[Introduction to IoV security] I. A plain-language guide to common terms in Internet of Vehicles security

Posted by bri4n on Fri, 19 Nov 2021 18:09:26 +0100

I am not a salted fish, but a dead fish!

Common terms of Internet of vehicles security

0x01 Vehicle end

      Internet of Vehicles (IoV) is a technology that combines the mobile Internet with the Internet of Things. It covers every new or older model that has been given wireless network connectivity, whether through a factory-fitted wireless communication module or one retrofitted later, and it touches communication, environmental protection, energy saving and safety.

      CAN (Controller Area Network) is a serial multi-master bus, standardised in ISO 11898, that lets the ECUs in a vehicle exchange messages without a central host. It was introduced so that many controllers could cooperate and share vehicle-wide state instead of being wired to each other point to point. A CAN frame carries an 11-bit (or 29-bit extended) identifier that sets its priority and meaning, but no sender address, no authentication and no encryption: any node on a segment can transmit any identifier, which is the root of most CAN spoofing and injection attacks.

      High Speed CAN (CAN-C): CAN-C is standardised in ISO 11898-2 and runs at 125 kbit/s to 1 Mbit/s, which meets the real-time data requirements of the powertrain and chassis. CAN-C typically connects the following subsystems:

·Engine control unit

·Transmission control unit

·Electronic stability control

·Instrument cluster

      Low Speed CAN (CAN-B): CAN-B is standardised in ISO 11898-3 (fault-tolerant low-speed CAN) and runs at 5 to 125 kbit/s, which is sufficient for comfort and body-control functions (sunroof, doors, etc.). Typical CAN-B applications:

·Air conditioning (AC)

·Seat adjustment

·Power windows

·Sunroof control

·Mirror adjustment

·Lighting

·Navigation system controls

  • Network topology: the physical layout in which devices are interconnected by a transmission medium (twisted pair, optical fibre, wireless links, etc.), that is, how the computers and other devices in the network are wired together. A topology diagram shows the configuration of the network and the connections between servers and workstations. Common structures are star, ring, bus, distributed, tree and mesh.
  • Bus: a shared communication trunk over which the functional components of a computer (or of a vehicle network) exchange information; physically it is a harness of wires. Every node attached to the same bus sees every frame on it.
  • Network protocols: the set of rules, standards or conventions established for exchanging data in a computer network.
  • Gateway: also called an inter-network connector or protocol converter. A gateway interconnects networks above the network layer and is the most complex interconnection device; it is used between two systems whose high-level protocols, data formats, languages or even architectures differ, and it can join WANs as well as LANs. Unlike a bridge, which simply forwards, a gateway re-packages what it receives to fit the target system. In a vehicle the central gateway ECU bridges CAN-C, CAN-B, LIN and automotive Ethernet, and is the natural place to filter which identifiers may cross from the diagnostic or infotainment side to the powertrain side.
  • V2V: vehicle-to-vehicle communication
  • V2R (Vehicle to Road): vehicle-to-road communication
  • V2H (Vehicle to Human): vehicle-to-human communication
  • V2S (Vehicle to Sensor): vehicle-to-sensor communication
  • V2I (Vehicle to Infrastructure): vehicle-to-infrastructure communication (roadside units, traffic signals, back-end services)
  • V2X (Vehicle to Everything): the umbrella term for all of the above
  • UDS (Unified Diagnostic Services): the diagnostic request/response protocol standardised in ISO 14229

Collision warning

      Several kinds of collision can be avoided through V2V communication before they happen. For example, when the vehicle ahead wants to change lanes, the driver of the vehicle behind can receive a lane-change warning sent over V2V in addition to seeing the turn signal. If the driver behind has not noticed the signal, or the driver ahead forgot to switch it on, the driver behind is still alerted by a sound or an indicator. Conversely, if a vehicle sits in the blind spot (not visible in the side mirror) and the driver has not seen it, the driver is warned when starting to steer into that lane.

1.0 Left turn assist

      Left Turn Assist (LTA): LTA alerts the driver when the vehicle is turning left and a collision is possible.

1.1 Emergency braking warning

      Emergency Electronic Brake Light: when a V2X-equipped vehicle ahead brakes suddenly, the vehicles behind receive a warning. This is most useful in heavy fog, heavy rain, or when another vehicle blocks the view ahead; without it, by the time the driver behind notices the hard braking it may be too late to slow down.

      Red Light Violation Warning: as the vehicle approaches a traffic signal, this function uses speed and other data to judge whether it is likely to run the red light, and warns the driver.

1.2 Curve speed warning

      Curve Speed Warning: reminds the driver to slow down if passing through the curve ahead at the current speed could be dangerous.

1.3 Construction zone warning

      Reduced Speed Zone Warning: reminds the driver to slow down, change lanes or prepare to stop.

1.4 Real-time weather warning

      Real-time weather warning: downloads current weather and location information over V2I and alerts the driver when necessary.

  • On-Board Diagnostics (OBD): the self-diagnosis and fault-reporting capability built into the vehicle. The owner or a technician can read the status of each subsystem through the OBD protocols in order to diagnose the vehicle. The OBD-II connector is also the most convenient physical attack surface for reaching the CAN bus.

  • The five OBD-II protocols: SAE J1850 PWM, SAE J1850 VPW, ISO 9141-2, ISO 14230 (KWP2000) and ISO 15765 (CAN, the most commonly used)

1.5 Introduction to automotive bus protocols

      Several protocols are used on the in-vehicle network, such as FlexRay, MOST, CAN and LIN. They differ in data rate and cost, so each has its own niche, as shown in Figure 6-1: MOST is used for high-speed multimedia data, FlexRay for X-by-Wire with strict real-time requirements, CAN for connecting controllers, and LIN for cheap peripherals such as window and door switches.

  • ISO-TP: the CAN standard limits a classic frame to 8 data bytes, so a CAN-based transport layer, ISO-TP (ISO 15765-2), is used to send larger messages. It segments a message into a first frame and numbered consecutive frames, with flow-control frames from the receiver; the original 12-bit length field allows messages of up to 4095 bytes (the 2016 revision adds an escape sequence for longer ones). ISO 15765-2 defines the network-layer requirements of the on-board diagnostic system and runs on top of the CAN data link layer (ISO 11898). Although designed for diagnostics, it is applicable to any CAN system that needs a network-layer protocol.

  • CANopen

CANopen is a higher-layer communication protocol built on CAN. CANopen splits the 11-bit message ID into a 4-bit function code and a 7-bit node ID. The 7-bit node ID has 128 values, of which 0 is reserved, so a CANopen network allows up to 127 devices. CAN 2.0B allows a 29-bit ID, so a CANopen network on CAN 2.0B could in principle carry more than 127 devices, but in practice most CANopen networks have far fewer.

  • COB-ID: CANopen calls the 11-bit ID of a CAN message the communication object identifier.

  • Heartbeat protocol: used to monitor the nodes on the network and confirm that they are operating normally.

  • UDS: Unified Diagnostic Services (ISO 14229), the request/response protocol carried over ISO-TP for diagnostics and reprogramming. Services include DiagnosticSessionControl (0x10), SecurityAccess (0x27, a seed/key challenge that gates privileged services), ReadDataByIdentifier (0x22) and RoutineControl (0x31); the strength of the SecurityAccess key algorithm is one of the first things an ECU assessment checks.
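
To make the ISO-TP framing and the UDS request format above concrete, here is an added example (mine, not code from the article or from any ISO-TP library) that segments and reassembles UDS requests over classic CAN in Python. The request bytes are constructed from the ISO 14229 service IDs; the 16-byte SecurityAccess key is a made-up value, and nothing here touches a real bus.

```python
"""ISO 15765-2 (ISO-TP) segmentation of UDS requests over classic CAN.

Added example, not code from the original article. Constructed payloads only.
Data-field layout (classic CAN, 8-byte data field):
  Single frame      (SF): [0x0N, data...]          N = length <= 7
  First frame       (FF): [0x1L, 0xLL, data[:6]]   L = 12-bit total length
  Consecutive frame (CF): [0x2S, data...]          S = 4-bit sequence, wraps 0..15
  Flow control      (FC): [0x3F, BS, STmin]        F = 0 continue, 1 wait, 2 overflow
"""
from typing import List

MAX_SF = 7               # single-frame payload limit with 8-byte CAN frames
MAX_ISOTP_LEN = 0xFFF    # 12-bit length field of the original first frame


def isotp_segment(payload: bytes) -> List[bytes]:
    """Split a payload into the CAN data fields the sender transmits.

    Flow-control frames come from the receiver and are not part of this list.
    """
    if len(payload) > MAX_ISOTP_LEN:
        raise ValueError("payload exceeds 4095 bytes; needs the 2016 escape-sequence length")
    if len(payload) <= MAX_SF:
        return [bytes([0x00 | len(payload)]) + payload]
    length = len(payload)
    frames = [bytes([0x10 | (length >> 8), length & 0xFF]) + payload[:6]]
    seq, pos = 1, 6
    while pos < length:
        frames.append(bytes([0x20 | seq]) + payload[pos:pos + 7])
        seq = (seq + 1) & 0x0F
        pos += 7
    return frames


def isotp_reassemble(frames: List[bytes]) -> bytes:
    """Rebuild the payload from received data fields; raise on a broken sequence.

    The sequence-number check matters for security: a node that accepts CFs out
    of order, or without a preceding FF, can be fed attacker-spliced messages.
    """
    if not frames:
        raise ValueError("no frames")
    pci = frames[0][0] >> 4
    if pci == 0x0:
        n = frames[0][0] & 0x0F
        if n > MAX_SF or len(frames[0]) < 1 + n:
            raise ValueError("bad single-frame length")
        return frames[0][1:1 + n]
    if pci != 0x1:
        raise ValueError("message must start with SF or FF")
    total = ((frames[0][0] & 0x0F) << 8) | frames[0][1]
    data = bytearray(frames[0][2:8])
    expected = 1
    for f in frames[1:]:
        if f[0] >> 4 != 0x2:
            raise ValueError("expected consecutive frame")
        if (f[0] & 0x0F) != expected:
            raise ValueError("sequence number mismatch")
        data += f[1:]
        expected = (expected + 1) & 0x0F
    if len(data) < total:
        raise ValueError("message truncated")
    return bytes(data[:total])


def flow_control(block_size: int = 0, st_min_ms: int = 0) -> bytes:
    """Receiver's FC 'ContinueToSend' frame (BS=0: no further FC needed)."""
    return bytes([0x30, block_size & 0xFF, st_min_ms & 0x7F])


# Constructed UDS requests (service IDs from ISO 14229; the key is made up):
UDS_READ_DID_VIN = bytes([0x22, 0xF1, 0x90])                 # ReadDataByIdentifier, DID F190 (VIN)
UDS_SEC_ACCESS_KEY = bytes([0x27, 0x02]) + bytes(range(16))  # SecurityAccess sendKey, 16-byte key

if __name__ == "__main__":
    for name, req in (("ReadDID", UDS_READ_DID_VIN), ("SecurityAccess", UDS_SEC_ACCESS_KEY)):
        frames = isotp_segment(req)
        print(name, [f.hex() for f in frames])
        assert isotp_reassemble(frames) == req
    print("receiver FC:", flow_control().hex())
```

The 3-byte ReadDataByIdentifier request fits in one single frame; the 18-byte SecurityAccess request becomes a first frame plus two consecutive frames, and the receiver must answer the first frame with a flow-control frame before the sender continues. When fuzzing an ECU, the reassembler's error paths (bad sequence number, missing first frame, length larger than the data) are exactly the cases worth sending.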

1.6 CAN reverse-engineering tools

  • 1. Vehicle Spy

      Vehicle Spy is a product of Intrepid Control Systems, Inc. (USA). It combines diagnostics, node/ECU simulation, data acquisition, automated testing and in-vehicle network monitoring in one tool, and supports standard CAN databases (.dbc files). With the matching interface hardware it also supports buses other than CAN, such as FlexRay, LIN and automotive Ethernet.

      It supports a great deal of hardware; for CAN analysis the ValueCAN adapters are used. It can view, filter, sort, customise and log the signals and messages of several bus networks at the same time. Its automatic message highlighting marks the bytes that are changing on the vehicle bus, which makes CAN reverse engineering much easier. The message editor lets the user define the messages and signals to be sent or received, and the graphing functions include shared Y and X axes, overlaid data files, charts, copy to clipboard and various gauge widgets.

      Vehicle Spy also supports scripting, which is very powerful; see its user manual for details. For more information see intrepidcs.com and http://www.hongkeqiche.com/index.php/bussoftware/vehicle-spy3compare/

  • 2. BUSMASTER

      BUSMASTER is free, open-source software that supports hardware from many vendors, such as Kvaser and Vector. Figure 6-13 shows the hardware BUSMASTER supports.

      BUSMASTER supports replay, logging, graphing and simulation of CAN traffic, and can load a CAN database (not a standard DBC file but its own .dbf format). It is very capable and, being free, well suited to getting started. The Kvaser Leaf Light is very stable when used with BUSMASTER.

  • 3. SocketCAN

      SocketCAN is the CAN driver and protocol stack that Volkswagen contributed to the Linux kernel. It supports virtual CAN devices (vcan), built-in CAN controllers, and USB or serial CAN interfaces.

      Traditional Linux CAN drivers used the character-device model, which usually lets only one process send or receive CAN data at a time. SocketCAN uses the network-device model instead: a CAN interface appears like a network interface, any number of processes can open CAN_RAW or ISO-TP sockets on it at once, and the familiar socket API and can-utils (candump, cansend, canplayer) work on top of it.

  • 4. CANToolz

      CANToolz, also known as YACHT (Yet Another Car Hacking Tool), is a framework for analysing CAN networks and devices. It is assembled from modules and can be used by security researchers and automotive/OEM testers for black-box analysis: ECU discovery, man-in-the-middle testing, fuzzing, brute forcing, scanning, and R&D test and verification.
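
An added example (not from the article or from the SocketCAN project) of the struct can_frame layout that SocketCAN uses on CAN_RAW sockets, in Python: it packs and decodes frames and prints them candump-style over a constructed frame list. The interface name vcan0, the identifiers and the payloads are assumptions for the demo; the optional send at the bottom only runs on Linux with a vcan interface already configured (ip link add dev vcan0 type vcan && ip link set up vcan0).

```python
"""Packing and decoding Linux SocketCAN raw frames (struct can_frame).

Added example, not from the article or the SocketCAN project. pack/unpack run
anywhere; the '--send' path at the bottom needs Linux plus a vcan interface
(the name 'vcan0' is an assumption).

struct can_frame (linux/can.h): u32 can_id (flags in the top 3 bits),
u8 can_dlc, 3 bytes padding, u8 data[8]  ->  struct format "=IB3x8s".
"""
import socket
import struct
import sys
from typing import List, Tuple

CAN_FRAME_FMT = "=IB3x8s"      # 16 bytes passed to send(2) / returned by recv(2)
CAN_EFF_FLAG = 0x80000000      # extended (29-bit) identifier
CAN_RTR_FLAG = 0x40000000      # remote transmission request
CAN_ERR_FLAG = 0x20000000      # error frame
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF


def pack_frame(can_id: int, data: bytes, extended: bool = False) -> bytes:
    """Build the 16-byte buffer a CAN_RAW socket expects."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    if extended:
        if can_id > CAN_EFF_MASK:
            raise ValueError("29-bit id out of range")
        raw_id = can_id | CAN_EFF_FLAG
    else:
        if can_id > CAN_SFF_MASK:
            raise ValueError("11-bit id out of range")
        raw_id = can_id
    return struct.pack(CAN_FRAME_FMT, raw_id, len(data), data.ljust(8, b"\x00"))


def unpack_frame(buf: bytes) -> Tuple[int, bool, bytes]:
    """Return (id, extended?, data). Note there is no sender field at all."""
    raw_id, dlc, data = struct.unpack(CAN_FRAME_FMT, buf)
    extended = bool(raw_id & CAN_EFF_FLAG)
    can_id = raw_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return can_id, extended, data[:dlc]


def dump(frames: List[bytes], iface: str = "vcan0") -> List[str]:
    """candump-style lines: '<iface>  <ID>   [<dlc>]  <data bytes>'."""
    lines = []
    for buf in frames:
        can_id, ext, data = unpack_frame(buf)
        id_text = f"{can_id:08X}" if ext else f"{can_id:03X}"
        lines.append(f"{iface}  {id_text}   [{len(data)}]  {data.hex(' ').upper()}")
    return lines


# Constructed traffic: two frames with the tester-request ID 0x7E0, one from
# the real diagnostic tool and one injected by another node. On the wire they
# are indistinguishable, which is the whole spoofing problem with classic CAN.
SAMPLE_FRAMES = [
    pack_frame(0x7E0, bytes.fromhex("0322f190")),                   # ReadDID F190 (VIN)
    pack_frame(0x7E0, bytes.fromhex("021003")),                     # DiagnosticSessionControl, extended
    pack_frame(0x18DAF110, bytes.fromhex("0462f190"), extended=True),  # reply on a 29-bit ID
]

if __name__ == "__main__":
    for line in dump(SAMPLE_FRAMES):
        print(line)
    if sys.platform.startswith("linux") and "--send" in sys.argv:
        # Assumes: ip link add dev vcan0 type vcan && ip link set up vcan0
        with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) as s:
            s.bind(("vcan0",))
            for buf in SAMPLE_FRAMES:
                s.send(buf)
```

Run the script with --send while candump vcan0 is open in another terminal and both appear in the dump; nothing in the frame tells the receiver which of the two 0x7E0 senders was legitimate, which is why gateways filter by identifier and direction rather than by sender.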

1.7 LIN bus

  • LIN: a single-wire, bidirectional bus for cheap peripherals. Slave nodes can use an inexpensive microcontroller clocked by an RC oscillator, but they pay for that in time and software: every frame begins with a break field and a sync byte (0x55) on which the slave re-measures the baud rate before decoding the rest of the frame.

  • Bit error: the transmitting node compares the data it wants to send with what actually appears on the bus. The controller must wait long enough for the bus to settle to the driven level before sampling. Assuming a minimum slew rate of 1 V/μs and a maximum bus voltage of 18 V, the transmitter should wait 18 μs before sampling the bit.

1.8 MOST bus

  • MOST: Media Oriented Systems Transport (MOST) is a high-speed multimedia network for vehicles that can also be used in other fields. The serial MOST bus uses a ring topology, synchronous data transfer and optical fibre to carry audio and video.

1.9 FlexRay high-speed bus

  • FlexRay: FlexRay is a high-speed bus used mainly for open-loop and closed-loop control systems in vehicles. Its main features are high reliability, good fault tolerance and strong real-time behaviour, so it is used where reliability and timing matter most: electronic steering, electronic braking, electronic drive, electronic throttle and other active safety systems. These systems may have no mechanical backup, so an electronic failure cannot be compensated for, which is why the reliability requirements are so high; X-by-Wire is the trend.

  • A FlexRay node consists of a host, a communication controller and a bus driver. A node may also include a bus guardian that monitors the bus driver and stops it from transmitting outside its assigned time slots.

0x02 Cloud end

2.1 PoC, EXP, Payload and Shellcode

PoC: short for "Proof of Concept"; usually a piece of code that demonstrates that a vulnerability exists.

EXP: short for "Exploit"; the code or action that actually exploits a vulnerability.

Payload: the code or instructions that are executed on the target system after a successful exploit.

Shellcode: literally "shell code", a kind of payload; it got its name because its classic job is to set up a bind (forward) or reverse shell.

2.1.1 Notes

A PoC proves that a vulnerability exists; an EXP exploits it. The two are usually not the same thing: a PoC is usually harmless, an EXP usually harmful, and the PoC comes first.

There are many kinds of payload. It can be shellcode or simply a system command. The same payload can be reused across many vulnerabilities, but each vulnerability needs its own EXP; there is no universal EXP.

Shellcode also comes in many forms: bind, reverse, and even a full Meterpreter.

Shellcode and Shellshock are not the same thing: Shellshock refers specifically to the Bash vulnerability disclosed in 2014.

2.1.2 Payload modules

Among the Metasploit Framework's six module types is the payload module, which comes in three flavours: singles, stagers and stages. A single is an all-in-one payload that depends on nothing else, so it is relatively large. A stager is a small first-stage payload, used when space on the target is limited, whose only job is to establish a connection back; a stage is the larger payload that is then downloaded over that connection. There are many stagers and stages, suited to different scenarios.

2.2 Dark web

Look it up yourself (it is well understood).

The dark web is a set of techniques (encrypted transport, peer-to-peer overlay networks, multi-hop relays that obscure the path, etc.) that protect the anonymity of the people accessing and publishing information on it; its defining characteristic is anonymity.

2.3 Broilers (zombie hosts)

    The so-called "broiler" (a Chinese slang term for a zombie host) is a vivid metaphor for computers, mobile phones, servers, or other smart devices such as cameras and routers that an attacker has taken control of and can use to launch network attacks.

    For example, in the 2016 outage on the east coast of the United States, a hacker group controlled a large number of networked cameras and used them to launch the attack; those cameras were "broilers".

2.4 Botnets

    A botnet ("zombie network") is formed when a large number of hosts are infected by one or more propagation methods, creating a one-to-many control network between the controller and the infected hosts.

    "Botnet" is a vivid metaphor: many computers are driven and commanded by someone without their owners' knowledge, like the zombie hordes of Chinese legend, and become infrastructure the attacker uses for all kinds of malicious activity (DDoS, spam, etc.).

2.5 Trojan horse

    A program that looks normal but, once run, gives the attacker full control of the system.

    Many attackers like to use Trojans to control other people's computers, such as Gray Pigeon, Gh0st, PcShare and so on.

2.6 Web Trojan

    Disguised on the surface as an ordinary web page, or malicious code inserted directly into a legitimate page file. When someone visits, the web Trojan exploits a vulnerability in the visitor's system or browser to silently install the configured Trojan server on the visitor's computer (a drive-by download), turning it into a "broiler" or a member of a botnet.

2.7 Rootkit

    A rootkit is used by an attacker to hide their tracks and keep root access (on Windows, think of SYSTEM or administrator).

    Usually the attacker first gets root through a remote attack, or first obtains an ordinary account by password guessing (cracking), logs in, and then escalates to root or SYSTEM through a vulnerability in the target system.

    The attacker then installs the rootkit on the system in order to control it for a long time. A rootkit is similar in function to a Trojan or a backdoor, but far better hidden than either.

2.8 Worms

    A relatively self-contained kind of malicious code that takes advantage of the openness of networked systems and spreads on its own through remotely exploitable vulnerabilities. Each compromised host becomes a new attacker and tries to infect more systems.

    The main characteristics of a worm are: self-replication, strong propagation, latency, specific triggers, and great destructiveness.

2.9 Stuxnet

    Stuxnet was the first "worm" to specifically target real-world infrastructure (energy) facilities such as nuclear plants, dams and power grids.

    Described as the world's first network "super-destructive weapon", Stuxnet infected more than 45,000 networks worldwide; its target, Iran's uranium enrichment equipment, suffered the most serious damage.

2.10 Ransomware

    Spread mainly by e-mail, Trojanised programs and compromised web pages. It is vicious and does great harm: once infected, the victim suffers incalculable losses. Ransomware encrypts files with strong cryptography, typically a per-victim symmetric key that is itself encrypted with the attacker's public key, so victims generally cannot decrypt their files without obtaining the private key from the attacker.

2.11 Mining Trojan

    A Trojan that turns PCs, mobile devices and even servers into cryptocurrency miners. It is usually planted by mining gangs to mine Bitcoin or other coins for profit (also called cryptojacking).

2.12 Attack payload

    The attack payload (Payload) is the multi-stage malicious code executed after the system has been compromised.
    Usually the payload is attached to an exploit module, distributed together with the exploit, and may fetch further components over the network.

2.13 Sniffer

    A sniffer is a device or program that captures network packets. Its legitimate use is analysing network traffic to find potential problems on the network of interest.

2.14 Malware

    A program designed to carry out malicious behaviour such as taking unauthorised control of a computer or stealing its data.

2.15 Spyware

    Software that installs a backdoor on a user's computer or phone without the user's knowledge and collects user information, monitors activity, takes covert photographs and so on.

2.16 Backdoor

    A vivid metaphor. After successfully taking control of a target host, the intruder plants a specific program on the system, or changes some settings, so that they can access, view or control the host later.

    On the surface these changes are hard to detect, as if the intruder had secretly cut a key to the owner's room, or fitted a button in an inconspicuous place, to let themselves in and out at will.

    Most Trojan programs can be used by an intruder to create a backdoor.

2.17 Weak password

    A password that is not strong enough and is easy to guess, such as 123 or abc.

2.18 Vulnerabilities

    Vulnerabilities are defects in the concrete implementation of hardware, software, protocols or a system's security policy that allow an attacker to access or damage the system without authorisation.
    Qi Xiangdong, chairman of Qi An Xin Group, points out in his book "Vulnerabilities" that software defects are a main source of vulnerabilities: defects are natural, and vulnerabilities are inevitable.

2.19 Remote command execution vulnerability

    Because of a flaw in the design or implementation of the system, an attacker can send specially crafted requests or data that cause arbitrary commands chosen by the attacker to be executed on the affected system.

2.20 0-day vulnerability

    "0day" originally referred to cracked software, known as WAREZ; later it extended to games, music, film and television and other content.

    The 0 in 0day stands for zero; in the early days "0 day" meant that a cracked version appeared within 24 hours of the software's release.

    In the context of network attack and defence, a 0-day vulnerability is one that has been discovered, understood and exploited by an attacker but is not yet publicly known, including to the affected vendor. Such a vulnerability gives the attacker a complete information advantage: since there is no patch or workaround, the defender does not know how to defend, and the attacker can do the maximum possible damage.

2.21 1-day vulnerability

    A vulnerability whose details have been disclosed but for which no patch has been released. The danger is still high, but the vendor usually publishes mitigations such as closing certain ports or services.

2.22 N-day vulnerability

    A vulnerability for which an official patch has been released. Protecting against it usually only requires applying the patch. However, for various reasons large numbers of devices remain unpatched while the exploitation method is public on the Internet, so these are often the vulnerabilities attackers use most.

    For example, in the EternalBlue (WannaCry) incident Microsoft had already released a patch beforehand, yet a large number of users had still not installed it.

2.23 Trojanising a web page

    Planting a web Trojan in someone else's website files, or sneaking code into their normal page files, so that visitors' browsers pick up the Trojan.

2.24 Digging

    Short for digging up vulnerabilities, i.e. vulnerability hunting.

2.25 Packing

    Using a special algorithm to transform the encoding of an EXE executable or DLL (for example by compression or encryption), in order to shrink the file, protect the code, or even evade anti-virus detection.

    Commonly used packers are UPX, ASPack, PePack, PECompact, UPack, Immune 007, Trojan Colored Clothes and so on.

2.26 Overflow

    Put simply, the program does not check the bounds of its input data, causing an error that may crash the program or let it execute the attacker's commands.

2.27 Buffer overflow

    The attacker feeds more bytes into a memory region than it can hold. In some cases the surplus bytes can be run as "executable code", which is enough to give the attacker control of the computer, bypassing its security measures.

2.28 Injection

    The number one enemy of Web security. The attacker sends attack code to an interpreter as part of a command or query; this malicious data tricks the interpreter into executing unintended commands or accessing data without authorisation.

    Injection vulnerabilities are usually caused by a lack of input validation in the application. They appear in SQL queries, LDAP queries, OS commands, program parameters, and so on.

2.28.1 SQL injection

    The most common form of injection. It refers mainly to a Web application failing to validate or properly filter user input, so that an attacker can append extra SQL to the query the application has already defined and, without the administrator's knowledge, trick the database server into running arbitrary unauthorised queries or other operations, resulting in data disclosure or unauthorised changes to the tables.

2.28.2 Injection point

    The place where injection can be carried out, usually a part of the application that accesses the database. What the attacker gains depends on the privileges of the database account the injection point runs under.
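
The injection point described in 2.28.1 and 2.28.2, as an added example (not from the article) in Python with an in-memory SQLite database: the vulnerable login built by string concatenation sits beside the parameterised version, and both are fed the same classic payloads. The users table, its rows and the plaintext passwords are constructed for the demo only.

```python
"""SQL injection: the vulnerable query beside the parameterised one.

Added example, not from the article. Uses an in-memory SQLite database with
constructed rows; the 'users' table, its rows and the plaintext passwords are
demo assumptions (real systems store password hashes).
"""
import sqlite3
from typing import Dict, Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, pw, is_admin) VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", 1), ("alice", "alice-pass", 0)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> Optional[str]:
    """Builds the statement by concatenation, so user input becomes SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' AND pw = '" + pw + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> Optional[str]:
    """Parameterised query: values travel separately from the SQL text, so a
    quote or comment marker in the input is data, never syntax."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND pw = ?", (name, pw)
    ).fetchone()
    return row[0] if row else None


def injection_point_demo() -> Dict[str, Optional[str]]:
    """Run both logins against the two classic payloads and real credentials."""
    conn = make_db()
    comment_payload = "admin' -- "       # '-- ' comments out the password check
    tautology_payload = "' OR '1'='1"    # makes the WHERE clause true for every row
    results = {
        "vuln_comment": login_vulnerable(conn, comment_payload, "anything"),
        "safe_comment": login_safe(conn, comment_payload, "anything"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology_payload),
        "safe_tautology": login_safe(conn, "nobody", tautology_payload),
        "safe_real_creds": login_safe(conn, "alice", "alice-pass"),
        "safe_wrong_creds": login_safe(conn, "alice", "wrong"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, outcome in injection_point_demo().items():
        print(f"{case:18s} -> {outcome}")
```

With the comment payload the concatenated statement becomes `SELECT name FROM users WHERE name = 'admin' -- ' AND pw = 'anything'`, so the password check is never evaluated; with the tautology payload the clause reads `... AND pw = '' OR '1'='1'`, which matches every row. The parameterised version returns nothing for either. Parameters protect values only: a table or column name taken from user input still needs an allowlist, because it cannot be bound as a parameter.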

2.29 Unpacking

    As the name suggests, using the appropriate tools to strip the protective "shell" from a packed program and restore the original file. That makes it much easier to modify the file or to analyse and detect it.

2.30 AV evasion

    Modifying a program through packing, encryption, changing its signature bytes, junk instructions and other techniques so that it escapes detection and removal by anti-virus software.

2.31 Brute-force cracking

    Also called "blasting". The attacker runs an intensive automated search over every possible password for an account on the system in order to break its security and gain access to the computer.

2.32 Flood attack

    A technique commonly used by attackers, characterised by simple implementation and great power; most defences are simply overwhelmed.

    By definition, a flood attack occurs when an attacker sends excessive data to a network resource, which can be a router, switch, host, application, and so on.

    The name compares the attack traffic to a flood: as long as the traffic is large enough, the defences are breached.
    A DDoS attack is a kind of flood attack.

2.33 SYN attack

    A denial-of-service attack that exploits a design weakness in the operating system's TCP stack, specifically the three-way handshake used to establish a connection: the server allocates state for every SYN it receives and waits for the final ACK, so a flood of SYNs that are never completed fills the listen backlog and locks out legitimate clients.
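
An added example (not from the article) that shows both sides of the SYN attack in Python: a half-open tracker that flags sources with many uncompleted handshakes, run over a constructed list of packet events, and a simplified SYN cookie (after D. J. Bernstein's scheme) that lets a server complete handshakes without storing per-SYN state. The addresses, threshold and secret are assumptions for the demo.

```python
"""SYN flood: half-open connection tracking and a simplified SYN cookie.

Added example, not code from the original article. Packet events are
constructed; the threshold and the cookie secret are demo assumptions.
"""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (timestamp, src_ip, src_port, dst_ip, dst_port, flag): "S" = SYN,
# "A" = the client's final ACK that completes the handshake.
Event = Tuple[float, str, int, str, int, str]

SAMPLE_EVENTS: List[Event] = [
    # a normal client completes the three-way handshake
    (0.00, "10.0.0.5", 40000, "10.0.0.1", 80, "S"),
    (0.01, "10.0.0.5", 40000, "10.0.0.1", 80, "A"),
] + [
    # a flooder sends SYNs from many source ports and never sends the ACK
    (0.1 + i * 0.001, "203.0.113.9", 20000 + i, "10.0.0.1", 80, "S")
    for i in range(50)
]


def half_open_per_source(events: Iterable[Event]) -> Dict[str, int]:
    """Count, per source IP, the connections that saw a SYN but no final ACK.

    A stateful server keeps this kind of table in its listen backlog; once it
    is full, new legitimate SYNs are dropped, which is the denial of service.
    """
    pending = set()
    for _, src, sport, dst, dport, flag in events:
        key = (src, sport, dst, dport)
        if flag == "S":
            pending.add(key)
        elif flag == "A":
            pending.discard(key)
    counts: Dict[str, int] = defaultdict(int)
    for src, _, _, _ in pending:
        counts[src] += 1
    return dict(counts)


def flag_sources(events: Iterable[Event], threshold: int = 20) -> List[str]:
    """Sources holding at least `threshold` half-open connections."""
    return sorted(src for src, n in half_open_per_source(events).items() if n >= threshold)


# Simplified SYN cookie: the server encodes a coarse timestamp and an MSS
# class in the initial sequence number and binds the rest to the 4-tuple
# with a keyed hash, so it stores nothing until the client's ACK arrives.
SECRET = b"demo-secret-rotate-me"    # assumption: a real kernel rotates this
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS classes addressed by the 3-bit index


def syn_cookie(src: str, sport: int, dst: str, dport: int, mss_idx: int, t: int) -> int:
    """32-bit ISN: 5 bits of time, 3 bits of MSS class, 24 bits of keyed hash."""
    t5 = t & 0x1F
    msg = f"{src}:{sport}:{dst}:{dport}:{t5}".encode()
    h24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (t5 << 27) | ((mss_idx & 0x7) << 24) | h24


def check_cookie(cookie: int, src: str, sport: int, dst: str, dport: int,
                 now: int, max_age: int = 4) -> int:
    """Validate the cookie echoed (as ack-1) in the client's ACK.

    Returns the MSS index if the cookie is genuine and recent, otherwise -1.
    """
    t5 = cookie >> 27
    if ((now & 0x1F) - t5) % 32 > max_age:
        return -1
    mss_idx = (cookie >> 24) & 0x7
    expected = syn_cookie(src, sport, dst, dport, mss_idx, t5)
    ok = hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))
    return mss_idx if ok else -1


if __name__ == "__main__":
    print("half-open per source:", half_open_per_source(SAMPLE_EVENTS))
    print("flagged:", flag_sources(SAMPLE_EVENTS))
    c = syn_cookie("10.0.0.5", 40000, "10.0.0.1", 80, 3, 100)
    idx = check_cookie(c, "10.0.0.5", 40000, "10.0.0.1", 80, 102)
    print(f"cookie {c:#010x} -> mss index {idx} = {MSS_TABLE[idx] if idx >= 0 else 'invalid'}")
```

The tracker is the detection view: one source with dozens of half-open connections and no completing ACKs is the signature of a flood. The cookie is the mitigation view: because the ISN itself carries everything the server needs, a SYN that is never acknowledged costs the server no memory, and a forged ACK fails the keyed-hash check. The real Linux implementation also has to live with the fact that TCP options are lost for cookie-validated connections, which is why it is a fallback rather than the default.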

2.34 DoS attack

    Denial-of-service attack. By exploiting a vulnerability or sending a large number of requests, the attacker makes the network or website unavailable to its users.

2.35 DDoS

    Distributed denial of service. Common forms are UDP floods, SYN floods, reflection/amplification attacks and so on: the attacker uses many "broilers" to send you request traffic, congesting your network so that it cannot be used normally.

2.36 Catching chickens

    Attempting to take control of computers and turn them into "broilers".

2.37 Port scanning

    Sending a set of probe packets to a computer's ports to find out which network services it offers and where it might be vulnerable, as a prelude to breaking in.

2.38 Junk instructions

    Adding redundant assembly instructions that do not change the program's behaviour so that anti-virus software cannot correctly parse the structure of the file. Put simply: "anti-virus recognises a virus from head to toe; if we swap the virus's head and feet, the anti-virus will not recognise it."

2.39 Reverse-connecting port

    It was observed that firewalls usually filter inbound connections very strictly but neglect outbound connections.

    Exploiting this, the server side of reverse-connecting remote-control software (the controlled end) actively connects out to the client (the controlling end). This creates the illusion that the controlled machine is initiating an ordinary outbound connection, so it attracts no suspicion.

2.40 Phishing

    Attackers use fraudulent e-mail or forged websites to commit online fraud.

    Fraudsters usually impersonate trusted brands such as online banks, online retailers and credit card companies to trick users into giving up private information or e-mail account passwords.

    Victims often disclose their e-mail accounts and personal data such as credit card numbers, bank account numbers and ID numbers.

2.41 Spear phishing

    Spear phishing brings the image of fishing with a spear into network attacks. It refers to phishing attacks whose deceptive e-mails look more credible and so have a higher chance of success.

    Unlike "net" fishing, spear phishing is targeted: the attacker "sees the fish, then throws the spear".

    To achieve this the attacker gathers as much information as possible about the target, and usually relies on security weaknesses specific to particular individuals in the organisation.

2.42 Whaling

    Whaling is a further evolution of spear phishing: phishing aimed at senior managers and other high-value people in an organisation.

    The attack personalises the e-mail content and specifically targets the chosen individuals.

2.43 Watering hole attack

    As the name suggests, a "puddle" (trap) is set on the path the victims must pass.
    The most common method: the attacker studies the target's online habits, finds a weakness in a website the target visits frequently, compromises that site first and plants attack code there, and once the target visits the site they are "caught".

2.44 Sniffing

    Sniffing refers to intercepting and analysing packets on a LAN to obtain useful information.

2.45 APT attack

    Advanced Persistent Threat: a continuous, effective campaign by an organisation against specific targets on the network.

    Such attacks are stealthy and targeted. They usually use infected media, the supply chain, social engineering and other means to deliver an advanced, persistent and effective threat.

2.46 C2

    C2 stands for Command and Control and is common in APT scenarios. Used as a verb it means the interaction between the malware and the attacker; used as a noun it means the attacker's "infrastructure".

2.47 Supply chain attacks

    The attacker compromises a partner or supplier of the target organisation and uses it as a stepping stone to reach the target's users.

    A common form exploits users' trust in a vendor's products: malware is implanted when the vendor's product is downloaded, installed or updated.

    So be careful when a download platform offers you "bundled" software!

2.48 Social engineering

    A hacking technique that needs no hacking software and instead studies human weaknesses: social-engineering attacks.

    Generally, it refers to a methodology for carrying out network attacks by exploiting people's social and psychological weaknesses, and its methods are often unexpected.

    The famous hacker Kevin Mitnick writes in "The Art of Deception" that the human factor is security's weakest link: many enterprises invest heavily in information security, yet the ultimate cause of a data breach is frequently the people themselves.

2.49 site takeover

    Refers to obtaining the highest privileges on a website, i.e. obtaining the back-end login and the administrator's username and password.

2.50 privilege escalation

    Refers to obtaining permissions you were not granted. For example, a user who is not a system administrator cannot access certain parts of the C: drive; if an ordinary user is promoted to administrator by some means and thereby gains administrator rights, that is privilege escalation.

2.51 penetration

    Detecting, by scanning, whether security vulnerabilities exist in your network devices and systems; if they do, the system may be intruded. Think of a drop of water passing through a leaky board: a successful penetration means the system has been compromised.

2.52 lateral movement

    After an attacker has broken in, expanding the foothold across the internal network to find and control more systems.

2.53 springboard

    A machine used as an intermediary: the intruder uses this host as an indirect tool to attack other hosts. It is generally used together with "broilers" (compromised zombie hosts).

2.54 web Trojan

    A Trojan implanted into a web page: when you open the page, the Trojan program runs.

2.55 black page (defacement page)

    After a successful intrusion, the page a hacker leaves on the website to show off the result.

2.56 dark links

    Invisible links on a website. "Dark links" are well hidden and are not easily detected by search engines in a short time.
    
    They resemble reciprocal (friendly) links and can effectively raise a website's ranking weight.

2.57 dragging the library (database dump)

    "Dragging the library" (拖库) is originally a database term meaning exporting data from a database.
    In network attacks it means the hacker stealing the database files after a website has been compromised.

2.58 library collision (credential stuffing)

    Library collision (撞库): hackers collect leaked usernames and passwords from the Internet, build a dictionary from them, and try to log in to other websites in bulk to obtain a set of accounts that work.
    
    Many users reuse the same account and password on different websites, so a hacker can take passwords obtained from site A and try to log in to site B; this is what is meant by a library collision attack.
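A defender's view of the library collision described above, as an added example that is not part of the original post: one source IP trying many different accounts with mostly failed logins is the signature to alert on. The log lines, timestamps and thresholds are constructed.

```python
"""Detect credential stuffing (library collision) in a login log.

Added example, not from the original post. SAMPLE_LOG is constructed:
203.0.113.7 works through a leaked-password dictionary across many accounts,
while 198.51.100.9 is a normal user mistyping their own password.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client ip> <username> <success|fail>"
SAMPLE_LOG = """\
2021-11-19T18:00:01 203.0.113.7 alice fail
2021-11-19T18:00:02 203.0.113.7 bob fail
2021-11-19T18:00:02 203.0.113.7 carol fail
2021-11-19T18:00:03 203.0.113.7 dave fail
2021-11-19T18:00:03 203.0.113.7 erin success
2021-11-19T18:00:04 203.0.113.7 frank fail
2021-11-19T18:00:05 203.0.113.7 grace fail
2021-11-19T18:00:05 203.0.113.7 heidi fail
2021-11-19T18:00:09 198.51.100.9 alice fail
2021-11-19T18:00:30 198.51.100.9 alice fail
2021-11-19T18:00:50 198.51.100.9 alice success
"""


def parse_log(text):
    """Turn the log text into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "success"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for source IPs whose behaviour looks like stuffing.

    Heuristic: within `window`, one IP tries at least `min_users` distinct
    accounts and at least `min_fail_ratio` of those attempts fail. A single
    user retrying one account never reaches `min_users` and is not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # keep attempts[start:end+1] inside the sliding time window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and failures / len(chunk) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "failures": failures,
                    # accounts that accepted a stuffed password need a forced reset
                    "compromised_accounts": sorted(u for _, u, ok in chunk if ok),
                }
                break  # one alert per source IP is enough
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The accounts listed under `compromised_accounts` are the ones whose reused password was accepted, which is where the response (password reset, session revocation) has to start.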

2.59 database exposure

    A way of attacking a website that makes the site reveal some of its sensitive data through malicious code.

2.60 CC attack

    Challenge Collapsar. The name comes from Collapsar ("Black Hole"), the early anti-denial-of-service product of the domestic security vendor NSFOCUS (Lvmeng Technology). The attacker uses proxy servers to send the victim host legitimate-looking requests that consume large amounts of system resources, exhausting the target's processing capacity and achieving denial of service.

2.61 Webshell

    A Webshell is a command execution environment in the form of a web file such as asp, php, jsp or cgi; it can also be called a web backdoor. It can upload and download files, view databases, execute arbitrary commands, and so on.

2.62 cross-site scripting

    Commonly called XSS. The attacker exploits a website program's insufficient filtering of user input so that the input is rendered on the page as HTML code that affects other users, allowing the attacker to steal user data, perform actions under the user's identity, or attack visitors with malware.

2.63 man in the middle attack

    A man-in-the-middle attack is an "indirect" intrusion. By various technical means the attacker virtually places a computer under their control between two communicating computers on the network connection, intercepts the normal network traffic, and tampers with or sniffs the data; that computer is the "man in the middle".

2.64 wool gathering

    Refers to online "earners" who make money from promotions such as the red-envelope campaigns run by Internet financial products, or who collect discounts and offers from banks, other financial institutions and merchants in order to profit. This behaviour is called "wool gathering" (薅羊毛).

2.65 commercial email attack (BEC)

    Also known as "face-changing fraud", this is an attack aimed at senior management. Attackers typically impersonate (or take over) a decision-maker's mailbox to issue instructions about funds and financial interests, or rely on social engineering to craft e-mails that persuade or induce executives to carry out a financial transaction quickly.

2.66 telecommunications fraud

    The crime of fabricating false information and setting up a scam to defraud a victim remotely and without contact, by telephone, network or SMS, inducing the victim to hand over or transfer money. The deception is usually achieved by impersonating others and by forging a variety of legal-looking identities and formats.

2.67 pig butchering

    An Internet slang term for a type of telecom fraud that uses online dating, stock-investment tips, gambling and similar pretexts. "Pig butchering" is the scammers' own name for the scheme: the victim is "fattened" over a long period, and the longer the "pig" is raised, the more ruthless the final fraud.

2.68 ARP attack

    The basic function of the ARP protocol is to look up a target device's MAC address from its IP address so that communication can proceed.
    
    Exploiting this behaviour of ARP, a hacker keeps sending forged ARP packets to the other party's computer. These packets carry a MAC address that duplicates the one currently in use, so that when the other party answers the packet it hits a simple duplicate-address error and can no longer communicate normally on the network.
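The duplicate-address symptom described above is also what a defender can watch for. As an added example that is not from the original post, the code below records which MACs have claimed each IP in a capture of ARP replies and raises alerts on conflicts; the replies and addresses are constructed.

```python
"""Detect ARP spoofing from a capture of ARP replies.

Added example, not from the original post. SAMPLE_ARP_REPLIES is constructed:
the gateway 192.168.1.1 is first answered by its real MAC and then claimed by
a second MAC, which also claims a victim's IP.
"""
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender IP, sender MAC).
# Each reply asserts "sender IP is at sender MAC".
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:99"),   # second MAC claims the gateway IP
    (1.1, "192.168.1.1", "aa:bb:cc:00:00:99"),
    (1.2, "192.168.1.20", "aa:bb:cc:00:00:99"),  # and a second host's IP
    (2.0, "192.168.1.30", "aa:bb:cc:00:00:30"),
]


def learn_bindings(replies):
    """Record every MAC that has claimed each IP, in the order first seen."""
    claims = defaultdict(list)
    for _, ip, mac in replies:
        if mac not in claims[ip]:
            claims[ip].append(mac)
    return claims


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert tuples.

    `trusted` maps IP -> authoritative MAC (for example the gateway's entry
    from a static ARP table). A conflict with a trusted entry is "high"
    severity; any other IP claimed by two MACs is "medium".
    """
    trusted = trusted or {}
    alerts = []

    for ip, macs in learn_bindings(replies).items():
        if len(macs) < 2:
            continue
        if ip in trusted:
            rogue = [m for m in macs if m != trusted[ip]]
            alerts.append(("high", ip, trusted[ip], rogue))
        else:
            alerts.append(("medium", ip, macs[0], macs[1:]))

    # One MAC answering for several IPs is a second symptom of the same attack.
    by_mac = defaultdict(set)
    for _, ip, mac in replies:
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("medium", "multi-ip-mac", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "aa:bb:cc:00:00:01"}
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, trusted=gateway):
        print(alert)
```

In practice the `trusted` map comes from static ARP entries or the switch's DHCP snooping binding table, which is also what dynamic ARP inspection on a managed switch checks against.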

2.69 spoofing attacks

    Network deception technologies mainly include honeypots and distributed honeypots, deception space technology, and so on.
    
    The main methods are: IP spoofing, ARP spoofing, DNS spoofing, Web spoofing, e-mail spoofing, source-route spoofing (using a designated route to communicate legitimately with other hosts under a fake identity, or to send fake messages, causing the attacked host to act wrongly), address spoofing (including forging the source address and forging an intermediate site), etc.

2.70 Shellcode

    A piece of malicious code that the operating system can execute without special positioning or processing, usually after a software vulnerability has been exploited. Shellcode is binary machine code, and takes its name from the fact that the attacker often uses it to obtain a shell.

2.71 physical attack

    In plain terms, achieving a network intrusion by physical contact rather than technical means; the most common form is plugging in a USB flash drive.
    
    The well-known Stuxnet worm infected Iran's nuclear facilities in exactly this way, via a USB flash drive.

2.72 black production

    Network "black industry" refers to illegal activity that uses the Internet as its medium and network technology as its main means, bringing potential threats (major security risks) to computer information system security, the order of cyberspace governance, and even national security and social and political stability.
    
    For example, the illegal data-trading industry.

2.73 black hat hacker

    Someone who hacks for illegal purposes, usually for financial gain. They break into secured networks to destroy, ransom, modify or steal data, or make the network unavailable to authorised users.
    
    The name comes from the old black-and-white westerns: audiences could easily recognise the villains because they wore black hats, while the "good guys" wore white hats.

2.74 white hat hacker

    Hackers who use their skills for legitimate security testing and analysis, testing the performance of networks and systems to determine how well they can withstand intrusion.

2.75 red hat hacker

    The more widely accepted term is actually "honker" (红客).
    Honkers take justice, morality, progress and strength as their purpose, and love of the motherland, upholding justice and forging ahead as their spiritual pillar. They usually use their skills to defend the security of domestic networks and to counter foreign attacks.

2.76 red team

    Usually refers to the attacking side in an offensive and defensive exercise.

2.77 blue team

    Usually refers to the defending side in an offensive and defensive exercise.

2.78 purple team

    A newer party in offensive and defensive exercises; usually refers to the supervising or refereeing side.

2.79 encryption machine

The host encryption machine communicates with the host over the TCP/IP protocol, so it has no special requirements on the type of host or the host operating system.

2.80 CA certificate

Provides electronic authentication for secure communication between two parties.

On the Internet, an intranet or an extranet, digital certificates are used for identity identification and encryption of electronic information.

A digital certificate contains identification information for the owner of a key pair (public key and private key). The certificate holder's identity is verified by verifying the authenticity of that identification information.

2.81 SSL certificate

An SSL certificate is a kind of digital certificate, comparable to an electronic copy of a driver's licence, passport or business licence.
Because it is configured on the server, it is also called an SSL server certificate.

2.82 firewall

Mainly deployed at the boundary between different networks or security domains. By monitoring, limiting and altering the data flows that cross it, a firewall shields the internal information, structure and operating status of the network as far as possible and selectively accepts external access.

2.83 IDS

An intrusion detection system is used to detect and intercept attacks before or while hackers launch them.

An IDS differs from a firewall. A firewall can only block intrusions, whereas an IDS can, from certain signals, detect an impending attack or intrusion before it happens and respond.

2.84 NIDS

The abbreviation of Network Intrusion Detection System. It is mainly used to detect intrusions by hackers or crackers over the network.

NIDS has two operating modes: one runs on the target host and monitors that host's own traffic; the other runs on a separate machine and monitors the traffic of all network devices, such as hubs and routers.

2.85 IPS

In full Intrusion Prevention System. Its purpose is to identify attack programs or harmful code, along with their clones and variants, in time, and to take preventive measures to stop the intrusion in advance, or at least to reduce its harm as far as possible.

An intrusion prevention system is generally used as a supplement to firewalls and anti-virus software.

2.86 antivirus software

Also known as anti-virus or antivirus software, it is software used to eliminate computer threats such as viruses, Trojans and other malware.

2.87 anti virus engine

In plain terms, a set of technical mechanisms for judging whether a specific program's behaviour is that of a virus (including suspicious behaviour).

For example, the QOWL owl anti-virus engine developed in-house by Qianxin.

2.88 anti-virus wall

Unlike anti-virus software deployed on hosts, an anti-virus wall is deployed like a firewall, mainly at the network exit, to scan for and intercept viruses. It is therefore also known as an anti-virus gateway.

2.89 the old three

Usually refers to IDS, firewall and anti-virus, the three oldest types of security product.

2.90 alarm

Refers to the alert generated by network security equipment in response to attack behaviour.

2.91 false positives

Also known as an invalid alarm; usually means an alarm raised in error, i.e. legitimate behaviour judged to be illegitimate.

At present, because attack techniques advance rapidly and detection techniques are limited, the number of false positives is very large. Security staff have to spend a great deal of time handling such alarms, which has become the main thing troubling daily security operations and reducing their efficiency.

2.92 false negatives (missed reports)

Usually means that the network security equipment fails to detect illegitimate behaviour and generates no alarm. When reports are missed, the risk of system intrusion increases greatly.

2.93 NAC

In full Network Access Control. Its purpose is to prevent emerging hacking techniques such as viruses and worms from endangering enterprise security.

With NAC, the customer can allow only legitimate, trusted terminal devices (such as PCs, servers and PDAs) to access the network, and deny access to all other devices.

2.94 vulnerability scanning

A security detection (penetration attack) activity that scans a specified remote or local computer system against a vulnerability database to detect its security weaknesses and find exploitable vulnerabilities.

2.95 UTM

Unified Threat Management. First proposed by IDC in 2014: the security capabilities of different devices (at first intrusion detection, firewall and anti-virus technology) are concentrated on the same gateway to achieve unified management, operation and maintenance.

2.96 network gap

A network gap (网闸) is an information security device that uses solid-state switching read/write media with multiple control functions to connect two independent host systems.

Because the two host systems are isolated through the gap, only protocol-free "ferrying" of data in the form of data files takes place between them.

2.97 bastion host

A bastion host uses various technical means to monitor and record the actions of operations staff on servers, network devices, security devices, databases and other equipment in the network, enabling centralised alerting, timely handling and audit accountability.

2.98 database audit

Records database activity on the network in real time, performs fine-grained audit and compliance management of database operations, raises alarms on risky behaviour against the database and blocks attacks.

By recording, analysing and reporting users' access to the database, it helps users produce compliance reports and trace the source of incidents; at the same time it strengthens the records of network behaviour against internal and external databases and improves the security of data assets.

2.99 DLP

Data leakage prevention. By accurately identifying digital assets and formulating policies, it is mainly used to stop an enterprise's designated data or information assets from leaving the enterprise in ways that violate the security policy.

2.100 VPN

A virtual private network builds a private network on top of a public one for encrypted communication, and achieves remote access by encrypting packets and translating packet destination addresses.

2.101 SD-WAN

That is, software-defined WAN, used to connect enterprise networks, data centres, Internet applications and cloud services across a wide geographic range.

Its typical feature is that network control capability is moved into the cloud through software.

SD-WAN is usually integrated with firewall, intrusion detection or anti-virus capabilities. Current trends show security-centred SD-WAN designs emerging: Qianxin, Fortinet and many other security vendors have entered this field and offer relatively complete built-in security designs.

2.102 router

The hub used to connect different subnets. Routers work at the transport and network layers of the seven-layer OSI model.

A router's basic function is to forward network packets to their destinations. Some routers also have access control lists (ACLs) that allow unwanted packets to be filtered out.

Many routers can feed their log information into an IDS, and come with basic packet filtering (i.e. firewall) functionality.

2.103 gateway

Usually refers to routers, firewalls, IDS, VPN and other boundary network equipment.

2.104 WAF

Web Application Firewall: a product that protects Web applications by enforcing a set of security policies specific to HTTP/HTTPS.

2.105 SOC

Security Operations Center, translated as security operations centre or security management platform: a centralised security management system that builds a real-time asset risk model to assist administrators with event analysis, risk analysis, early-warning management and emergency response.

2.106 LAS

The main functions of a log audit system are log collection, retrieval and analysis, which provide rich context for threat detection.

2.107 NOC

Network Operations Center: the management, monitoring and maintenance centre for remote network communications. It is the focal point for network troubleshooting, software distribution and updates, routing, domain name management and performance monitoring.

2.108 SIEM

Security Information and Event Management: responsible for collecting, analysing and reporting security log data from a large number of enterprise security controls, host operating systems, enterprise applications and other software used by the enterprise.

2.109 Internet behavior management

Refers to devices that help control and manage how Internet users use the Internet.

It covers web access filtering, Internet privacy protection, network application control, bandwidth and traffic management, auditing of sent and received information, user behaviour analysis, and so on.

2.110 Honeypot

A deliberately vulnerable system. It simulates one or more vulnerable hosts to give hackers an easy target.

Since the honeypot has no other task to perform, every attempt to connect to it should be considered suspicious.

Another purpose of a honeypot is to delay the attacker's attack on the real target and make the attacker waste time on the honeypot.

Honeypot products include honeynets, honey systems, honey accounts, etc.

2.111 sandbox

A sandbox is a mechanism for running programs safely. It is often used to execute untrusted programs.

The effect of malicious code in an untrusted program on the system is confined to the sandbox and does not affect other parts of the system.

2.112 sandbox escape

The phenomenon in which a program identifies the sandbox environment and bypasses sandbox detection, using techniques such as staying dormant or deceiving the sandbox.

2.113 cyber range

Mainly refers to a platform that combines a virtual environment with real equipment to simulate a realistic cyberspace attack-and-defence combat environment, supporting attack and defence drills, security education, research on cyberspace combat capability, and verification testing of network weapons and equipment.

2.114 encryption technology

Encryption technology has two elements: the algorithm and the key.

The algorithm is the procedure that combines ordinary text with a string of digits (the key) to produce unintelligible ciphertext. The key is what the algorithm uses to encode and decode the data.

Key-based cryptosystems are divided into symmetric-key and asymmetric-key systems. Accordingly, data encryption techniques fall into two categories: symmetric encryption (private-key encryption) and asymmetric encryption (public-key encryption). In symmetric encryption the encryption key and decryption key are the same; in asymmetric encryption they differ: the encryption key can be made public, while the decryption key must be kept secret.

2.115 blacklist

As the name suggests, a blacklist is a list of "bad" entries. Any software, IP address or other item on the blacklist is considered illegitimate.

2.116 white list

The counterpart of the blacklist, a whitelist is a list of "good" entries. Any software, IP address or other item on the whitelist is considered legitimate and may run on the computer.

2.117 Intranet

Generally speaking, a LAN, such as an Internet cafe network, a campus network or a company intranet.

Check the IP address: if it falls within one of the following three ranges, we are on an intranet: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 192.168.0.0 to 192.168.255.255.

2.118 extranet

Directly connected to the INTERNET; any computer on the Internet can reach it and be reached from it.

2.119 border defense

A defence model centred on the network boundary, based on static rule matching, which emphasises blocking all security threats at the external network.

2.120 north-south traffic

Usually refers to the traffic generated by communication between the data centre and the outside.

2.121 east-west traffic

Usually refers to the traffic generated by communication between different hosts within the data centre.
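Putting the intranet ranges from 2.117 together with the north-south and east-west distinction above, as an added example that is not part of the original post. It goes one step beyond the text: east-west flows are then checked against a small segmentation policy, since a border defence (2.119) never sees them. The flow records, subnets and policy are constructed.

```python
"""Classify flows as north-south or east-west and audit the east-west ones.

Added example, not from the original post. The three private ranges are the
ones the text lists; SAMPLE_FLOWS and SEGMENT_POLICY are constructed.
"""
import ipaddress

# The three intranet ranges given under 2.117, as CIDR networks.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]


def is_intranet(ip):
    """True if the address lies in one of the private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def classify_flow(src, dst):
    """'east-west' if both ends are internal, 'north-south' if exactly one is,
    'external' if neither (traffic that should not be seen inside the DC)."""
    inside = int(is_intranet(src)) + int(is_intranet(dst))
    return {2: "east-west", 1: "north-south", 0: "external"}[inside]


# Constructed flow records: (source ip, destination ip, destination port)
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.0.0.10", 443),       # client -> web tier
    ("10.0.0.10", "10.0.1.25", 3306),        # web tier -> database tier
    ("10.0.1.25", "172.16.8.3", 445),        # database tier -> file share
    ("192.168.1.7", "198.51.100.2", 53),     # internal host -> external DNS
    ("198.51.100.2", "203.0.113.9", 80),     # neither end is ours
]

# Constructed east-west allow-list: (source subnet, destination subnet, port).
SEGMENT_POLICY = [
    ("10.0.0.0/24", "10.0.1.0/24", 3306),    # web tier may reach MySQL
    ("10.0.1.0/24", "172.16.8.0/24", 5432),  # database tier may reach PostgreSQL
]


def summarize(flows):
    """Count flows per direction class."""
    counts = {"north-south": 0, "east-west": 0, "external": 0}
    for src, dst, _ in flows:
        counts[classify_flow(src, dst)] += 1
    return counts


def east_west_violations(flows, policy):
    """Return east-west flows not covered by any allow rule; these are the
    candidates for lateral movement that a border firewall would not see."""
    rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p)
             for s, d, p in policy]
    violations = []
    for src, dst, port in flows:
        if classify_flow(src, dst) != "east-west":
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s in rs and d in rd and port == rp for rs, rd, rp in rules):
            violations.append((src, dst, port))
    return violations


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(east_west_violations(SAMPLE_FLOWS, SEGMENT_POLICY))
```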

2.122 rule base

The core database of network security, similar to a black/white list, storing a large number of security rules. Once an access behaviour matches the rule base it is considered illegitimate, which is why some people compare the rule base to the "law" of cyberspace.

2.123 next generation

Often used in network security to indicate that a product or technology has been greatly innovated and has made significant progress compared with traditional approaches. Usually abbreviated NG (Next Gen).

For example, NGFW (next-generation firewall), NGSOC (next-generation security management platform), etc.

2.124 big data security analysis

Unlike the traditional defence model of passive rule matching, it actively collects and analyses big data to find possible security threats, and is therefore also called data-driven security.

This theory was first proposed by Qianxin in 2015.

2.125 EPP

In full Endpoint Protection Platform: a security protection solution deployed on terminal devices to prevent malware, malicious scripts and other security threats against the endpoint. It is usually used in conjunction with EDR.

2.126 EDR

In full Endpoint Detection & Response. By continuously monitoring endpoints and analysing abnormal behaviour such as applications' calls into the operating system, it detects and protects against unknown threats, finally addressing what anti-virus software cannot: unknown threats.

2.127 NDR

In full Network Detection & Response. Through continuous detection and analysis of network-side traffic, it helps enterprises strengthen threat response and improve the visibility of network security and immunity to threats.

2.128 security visualization

Refers to presentation technology in network security that turns the data and results produced during hardening, detection, defence and response into a graphical interface, on which searching, processing, summarising and other operations are performed through human-computer interaction.

2.129 NTA

The concept of Network Traffic Analysis (NTA) was first proposed by Gartner in 2013 as one of five means of detecting advanced threats.

It combines traditional rule-based detection with machine learning and other advanced analysis techniques to detect suspicious behaviour in enterprise networks, especially after a host has been compromised.

2.130 MDR

In full Managed Detection & Response: managed detection and response, relying on network- and host-based detection tools to identify malicious patterns.

In addition, these tools usually collect data from endpoints inside the firewall for more complete monitoring of network activity.

2.131 emergency response

Usually refers to the preparations an organisation makes for various incidents and the measures it takes after an incident occurs.

2.132 XDR

A general term for network security strategies centred on detection and response technology, including EDR, NDR, MDR and so on.

2.133 security operations

Implementing systematic management methods and processes across product R&D, business operation, vulnerability remediation, protection and detection, and emergency response, so that the security controls of each link are combined organically to secure the whole business.

2.134 Threat Intelligence

According to Gartner, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice. This knowledge concerns existing or emerging threats or hazards facing assets, and can be used to inform the decisions of the parties responsible for those assets about responding to or handling the threats. By audience, threat intelligence is divided mainly into human-readable and machine-readable intelligence.

2.135 TTP

Comprises three elements: Tactics, Techniques and Procedures. It is an important indicator for describing advanced threat groups and their attacks. As a key component of threat intelligence, TTP provides decision support for security analysts.

2.136 IOC

Indicator of compromise (失陷标识): used to find internal hosts compromised by APT groups, Trojan backdoors and botnets; commonly domain names, URLs and the like.

At present IOCs are the most widely used form of threat intelligence because their effect is the most direct: a match means a compromised host exists.

2.137 context

Extended from the context of a piece of writing, it mainly refers to the associated information of a threat indicator, used to achieve more accurate security matching and detection.

2.138 STIX

STIX is a structured language for describing cyber threat information. It captures a wider range of threat information in a standardised, structured way and is often used for sharing and exchanging threat intelligence. It is currently the most widely used such language worldwide.

STIX 1.0 defines 8 components; STIX 2.0 defines 12.
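How the IOC section (2.136) and STIX fit together in practice, as an added example that is not part of the original post: domain and URL indicators carried in a STIX 2.1 bundle are matched against proxy logs to list compromised hosts. The bundle, its placeholder indicator ids and the log lines are constructed, and only the simplest STIX pattern form (single comparisons joined by OR) is supported.

```python
"""Match IOCs from a STIX 2.1 indicator bundle against proxy logs.

Added example, not from the original post. STIX_BUNDLE and PROXY_LOG are
constructed; the indicator ids are placeholder UUIDs, not real intelligence.
"""
import json
import re
from urllib.parse import urlsplit

STIX_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "created": "2021-11-19T00:00:00.000Z", "modified": "2021-11-19T00:00:00.000Z",
     "name": "constructed C2 domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update-check.example']",
     "valid_from": "2021-11-19T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000003",
     "created": "2021-11-19T00:00:00.000Z", "modified": "2021-11-19T00:00:00.000Z",
     "name": "constructed payload URLs", "pattern_type": "stix",
     "pattern": "[url:value = 'http://cdn.example/a.bin'] OR [url:value = 'http://cdn.example/b.bin']",
     "valid_from": "2021-11-19T00:00:00Z"}
  ]
}
""")

# Constructed proxy log: "<client ip> <method> <url>"
PROXY_LOG = """\
10.0.0.15 GET http://update-check.example/ping
10.0.0.16 GET https://www.example.org/index.html
10.0.0.17 GET http://cdn.example/b.bin
10.0.0.18 GET http://cdn.example/c.bin
"""

# One STIX comparison expression: [object-type:field = 'value']
_COMPARISON = re.compile(
    r"\[(?P<obj>[a-z0-9-]+):(?P<field>[a-z_.]+)\s*=\s*'(?P<value>[^']*)'\]")


def parse_pattern(pattern):
    """Return (object type, field, value) for each comparison in a pattern made
    of single equality comparisons joined by OR; anything else is rejected."""
    comparisons = []
    for part in pattern.split(" OR "):
        m = _COMPARISON.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported STIX pattern: {part!r}")
        comparisons.append((m["obj"], m["field"], m["value"]))
    return comparisons


def load_iocs(bundle):
    """Flatten the bundle into {(object type, value): indicator id}."""
    iocs = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for obj_type, field, value in parse_pattern(obj["pattern"]):
            if field == "value":
                iocs[(obj_type, value)] = obj["id"]
    return iocs


def match_proxy_log(log_text, iocs):
    """Return [(client ip, matched value, indicator id)] for every hit; the
    client IPs listed are the compromised hosts the IOC section speaks of."""
    hits = []
    for line in log_text.splitlines():
        client, _, url = line.split()
        host = urlsplit(url).hostname
        for key in (("url", url), ("domain-name", host)):
            if key in iocs:
                hits.append((client, key[1], iocs[key]))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG, load_iocs(STIX_BUNDLE)):
        print(hit)
```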

2.139 kill chain

The kill chain originated in the military field and is used to describe the state of the attacking side at each stage.

In network security the concept was first proposed by Lockheed Martin under the English name Kill Chain. Also known as the cyber attack life cycle, it comprises seven stages used to identify and prevent intrusions: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

2.140 ATT&CK

Can be understood simply as a knowledge base describing attackers' tactics and techniques.

MITRE launched the model in 2013; it describes and classifies adversary behaviour based on real-world observations.

ATT&CK turns known attacker behaviour into a structured list summarised as tactics and techniques, and presents it through several matrices and through Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII).

2.141 Diamond Model

The diamond model is used widely in many fields. In network security it was the first to establish a formal method for applying scientific principles to intrusion analysis:

measurable, testable and repeatable, providing a simple, formal and comprehensive method for recording, synthesising and correlating attack (intrusion) information.

This scientific method and simplicity improve the efficiency, effectiveness and accuracy of analysis.

2.142 correlation analysis

Correlation analysis, also known as association mining, finds frequent patterns, associations, correlations or causal structures among item sets or object sets in transaction data, relational data or other information carriers.

In network security it mainly refers to correlating security data of different dimensions and types to uncover potential intrusion behaviour.

2.143 situational awareness

An environment-based, dynamic, holistic ability to understand security risk. Built on security big data, it is a way to improve, from a global perspective, the ability to discover, identify, understand, analyse, respond to and handle security threats, ultimately in support of decisions, actions and the deployment of security capabilities.

2.144 probe

Also called a network security probe or security probe; it can be understood simply as a camera for the cyber world. Deployed at key nodes of the network topology, it collects and analyses traffic and logs, finds abnormal behaviour and warns of possible attacks.

2.145 cyberspace mapping

Uses search-engine technology to provide an interface through which people can easily search for devices in cyberspace.

By analogy with real-world maps, which use various surveying methods to describe and mark geographic locations, active or passive probing is used to draw the network nodes and connections of devices in cyberspace and to profile each device.

2.146 SOAR

In full Security Orchestration, Automation and Response: a series of automatic or semi-automatic response and handling actions against intrusions, driven mainly by scripted, procedural instructions.

2.147 UEBA

In full User and Entity Behavior Analytics: generally uses big-data analysis to analyse the behaviour of users and IT entities in order to judge whether illegitimate behaviour is present.

2.148 memory protection

Memory protection is the mechanism by which the operating system manages access rights to the computer's memory. Its main purpose is to prevent a process from accessing address space that the operating system has not allocated to it.

2.149 RASP

In full Runtime Application Self-Protection.

Proposed by Gartner in 2014, it is a new application security technology. Like a vaccine, it injects protection into the application so that the two are integrated; the application can then detect and block attacks in real time and thereby protect itself. When the application is actually attacked, it defends itself automatically without manual intervention.

2.150 package inspection

The act of unpacking and inspecting traffic packets and data packets.

2.151 deep packet detection

Deep Packet Inspection, abbreviated DPI, also known as complete packet inspection or Information eXtraction (IX), is a packet-filtering technique for computer networks that examines the data part (and possibly the header) of packets passing an inspection point, searching for non-compliant protocols, viruses, spam and signs of intrusion.

2.152 full flow detection

Full-traffic detection is mainly reflected in three "fulls": full traffic collection and preservation, full behavior analysis and full traffic backtracking.

Through full-traffic analysis equipment, the network's full traffic is collected and stored, full behavior analysis and full traffic backtracking are carried out, and network metadata is extracted and uploaded to a big data analysis platform to achieve richer functions.

2.153 metadata

Metadata, also known as intermediary data or relay data, is data that describes data (data about data). It mainly describes data attributes (properties) and is used to support functions such as indicating storage location, historical data, resource search and file recording.

2.154 deception detection

Constructing false targets to deceive and trap attackers, so as to slow down the attack and detect and analyze the attack behavior.

2.155 micro isolation

As the name implies, it is a finer-grained network isolation technology that can meet the need for east-west traffic isolation in traditional, virtualized, hybrid cloud and container environments. It is mainly used to prevent attackers from moving laterally after entering the enterprise data center network.

2.156 reverse

Commonly seen as reverse engineering or reverse analysis. In short, any activity that extracts principles and design information from a product and applies them to re-engineering and improvement is reverse engineering.

In network security it is mostly used for investigation and evidence collection, malware analysis and so on.

2.157 agentless security

In endpoint security or virtualization security protection, an agent often has to be installed on each host or virtual machine, which often consumes a lot of resources.

Agentless security does not need an agent to be installed, which reduces a lot of deployment, operation and maintenance work and improves management efficiency.

2.158 CWPP

Full name: Cloud Workload Protection Platform. It mainly refers to technology that protects cloud applications and workloads (including workloads on virtual hosts and container hosts). It realizes finer-grained protection than before and is the last line of defense of cloud security at this stage.

2.159 CSPM

Cloud security configuration management can analyze and manage the security configuration of infrastructure. These security configurations include account privileges, network and storage configurations, and security settings (such as encryption settings). If a configuration is found to be inconsistent with policy, CSPM takes action to correct it.

2.160 CASB

Full name: Cloud Access Security Broker. Deployed as a security policy enforcement point between customers and cloud service providers, it enforces the enterprise's security policies when cloud-based resources are accessed.

2.161 anti-crawler

Anti-crawler means preventing web crawlers from scraping information from one's own website. A web crawler is a program or script that automatically grabs network information according to certain rules.

2.162 security resource pool

A security resource pool is a virtualized collection of a variety of security products, covering security capabilities such as server and endpoint, network, business, data and so on.

2.163 IAM

Full name: Identity and Access Management. Identity and access management is often simply called identity authentication.

2.164 4A

Namely Authentication, Authorization, Account and Audit: a solution integrating the four elements of unified user account management, unified authentication management, unified authorization management and unified security audit, which also covers security functions such as single sign-on (SSO).

2.165 Access Control List (ACL)

Access control list.

2.166 multi-factor authentication

Its main difference from single-password authentication is that use of computer resources is authorized only after two or more authentication mechanisms have been passed.

For example, the user must enter a PIN code, insert the bank card and finally have a fingerprint compared, obtaining authorization through these three authentication methods. This reduces the risk of a single password being stolen and improves security.

2.167 privileged account management

Abbreviated PAM. Because privileged accounts often have high authority, once stolen or abused they bring great network security risks to an organization, so privileged account management is very important.

Its main principles are: eliminate sharing of privileged credentials, assign individual accountability for the use of privileges, implement a least-privilege access model for daily administration, and audit the activities performed with these credentials.

2.168 zero trust

Zero trust does not mean distrust; it is a new concept of identity authentication and access authorization that no longer defines trusted or untrusted by network boundary, but trusts no person, network or device by default. It adopts dynamic authentication and authorization to minimize the network security risk brought by visitors.

2.169 SDP

Full name: Software Defined Perimeter. Proposed by the Cloud Security Alliance on the basis of zero-trust networking, it is a logical access boundary based on identity and context, created around an application or a group of applications.

2.170 Security as a Service

Security as a service, which can generally be understood as delivering security capabilities to customers in the SaaS model.

2.171 homomorphic encryption

Homomorphic encryption is an encryption method with a special natural property, first proposed by Rivest and others. Compared with ordinary encryption algorithms, homomorphic encryption can not only perform the basic encryption operation but also realize various computing functions between ciphertexts.

2.172 quantum computing

It is a new computing mode that manipulates units of quantum information for computation according to the laws of quantum mechanics. At present it is gradually being applied to encryption and communication transmission.

2.173 trusted computing

It is a new technology promoted and developed by the Trusted Computing Group (TCG, formerly known as TCPA).

Trusted computing is a trusted computing platform supported by a hardware security module; it is widely used in computing and communication systems to improve the overall security of the system.

2.174 mimicry defense

Its core implementation is the Dynamic Heterogeneous Redundancy (DHR) architecture based on the endogenous security mechanism of cyberspace. It provides defense theories and methods of universal and innovative significance for dealing with unknown threats in cyberspace based on unknown vulnerabilities, backdoors or Trojans.

2.175 blockchain

English name: blockchain. It is a shared database; the data or information stored in it has the characteristics of "unforgeability", "whole-process record keeping", "traceability", "openness and transparency", "collective maintenance" and so on.

2.176 remote browser

Since the browser is often the entry point for hacker attacks, the browser is deployed in a remote "browser server pool".

In this way, the servers hosting these browsers are isolated from the terminals and network in the user's environment, which greatly reduces the exposure of the customer's network.

This service is similar to products such as virtual desktops and cloud mobile phones.

2.177 cloud mobile phone

A cloud mobile phone uses the new VMI (Virtual Mobile Infrastructure) technology, similar to a PC cloud desktop, to provide employees with an independent, secure virtual phone on their mobile device. Business applications and data run and are stored only on the server; the personal terminal only handles encrypted streaming media presentation and touch input, thereby effectively ensuring the security of enterprise data.

2.178 risk control

Also known as big data risk control, it refers to using big data analysis to judge the security risks a business may face. At present the technology is mainly used in the financial credit field to prevent bad debts.

2.179 penetration test

To verify that network defenses operate as planned, the attack team of a professional company is usually engaged to attack the designated targets according to agreed rules, so as to find vulnerabilities or other security risks and issue a test report with improvement suggestions.

Its purpose is to continuously improve the security of the system.

2.180 security crowdsourced testing

With the help of many white hats, vulnerability bounty testing is carried out on the target system within a specified time.

After an effective vulnerability is received, the white hat is given a certain reward according to the vulnerability's risk level. Payment is usually per vulnerability, which is cost-effective.

At the same time, white hats with different skills may have different research directions, which makes the testing more comprehensive.

2.181 endogenous security

First proposed by Qi Xiangdong, chairman of Qianxin group, at the 2019 Beijing Network Security Conference, it refers to security capability that grows out of the information system, can continuously improve as the business grows, and continuously ensures business security.

Endogenous security has three characteristics: it depends on the aggregation of the information system and the security system, the aggregation of business data and security data, and the aggregation of IT talent and security talent, so that self-adaptive, autonomous and self-growing security capability continuously develops from inside the information system.

2.182 endogenous security framework

In order to promote the implementation of endogenous security, Qianxin has launched an endogenous security framework.

From the top-level perspective, the framework supports the construction modes of various industries, from "local rectification and plug-ins" to "deep integration and systematization". From the perspective of project implementation, security requirements are implemented step by step to gradually build a future-oriented security system. The endogenous security framework can output practical, systematic and normalized security capabilities and build a network security defense system of dynamic defense, active defense, defense in depth, precision protection, overall prevention and control, and joint prevention and control.

The endogenous security framework includes 29 security area scenarios and 79 types of security components.

2.183 PPDR

Full name: Policy Protection Detection Response, translated as policy, protection, detection and response.

It takes the security policy as its core and detects security vulnerabilities through consistency checks, traffic statistics, anomaly analysis, pattern matching and intrusion checks based on applications, targets, hosts and networks.

2.184 CARTA

Full name: Continuous Adaptive Risk and Trust Assessment. It aims to evaluate user behavior through dynamic intelligent analysis, giving up the pursuit of perfect security: it cannot require zero risk or 100% trust, and instead seeks a balance between risk and trust somewhere between 0 and 1.

The CARTA strategy is a huge system, including big data, AI, machine learning, automation, behavior analysis, threat detection, security protection, security assessment and so on.

2.185 SASE

Full name: Secure Access Service Edge. Gartner defines it as a service based on the identity of an entity, real-time context and the enterprise's security/compliance policy, with continuous risk/trust assessment throughout the session.

The identity of an entity can be associated with people, groups of people (branch offices), equipment, applications, services, Internet of things systems or edge computing sites.

2.186 SDL

Full name: Security Development Lifecycle. It is a software development process that helps developers build more secure software and meet security compliance requirements while reducing development costs. It was first proposed by Microsoft.

2.187 DevSecOps

Full name: Development Security Operations, which can be translated as secure development and operations.

It emphasizes that the security team should be brought in at the very beginning of DevOps planning to ensure information security, formulate an automated security protection plan and carry it through the whole process, so as to achieve continuous IT protection.

2.188 code audit

As the name suggests, it checks the source code for security defects: whether the program source code contains potential security risks or non-standard coding. The source code is checked and analyzed line by line by automated tools or manual review to find the security vulnerabilities caused by these source code defects and to provide code revision measures and suggestions.

2.189 NTLM authentication

NTLM (NT LAN Manager) is an authentication mechanism developed by Microsoft that has been in use since Windows NT4. It is mainly used for local account management.

2.190 MTTD

Mean Time To Detect: the average time taken to detect an incident.

2.191 MTTR

Mean Time To Respond: the average time taken to respond to an incident.

2.192 CVE

Full name: Common Vulnerabilities and Exposures. The internationally unique vulnerability numbering scheme maintained by the security organization MITRE has become a widely accepted standard in the security industry.

2.193 software shelling

""Shell" is a program specially responsible for protecting software from illegal modification or decompilation.

They usually run before the program, get control, and then complete their task of protecting the software.

The shelled software can't see its real hexadecimal code when tracking, so it can protect the software.

2.194 CNVD

The National Information Security Vulnerability Sharing Platform is established and maintained by the National Computer Network Emergency Response Technical Team (CNCERT). It is mainly responsible for the unified collection and management of domestic vulnerability information, and its vulnerability numbers carry the prefix CNVD.

2.195 data desensitization

Data desensitization (data masking) refers to transforming certain sensitive information according to desensitization rules, so as to reliably protect sensitive private data. It is mainly used in scenarios involving large-scale data flows, such as data sharing and trading.
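A small rule engine of the kind the definition describes, as an added example that is not from the original post: each sensitive field gets a masking rule, and one field is replaced with a keyed pseudonym so shared datasets can still be joined on it without a plain hash that a reader could reverse by guessing. The field names, the key and the sample record are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed key for keyed pseudonymisation; in production it comes from a secrets store.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def mask_phone(v: str) -> str:
    """Keep the first 3 and last 4 digits and blank the middle: 13812345678 -> 138****5678."""
    digits = re.sub(r"\D", "", v)
    if len(digits) < 7:
        return "*" * len(digits)
    return digits[:3] + "*" * (len(digits) - 7) + digits[-4:]


def mask_email(v: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, sep, domain = v.partition("@")
    if not sep or not local:
        return "*" * len(v)
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_id_number(v: str) -> str:
    """Keep the region prefix and the check digit; hide birth date and sequence number."""
    if len(v) <= 7:
        return "*" * len(v)
    return v[:6] + "*" * (len(v) - 7) + v[-1:]


def pseudonymize(v: str) -> str:
    """Deterministic keyed replacement: same input, same token, so joins still work,
    but without the key nobody can confirm a guess the way they could against a plain hash."""
    return hmac.new(PSEUDONYM_KEY, v.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


# Desensitization rules: field name -> transformation (constructed for the demo).
RULES = {
    "phone": mask_phone,
    "email": mask_email,
    "id_number": mask_id_number,
    "customer_id": pseudonymize,
}


def desensitize(record: dict, rules=RULES) -> dict:
    """Apply each rule to its field; fields without a rule pass through unchanged."""
    out = dict(record)
    for field, fn in rules.items():
        if out.get(field) is not None:
            out[field] = fn(str(out[field]))
    return out


if __name__ == "__main__":
    sample = {"customer_id": "C-1001", "phone": "13812345678",   # constructed record
              "email": "alice@example.com", "id_number": "110101199001011234", "amount": 42}
    print(desensitize(sample))
```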

2.196 GDPR

The General Data Protection Regulation (GDPR) is a regulation of the European Union, whose predecessor was the computer data protection law formulated by the European Union in 1995.

2.197 CCPA

California Consumer Privacy Act.

2.198 SRC

Namely Security Response Center; its Chinese name is "security emergency response center". It is mainly responsible for discovering and publicly collecting vulnerabilities and other security risks existing in the organization.

2.199 CISO

Sometimes called CSO; the chief information security officer is the person principally responsible for the organization's security.

2.120 IPC pipes

In order to better control and handle communication and data exchange between different processes, the system coordinates the whole process through a special connection, the pipe.

2.121 SYN package

The first packet of a TCP connection, a very small packet. A SYN attack consists of a large number of such packets, which cannot be processed effectively because they appear to come from sites that do not actually exist.

2.122 IPC$

It is a resource-sharing "named pipe": a named pipe opened for inter-process communication. By verifying a username and password the corresponding permissions are obtained; it can be used to remotely manage a computer and view its shared resources.

2.123 shell

It refers to a command-line environment, the interactive interface between the system and the user; in short, it is the "communication" environment between the system and the user.

The DOS we commonly use is just one kind of shell. (On Windows 2000 it is cmd.exe.)

2.124 ARP

Address Resolution Protocol (ARP): this protocol maps network addresses to hardware addresses.

Reference links:
https://www.cnblogs.com/wenyoudo/p/14284916.html
and the explanation of common terms in "Secrets of Intelligent Vehicle Security Attack and Defense".
There are some other sources; if any links are missing, please message me and I will add them.

Reprinting is temporarily prohibited. If you need to reprint, please contact the blogger.

I smiled at the sky with my horizontal knife, leaving two Kunlun Mountains

Topics: IoT Information Security