# Addressing some common Cybersecurity jargon

Let’s break down some common cybersecurity jargon.

Sometimes people get confused by these terms or find it hard to retain their differences.

➊. **Authentication vs Authorization:**

**Authentication** is the process of verifying identity. It uses a combination of techniques/methods to do so. For example: if one of your friends calls you from an unknown number, after hearing their voice you’ll ask “ABC, is that you?” and they will reply “Yes, it’s me.”

Whereas **authorization** refers to the permissions attached to performing a certain task. It often comes after authentication has succeeded and a task is about to be executed. For example: while making online payments you are asked to input a PIN/OTP, which is a form of authorization.

\[ NOTE: While these solutions might sound solid, there are ways to circumvent them. \]
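The split between the two checks, as an added example that is not part of the original post: a request is first tied to an identity (authentication) and only then checked against a permission table (authorization). The session IDs, users, roles and action names are constructed for illustration.

```python
# Constructed sample data; every name here is hypothetical.
SESSIONS = {"sess-a1": "alice", "sess-b2": "bob"}           # session id -> user
ROLES = {"alice": {"viewer"}, "bob": {"viewer", "payer"}}    # user -> roles
REQUIRED_ROLE = {"view_balance": "viewer", "send_payment": "payer"}


def authenticate(session_id):
    """Authentication: who is making the request? None if unknown."""
    return SESSIONS.get(session_id)


def authorize(user, action):
    """Authorization: may this identified user perform the action?"""
    role = REQUIRED_ROLE.get(action)
    # Default deny: an action with no policy entry is never allowed.
    return role is not None and role in ROLES.get(user, set())


def handle_request(session_id, action):
    """Return an HTTP-style status code for the request."""
    user = authenticate(session_id)
    if user is None:
        return 401  # identity not established
    if not authorize(user, action):
        return 403  # identity known, permission missing
    return 200


if __name__ == "__main__":
    for sid, action in [("sess-a1", "view_balance"),
                        ("sess-a1", "send_payment"),
                        ("sess-zz", "view_balance")]:
        print(sid, action, handle_request(sid, action))
```

Keeping the two functions separate means a missing permission check shows up as a distinct failure (403) rather than being hidden behind a successful login.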

➋. **DRY principle vs WET principle:**

**DRY** stands for “Don’t Repeat Yourself”. Simply put, it minimizes bugs & shortens the codebase.

Whereas **WET** stands for “Write Everything Twice”. Simply put, it means the same code is implemented at least two times in a codebase. It offers the flexibility to use the same code for two different purposes.

\[ NOTE: These two terms are not common, as they are part of the software development process. There is a high chance of seeing them implemented if you do web app pentests or code reviews. \]

➌. **URI vs URL:**

**URI** or Uniform Resource Identifier provides the identity of an item. For example: the IMEI number of your smartphone can be defined as a URI, or the ISBN number of a book, or better yet your roll number/employee ID.

**URL** or Uniform Resource Locator provides a way to reach any location. It comprises a protocol, a domain name/IP address and a path to the resource. For example: [https://medium.com](https://medium.com)

➍. **Penetration testing vs Red team assessment:**

**Penetration testing** is a process to test the security of a company/system/network/website/software. For example: you hired a lockpicker to check the strength of your locks.

**Red team assessment**, on the other hand, deals with testing the strength of the blue team & adversary simulation. For example: you hired a professional thief to test out your state-of-the-art home security system.

\[ NOTE: There is a fine line between these two terms. In most scenarios, they differ only in terms of use cases. In other scenarios, the terms are often used interchangeably. \]

➎. **CIA triad vs DAD triad:**

**CIA triad** stands for Confidentiality, Integrity & Availability. It’s part of the Blue team side of security, where these terms help design security mechanisms. For example: you use WhatsApp to send encrypted messages to another person & can do so until WhatsApp servers are down or there is a Man-In-The-Middle (MITM).

**DAD triad** stands for Disclosure, Alter & Denial. It’s part of the Red team side of security, where these terms define the breaking of the CIA triad. For example: if someone intercepts your WhatsApp traffic and manages to break the encryption, they can read, modify or even permanently delete your messages.

\[ NOTE: While WhatsApp encrypts your text messages, any documents sent over it are not encrypted and remain plaintext in its servers. Anyone with access to these servers/MITM can easily read them. Be mindful of what you share over WhatsApp. \]

➏. **Reverse shell vs Bind shell:**

For this, let’s imagine you have two devices, i.e., a client (your smartphone) and a server (your laptop). For the sake of simplicity, let’s also assume these two are in the same LAN.

In a **reverse shell** scenario the client will open a port and the server will connect back to it using the IP:Port combo. This is very useful for circumventing firewalls. For example: let’s assume you met someone and, instead of asking them, shared your phone number so they can contact you.

Whereas in a **bind shell** the server will open a port and the client will connect to it using the IP:Port combo. This is helpful but less reliable if security measures are in place. For example: let’s assume you met someone & they shared their phone number so you can contact them.

\[ NOTE: Both of these shells have their individual use cases; sometimes you will use reverse and sometimes bind. It often takes trial & error to find a perfect solution for a given scenario, however in most cases a reverse shell will do better than a bind one. \]

➐. **Encryption vs Hashing:**

**Encryption** is the term for the process of encoding information in such a way that it cannot be recovered without a secret (code/key). Simply put, using this technique you can encode/decode your content (text, files, devices). Encryption is used to provide confidentiality between two or more people. Some common encryption algorithms are AES, RSA, etc.

For example: let’s imagine you have a lock and a key; in this case, that lock can’t be opened without that key.

Whereas **hashing** is a different technique that uses special mathematical functions to encode data in such a manner that it cannot be reversed. Due to this unique property, hashing is also used to store passwords in a database. It is also worth mentioning that there is no secret/key in this scenario. Hashes are used to verify the integrity of given data/files. Some of the common hash algorithms are MD5, SHA256, etc.

For example: you log in to your computer using a combination of username/password. This password is stored in the form of a hash, and when you type it in the login panel, the system translates it into a hash & then compares it with the one stored in its database. Only if both match is access granted.
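The login flow described above, as an added example that is not part of the original post. It uses salted PBKDF2-HMAC-SHA256 from Python's standard library instead of a bare MD5/SHA256 digest, so that two users with the same password do not end up with the same stored hash; the in-memory `db`, the usernames and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware


def unsalted_sha256(password):
    """Plain hash: deterministic, so equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 and a random per-user salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def register(db, username, password):
    """Store only the salt and digest; the password itself is never kept."""
    db[username] = hash_password(password)


def login(db, username, password):
    """Hash the typed password with the stored salt and compare the results."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def demo():
    """Build a constructed in-memory 'database' with two users sharing a password."""
    db = {}
    register(db, "alice", "correct horse")
    register(db, "bob", "correct horse")
    return db


if __name__ == "__main__":
    db = demo()
    print("alice ok:", login(db, "alice", "correct horse"))
    print("alice wrong:", login(db, "alice", "wrong horse"))
    print("same stored hash:", db["alice"][1] == db["bob"][1])
```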

> If you have read till here, thank you for bearing with me. While I wrote this post to explain concepts in layman's terms, hope you enjoyed it.
