Concepts, synonyms and abbreviations for PNPT and Cisco CCNA CyberOps

Not in alphabetical order. Updated regularly. Search with CTRL+F

Threat actors

  • Amateurs – Also known as script kiddies. Little or no skills. Use pre-made programs or scripts to create chaos or show off skills.
  • Hacktivists – Driven by political, religious or ideological purposes. Usually destroys, corrupts or steals data, but not for financial gain.
  • Criminals – Traditional criminals. Driven by financial gain. ”It’s just business”.
  • Nation states – Or criminal organisations paid by nation states. State-sponsored cyberespionage or cyberwarfare.
  • Vulnerability brokers – Refers to grey hat hackers who attempt to discover exploits and report them to vendors or companies, sometimes for prizes or rewards.
  • Black hats – Criminal hackers. Extremely unethical. For financial gain. Usually don’t distinguish between victims, which is why hospitals and other sensitive functions are sometimes their target.
  • Gray hats – Usually hack organisations in a criminal and unethical way but later reveal their findings publicly or directly to the company so that security can be improved. Are sometimes rewarded financially for their findings.
  • White hats – Ethical hacker. Often working for security companies.

  • Red Team – Offensive.
  • Blue Team – Defensive. Most common.
  • Purple Team – SOC (Security Operation Center)
  • Botnet – A network of infected computers controlled as a group
  • C&C – Command and Control server. Often used to describe the node or controlling computer in botnets.

SOC – Security Operations Centre

Roles in the SOC:

  • Tier 1 – Monitor incidents, open tickets, basic threat mitigation
  • Tier 2 – Deep investigation
  • Tier 3 – In-depth knowledge, threat hunting, preventive measures
  • SOC manager – SOC admin overseeing operations.


  • Dwell Time – 
  • Mean Time to Detect (MTTD) – 
  • Mean Time to Respond (MTTR) – 
  • Mean Time to Contain (MTTC) – 
  • Time to Control – 

PDU = Protocol Data Units

  • Data = PDU at application layer
  • Segment = PDU at transport layer
    • TCP = Segments
    • UDP = Datagram
  • Packet = PDU at network layer
  • Frame = PDU at data link layer
  • Bits = PDU at physical layer

CIA Triad

Confidentiality

Ensures that data is hidden by default and only accessible to authorized users. This is enforced via encryption when stored, transferred or processed.

Integrity

Ensures accuracy and completeness of data when stored, transferred or processed. Integrity makes sure that data has not been modified or omitted. It is enforced through hashes.

Availability

Ensures that data is available when required. Availability is enforced through redundancy and load balancing with multiple servers and several connections, e.g. multiple incoming fibre connections.

Access control

Asset

Anything of value to an organisation: computers, servers, network. The greatest asset is usually data like company secrets and customer information.

Vulnerability

Weaknesses in a system that threat actors can take advantage of.

Threat

Any potential danger to an asset.

Security Onion

How network security should be designed. Layered. The threat actor needs to penetrate every layer to get to the protected asset. 

Security Artichoke

This design benefits the threat actor. Only some leaves need to be removed/penetrated for the threat actor to gain a foothold inside the system or access to the asset.

AAA framework

Authentication

Prove you are who you say you are. Usually username and password.

Authorization

Based on your authentication, what access do you have? To what systems and information/data?

Accounting

Traceability and resources used. Login/logout time. Amount of data used. Amount of money on your account. What doors you accessed and so on.

Four elements of secure communication

Data integrity

Data should not be modified, and if modified it should be detected.

Origin authorization/authentication

Guarantees that the data is from the sender that it appears to be from.

Data confidentiality

Data should only be read by authorized parties. Achieved by encrypting data.

Data non-repudiation

A sender can not deny having sent a message.

Risk Management

Risk identification

Identify assets, vulnerabilities and threats.

Risk assessment

Score, weigh and prioritize risks.

Risk response planning

Determine risk response. Planning.

Response implementation

Monitor and assess results

Continuous risk monitoring and response assessment

Risk avoidance

Stop performing the activities that create risk. It is possible that as a result of a risk assessment, it is determined that the risk involved in an activity outweighs the benefit of the activity to the organization. If this is found to be true, then it may be determined that the activity should be discontinued.

Risk reduction

Decrease the risk by taking measures to reduce vulnerability. For example, if an organization uses server operating systems that are frequently targeted by threat actors, risk can be reduced through ensuring that the servers are patched as soon as vulnerabilities have been identified.

Risk sharing

Shift some of the risk to other parties. For example, a risk-sharing technique might be to outsource some aspects of security operations to third parties. Hiring a security as a service (SECaaS) CSIRT to perform security monitoring is an example. Another example is to buy insurance that will help to mitigate some of the financial losses due to a security incident.

Risk retention

Accept the risk and its consequences. This strategy is acceptable for risks that have low potential impact and relatively high cost of mitigation or reduction. Other risks that may be retained are those that are so dramatic that they cannot realistically be avoided, reduced, or shared.

Network Security Data

Alert data

Generated by a network-based IDPS system. Snort is a free and open source IDPS.

Network traffic logs – Session and transaction data.

Session data

Session data is a record of a connection between two endpoints. Metadata. Session data contains details of network flows including the 5-tuples, the amount of data transmitted and the duration of data transmission. It’s a record of a conversation.

Transaction data 

Is the actual message exchanged during a network session. But not necessarily the payload. Transaction data includes device-specific server and host logs. It can be a GET request for a website and a response with the file path on the web server.

Full packet capture 

This capture includes detailed protocol and payload information for all traffic on a network segment. This is the most detailed network data generally captured. Wireshark is a common tool.

Statistical data

Is used to describe and analyze network flow or performance data.

Extracted content 

Includes files that are attached to emails or that were downloaded from the internet.

Alert data

Generated by IPS or IDS devices when suspicious traffic is detected.

Digital forensics

The recovery and investigation of information found on digital devices related to criminal activity.

NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response

Digital evidence forensic process

  1. Collection (Media)

Identification of potential sources of forensic data, handling and storage of that data. It’s important not to damage, change or lose this data.

  2. Examination (Data)

Assessing and extracting relevant information from the collected data. May involve decryption of the data. Irrelevant data should be removed. Can be very difficult and time consuming.

  3. Analysis (Information)

Draw conclusions from the data. Identify and document important people, places, times, devices, events and so on. This step involves correlation of data from multiple sources.

  4. Reporting (Evidence)

Preparation and presenting the results from the analysis. Reporting should be impartial. Problems and limitations encountered should be included. Suggestions for further investigations should also be made.

Types of evidence

Best evidence

Evidence in its original state.

Corroborating evidence

Evidence that supports an assertion developed from best evidence.

Indirect evidence

Evidence that in combination with other facts establishes a hypothesis.

Direct evidence

Evidence that was indisputably in the possession of the threat actor/accused, or is eyewitness evidence from someone 

Evidence collection

The most volatile evidence should be collected first, like RAM because this will be cleared when the computer is turned off.

  1. Memory registers, caches
  2. Routing tables, ARP cache, process table, kernel statistics, RAM
  3. Temporary file systems
  4. Non-volatile media, fixed and removable. HDDs and USBs
  5. Remote logging and monitoring data
  6. Physical interconnections and topologies
  7. Archival media, tape, CDs and other backups.

Attack attribution

Determining who the threat actor/adversary is.

Cyber Kill Chain

  1. Reconnaissance

The adversary gathers intelligence and selects targets.

  2. Weaponization

The adversary uses the vulnerabilities of the asset and builds a tool to exploit them.

  3. Delivery

The weapon is transmitted/delivered through e.g. an email attachment, a USB stick or malware on a website.

  4. Exploitation

The adversary exploits and gains control over the target.

  5. Installation

  6. Command & Control

The adversary communicates through a C&C server, e.g. over IRC or DNS, to issue commands to the malware installed on the target.

  7. Actions on Objectives

Diamond Model

Core features:

Adversary – Represents the threat actor

Capability – The tools and techniques that are used by the adversary

Infrastructure – Represents the network paths that are used during an exploit.

Victim – A person, resource or asset.

Meta features:

Timestamp – The start and stop time of an event.

Phase – Refers to the steps in the Cyber Kill Chain

Result – What the adversary gained from a successful exploit

Direction – The path between parts in the Diamond Model that an exploit uses

Methodology – Classifies the general type of event. Port scan, syn flood etc.

Resources – The adversary’s resources used to carry out an exploit.

Data normalization

The process of combining data from a number of data sources into a common format. Data normalization is required to simplify searching for correlated events. IPv6 addresses, MAC-addresses, subnet masks, DNS-records and date formats are examples of data that is displayed differently on different systems. 

Data reduction

Sorting out NSM traffic because the amount of log file entries and alerts can be enormous. Encrypted data, traffic generated by routing protocols, broadcast protocols and low severity syslogs are examples of data that can be eliminated.

Data Archiving

Long term storage. The amount of time or disk space used for storing NSM data. Sometimes it’s required by law or a compliance framework to store some metadata. For example, the Payment Card Industry Security Standards Council (PCI DSS) requires that an audit trail of user activities related to protected information should be stored for one year.

Cryptology

The science of making and using codes.

Cryptography – The development and use of codes.

Cryptanalysis – The breaking of these codes.

P = Plaintext

C = Ciphertext

K = Key

A cipher is an algorithm. Ciphers are old technology that has been used for a long time: Enigma, the Caesar cipher and so on.

Plaintext = unencrypted text

Ciphertext = encrypted text

Encryption: P+K=C

Decryption: C+K=P

KDF = Key Derivation Function

KDF (password)  –>  K

Hashing: P –> C


Hashing a document, for example, creates a fixed-size summary no matter the size of the hashed document. It’s impossible to recreate a document based on its hash. Different documents/inputs should create different hashes. It’s called a collision when two inputs produce the same hash.

The sender/source calculates a hash and attaches it to the file. Then the destination/receiver independently generates a hash on the same file and compares it. A hash alone is only used for detecting accidental message change. A hacker can still modify a file and recalculate the hash.

Passwords should be stored in hashed format. During the login process, the hash for the entered password is compared with the stored hash. If hackers gain access to the database, only the hashed passwords are leaked, which are useless.

HMAC – Hash Message Authentication Code

HMAC can be used to add an additional secret key as input to the hash function, to ensure that the message is not altered in transit by a hacker, therefore protecting against man-in-the-middle.

Requires a pre-shared key.
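As an added example (not part of the original notes), the following Python compares the two checks described above: a bare hash attached to a message, which whoever alters the message can simply recompute, and an HMAC, which cannot be recomputed without the pre-shared key. The key and messages are constructed sample values; hashlib and hmac from the Python standard library do the work, and hmac.compare_digest is used for both comparisons so the check does not leak timing information.

```python
"""Plain hash versus HMAC for message integrity.

Added example, not from the original notes. A bare hash only catches
accidental change, because whoever alters the message can recompute the
hash; an HMAC cannot be recomputed without the pre-shared key.
Key and messages below are constructed sample values.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Fixed-size summary of arbitrary input (the 'P -> C' hashing step)."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Hash that also takes a secret key as input."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, tag: str) -> bool:
    """Receiver recomputes the hash and compares it with the attached one."""
    return hmac.compare_digest(sha256_hex(data), tag)


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Same check, but the receiver's key must match the sender's."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag)


def compare_integrity_checks():
    """Run both checks against an accidental change and a deliberate one."""
    key = b"pre-shared-secret"               # constructed; held by sender and receiver only
    original = b"transfer 100 to account A"
    altered = b"transfer 100 to account B"   # the in-transit modification

    results = {}
    # 1. Accidental corruption: the original tag travels with the altered message.
    results["hash_catches_accidental_change"] = not verify_hash(altered, sha256_hex(original))
    # 2. Deliberate change: the modifier replaces the hash with one for the new message.
    results["hash_accepts_recomputed_tag"] = verify_hash(altered, sha256_hex(altered))
    # 3. Same attempt against HMAC: without the key the modifier can only guess one.
    forged = hmac_sha256_hex(b"wrong-key-guess", altered)
    results["hmac_accepts_forged_tag"] = verify_hmac(key, altered, forged)
    # 4. Genuine message with the genuine key still verifies.
    results["hmac_accepts_genuine"] = verify_hmac(key, original, hmac_sha256_hex(key, original))
    return results


if __name__ == "__main__":
    for name, outcome in compare_integrity_checks().items():
        print(f"{name}: {outcome}")
```

Case 2 is the one the notes warn about: the plain hash verifies even though the message was changed, because the tag was recomputed along with it. Case 3 fails for the same attacker, which is exactly what the pre-shared key buys.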

Symmetric encryption

The same key is used at both the sender and receiver for both encryption and decryption. Key length determines strength, longer is better. E.g. AES, Twofish, DES/3DES, SEAL and RC (Rivest Cipher).


  • Block ciphers: Encrypts data in blocks, usually 64 or 128 bits.
  • Stream ciphers: Encrypts bits one-by-one

Common ciphers:

  • Substitution cipher – Each character is shifted x positions in the alphabet.
  • Transposition – Letters are rearranged rather than changed.
  • Polyalphabetic – Based on substitutions but uses different substitution alphabets.

Asymmetric encryption

The public key is used for encryption at the source/sender. When decrypting, the private key is used at the destination/receiver. E.g. Diffie-Hellman (DH), TLS/SSL and RSA.

Private and public keys are different. If a sender uses a private key to encrypt it’s not for privacy but for digitally signing.

In practice, both symmetric and asymmetric encryption are used.

Cryptanalysis

The art of breaking codes.

Brute force

Try every possible key.

Ciphertext-only

Attack the cipher using only different pieces of ciphertext.

Known plaintext

Leverage some knowledge about plaintext corresponding to ciphertext.

Chosen plaintext

Choose plaintext and observe ciphertext.

Chosen ciphertext

Use different ciphertext and observe the decrypted plaintext.


Know a portion of the plaintext and corresponding ciphertext.


Key length – The size of the key in bits.

Key space – The number of possible keys given the key length.

Key length examples:

  • Len 2: 4
  • Len 3: 8
  • Len 4: 16
  • Len 40: 1 000 000 000 000 (Not that long)

Key is derived from the password.

PKI – Public Key Infrastructure

Digital signatures – To sign data.

Authenticity – Who someone is.

Integrity – Downloaded executables for example. Assure that they haven’t been altered.

Trusted third-parties validate the authenticity of public keys using digital certificates.

PKI is such a third party.

PKI is a framework that Certificate Authorities (CA) use to issue digital certificates.

Code signing is used to verify the integrity of executable files downloaded from a vendor website. Code signing uses digital certificates to authenticate and verify the identity of a website.

SOC – Security Operations Centre

Tier 1 Alert Analyst

AKA Cyber Operations Analyst. Verifies that an alert from a SIEM and/or SOAR is a true security incident. If tier 1 can’t resolve, then the alert is escalated in a ticketing system.

Tier 2 Incident Responder

Responsible for deep investigation of incidents.

Tier 3 Threat Hunter/SME (Subject Matter Expert)

Works preventively. Hunts for potential threats and implements/updates threat detection tools.

SOC Admin

This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

DHCP – Dynamic Host Configuration Protocol

The automated process of clients requesting IP addresses and a server handing them out. If the DHCP server resides outside the router, the router can be configured as a DHCP relay.

DORA – A four-step process.

  • Discover message – Broadcast from the device when it connects to a new network.
  • Offer message – Sent from the DHCP server.
  • Request – DHCP server formally allocates the IP address to the client.
  • Acknowledgement – 

There are two types of allocation:

  • Dynamic allocation – Automatic
  • Static allocation – IP-addresses are pre-programmed by a network-administrator.

Unicast – Data is sent from one host to another.

Broadcast – Data is sent to all hosts on a network.

Multicast – Data is sent to a specific group of hosts.

Iptables is an application that allows Linux system administrators to configure network access rules.

Default gateway – The closest router. Usually your home router, which also functions as your switch and wireless access point (WAP).

MAC – Media Access Control

MAC addresses are physical and fixed. They are “burned in” at the manufacturer. Bound to the NIC = Network Interface Controller

Resides at the data link layer and the link header contains both the source MAC and the destination MAC.

Ports

Two applications cannot use the same port. Total of 65,000 ports. The first 1024 ports are reserved. The rest are unreserved and can be used by anyone.

ICMP – Internet Control Message Protocol

Resides at the same network layer as the IP protocol. Used for error reporting. Used for ping and traceroute. Ping is a series of packets/requests for troubleshooting. Collects network statistics like delay and packet loss.

Ping is often used for DDoS attacks that overwhelm the destination host with requests and choke the network. Some firewalls block ping traffic.

Traceroute is an ICMP-based tool that pings and lists all hops a packet takes to reach its final destination. Used to identify issues. Discovers the route between two systems. Leverages the TTL (Time To Live) field in the IP header: the process is repeated with an increasing TTL until the destination is reached.

First hop: TTL 1

Second hop: TTL 2

Third hop: TTL 3

ARP – Address Resolution Protocol

ARP table is a list of known local computers. ARP maps destination MAC to destination IP in ARP-cache.

Common attacks modify the ARP table. Hackers can replace the default gateway at the victim computer with the hacker’s IP. ARP poisoning is a man-in-the-middle attack.

Hub

A hub was used before switches and is not used anymore. A hub forwards traffic to all ports, for example a ping request, but also the ping replies.

DNS – Domain Name System

Used to translate domain names to IP addresses. DNS always uses UDP to avoid TCP overhead, but that is not an issue.

Humans understand: domain names

Computers understand: IP addresses

DNS server hierarchy

  • DNS root: Lists top level domain (TLD) servers. 13 of them.
  • Top level domain: .com .edu .net .se and so on.
  • Authoritative: Has the specific domain. Auth servers.

Mail Exchange (MX) records are DNS records that are necessary for delivering email.

IP – Internet Protocol

Routes packets from source to destination using IP-addresses. IP protocol is a connection-less protocol, considered unreliable in terms of end-to-end delivery. It does not provide error control in the cases where receiving packets are out-of-order or in cases of missing packets. It relies on upper layer services, such as TCP, to resolve these issues.


  • No retransmission. That’s the application layer’s responsibility.
  • Packets can take multiple routes.
  • Packets can arrive out of order.

Types of IP-addresses:

  • Public IP-address
  • Private IP-address
  • Loopback
  • IP-multicast

IP addresses (32 bits total) have one network part and one host part:

  • Network part is fixed.
  • Host part is changeable.

IP classes

  • Class A: Network part: 8 bits – Host part: 24 bits.
  • Class B: Network part: 16 bits – Host part: 16 bits.
  • Class C: Network part: 24 bits – Host part: 8 bits.

OSI and TCP/IP: Network models

TCP/IP (5 layers)

  • Application layer – E.g. HTTPS. The user layer; the topmost layer.
  • Transport layer – TCP or UDP. Sockets and ports (segments).
  • Network layer – IP addresses and router (packets) IPv4/IPv6
  • Data link layer – MAC addresses and switches (Frame)
  • Physical layer – Ethernet cables


Two extra layers at application layer:



Encapsulation – Think envelope inside envelope.

Decapsulation – Open the envelope and look at the next layer.

Each layer treats everything from the layers above it as data or payload.

TCP – Transmission Control Protocol

A stateful protocol. Reliable. Most common.

Used for mail, files, browsing and messaging, when you can’t afford to lose data. TCP is very reliable because every packet is acknowledged and resent if not delivered. TCP tolerates delay, but not loss. TCP will keep resending packets until they are acknowledged.

Three-way handshake

The handshake uses flags in the TCP header. After a handshake, data can be sent.

Starting connection:

  1. SYN (Synchronize)
  2. SYN/ACK (Acknowledgement)
  3. ACK – 

Closing connection:

  1. FIN/ACK
  2. ACK
  3. FIN/ACK
  4. ACK

Control bits:

  • URG – Urgent pointer field significant
  • ACK – Acknowledgment field significant
  • PSH – Push function
  • RST – Reset the connection
  • SYN – Synchronize sequence numbers
  • FIN – No more data from sender
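The handshake steps and the control bits listed above can be checked mechanically. The Python below is an added example, not from the original notes: it decodes a TCP flags byte into the bit names, checks that a sequence of segments is exactly SYN, SYN/ACK, ACK, and counts per source how many SYNs were never followed by that source’s final ACK (a large count is a SYN-flood indicator a SOC would alert on). The bit positions are the standard TCP header layout; the segment list is constructed for the example.

```python
"""Decoding TCP control bits and checking the three-way handshake.

Added example, not from the original notes. Bit positions are the standard
TCP header flag layout: FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10,
URG 0x20. The segment list used for the half-open check is constructed.
"""
# Display order chosen so combinations read the way the notes write them (SYN/ACK, FIN/ACK).
TCP_FLAGS = [("SYN", 0x02), ("FIN", 0x01), ("RST", 0x04), ("PSH", 0x08), ("URG", 0x20), ("ACK", 0x10)]


def decode_flags(value: int) -> list:
    """Return the names of the control bits set in a flags byte."""
    return [name for name, bit in TCP_FLAGS if value & bit]


def flag_string(value: int) -> str:
    return "/".join(decode_flags(value)) or "none"


def is_three_way_handshake(flag_values) -> bool:
    """True when the first three segments are exactly SYN, SYN/ACK, ACK."""
    expected = [{"SYN"}, {"SYN", "ACK"}, {"ACK"}]
    if len(flag_values) < 3:
        return False
    return all(set(decode_flags(v)) == want for v, want in zip(flag_values, expected))


def outstanding_syns(segments):
    """Per source IP, count SYNs never followed by that source's final ACK.

    Approximation: any later ACK-only segment from the same source to the same
    destination closes one open handshake. A source with many open SYNs is a
    SYN-flood indicator worth alerting on.
    """
    open_syns = {}
    for src, dst, flags in segments:
        names = set(decode_flags(flags))
        key = (src, dst)
        if names == {"SYN"}:
            open_syns[key] = open_syns.get(key, 0) + 1
        elif names == {"ACK"} and open_syns.get(key, 0) > 0:
            open_syns[key] -= 1
    per_source = {}
    for (src, _dst), n in open_syns.items():
        per_source[src] = per_source.get(src, 0) + n
    return per_source


# Constructed sample: (src_ip, dst_ip, flags). One normal handshake, then three bare SYNs.
SEGMENTS = [
    ("10.0.0.5", "10.0.0.80", 0x02),      # SYN
    ("10.0.0.80", "10.0.0.5", 0x12),      # SYN/ACK
    ("10.0.0.5", "10.0.0.80", 0x10),      # ACK -> handshake complete
    ("203.0.113.7", "10.0.0.80", 0x02),   # SYN, never completed
    ("203.0.113.7", "10.0.0.80", 0x02),
    ("203.0.113.7", "10.0.0.80", 0x02),
]

if __name__ == "__main__":
    for src, dst, flags in SEGMENTS:
        print(f"{src} -> {dst} {flag_string(flags)}")
    print(outstanding_syns(SEGMENTS))
```

The half-open count is deliberately simple; a real detector would also key on sequence numbers and expire entries after a timeout, but the principle is the same: a client that sends SYNs and never completes the handshake stands out.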

UDP – User Datagram Protocol 

A stateless protocol. Unreliable but fast. Losses are acceptable. No acknowledgement. Used for multimedia, streaming, video, audio calls, zoom and so on.

Socket = IP+port

IP = destination

Port = Port on destination

HTTP status code

  • 1xx – Informational
  • 2xx – Success
  • 3xx – Redirection
  • 4xx – Client Error
  • 5xx – Server Error

Key Security Protocols

Application layer

HTTP vs HTTPS

HTTP transfers data in plain text, which is susceptible to eavesdropping. HTTPS encrypts data.

Transport layer

SSL – Secure Sockets Layer. Phased out.

TLS – Transport Layer Security. Used instead of SSL.

Uses port 443, meaning HTTPS uses 443.


Network layer

IPSEC – Network layer encryption. Very popular for tunnels, e.g. VPNs.

IPSEC provides CIA.

VPN – Virtual Private Network

A VPN extends a private network over the public network.

  • Transport mode: Encapsulates only the data/payload.
  • Tunnel mode: Encapsulates the entire IP-packet.


Uses two different protocols:

  • AH (Authentication header)
  • ESP (Encapsulating Security Payload)

NAT – Network Address Translation

NAT is used on network gateways (routers). NAT enables a single public IP to handle thousands of internal systems. Hides private IP of internal systems and network structures. Prevents connections from outside.

PAT – Port Address Translation

Traditional NAT was one-to-one mapping of public to private IP. PAT is what we actually use today. Both provide some security. 

Firewall

First line of defence.

Can be software, hardware or both. Blocks or allows traffic based on set rules. Host-based or network-based. A list of firewall rules is called an Access Control List (ACL), which filters packets.

Rules can block or allow traffic based on:

  • Source IP: Blocks known malicious addresses. Public databases are available.
  • Destination IP: Used for internal databases, PLCs or servers.
  • Source port
  • Destination port: Vulnerable ports like HTTP or TELNET.
  • Protocols: Vulnerable like ICMP/PING.

Example of an ACL table:

10 Permit tcp any any 443

20 Permit tcp

30 Deny tcp any any 80

40 Deny ip any

50 Permit icmp any any

The first match in the ACL “wins” and the packet is either permitted or denied. All ACLs end with a deny, since packets not matched by the ACL should be denied. Permit is also sometimes referred to as “FORWARD” and deny as “DROP”.
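First-match evaluation and the implicit deny are easy to get wrong when rules are added over time, so the Python below, an added example and not the page’s own ACL, implements the evaluation described above over a constructed rule table in the same "sequence action protocol source destination port" shape. It also includes the check a reviewer runs on every ACL: finding rules that can never fire because an earlier rule already covers all of their traffic.

```python
"""First-match ACL evaluation with an implicit deny, plus a shadowed-rule check.

Added example, not from the original notes. The rule table follows the
"sequence action protocol source destination port" shape but is constructed
for this example; it is not the page's own ACL.
"""
import ipaddress

# Constructed ACL. "any" matches everything; protocol "ip" matches any IP protocol.
ACL = [
    (10, "permit", "tcp", "any", "any", 443),
    (20, "permit", "tcp", "10.0.0.0/8", "any", 22),
    (30, "deny", "tcp", "any", "any", 80),
    (40, "deny", "ip", "192.0.2.0/24", "any", "any"),
    (50, "permit", "icmp", "any", "any", "any"),
    (60, "permit", "tcp", "any", "any", 22),
    (70, "deny", "tcp", "any", "any", 443),   # never reached: rule 10 already matches
]


def _addr_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def _proto_match(pattern, proto):
    return pattern == "ip" or pattern == proto


def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL in sequence order; the first matching rule decides.

    Returns (action, sequence). A packet that matches nothing hits the
    implicit deny at the end, reported with sequence None.
    """
    for seq, action, r_proto, r_src, r_dst, r_port in sorted(acl, key=lambda r: r[0]):
        if (_proto_match(r_proto, proto)
                and _addr_match(r_src, src)
                and _addr_match(r_dst, dst)
                and (r_port == "any" or r_port == dport)):
            return action, seq
    return "deny", None


def _covers(a, b, kind):
    """Does rule field a match every packet that rule field b matches?"""
    if kind == "proto":
        return a == "ip" or a == b
    if kind == "addr":
        if a == "any":
            return True
        if b == "any":
            return False
        return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))
    return a == "any" or a == b


def shadowed_rules(acl):
    """Rules that can never fire because an earlier rule covers all their traffic.

    Returns (shadowed_seq, shadowing_seq) pairs; a common ACL review finding.
    """
    ordered = sorted(acl, key=lambda r: r[0])
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_covers(earlier[2], later[2], "proto")
                    and _covers(earlier[3], later[3], "addr")
                    and _covers(earlier[4], later[4], "addr")
                    and _covers(earlier[5], later[5], "port")):
                found.append((later[0], earlier[0]))
                break
    return found


if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "10.1.2.3", "198.51.100.4", 443))   # permitted by 10
    print(evaluate(ACL, "udp", "10.1.2.3", "198.51.100.4", 53))    # implicit deny
    print(shadowed_rules(ACL))                                       # rule 70 is dead
```

Rule 70 is the classic mistake: a deny added below an earlier, identical permit does nothing, and only the shadow check reveals it. The UDP query shows the implicit deny: no rule mentions UDP, so the packet is dropped without any rule having matched.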

Host-based firewall

Uses software on the end user’s computer, e.g. Microsoft Defender. Protects only this computer.

Network-based firewall

Protects the entire network. Firewalls can be stand alone or be built into the computer. 

A combination of both host-based and network-based is typically used. 

Stateless vs stateful firewalls

Stateless: Packet filtering firewalls. Faster than stateful. Blocks or allows traffic based on layer 3 and 4 information.

Stateful: More intelligent and more common than stateless. Allows incoming traffic based on traffic initiated by packets moving out of the network. Blocks or allows traffic based on layer 3-5 information.

Next Generation Firewalls:

Operate at the application layer. Inspect data/payload and not just network headers. Can detect if the traffic is Skype, Torrents, YouTube and so on. Can detect payloads and patterns and block specific malicious domain names, malware and spam.

Can block these specific applications, like Skype. But also specific parts of an application, like downloading files inside of Skype.

IPS – Intrusion Prevention Systems

Actually blocks traffic compared to IDS that only detects it and informs the owner or network administrator.

Host-based IPS = HIPS

IDS – Intrusion Detection Systems

Older. Not real time.

Host-based malware protection

  • Signature-based – Recognizes malware based on known malware files. Only old and already known malware can be stopped.
  • Heuristic-based – Recognizes malware based on characteristics shared by several other malware types. (Uncertain whether this is correct)
  • Behaviour-based – Uses analysis of suspicious behaviour, e.g. a process behaving out of place.
  • Policy-based – Compares the operations of a host against well-defined security rules. With the anomaly-based intrusion detection approach, a set of rules or policies is applied to a host. Violation of these policies is interpreted to be the result of a potential intrusion.

Distributed firewall

Describes when firewalls are implemented on all hosts (host-based) on a network. It’s a coordinated, centrally managed firewall.

5-tuple

Five values that comprise a TCP/IP connection:

  • Source and destination IP
  • Source and destination port
  • Protocol in use
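The five values listed here are what the Session data entry earlier calls the 5-tuple, and they are the key under which session records are built. The Python below is an added example, not from the original notes: it reduces a constructed list of per-packet metadata to one record per conversation (bytes, packet count, start, end and duration), the way a flow collector would, treating both directions of a connection as the same session. A real collector would read the packets from a pcap or a NetFlow/IPFIX export instead of the inline list.

```python
"""Session records from per-packet metadata (5-tuple flows).

Added example, not from the original notes. Each packet is reduced to the
fields session data keeps: the 5-tuple, byte count and timing. The sample
packets below are constructed for the example.
"""

# Constructed sample: (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    (100.0, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 517),
    (100.2, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1460),
    (100.3, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 60),
    (101.0, "10.0.0.5", 53211, "10.0.0.1", 53, "udp", 71),
    (101.1, "10.0.0.1", 53, "10.0.0.5", 53211, "udp", 135),
    (104.9, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1460),
]


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Canonical 5-tuple so that both directions of one conversation share a key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if a > b:                      # order the two endpoints deterministically
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)


def build_sessions(packets):
    """Aggregate packets into session records: bytes, packet count, start, end, duration."""
    sessions = {}
    for ts, sip, sport, dip, dport, proto, size in packets:
        key = flow_key(sip, sport, dip, dport, proto)
        rec = sessions.setdefault(key, {"start": ts, "end": ts, "bytes": 0, "packets": 0})
        rec["start"] = min(rec["start"], ts)
        rec["end"] = max(rec["end"], ts)
        rec["bytes"] += size
        rec["packets"] += 1
    for rec in sessions.values():
        rec["duration"] = round(rec["end"] - rec["start"], 3)
    return sessions


def describe(sessions):
    """One human-readable line per session: the 'record of a conversation'."""
    lines = []
    for (ip_a, port_a, ip_b, port_b, proto), rec in sorted(sessions.items()):
        lines.append(f"{proto} {ip_a}:{port_a} <-> {ip_b}:{port_b} "
                     f"{rec['packets']} pkts {rec['bytes']} bytes {rec['duration']} s")
    return lines


if __name__ == "__main__":
    for line in describe(build_sessions(PACKETS)):
        print(line)
```

Six packets collapse into two session records, which is the data reduction that makes session data cheap to keep for long periods compared with full packet capture: the payload is gone, but who talked to whom, over which protocol and port, how much and for how long survives.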

Sandbox

A way to observe malware or potential malware in an isolated environment where it can’t do any harm. VMs are a type of sandboxing environment. Sandboxes can also be used by threat actors to hide their traces.

Cuckoo is a free and open source sandbox. Cisco Threat Grid Glovebox is also a sandbox.

Cisco AMP

Addresses all phases of a malware attack, from breach prevention to detection, response and remediation. It’s backed by threat intelligence.


Identifies and stops latent malware on files.

Identifies and stops email threat actors.

Blocks attacks across the web.

Network profiling

To detect abnormal network behaviour, we need to establish a baseline of what is normal behaviour. Wireshark and NetFlow can assist with understanding what ports and IP addresses are normally used.

Server profiling

Same as network profiling. Listening ports, running processes and tasks, user accounts and so on.

Vulnerability testing

Risk analysis

Analysis on potential impacts of an attack on core assets and functionality.

Vulnerability assessment

Host scans, port scans, IP scans and other vulnerability scans, e.g. with Kali Linux.

Penetration testing

Ethical hacking, metasploit, Core Impact and so on. 

CVSS – Common Vulnerability Scoring System

Risk assessment on a network and endpoints. CVSS 3.0 is the latest framework and an industry standard for weighing risks.

NIST Security framework

ISO27000 -> 27005

WAP – Wireless Access Point

WAP connects wireless clients like laptops and mobile phones to a wired network.

Rogue AP

Criminals place a WAP and connect it to the wired network. Usually done by former employees or employees with criminal intentions.

MAC Spoofing

Sniffs wireless traffic. Steals MAC addresses to trick the WAP into sending packets to the wrong person.

Wireless Man In The Middle attack

Replays traffic after copying or modifying the traffic.

Ways to protect WLAN

SSID hiding

WAP normally broadcasts the SSID as a beacon every 30 seconds. Hiding SSID means disabling the beacon. Not considered safe.

MAC filtering

Maintain a whitelist of known and approved MAC-addresses. Only approved MAC-addresses can connect. Not considered safe.


SMTP (Simple Mail Transfer Protocol)

Used to send email. Then the client retrieves emails using IMAP or POP. Uses port 25.

IMAP (Internet Message Access Protocol)

Requires a larger amount of disk space. Downloads only copies of email messages to the client. Original messages must be manually deleted.

POP3 (Post Office Protocol)

Mail is downloaded from the server and then deleted. Does not require a centralized backup solution. Desirable for an ISP or large business.

STP – Spanning Tree Protocol

Prevents layer 2 loops that might occur on a redundant network. STP closes physical links to achieve this. TTL also helps.

Three-Layer network design

(Hierarchical design)

Also called a three-tier or campus network.

  • Core Layer – Connects to the internet
  • Distribution Layer – Connects the core and access layers. Houses multilayer switches that can operate at both layer 2 and layer 3. Normally only routers operate at layer 3.
  • Access Layer – Where devices are connected.

Smaller networks use a two-tier design called Collapsed core where the core and distribution layer are combined.

Routing protocol

Routing protocols can be divided into two categories, distance vector and link state protocols:

Distance vector routing protocols

BGP – Border Gateway Protocol (Used to exchange routes between ISPs)

EIGRP – Enhanced Interior Gateway Routing Protocol

RIP – Routing Information Protocol

Unique routing table for every router. Collects info about routes and nearby hops. Works like sign posts.

Link state routing protocols

OSPF – Open Shortest Path First

IS-IS – Intermediate System to Intermediate System

Builds a full map. Same on every router. Has info on all routes and hops. Works like a map rather than directions like distance vector protocols.

DMZ – Demilitarized zone

A DMZ is used when internal servers need to be reachable from the internet/public. Having public servers connected to the same network as employees at a company poses a risk to the internal devices. A DMZ can be configured with software in a very small network, but a large network uses two firewalls: one before the public servers, and one after, before entering the internal network.

NTP – Network Time Protocol

Used because we need:

Timestamp on logs. For security applications. For scheduling events.

NTP servers are divided into layers.

Stratum 0 – Uses atomic clocks

Stratum 1 – NTP servers based on stratum 0

Stratum 2 – NTP servers based on stratum 1

The lower the stratum number, the more accurate the time. Windows has an NTP server built in. NTP uses UDP to communicate. Usually both a primary and a backup server are used.

Syslog server

All network devices generate syslogs. Logs can be stored locally on devices or stored externally.

Severity levels:

  • 0 – Emergency
  • 1 – Alert
  • 2 – Critical
  • 3 – Error
  • 4 – Warning
  • 5 – Notice
  • 6 – Informational
  • 7 – Debug

Syslog servers are used to centralize log collection. They use UDP port 514. Threat actors can exfiltrate data from these servers to gather intelligence.
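On the wire the severity level above is not sent as a word: each syslog message starts with a "<PRI>" value that encodes facility * 8 + severity (RFC 3164 / RFC 5424), so severity is PRI mod 8 and facility is PRI div 8. The Python below is an added example, not from the original notes: it parses that field from constructed sample lines, maps it back to the severity names in the table, and applies the kind of data reduction mentioned under Data reduction by keeping only lines at Warning or worse.

```python
"""Parsing the syslog PRI field into facility and severity.

Added example, not from the original notes. In a syslog message the leading
"<PRI>" value encodes facility * 8 + severity, so severity is PRI % 8 and
facility is PRI // 8. The sample lines below are constructed.
"""
import re

SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

# Constructed sample lines in the classic "<PRI>timestamp host tag: message" form.
SAMPLE_LINES = [
    "<190>Mar  4 10:15:02 fw01 filter: connection permitted 10.0.0.5 -> 93.184.216.34:443",
    "<187>Mar  4 10:15:07 fw01 link: interface outside changed state to down",
    "<165>Mar  4 10:15:09 sw02 auth: login failed for user admin from 10.0.0.77",
    "<134>Mar  4 10:15:10 srv01 sshd: session opened for user backup",
    "<10>Mar  4 10:15:12 srv01 disk: filesystem /var 98% full",
    "garbage line without a PRI header",
]


def parse_pri(line):
    """Return (facility, severity, rest_of_line), or None if the PRI is missing or invalid."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 24 facilities * 8 severities - 1 is the largest legal value
        return None
    return pri // 8, pri % 8, m.group(2)


def severity_name(line):
    parsed = parse_pri(line)
    return SEVERITY[parsed[1]] if parsed else "Unknown"


def keep_at_least(lines, max_severity):
    """Data reduction: keep lines at or more severe than max_severity (lower number = more severe).

    Lines without a valid PRI are kept, since an unparseable log entry is worth a look.
    """
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None or parsed[1] <= max_severity:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_pri(line)
        print(f"{severity_name(line):13} facility={p[0] if p else '-'} {line[:60]}")
    print(len(keep_at_least(SAMPLE_LINES, 4)), "lines at Warning or worse")
```

Note the direction of the comparison: a lower number is more severe, so "Warning or worse" means severity <= 4. Dropping everything numerically above the threshold is exactly the low-severity elimination described under Data reduction, and keeping the malformed line is deliberate, since something that does not look like syslog on a syslog port deserves attention rather than silent discard.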


802.11 = Wireless LAN

Collision avoidance. Has signal interference.

WLAN requires more information in the header than LAN. WLAN is half duplex, which means only one client can transmit or receive at the same time.

  • Passive mode – Access point sends a beacon every 30 seconds or so with SSID, supported standards and security settings.
  • Active mode – Client must know the SSID. The client broadcasts a request with the SSID and supported standards, then the AP sends a probe response.

CSMA/CA – Carrier Sense Multiple Access with Collision Avoidance

WLANs are half-duplex, meaning that only one client can send or receive at any given moment.

LWAP – Lightweight AP

In a wireless deployment that is using lightweight access points (LWAPs), the LWAP forwards data between the wireless clients and the wireless LAN controller (WLC).

Switch

When an Ethernet switch receives a frame with an unknown Layer 2 address, the switch records that address in the address table.

Cisco switches assign an IP address to a routed port.

FTP – File Transfer Protocol

FTP uses TCP (ports 20/21) to avoid packet loss.

SFTP – Secure FTP

Uses SSH.

TFTP – Trivial FTP

For users within a LAN. Uses UDP on port 69.

SMB – Server Message Block

A client/server file sharing protocol that uses a request/response model.

Digital hygiene

A routine for keeping the computer updated, removing trash and downloaded files, changing/updating passwords, unsubscribing from unwanted newsletters, deleting unused accounts, using multi-factor authentication, shutting down the computer when it is not in use, and so on. Should be practised both personally and within organizations.

Linux terminal commands

  • man – Provides documentation (manual pages).
  • | – In the Linux shell, several commands can be combined to perform a complex task. This technique is known as piping: the character “|” between two consecutive commands sends the output of the first to the input of the second.
  • chmod – Modifies file permissions.
  • ps – Process Status. Lists the currently running processes and their PIDs.
  • top – Lists processes like ps, but keeps the display updated.
  • kill – Sends a signal to a process, used to terminate, restart or pause it.
  • pwd – Print working directory. Shows the path of the directory the user is currently working in.
  • sudo – Allows a user to execute commands as the superuser.
  • ren – Renames a file.
  • mkdir – Creates a new directory.
  • cd – Changes the current directory.
  • dir – Lists files in a directory.
  • ls – Lists the files in the current directory. -l also lists the permissions of each file.
  • ln – Creates a hard link.
  • rm – Removes files, links and so on from the file system.

Windows commands

  • netstat – When used by itself (without any options), the netstat command will display all the active TCP connections that are available.
  • netsh – The netsh.exe tool can be used to configure networking parameters for the PC from a command prompt.
  • net accounts – Sets password and logon requirements for users. When used without options, the net accounts command displays the current settings for password, logon limitations, and domain information.
  • net start – Starts a network service or lists running network services.
  • net use – Connects, disconnects, and displays information about shared network resources.
  • net view – Shows a list of computers and network devices on the network.
  • nslookup – Is a tool for testing and troubleshooting DNS servers.

Windows functions/programs

Registry

A hierarchical database of all system and user information.

Windows firewall

Selectively denies traffic on specified interfaces.

PowerShell

A CLI environment used to run scripts and automate tasks.

  • cmdlets – Perform an action and return an output or object to the next command that will be executed.

Event Viewer

Maintains system logs.

Services

The Services console in Windows OS allows for the management of all the services on the local and remote computers. The setting of Automatic in the Services console enables the chosen service to start when the computer is started.

Local Security Policy

Windows systems that are not part of an Active Directory Domain can use the Windows Local Security Policy to enforce security settings on each stand-alone system.

File systems


  • exFAT
  • HFS+ (Hierarchical File System Plus)
  • EXT (Extended File System)
  • NTFS (New Technology File System)


  • ext2 (second EXTended file system)
  • ext3 (third)
  • ext4 (fourth)
  • NFS (Network File System)
  • CDFS (Compact Disk File System)
  • Swap File System
  • HFS+ (Hierarchical File System Plus)
  • APFS (Apple File System)
  • MBR (Master Boot Record)

Linux roles and file permission

On a Linux system, everything is treated as a file. That file carries file permissions. Possible file permissions are Read, Write and Execute (rwx).



The first character of the permission string shows the type: a dash indicates a regular file, a “d” instead of a dash indicates a directory.

  • First set of rwx indicates the permissions of the user (owner).
  • Second set indicates the permissions of the group.
  • Third set indicates the permissions for others (users who are neither the owner nor in the group).
Binary   Octal   Symbolic   Meaning
000      0       ---        No access
001      1       --x        Execute only
010      2       -w-        Write only
011      3       -wx        Write and Execute
100      4       r--        Read only
101      5       r-x        Read and Execute
110      6       rw-        Read and Write
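The following is an added example, not part of the original notes: a Python helper that converts the mode string shown by ls -l into the octal digits from the table above and back, and flags the world-writable case a hardening review looks for. The mode strings are constructed samples; special bits (s, t) are outside the notes and are rejected.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode_string(mode):
    """Parse the 10-character mode from `ls -l`, e.g. '-rwxr-x---'.

    Returns (kind, octal) where kind is 'file', 'directory' or 'other'
    and octal is the three digits for user, group and others, e.g. '750'.
    """
    if len(mode) != 10:
        raise ValueError("expected 10 characters, e.g. -rwxr-xr-x")
    kind = {"-": "file", "d": "directory"}.get(mode[0], "other")
    digits = []
    for start in (1, 4, 7):                      # user, group, others
        triplet = mode[start:start + 3]
        value = 0
        for ch, expected in zip(triplet, "rwx"):  # each position is its letter or '-'
            if ch == expected:
                value += PERM_BITS[expected]
            elif ch != "-":                      # s/t special bits are out of scope here
                raise ValueError(f"unexpected character {ch!r} in {mode!r}")
        digits.append(value)
    return kind, "".join(str(d) for d in digits)


def octal_to_symbolic(octal):
    """'640' -> 'rw-r-----' using the binary/octal mapping from the table."""
    out = []
    for digit in octal:
        v = int(digit)
        out.append(("r" if v & 4 else "-") + ("w" if v & 2 else "-") + ("x" if v & 1 else "-"))
    return "".join(out)


def world_writable(mode):
    """True when the 'others' set has write permission (the w in the third set)."""
    return mode[8] == "w"


if __name__ == "__main__":
    # Constructed sample modes, as they would appear in the first column of ls -l.
    for sample in ("-rwxr-x---", "drwxrwxrwx", "-rw-rw-rw-"):
        kind, octal = parse_mode_string(sample)
        print(sample, kind, octal, "world-writable" if world_writable(sample) else "")
```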

Abbreviations and acronyms

  • SOC – Security Operations Center
  • SIEM – Security Information and Event Management software
  • SOAR – Security Orchestration, Automation and Response
  • UEBA – User and Entity Behaviour Analytics
  • KPI – Key Performance Indicators
  • APT – Advanced Persistent Threat
  • DoS – Denial of Service
  • DDoS – Distributed Denial of Service
  • RaaS – Ransomware as a Service
  • IoT – Internet of Things
  • GDPR – General Data Protection Regulation
  • OVF – Open Virtualization Format
  • SecOps – Security Operations
  • TacOps – Tactical Operations
  • OpSec – Operational Security
  • OSINT – Open Source Intelligence
  • WMI – Windows Management Instrumentation
  • NIDS – Network Intrusion Detection System
  • BYOD – Bring Your Own Device
  • FTP – File Transfer Protocol
  • SMB – Server Message Block
  • SSH – Secure Shell Protocol
  • DNS – Domain Name System
  • MX – Mail Exchange
  • TLD – Top Level Domain
  • SNMP – Simple Network Management Protocol
  • DHCP – Dynamic Host Configuration Protocol
  • AES – Advanced Encryption Standard
  • VPN – Virtual Private Network
  • DaaS – Desktop as a Service
  • CLI – Command Line Interface
  • API – Application Programming Interface
  • OLE – Object Linking and Embedding
  • MBR – Master Boot Record
  • ICMP – Internet Control Message Protocol
  • TCP – Transmission Control Protocol
  • UDP – User Datagram Protocol
  • ISP – Internet Service Provider
  • NIC – Network Interface Controller
  • MAC – Media Access Control
  • ARP – Address Resolution Protocol
  • NAT – Network Address Translation
  • NTP – Network Time Protocol
  • TTL – Time To Live
  • FCS – Frame Check Sequence
  • CAM – Content-Addressable Memory
  • IP – Internet Protocol
  • OS – Operating System
  • IDS – Intrusion Detection System
  • IPS – Intrusion Prevention System
  • HIPS – Host-based Intrusion Prevention System
  • HIDS – Host-based Intrusion Detection System
  • ACL – Access Control List
  • PLC – Programmable Logic Controller
  • BSS – Basic Service Set
  • PDU – Protocol Data Unit
  • DAD – Duplicate Address Detection
  • DLP – Data Loss Prevention
  • RTS – Ready To Send
  • CTS – Clear To Send
  • AP – Access Point
  • WAP – Wireless Access Point
  • SSID – Service Set IDentifier
  • WLAN – Wireless Local Area Network
  • VLAN – Virtual Local Area Network
  • LAN – Local Area Network
  • WAN – Wide Area Network
  • OSPF – Open Shortest Path First
  • RIP – Routing Information Protocol
  • LPM – Longest Prefix Match
  • IOC – Indicators Of Compromise
  • IOA – Indicators Of Attack
  • STP – Spanning Tree Protocol
  • DMZ – Demilitarized Zone
  • ZFW – Zone-based policy Firewall
  • CISA – US Cybersecurity and Infrastructure Security Agency
  • AIS – Automated Indicator Sharing
  • NCSA – National Cyber Security Alliance
  • ENISA – European Union Agency for Cybersecurity
  • IETF – Internet Engineering Task Force
  • SQL – Structured Query Language
  • CVE – Common Vulnerabilities and Exposures
  • SID – Security Identifier
  • CTI – Cyber Threat Intelligence
  • STIX – Structured Threat Information Expression
  • TAXII – Trusted Automated Exchange of Indicator Information
  • FIRST – Forum of Incident Response and Security Teams
  • MISP – Malware Information Sharing Platform
  • CIS – Center for Internet Security
  • TIP – Threat Intelligence Platform
  • NIST – National Institute of Standards and Technology
  • CSIRT – Computer Security Incident Response Team
  • CSIRC – Computer Security Incident Response Capability
  • HMAC – Hash-based Message Authentication Code
  • KDF – Key Derivation Function
  • CVSS – Common Vulnerability Scoring System
  • NVD – National Vulnerability Database
  • PKI – Public Key Infrastructure
  • CA – Certificate Authority
  • ISMS – Information Security Management System
  • NSM – Network Security Monitoring
  • AAA – Authentication, Authorization and Accounting
  • RADIUS – Remote Authentication Dial-In User Service
  • TACACS – Terminal Access Controller Access-Control System
  • AMP – Advanced Malware Protection
  • ESA – Email Security Appliance
  • WSA –  Web Security Appliance
  • NAC – Network Admission Control
  • TTP – Tactics, Techniques and Procedures
  • ATT&CK – Adversarial Tactics, Techniques and Common Knowledge
  • RSA – Retrospective Security Analysis
  • SOP – Standard Operating Procedures
  • SME – Subject Matter Expert
  • PID – Process ID (Unique)
  • HAL – Hardware Abstraction Layer
  • CTF – Capture The Flag

Personal information

  • PII – Personally Identifiable Information
  • PHI – Protected (Personal) Health Information
  • PSI – Personal Security Information

Types of malware and exploits

  • Malware – Collective name for different types of viruses, worms and trojans.
  • Worm – Designed to replicate itself and spread across networks. Stuxnet was a worm.
  • Virus – Designed to inject itself into regular programs or processes.
    • Metamorphic – A metamorphic virus is rewritten with every iteration, so that every succeeding version of the code is different from the preceding one.
    • Polymorphic – A polymorphic virus is a harmful, destructive or intrusive type of malware that can change its form, making it difficult to detect with anti-malware programs.
  • Trojan horse – Malware embedded in a normal file or program.
  • Spyware – Usually a trojan. Can be a keylogger. Spies on the user's browsing history and/or credit card information.
  • Adware – Virus that displays illicit/unwanted advertisements.
  • Keylogger – Logs keystrokes. Can be a spyware virus, a USB stick or a hijacked Bluetooth keyboard.
  • Ransomware – Encrypts the computer and forces the user to pay a ransom to unlock it. Often in Bitcoin or other cryptocurrency.
  • Rootkit – A virus, trojan, keylogger etc. that hides deep inside the computer with comprehensive admin privileges, without being detected. Hard to find. Usually masks itself as a legitimate program or as part of the OS.
  • SQL injection – Threat actors can exploit vulnerabilities in databases using crafted query strings to gain access to passwords, social security numbers, phone numbers and so on.
  • Zero Day Exploit – Exploits a vulnerability that has not yet been detected and/or patched. A virus can use the exploit to gain access to the machine.
  • Man in the middle attack (MiTM) – A MiTM attack occurs when threat actors have positioned themselves between a source and a destination. They can then actively monitor, capture and control the communication transparently.
  • Data exfiltration – Unauthorized data transfer. Is considered data theft. Can be performed by malware or by a threat actor.
  • Daemon – An operating system program running in the background, designed to perform a specific task when certain conditions or events occur. A daemon is a background process that runs without the need for user interaction.
