web server to fetch | 18 |
| get request | A GET request is a request that does not change the server-side state | 18 |
| post request | A POST request is a request that updates the server-side state | 18 |
| dom | DOM (Document Object Model) is a cross-platform model for representing and interacting with objects in HTML | 18 |
| same-origin policy | The same-origin policy (SOP) is a rule that prevents one website from tampering with other unrelated websites and is enforced by the web browser | 19 |
| origin | The origin of a web page is defined by its URL and is comprised of its protocol, domain, and port | 19 |
| cookie | A cookie is a piece of data used to maintain state across multiple requests | 20 |
| cookie jar | The cookie jar is the browser’s cookie storage | 20 |
| domain attribute | The domain attribute is a part of the cookie and usually looks like the domain in a URL | 20 |
| path attribute | The path attribute is a part of the cookie and usually looks like a path of the URL | 20 |
| secure attribute | The secure attribute is a part of the cookie; if True, then the browser only sends the cookie if the request is made over HTTPS, not HTTP | 20 |
| httponly attribute | The httpOnly attribute is a part of the cookie; if True, then the JavaScript in the browser is not allowed to access the cookie | 20 |
| expired attribute | The expired attribute is a part of the cookie and it defines when the cookie is no longer valid | 20 |
| cookie policy | Cookie policy (not the same as the SOP) is a set of rules that is enforced by the browser that defines when the cookie should be accepted and when it should be attached | 20 |
| session | A session is a sequence of requests and responses associated with the same authenticated user | 20 |
| session token | A session token is a secret value that is used to associate requests with an authenticated user | 20 |
| csrf | CSRF (Cross Site Request Forgery), also known as XSRF) is an attack that exploits cookie-based authentication to perform an action as the victim | 21 |
| csrf token | A CSRF token is a secret value provided by the server to the user that has to be attached in any following requests for the server to accept the request | 21 |
| referer validation | Referer validation is one way to defend against CSRF tokens by having the server check the referer header on each request and reject any requests that have untrusted or suspicious referer headers | 21 |
| same-site flag | The SameSite flag is a flag on a cookie that specifies it should be sent only when the domain of the cookie exactly matches the domain of the origin | 21 |
| xss | XSS (Cross Site Scripting) is an attack that subverts the same-origin policy wherein an attacker injects JavaScript into websites that are viewed by other users | 22 |
| stored xss | Stored, or persisted, XSS is a type of XSS attack where the attacker’s JavaScript is stored on the legitimate server and sent to browsers | 22 |
| reflected xss | Reflected XSS is a type of XSS attack where the attacker causes the victim to input JavaScript into a request, and the content is reflected in the response from the server | 22 |
| input sanitization | Input sanitization is a defense against XSS by checking for malicious input that might cause JavaScript to run, such as <script> tags | 22 |
| html sanitization | HTML sanitization is a defense against XSS wherein certain special characters are represented as data rather than HTML | 22 |
| csp | CSP (Content Security Policy) is a defense against XSS wherein the browser is instructed to only use resources loaded from specific places | 22 |
| ui attacks | A UI (User Interface) attack is one wherein the attacker tricks the victim into thinking they are taking an intended action, when they are actually taking a malicious action | 23 |
| clickjacking | Clickjacking is a type of UI attack wherein the attacker tricks the victim into clicking on something from the attack | 23 |
| clickjacking temporal attack | A clickjacking temporal attack is one where JavaScript can detect the position of the cursor and change the website right before the user clicks on something | 23 |
| enforce visual integrity | Enforcing visual integrity is a defense against clickjacking wherein we ensure clear visual separation between important dialogues and content | 23 |
| enforce temporal integrity | Enforcing temporal integrity is a defense against clickjacking wherein we ensure that there is sufficient time for a user to register what they are clicking on | 23 |
| frame-busting | Frame-busting is a defense against clickjacking wherein the legitimate website forbids other websites from embedding it in an iframe | 23 |
| phishing | Phishing is tricking the victim into sending the attack personal information | 23 |
| homograph attack | A homograph attack creates malicious URLs that look similar (or the same) to legitimate URLs | 23 |
| browser-in-browser attack | A browser-in-browser attack is one where the attacker simulates the entire web browser with JavaScript | 23 |
| 2fa | 2FA (2 Factor Authentication) is where the user must prove their identity in two different ways before successfully authenticating | 23 |
| relay attacks | Relay attacks, or transient phishing attacks, are when the attacker steals both factors in a phishing attack | 23 |
| authentication token | An authentication token is a device that generates secure second-factor codes | 23 |
| security key | A security key is a second factor that is designed to defend against phishing | 23 |
| captcha | A CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) is a challenge that is easy for a human to solve but hard for a computer to solve | 24 |
| network | A network is a set of connected machines that can communicate with each other | 25 |
| internet | The internet is a global network of computers | 25 |
| protocol | A protocol is an agreement on how to communicate that specifies syntax and semantics | 25 |
| syntax | Syntax is how a communication is specified and structured (i.e. that format and order of messages) | 25 |
| semantics | Semantics is what a communication means (i.e. what actions have to be taken when sending and receiving messages) | 25 |
| osi model | The OSI (Open Systems Interconnection) model is a layered model of internet communication | 25 |
| physical layer | The physical layer is the first layer in the OSI model and it sends bits from one device to another over a physical link | 25 |
| link layer | The link layer is the second layer in the OSI model and it sends frames directly from one service to another | 25 |
| lan | LAN (Local Area Network) is a set of computers on a shared network that can directly address one another | 25 |
| ethernet | Ethernet is a common, layer 2 protocol that most endpoint devices use | 25 |
| mac | The MAC address is a 6-byte address that identifies a piece of network equipment | 25 |
| network layer | The network layer is the third layer in the OSI model and it sends packets from any device to another device and it allows packets to be routed across different devices to reach the destination | 25 |
| ip | IP (Internet Protocol) is the universal layer 3 protocol that all devices use to transmit data over the internet | 25 |
| ip address | An IP address is an address that identifies a device on the internet | 25 |
| reliability | Reliability ensures that packets are received correctly, or, if random errors occur, not at all | 25 |
| transport layer | Transport layer is the fourth layer in the OSI model and it provides the transportation of variable length data from any point to any other point | 25 |
| spoofing | Spoofing is lying about the identity of the sender | 26 |
| promiscuous mode | Most ethernet devices can enter promiscuous mode where it will receive all packets in a process known as packet sniffing | 26 |
| arp | ARP (Address Resolution Protocol) translates layer 3 IP addresses into layer 2 MAC addresses | 26 |
| race condition | A race condition is when two different machines are attempting to communicate with one machine that is expecting only one response so the requester will accept whichever response arrives first | 26 |
| switches | Modern wired Ethernet networks defend against ARP spoofing by using switches rather than hubs which keep track of the IP address to MAC address pairings | 26 |
| wifi | WiFi is a layer 2 protocol that wirelessly connects machines in a LAN | 27 |
| access point | An access point (AP) is a machine that will help you connect to the network | 27 |
| ssid | The SSID (Service Set Identifier) is the name of the WiFi network | 27 |
| wpa2 | WPA2 (WiFi Protected Access 2) is a protocol for securing WiFi network communications with cryptography | 27 |
| psk | A PSK (Pre-Shared Key) is a key that is derived by applying a password-based key derivation function on the SSID and password | 27 |
| wpa2-enterprise | WPA2-Enterprise gives authorized users a unique username and password by having the client connect to a secure authentication server and provides its identity to that server by providing a username and password | 27 |
| dhcp | DHCP (Dynamic Host Configuration Protocol) gives the user a configuration when they first join the network | 28 |
| nat | NAT (Network Address Translation) allows multiple computers on a local network to share an IP address | 28 |
| subnet | A subnet is a group of addresses with a common prefix | 29 |
| autonomous systems | An autonomous system (AS) is comprised of one or more LANs and is uniquely identified by its ASN (autonomous system number) | 29 |
| bgp | BGP (Border Gateway Protocol) is the protocol for communicating between different Autonomous Systems | 29 |
| ip spoofing | IP spoofing is when malicious clients can send IP packets with source IP values set to a spoofed value | 29 |
| bgp hijacking | BGP hijacking is where malicious autonomous systems can lie and claim themselves to be responsible for a network which it isn’t | 29 |
| port | Ports help us distinguish between different applications on the same server | 30 |
| tcp | TCP (Transmission Control Protocol) is a protocol that is built on top of IP that provides a byte stream abstraction, ordering, and reliability | 30 |
| initial sequence numbers | Initial Sequence Numbers (ISNs) are different, random numbers for every connection that the client and server both agree upon | 30 |
| tcp hijacking | TCP hijacking is an attack on TCP where an attacker tampers with an existing session to modify or inject data into a connection | 30 |
| data injection | Data injection is a type of TCP hijacking attack where the attacker spoofs packets to inject malicious data into a connection | 30 |
| rst injection | RST injection is a type of TCP hijacking attack where the attacker spoofs an RST packet to forcibly terminate a connection | 30 |
| tcp spoofing | TCP spoofing is an attack on TCP where the attacker spoofs the TCP connection to appear to come from another source IP address | 30 |
| udp | UDP (User Datagram Protocol) is a protocol that is built on top of IP that does not have reliability or ordering guarantees, but adds ports | 30 |
| tls | TLS (Transport Layer Security) is a protocol that is built on top of TCP for creating a secure communications channel over the Internet | 31 |
| ssl | SSL (Secure Sockets Layer) is the old, deprecated version of TLS | 31 |
| end-to-end security | End to end security is a property that is provided by TLS wherein secure communications exist between the two endpoints with no need to trust intermediaries | 31 |
| https | HTTPS is the HTTP protocol run over TLS | 31 |
| ssl stripping | SSL stripping forces a user to use unencrypted HTTP instead of HTTPS | 31 |
| certificate pinning | Certificate pinning is when the browser restricts which CAs are allowed to issue a certificate for each website | 31 |
| certificate transparency | Certificate transparency are public logs provided by CAs | 31 |
| replay attack | A replay attack involves an attacker recording old messages and sending them to the server | 31 |
| dns | DNS (Domain Name System) is an internet protocol for translating human-readable domain names to IP addresses | 32 |
| name server | A name server is a server on the Internet that is responsible for answering DNS requests | 32 |
| stub resolver | A stub resolver is the resolver on your computer that only contacts the recursive resolver and receives the answer | 32 |
| recursive resolver | A recursive resolver is the resolver that makes the actual DNS queries | 32 |
| resource records | Resource Records (RR) is a name-value pair which is a part of the DNS payload and contains answer and name server type records | 32 |
| id number | The ID number is 16 bits and is part of the DNS payload and is used to associate queries with responses | 32 |
| counts | Counts store the number of records of each type in the DNS payload | 32 |
| cache poisoning attack | A cache poisoning attack is an attack that returns a malicious record to the client | 32 |
| bailiwick checking | Bailiwick checking is a DNS defense where the resolver only accepts records if they are in the name server’s zone | 32 |
| kaminsky attack | The Kaminsky Attack queries non-existent domains and puts the poisoned record in the additional section (which will still be cached), and lets the off-path attacker try repeatedly until succeeding | 32 |
| channel security | Channel security is securing the communication channel between two end hosts | 33 |
| object security | Object security is securing a piece of data (in transit or in storage) | 33 |
| downgrade attack | A downgrade attack is an attack wherein the attacker blocks the TLS connection, forcing the browser to fall back on ordinary DNS | 33 |
| dnssec | DNSSEC (DNS Security Extensions) is an extension of the DNS protocols that ensures integrity on the results | 33 |
| edns0 | EDNS0 (Extension Mechanisms for DNS) is a protocol that adds the OPT pseudosection | 33 |
| rrset | RRSET (Resource Record Set) is a group of DNS records with the same name and type form | 33 |
| ksk | KSK (Key Signing Key) is used to sign only the zone-signing key | 33 |
| zsk | ZSK (Zone Signing Key) is aused to sign all other records | 33 |
| domain enumeration | Domain enumeration makes it easy for an attacker to find every single subdomain of a domain | 33 |
| dos | DoS (Denial of Service) is an attack that disrupts a network service, making the service unavailable for legitimate users | 34 |
| resource exhaustion | Resource exhaustion is wherein the attacker consumes all the limited resources so legitimate users can’t use them | 34 |
| amplification | Amplification exploits asymmetry between the attacker and the victim so that the attacker spends few resources but the victim has to spend a lot of resources, thus making DoS attacks easier for the attacker | 34 |
| bottleneck | A bottleneck is the part of the system with the least resources | 34 |
| application-level dos | Application level DoS targets the high-level application running on the end host by overwhelming the processing capacity of the service | 34 |
| content delivery network | Content delivery network is a service that allocates a huge amount of resources for you | 34 |
| algorithmic complexity attack | Algorithmic complexity attack is an attack that supplies inputs that trigger worst-case complexity of algorithms and data structures | 34 |
| network-level dos | Network-level DoS targets network level protocols to affect the victim’s internet access to affect the victim’s Internet access | 34 |
| dns amplification attack | DNS amplification attack is an attack that sends small spoofed requests to overwhelm the victim with large responses | 34 |
| packet filter | Packet filters discard any packets that are a part of the DoS attack | 34 |
| ddos | DDoS (Distributed Denial of Service) attacks are a type of DoS attack where the attacker uses multiple systems to overwhelm the target system | 34 |
| botnet | A botnet is a collection of compromised computers controlled by the attacker | 34 |
| firewall | A firewall is used to enforce a specific kind of access control policy, one where insider users are permitted to connect to any network service desired, whereas external users are restricted | 35 |
| default-allow | A default-allow, or blacklist, policy is one wherein by default, every network service is permitted unless it has been specifically listed as denied | 35 |
| default-deny | A default-deny, or whitelist, policy is one wherein by default, every network service is denied to external users, unless it has been specifically listed as allowed | 35 |
| fails-open | A default-allow policy fails-open meaning that if any mistake is made, the result is likely to be some form of an expensive security failure | 35 |
| fails-closed | A default-deny policy fails closed meaning that if any mistake is made, then the result is the loss of functionality or availability, but not a security breach | 35 |
| stateful packet filter | A stateful packet filter is a router than checks each packet against the provided access control policy | 35 |
| stateless packet filters | Stateless packet filters tend to operate on the network level and generally only look at TCP, UDP, and IP headers | 35 |
| path traversal attack | A path traversal attack is an attack wherein unauthorized files are accessed on a remote server by exploiting Unix file path semantics | 36 |
| nids | NIDS (Network Intrusion Detection Systems) is a detector installed on the network, between the local network and the rest of the Internet | 36 |
| evasion attack | An evasion attack exploits inconsistencies and ambiguities to provide malicious inputs that are not detected by the NIDS | 36 |
| hids | HIDS (Host Based Intrusion Detection System) is a detector installed on each end system | 36 |
| logging | logging is a process wherein you analyze log files generated by end systems | 36 |
| false positive | A false positive is when the detector alerts when there is no attack | 36 |
| false negative | A false negative is when the detector fails to alert when there is an attack | 36 |
| false positive rate | False positive rate (FPR) is the probability the detector alerts, given there is no attack | 36 |
| false negative rate | False negative rate (FNR) is the probability the detector does not alert, given there is an attack | 36 |
| signature-based detection | ‘Signature-based detection flags any activity that matches the structure of a known attack" | 36 |
| blacklisting | Signature based detection is blacklisting wherein you keep a list of patterns that are not allowed, and alert if we see something on the list | 36 |
| specification-based detection | Specification based detection specifies allowed behavior and flags any behavior that isn’t allowed behavior | 36 |
| whitelisting | Specification-based detection is whitelisting, which keeps a list of allowed patterns, and alerts if we see something that is not on the list | 36 |
| anomaly-based detection | Anomaly based detection develops a model of what normal activity looks like and alerts on any activity that deviates from normal activity | 36 |
| vulnerability scanning | Vulnerability scanning uses a tool that proves your own system with a wide range of attacks (and fixes any successful attacks) | 36 |
| honeypot | Honeypot is a sacrificial system with no real purpose | 36 |
| forensics | Forensics is analyzing what happens after a successful attack | 36 |
| ips | Intrusion Prevention System (IPS) is an intrusion detection system that also blocks attacks | 36 |
| malware | Malware (also known as malcode or malicious software) is an attacker code running on victim computers | 38 |
| self-replicating code | Self-replicating code is a code snippet that outputs a copy of itself | 38 |
| virus | A virus is code that requires user action to propagate | 38 |
| worm | A worm is code that does not require user action to propagate | 38 |
| polymorphic code | Polymorphic code is code such that each time the virus propagates, it inserts an encrypted copy of the code | 38 |
| metamorphic code | Metamorphic code is code such that each time the virus propagates, it generates a semantically different version of the code | 38 |
| morris worm | The Morris Worm is considered the first internet worm and exploits multiple buffer overflows to guess common passwords to exploit common user accounts across different machines | 38 |
| rootkit | A rootkit is malcode in the operating system that hides its presence | 38 |
| proxy | A proxy is a third party that relays our Internet traffic | 39 |
| collusion | Collusion is when multiple proxies work together and share information | 39 |
| tor | Tor is a network that uses onion routing to enable anonymous communications | 39 |
| tor hidden services | Tor hidden services are websites that are only accessible through the Tor network | 39 |
| dark markets | Dark markets are marketplaces for buying and selling illegal goods | 39 |
| cybercrime forums | Cybercrime forums are websites for discussing illegal activity | 39 |