Just in time to organize a course on the introduction of cybersecurity terminology, referencing Common Terms in Cybersecurity, the content is generated based on GPT.
Penetration Testing#
POC (Proof of Concept)#
POC refers to code or methods used to verify the feasibility of a security vulnerability, attack method, or technique. POCs are typically used to demonstrate that an attack can be successful, but they may not include code for actual exploitation. In security research, researchers often write POCs to prove that the vulnerabilities they find are real and exploitable, but they usually do not cause actual damage.
EXP (Exploit)#
EXP is code specifically designed to attack a particular vulnerability. Compared to POC, EXP is more mature and complete, and can be directly used to attack target systems to gain unauthorized access or perform other malicious actions. EXP typically contains a complete set of attack logic that can achieve specific attack objectives on the target system.
PAYLOAD#
PAYLOAD refers to the specific code or data that an attacker attempts to execute during an attack. It is part of the EXP, used to achieve the attacker's ultimate goals, such as popping a reverse shell, installing a backdoor, stealing data, etc. PAYLOAD can be customized according to the attacker's needs to fit different attack scenarios and targets.
Shellcode#
Shellcode is a special type of PAYLOAD that contains a piece of code used to control the victim's computer. Typically, the purpose of shellcode is to open a command-line interface, allowing the attacker to remotely control the attacked machine. Shellcode usually needs to be very compact and efficient because it often needs to execute within very limited memory space.
Vulnerability#
A vulnerability refers to a weakness in software, hardware, or network systems that an attacker can exploit to perform unauthorized actions. These actions may include stealing data, gaining illegal access, or causing system crashes. Vulnerabilities can arise from various reasons, such as design flaws, programming errors, or configuration mistakes.
Zero-day Vulnerability#
A zero-day vulnerability refers to a security flaw that has been discovered and exploited by attackers before developers or the public are aware of it. The term "zero-day" comes from the "zero day" that developers become aware of the vulnerability, at which point no patches or mitigations are available. Zero-day vulnerabilities are extremely dangerous for security defenses because when an attack occurs, system administrators and users have no ready solutions.
One-day Vulnerability#
A one-day vulnerability refers to a vulnerability that has been publicly disclosed by developers (possibly including a patch), but many systems and applications have not yet applied this patch when exploited by attackers. In this case, a solution already exists, but for various reasons (such as update delays, users not applying patches in time, etc.), the vulnerability is still exploited.
N-day Vulnerability#
N-day vulnerability is a more general term used to describe vulnerabilities that are exploited at any time after public disclosure. "N" can be any number, indicating how many days have passed since the vulnerability was made public. This term is often used to emphasize that the vulnerability has been public for some time, but attackers can still exploit it, especially against systems that have not patched in time.
Attack Terminology#
Bot#
This is hacker jargon referring to a computer that has been compromised by a hacker. These computers are usually infected with malware, allowing hackers to control them remotely, while the true owners of the computers remain unaware. Bots can be used for various malicious activities, such as sending spam, participating in distributed denial-of-service (DDoS) attacks, etc.
Botnet#
A botnet is a network of compromised bots controlled by hackers. Hackers use these infected computers (i.e., "zombies") to execute commands and distribute malware. These networks are often used to carry out automated large-scale attacks, such as DDoS attacks, spam sending, etc.
Trojan#
A Trojan is a type of malware that hides within seemingly legitimate software, tricking users into downloading and installing it. Once installed, a Trojan can perform various malicious actions, such as stealing sensitive information, downloading more malware, or providing hackers with remote access to the victim's computer.
Web Trojan#
A web Trojan is malware that spreads through web pages. When users visit a page containing malicious code, this code may execute automatically, installing a Trojan or other malware on the user's device, often without the user's knowledge.
Rootkit#
A rootkit is malware designed to hide the existence of software, processes, or files within a computer system, making malicious activities difficult to detect by users and antivirus software. Rootkits are often used to maintain control over infected systems while hiding malicious activities.
Worm Virus#
A worm is a standalone type of malware that can self-replicate and automatically spread across networks to other computers without attaching itself to other files or programs. Unlike traditional viruses, worms exploit network vulnerabilities to spread, potentially causing widespread damage, such as network congestion and decreased system performance.
Cryptojacking Malware#
Cryptojacking malware is a type of malicious software designed to use the victim's computing resources to mine cryptocurrency without their consent. This type of software typically runs in the background, consuming CPU and GPU resources, leading to decreased device performance.
Backdoor#
A backdoor refers to a hidden entry intentionally set in software, operating systems, or hardware, allowing remote access to the system without going through normal authentication processes. Attackers can control infected computers through backdoors, executing commands, stealing data, etc.
Weak Password#
A weak password refers to a password that is easy to guess or crack, typically consisting of common words, simple number combinations (like 123456), or default passwords. Weak passwords make accounts vulnerable to brute force or dictionary attacks.
Malware#
Malware refers to any software designed to cause damage to computers, servers, clients, or computer networks. It includes viruses, worms, Trojans, ransomware, spyware, etc.
Spyware#
Spyware is software designed to secretly monitor user activities without their consent. It can record keystrokes, browsing history, passwords, and other personal information.
Sniffer#
A sniffer is a tool used to monitor and analyze network traffic. Attackers use sniffers to capture packets to steal information, monitor user activities, or look for security vulnerabilities in the network.
SQL Injection#
SQL injection is an attack technique where an attacker inputs malicious SQL commands into an application's input fields, exploiting security vulnerabilities in the application's backend database to perform unauthorized database operations. This attack can be used to read or modify data in the database, or even execute administrative operations, such as deleting database tables or gaining server permissions.
Command Injection#
Command injection attacks allow attackers to execute arbitrary commands on the target system. This is typically achieved by exploiting improper handling of input data by the application, allowing malicious commands to be injected at the system level. Successful command injection attacks can lead to data leaks, server control, and other serious consequences.
Code Injection#
Code injection is an attack in which an attacker injects malicious code into an application, causing unexpected operations to be executed on the application or backend server. This attack can be implemented through scripting languages (like JavaScript), SQL commands, or other programming language code.
Cross-Site Scripting (XSS)#
Cross-site scripting is a technique that executes malicious scripts in the user's browser. Attackers inject malicious scripts into web pages, and when other users browse those pages, the embedded scripts execute in their browsers. This can lead to user data being stolen, sessions being hijacked, or malware being distributed.
Webshell#
A webshell is a script file that executes server commands through a web interface, typically implanted by attackers on compromised web servers. Through webshells, attackers can remotely manage servers, execute various commands, such as data theft and further network penetration. Webshells can be written in various languages, such as PHP, ASP, JSP, etc.
Web Shell Planting / Drive-by Download#
Web shell planting is a type of web attack where attackers implant malicious code or software on a website. When users visit these web pages with implanted malicious code, the malware automatically downloads and executes, usually without any interaction from the user. This method is commonly used to spread malware, such as Trojans and spyware.
AV Evasion#
AV evasion refers to various techniques used to prevent malware, viruses, or tools from being detected by antivirus software. These techniques may include code obfuscation, encryption, and exploiting vulnerabilities in antivirus software. The goal of AV evasion techniques is to allow the attacker's malicious actions to bypass security detection and successfully execute their attacks.
Port Scanning#
Port scanning is a technique used to probe target computers or network devices for open services and listening ports. By scanning ports, attackers can discover exploitable service vulnerabilities, leading to further attacks. Port scanning is usually the preliminary step in network penetration testing, used to gather information about the target system.
Website Takeover#
Website takeover refers to when attackers successfully gain control of a target website's administrative privileges through various means, allowing them to modify, delete, or implant malicious code into the website's content. Website takeover is typically achieved by exploiting vulnerabilities in web applications, database injections, server vulnerabilities, etc. After a successful takeover, attackers can engage in data theft, spread malware, conduct phishing attacks, and other malicious activities.
DDoS#
Flood Attack#
A flood attack is a method of making network services unavailable by sending a large number of useless requests to the target, exhausting the target's resources (such as bandwidth and processing power). This prevents legitimate users from accessing the service. Flood attacks are typically used in DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks.
SYN Flood Attack#
A SYN flood attack is a specific type of DoS attack that exploits the TCP protocol's three-way handshake process. Attackers send a large number of TCP/SYN (connection request) packets but deliberately do not complete the handshake process. This causes the target server's resources to be exhausted, preventing it from processing legitimate requests.
Denial of Service Attack#
A DoS attack aims to make network services or resources unavailable to intended users. Attackers exhaust the target's resources through various means, such as flood attacks, SYN attacks, etc., leading to service interruptions.
Distributed Denial of Service Attack#
A DDoS attack is a form of DoS attack, with the difference being that the attack comes from distributed systems—typically composed of many infected machines (botnets). This makes the attack harder to defend against because the traffic sources are numerous and dispersed.
ARP Spoofing Attack#
ARP spoofing, or ARP deception, is an attack that exploits vulnerabilities in the ARP protocol within a network. Attackers send forged ARP messages into the local area network to associate the attacker's MAC address with the legitimate host's IP address. This can be used for man-in-the-middle attacks, intercepting, modifying, or redirecting network traffic.
Phishing#
Watering Hole Attack#
A watering hole attack is a method targeting specific groups, where attackers infect a website frequently visited by members of that group to spread malware among users visiting that site. This attack method is similar to a predator waiting at a watering hole for prey.
Advanced Persistent Threat#
An APT attack is a complex cyber attack characterized by prolonged stealth and strong targeting. Attackers are usually organized teams aiming to continuously access the target network undetected to steal data or monitor activities.
Supply Chain Attack#
A supply chain attack refers to an attack where attackers target an organization's suppliers or service providers. Since the security of the supply chain may not be as robust as that of the target organization itself, attackers exploit this as a foothold to enter the target network.
Spam#
Spam refers to unsolicited, bulk emails typically used for advertising, phishing attacks, or spreading malware. Although spam itself does not directly exploit system vulnerabilities, it is a common means of spreading malicious content and conducting social engineering attacks.
Spoofing Attack#
A spoofing attack refers to when an attacker impersonates another user or device to deceive users, steal information, or bypass access controls. Spoofing attacks can take various forms, including IP spoofing, email address spoofing, and ARP spoofing.
Man-in-the-Middle Attack (MITM)#
A man-in-the-middle attack refers to when an attacker inserts themselves between two communicating parties, secretly listening to, intercepting, or altering the exchanged information. This attack is common in unencrypted network communications, where attackers can use ARP spoofing, DNS spoofing, and other techniques to achieve this.
Challenge Collapsar Attack#
A CC attack is a type of distributed denial-of-service attack (DDoS) that overwhelms a target website's resources with a large number of requests, causing the server to overload and preventing normal users from accessing it. CC attacks specifically refer to a large number of HTTP requests initiated through proxy servers or botnets to simulate normal user behavior, making defense more challenging.
Database Cracking#
Database cracking refers to obtaining access to a database through various means and then stealing the information stored in that database. This is typically achieved by exploiting vulnerabilities in database management systems, SQL injection, and other techniques.
Data Breach#
A data breach refers to when attackers successfully steal sensitive data from a database, including user personal information, passwords, financial information, etc. Data breach incidents usually refer to large-scale data leaks, significantly impacting user privacy and corporate reputation.
Credential Stuffing#
Credential stuffing is a cyber attack method where attackers obtain leaked username and password databases from other websites and then attempt to log into other sites using those credentials. Since many users reuse the same usernames and passwords across different sites, credential stuffing attacks can succeed in some cases.
Social Engineering#
Social engineering is a security attack technique that does not rely on traditional hacking techniques but instead exploits human psychological weaknesses to induce individuals or employees to disclose sensitive information or perform specific actions. This technique includes phishing attacks, pretexting, impersonating trusted individuals or institutions, etc.
Hidden Link#
A hidden link refers to links on a website that are concealed from normal users but can be crawled by search engines. Attackers implant hidden links on victim websites to improve the search engine ranking of malicious or related websites.
Defacement#
Defacement is an attack where attackers alter the content of a website, typically to spread political messages, hacker tags, or malicious code. This attack not only damages the website's reputation but can also be used to spread malware.
Command and Control#
C2 servers are used by attackers to maintain control over already compromised systems and issue subsequent commands. This mechanism allows attackers to remotely manipulate malware or botnets to execute data theft, distributed denial-of-service attacks, and other activities.
Spear Phishing#
Spear phishing is a more targeted form of phishing attack where attackers collect and utilize personal information to customize deceptive emails or messages, aiming to induce specific individuals or organizations to disclose sensitive information or install malware.
Phishing#
Phishing is a fraudulent method where attackers disguise themselves as trusted entities to send emails or messages, tricking victims into clicking malicious links or attachments to steal sensitive information such as login credentials, credit card information, etc.
Pivoting#
Pivoting is a technique used in network penetration testing or attacks, where attackers use a compromised system as a stepping stone to further penetrate or attack other systems within the network. This allows attackers to bypass firewalls or security measures and delve deeper into the network.
Internal Network Attacks#
Lateral Movement#
Lateral movement refers to the process of attackers moving from one system to another within a network, aiming to expand their influence, search for valuable targets, or gain higher access privileges. This often involves exploiting credentials and vulnerabilities within the network.
Privilege Escalation#
Privilege escalation refers to the process where attackers gain higher privileges (such as administrative privileges) from lower-privileged accounts by exploiting system vulnerabilities, configuration errors, or design flaws during an attack. This is a key step for attackers to expand their access and control.
Reverse Engineering#
Overflow#
In programming and network security, overflow refers to data exceeding the boundaries of a predetermined storage space or container. This often occurs in buffer overflow attacks, where excessive data written to a buffer may overwrite adjacent memory areas, leading to undefined behavior, such as executing malicious code.
Buffer Overflow Attack#
A buffer overflow attack occurs when a program attempts to write more data to a buffer than its capacity, which may lead to data overwriting adjacent memory areas, allowing attackers to exploit this behavior to execute arbitrary code or compromise the system.
Shellcoding#
Shellcoding typically refers to developers or attackers adding a layer of shell code to software before release to protect the program from reverse engineering analysis. In the security field, shellcoding can also refer to creating and using shell code, which is a small code used to exploit software vulnerabilities, designed to provide attackers with command-line access to the victim's system.
Unpacking#
Unpacking refers to the process of removing shell code protection from software, usually for malware analysis or reverse engineering. By unpacking, analysts can see the original program's true code, allowing for a better understanding of its functionality and potential threats.
Obfuscation#
Obfuscation is a code obfuscation technique used to make software's machine code difficult to understand. This technique is achieved by replacing, adding, or modifying instructions in the code, aiming to hinder reverse engineering and analysis, making it more challenging to analyze malware behavior or protect copyrights. In the security field, obfuscation can be used to hide the true intent of malicious code, helping it avoid detection by security software.
Black and Gray Hat#
Domain Hijacking#
Domain hijacking refers to attackers gaining control over a domain through illegal means and then changing the domain name system (DNS) settings to redirect users to malicious websites. This attack may be used for phishing, distributing malware, or conducting other malicious activities.
Pig Butchering#
Pig butchering is a type of online scam that primarily targets victims through social platforms or dating websites. Scammers typically establish an emotional connection with victims and then induce them to transfer money under the guise of investment or financial management, ultimately defrauding them. The term comes from the idea that scammers "feed" their targets like pigs until the "harvest" moment.
Telecom Fraud#
Telecom fraud refers to fraudulent activities conducted using telephone, internet communication, and other telecommunication tools. Scammers use various means to gain victims' trust and then induce them to transfer money or provide sensitive information, such as bank account details and passwords.
Wool Pulling#
Wool pulling refers to exploiting vulnerabilities, policy loopholes, or promotional activities in online platforms, applications, or services to gain profits through legal or semi-legal means. This behavior may involve bulk account registrations, using automated scripts, or exploiting system vulnerabilities to obtain improper benefits.
Cybercrime as a Service#
Cybercrime as a service refers to illegal activities conducted using network technology, such as selling or renting malware, providing hacking services, and selling data leaks. These activities typically occur on the dark web or encrypted platforms to hide identities and activity traces.
Dark Web#
The dark web is a hidden part of the internet that is not indexed by conventional search engines and can only be accessed through special software like the Tor browser. The dark web is often used to protect user privacy and freedom of speech, but it also contains many places for illegal transactions and activities.
Attackers#
Black Hat Hacker#
A black hat hacker refers to hackers who conduct network attacks, data theft, system destruction, and other activities for illegal purposes and personal gain. They typically exploit discovered vulnerabilities for malicious attacks rather than reporting them.
White Hat Hacker#
A white hat hacker, also known as an ethical hacker, refers to professionals who use their skills to help organizations discover and fix security vulnerabilities. They typically conduct penetration testing with authorization to ensure system security.
Red Hat Hacker#
A red hat hacker typically falls between black hats and white hats, and they may take more aggressive measures against black hat hackers. Unlike white hat hackers who focus on defense and reporting vulnerabilities, red hat hackers may attack systems used by black hat hackers to stop their illegal activities.
Red Team#
The red team refers to a group that plays the role of attackers in simulated attacks, using various techniques and strategies to attempt to breach an organization's security defenses. The goal of the red team is to reveal security weaknesses that could be exploited by real attackers.
Blue Team#
The blue team refers to the group responsible for defense, tasked with detecting, preventing, and responding to red team attack attempts. The blue team focuses on strengthening security measures and improving the organization's security posture.
Purple Team#
The purple team is not a separate team but a concept of collaboration between the red team and the blue team. Purple team activities aim to enhance overall security posture through close cooperation, sharing knowledge and experience between the red and blue teams. The purple team bridges the gap between attack and defense, enhancing security capabilities through collaboration.
Defense#
Firewall#
A firewall is a network security system that monitors and controls the data packets entering and leaving a network. Based on predetermined security rules, a firewall can allow or block specific data flows, thereby protecting the internal network from unauthorized access. Firewalls can be hardware, software, or a combination of both.
Intrusion Prevention System (IPS)#
An intrusion prevention system is a proactive network security device that monitors network traffic to identify and block potential malicious activities. Compared to intrusion detection systems (IDS), IPS can not only detect attacks but also take real-time measures to block them, such as disconnecting malicious traffic.
Intrusion Detection System (IDS)#
An intrusion detection system is a passive monitoring tool used to detect and report malicious activities or policy violations in a network or system. Compared to IPS, IDS primarily focuses on detection and alerting, without directly taking action to block attacks.
Antivirus Software#
Antivirus software is a program used to detect, prevent, and remove malware. By scanning files and programs on a computer system, antivirus software can identify and delete viruses, Trojans, spyware, and other malicious software, protecting devices from damage.
Antivirus Gateway#
An antivirus gateway is a network security device located at the enterprise boundary, used to scan incoming and outgoing network traffic for malicious software. It typically combines the functions of a firewall and antivirus software, providing comprehensive network security protection.
Situational Awareness#
Situational awareness in the field of cybersecurity refers to a comprehensive understanding and awareness of the network environment and security threats. By collecting, analyzing, and synthesizing network data, security teams can gain a clear view of the current network security status, enabling them to more effectively identify, defend against, and respond to security threats.
Security Operations Center (SOC)#
A security operations center is a dedicated department responsible for managing an organization's information security. SOC teams use various technologies and processes to monitor and analyze the organization's security posture to promptly detect, assess, respond to, and mitigate security incidents and threats.
Jump Server/Bastion Host#
A jump server is a specially configured server placed at the security boundary of a network, serving as the only entry point for accessing internal networks or systems. Through the jump server, remote access can be strictly controlled and monitored, enhancing security. Users must first authenticate through the jump server to access internal resources.
Database Audit#
Database audit is the process of recording and examining database operations to ensure data integrity, confidentiality, and availability. Auditing can help identify unauthorized data access, data modifications, or other potential security issues. Audit logs typically include user actions, access times, and accessed data.
Vulnerability Scanning#
Vulnerability scanning is an automated process used to identify and report security vulnerabilities in networks, systems, or applications. Through vulnerability scanning, organizations can understand their security risks and take measures to remediate them to prevent potential attacks.
Data Diode/Gate#
A data diode is a network security device that provides unidirectional communication between two networks. It ensures that data can only flow in one direction, preventing potential threats and data leaks. Data diodes are commonly used in high-security environments, such as military or critical infrastructure.
Unified Threat Management (UTM)#
Unified Threat Management is a network security solution that integrates multiple security functions into a single device. These functions may include firewalls, antivirus, intrusion detection and prevention, web filtering, and anti-spam. UTM provides a simplified approach to managing network security threats.
Internet Behavior Management#
Internet behavior management refers to using various technologies and strategies to monitor and manage users' online behavior to ensure compliance, improve productivity, and protect network security. This may include restricting access to specific websites, monitoring network traffic, and preventing data leaks.
Virtual Private Network (VPN)#
A virtual private network is a technology that allows users to securely access private networks over public networks through encrypted tunnels. VPNs hide users' IP addresses and encrypt data transmissions, thereby protecting users' privacy and security on public networks.
Web Application Firewall (WAF)#
A web application firewall is a firewall specifically designed to protect web applications. It monitors, filters, and blocks malicious HTTP/HTTPS traffic to prevent various attacks against web applications, such as SQL injection and cross-site scripting (XSS).
Honeypot#
A honeypot is a security mechanism designed to lure attackers. It appears to be a valuable target (for example, a server that seems to contain sensitive data), but it is actually isolated and monitored, aiming to entice attackers to attack this system, thereby revealing their techniques, methods, and intentions.
Sandbox#
A sandbox is a security technology used to execute or run programs in an isolated environment to test untrusted code or programs without affecting the main system. Sandboxes provide a secure environment to analyze malware behavior or test unknown software.
Sandbox Evasion#
Sandbox evasion refers to malicious software or code recognizing that it is running in a sandbox environment and taking measures to avoid detection or limit its behavior to escape security analysis. This often involves detecting characteristics of the sandbox environment or simulating user behavior to avoid being analyzed.
Cyber Range#
A cyber range is a simulated network environment used for training and assessing the security of networks and systems. It provides a practical operational environment where security professionals can practice penetration testing, security defense, incident response, and other skills without risking the real environment.
Network Access Control (NAC)#
Network access control is a network security solution used to prevent unauthorized access. NAC can enforce policies, such as checking the security status of devices (e.g., whether the latest security patches are installed) before allowing devices to connect to the network.
False Positive#
In cybersecurity, a false positive refers to a situation where a security system incorrectly identifies legitimate activities or data as malicious. This type of false alarm can lead to unnecessary disruptions and resource waste, as security teams need to investigate each alert.
Alert#
An alert is a notification issued by a security system when a potential security event or policy violation is detected. The purpose of an alert is to draw the attention of the security team so they can respond to and address potential security threats in a timely manner.
Log Auditing System#
A log auditing system is a technology that monitors and records the activities of operating systems, applications, and other system components. These logs provide detailed records of system operations, user activities, system errors, security events, etc. By analyzing these logs, security experts can detect potential security threats, non-compliance actions, or system failures, allowing them to take appropriate preventive or corrective measures.
Traffic Scrubbing#
Traffic scrubbing is a network security measure used to protect networks from distributed denial-of-service (DDoS) attacks. During traffic scrubbing, incoming traffic is routed through a scrubbing center or device that identifies and filters out malicious traffic, allowing only legitimate traffic to pass through. This helps ensure the normal operation of the network and prevents service interruptions.
Security Information and Event Management (SIEM)#
SIEM is a security management approach that combines the functions of security information management (SIM) and security event management (SEM). SIEM solutions can collect and analyze security data and event logs in real-time from various sources (such as network devices, security devices, servers, databases, etc.). By analyzing this information, SIEM can identify anomalous behavior or potential security threats, triggering alerts and aiding in rapid response.
Hardware Security Module (HSM)#
A hardware security module (HSM) is a physical device used to generate, store, and manage digital keys, perform encryption and decryption operations on sensitive data, and create digital signatures and certificates. HSMs provide a highly secure way to protect and manage keys, typically used for high-security tasks such as financial transaction processing, data protection, authentication, and digital signatures. HSMs are designed to resist various attacks, ensuring the security of key materials.