🌊 SYO-501 | Glossary

 


MASTERING SECURITY BASICS

Use case: describes a goal an organisation wants to achieve; engineers use this in systems analysis and software development to identify and clarify requirements to achieve the goal
Common naming strategy: for use cases, verb-noun format (e.g. place order)
Actors: this use case element could be a registered user with shipping and billing information, a new customer with no information saved, or the billing system (bills for the order) / fulfillment system (processes and ships the order)
Precondition: this use case element must occur before the process can start, like selecting an item first before placing the order
Trigger: this use case element could be when you click the shopping cart to start the process
Postcondition: this use case element could occur after triggering the process, like receiving an acknowledgement of the order, steps taken to bill the user, and the shipping department taking steps to ship the product
Normal Flow: this use case element is the list of each step in a specific order, from when you pick an order to completing the order and exiting the system
Alternate flow: this use case element could occur when the user wants to use a different credit card or shipping address, or even cancel the whole process or just abandon it
Confidentiality: this prevents the unauthorised disclosure of data
Encryption: scrambles data to make it unreadable by unauthorised personnel; only authorised personnel can decrypt it, e.g. encrypting emails is the best way to protect their confidentiality
PII: personally identifiable information, like medical information or credit card data
Access Controls: identification, authentication, and authorisation combined provide access controls and help ensure that only authorised personnel can access data
Identification: when users claim an identity with a unique username
Authentication: when users prove their identity, such as with a password
Authorisation: when you grant or restrict access to resources using an authorisation method such as permissions
Steganography: this is the practice of hiding data within data
Obfuscation: attempts to make something unclear or difficult to understand
IT Security Obfuscation: in this context, this is called security by obscurity or security through obscurity; note that security experts reject this as a reliable method of maintaining security
Steganography example: a common form of obfuscation; embed a hidden message in an image by modifying certain bits within the file, or add a text file to an image file using WinRAR and the Windows command line
Integrity: provides assurances that data has not changed; when unauthorised users, malicious software (malware), or system/human errors modify, tamper with or corrupt the data, the data has lost integrity
Hashing: a hash is simply a number created by executing a hashing algorithm against data, such as a file or message; if the data never changes the resulting hash will always be the same, which means the data hasn't lost integrity
Hashing example: Homer sends a message and hash to Marge; the message was "hello" with hash 123. Marge calculates the hash and compares it with the hash from Homer; if it's the same, then the message hasn't lost its data integrity. Otherwise, if it's different, like 456, data integrity has been lost
Hashing disadvantage: it doesn't tell you what modified the message
Hash use: can be used on email and data files; sometimes email programs use a message authentication code (MAC) instead of a hash, with the same concept, to verify integrity
Hashing advantage: it can also check if integrity is maintained during download/transfer; some programs detect a loss of integrity by comparing the source hash and destination hash, and once detected it's reported to the user
Hashing example part two: a website admin can calculate and post the hash of a file on the site; users can manually calculate the hash of the file after downloading it and compare the hashes; if the file was infected by a virus then the hash would be different; you can use freeware like md5sum.exe to calculate MD5 hashes
Hashing example part three: it's possible to lose data integrity through human error; a database admin who needs to modify a significant amount of data can write a script for a bulk update, but if the script is faulty it can corrupt/change the database, losing integrity
Key concepts of integrity part one: integrity provides assurances that data has not been modified, tampered with or corrupted; this might be due to unauthorised or unintended changes/human error
Key concepts of integrity part two: hashing verifies integrity; a hash is a numeric value created by executing a hashing algorithm against a message or file; hashes are created at the source and destination, or at two different times, like the first and fifteenth of the month
Digital signature: similar in concept to a handwritten signature; it provides authentication; if the signature arrives intact, it authenticates the sender
Digital signature advantage: prevents attackers from impersonating others and sending malicious emails, e.g. an attacker could make an email look like it came from Lisa and include a link to a malicious site urging Bart to click it
Non-repudiation: digital signatures provide non-repudiation; Lisa would not be able to deny sending an email because the digital signature would prove it
Digital signature requirement: requires certificates
Availability: indicates that data and services are available when needed; for some organisations this is 8-5pm Mon-Fri, for some organisations 24 hours a day
Availability implementation: organisations commonly implement redundancy and fault-tolerant methods to ensure high levels of availability for key systems; organisations also ensure systems stay up to date with current patches so that software bugs don't affect availability
Redundancy: adds duplication to critical systems and provides fault tolerance
SPOF: Single Point of Failure
Common goal of Redundancy and Fault Tolerance: if an SPOF fails, the entire system can fail, so a common goal is to remove SPOFs, e.g. if a server has a single drive, the drive is an SPOF cos its failure takes down the server
Disc redundancies: fault-tolerant discs, such as RAID-1 (mirroring), RAID-5 (striping with parity), and RAID-10 (striping with a mirror), allow a system to continue to operate even if a disc fails
Server redundancies: failover clusters include redundant servers and ensure a service will continue to operate, even if a server fails
Server redundancies (in failover clusters): the service switches from the failed server in a cluster to an operational server in the same cluster
Virtualisation: can increase availability of servers by reducing unplanned downtime
Load balancing: uses multiple servers to support a single service, such as a high-volume web site; this can increase the availability of web sites and web-based applications
Site redundancies: if a site can no longer function due to a disaster, such as a fire, flood, hurricane, or earthquake, the organisation can move critical systems to an alternate site
Hot site: ready and available 24/7
Cold site: location where equipment, data and personnel can be moved to when needed
Warm site: a compromise between a hot site and cold site
Backups: if personnel back up important data, they can restore it if the original data is lost
Data loss cause: corruption, deletion, application errors, human error, and even hungry gremlins that just randomly decide to eat your data; without a backup, data is lost forever
Alternate power: uninterruptible power supplies (UPSs) and power generators can provide power to key systems even if commercial power fails
Cooling systems: heating, ventilation, and air conditioning (HVAC) systems improve the availability of systems by reducing outages from overheating
Patching: another method of ensuring systems stay available is patching; software bugs cause a wide range of problems, including security issues and even random crashes; software vendors discover the bugs, then develop and release code that patches or resolves these problems; organisations commonly implement patch management programs to ensure systems are up to date
Resource vs Security Constraints: Why not encrypt all the data? The reason is that encryption consumes resources
Resource vs Security Constraints Example: if 260 characters are encrypted, the result goes up to 360 characters, an increase of 40%. This means the company would need 40% more disk space. Additionally, processing this will consume more memory. It also takes more time and power to encrypt and decrypt data. Security experts and executives might disagree on whether it's worth it
Risk: the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss
Threat: any circumstance or event that has the potential to compromise confidentiality, integrity or availability
Vulnerability: a weakness; it can be in the hardware, the software, the configuration, or even the users operating the system
Security incident: an adverse event or series of events that can negatively affect the confidentiality, integrity or availability of an organisations
Risk mitigation: reduces the chances that a threat will exploit a vulnerability, or reduces the impact of the risk, through security controls, e.g. restrict access through access controls so that if employees become disgruntled they can do no harm
Control Types / Security Controls: most security controls can be classified as technical (technology), administrative (admin or management methods) or physical (things you can touch)
Technical controls: use technology to reduce vulnerabilities; an admin installs and configures a technical control, and the technical control then provides the protection automatically
Technical control: Encryption: strong technical control used to protect the confidentiality of data transferred over a network or stored on devices such as servers, desktop computers and mobile devices
Technical control: Antivirus software: once installed this provides protection against malware infection
Technical control: Intrusion detection systems (IDSs) and Intrusion prevention systems (IPSs): strong technical control used to protect the confidentiality of data transferred over a network or stored on devices such as servers, desktop computers and mobile devices
Technical control: Network Firewall: restricts network traffic going in and out of a network
Technical control: Least privilege: when individuals are granted only the privileges they need
Administrative Controls: use methods mandated by organisational policies or other guidelines
Administrative control: Risk assessment: helps quantify and qualify risks within an organisation to focus on a serious task
Risk assessment: Quantitative Risk assessment: uses cost and asset values to quantify risk through monetary values
Risk assessment: Qualitative Risk assessment: uses judgements to categorise risks based on probability and impact
Administrative control: Vulnerability assessment: attempts to discover current weaknesses/vulnerabilities
Administrative control: Penetration tests: attempt to exploit vulnerabilities, e.g. if a server is not up to date, a penetration test would attempt to compromise the server by exploiting the unpatched vulnerability
Administrative control: focus on physical security and environment: an access list identifies individuals allowed into a secured area; guards verify individuals are on the access list before allowing them in
Administrative control: operational/management control: ensures that day-to-day operations comply with the overall security plan; people implement these controls
Operational/management control: Awareness and training: training helps users maintain password security, follow a clean desk policy, understand threats such as phishing and malware, etc.
Operational/management control: Configuration and change management: configuration management often uses baselines to ensure that systems start in a secure, hardened state; change management ensures that changes don't result in unintended configuration errors
Operational/management control: Contingency planning: helps plan and prepare for potential system outages, to reduce the impact on organisations if an outage occurs
Operational/management control: Media protection: includes physical media such as USB flash drives, external and internal drives, and backup tapes
Operational/management control: Physical and environmental protection: includes physical controls like cameras and door locks, and environmental controls like heating and ventilation systems
Physical Controls: any controls that you can physically touch, like lighting, signs, fences, security guards and more, e.g. a fire suppression system is both physical and technical cos it can detect fire
Control goals: technical and administrative controls categorise the controls based on how they are implemented
NIST and SP 800 Documents: the National Institute of Standards and Technology (NIST) includes a Computer Security Division hosting the Information Technology Laboratory (ITL). The ITL publishes Special Publications (SPs) in the 800 series. IT security professionals use these documents as references to design secure IT systems and networks
NZISM: New Zealand Information Security Manual
Preventive Controls: to prevent security incidents
Hardening: practice of making a system or application more secure than its default configuration, e.g. disabling unnecessary ports and services, implementing secure protocols, using strong passwords (robust password policy), disabling default and unnecessary accounts
Security awareness and training: ensuring that users are aware of security vulnerabilities and threats helps prevent incidents, e.g. users are less likely to be tricked when they understand how social engineers operate
Security guards: guards prevent and deter many attacks, e.g. guards can prevent unauthorised access into secure areas of a building by first verifying user identities
Change management: change management ensures that changes don't result in unintended outages, e.g. administrators submit the change to a change management process (both an operational and a preventive control)
Account disablement policy: an account disablement policy ensures that user accounts are disabled when an employee leaves
Detective Controls: attempt to detect when vulnerabilities have been exploited, resulting in a security incident
Detective controls: Log monitoring: several different logs record details of activity on systems and networks, e.g. firewall logs record details of all traffic that the firewall blocked / automated methods detect potential incidents and report them right after they've occurred
Detective controls: Trend analysis: monitoring logs to detect trends, e.g. an IDS (Intrusion Detection System) attempts to detect attacks and raise alerts/alarms; analysing past alerts can show an increase of attacks on a specific system
Detective controls: Security audit: security audits can examine the security posture of an organisation, e.g. a password audit determines if the password policy is ensuring the use of strong passwords / a periodic review of user rights can detect if users have more permissions than they should
Detective controls: Video surveillance: a closed-circuit television (CCTV) system can record activity
Detective controls: Motion detection: many alarm systems can detect motion from potential intruders and raise alarms
Note about Detective Controls: they attempt to detect when vulnerabilities have already been exploited
Detective vs Preventive Controls: a detective control can't predict when an incident will occur and can't prevent it, while a preventive control stops the incident from occurring at all, e.g. Video surveillance: detective, Guards: preventive
Corrective controls: attempt to reverse the impact of an incident or problem after it has occurred
Corrective controls: IPS: an intrusion prevention system attempts to detect attacks and then modify the environment to block the attack from continuing
Corrective controls: Backups and system recovery: backups ensure that personnel can recover data if it is lost or corrupted; system recovery procedures ensure admins can recover a system after a failure
Deterrent controls: attempt to discourage a threat
Deterrent controls: cable locks: securing laptops to furniture with a cable lock deters thieves from stealing the laptops
Hardware locks: other locks, such as locked doors securing a wiring closet or a server room / locked cabinet doors
Compensating Controls: alternative controls used instead of a primary control, e.g. Time-based One-Time Password (TOTP)
Virtualisation: used within large data centers and can also be used on a regular personal computer (PC); allows you to host one or more virtual systems / VMs on a single physical system, e.g. a virtual network within a single physical system; this reduces cost
Virtualisation: Hypervisor: the software that creates, runs, and manages the VMs (VMware, Microsoft Hyper-V, and Oracle VM all have a hypervisor)
Virtualisation: Host: the physical system hosting the VMs is the host; it costs more for RAM, processor, hard drive space, and one or more fast network cards, but requires less electricity, less cooling and less physical space
Virtualisation: Guest: operating systems running on the host system are guests or guest machines
Virtualisation: host elasticity and scalability: refers to the ability to resize computing capacity based on the load, e.g. when a VM has increased traffic, you can increase the processing power and memory used by the server
ROI: good return on investment, e.g. with nine servers each using 20% of their processing power, memory and disk space, you can instead convert three physical servers to virtual hosts and run three guests on each; fewer physical servers are also easier to maintain (electricity, HVAC)
Comparing Hypervisors: Type I Hypervisors vs Type II Hypervisors
Hypervisors: Type I: run directly on the system hardware; called bare-metal hypervisors because they don't need to run within an OS, e.g. VMware has a family of ESX/ESXi products that are Type I
Hypervisors: Type II: run as software within a host operating system, e.g. Microsoft Hyper-V runs within a Microsoft OS
When to use each type of Hypervisor: on a PC, you use Type II hypervisor-based virtualisation; virtualisation in large-scale data centers typically uses Type I
Application cell virtualisation: has no kernel of its own; runs services or applications within isolated application cells (or containers), e.g. a container has one isolated service or app running on the host operating system kernel
Benefit of container virtualisation: it uses fewer resources and can be more efficient than a system using traditional Type II hypervisor virtualisation; ISPs often use it for customers who need specific applications; drawback: containers must use the OS of the host, e.g. if the host is running Linux, all containers must run Linux
Security Network Architecture: it's possible to use virtualisation as part of an overall secure network architecture; VMs can provide segregation, segmentation and isolation of individual systems, e.g. disabling the NIC in the VM prevents it from transmitting data
Snapshots: a snapshot provides you with a copy of the VM at a moment in time, which you can use as a backup, e.g. it's best to take a snapshot of a system before performing a risky operation like applying patches or updates, testing security controls, or installing new apps (you can revert or roll back to the snapshot)
VDI/VDE and non-persistence: virtual desktop infrastructure (VDI) / virtual desktop environment (VDE); the user's desktop operating system runs as a VM on a server
Benefits of VDI/VDE: user PCs can have limited hardware resources; if the PC can connect to a server over a network it can run a full-featured desktop OS
Consider these when using virtual desktops: whether they support persistence or non-persistence
Persistent Virtual Desktop: each user has a custom desktop image; users can customise them and save their data within the desktop; drawback: the amount of disk space required on the server to support unique desktop images for all users
Non persistent Virtual Desktop: serves the same desktop for all users; when a user accesses the remote server, it provides a desktop OS from a preconfigured snapshot; although users can make changes to the desktop as they're using it, it reverts to a known state when they log off
VMs as Files: they're just files so it's easy to manage
VM Escape: an attack that allows an attacker to access the host system from within the virtual system; the attacker can hack the hypervisor, so keep physical and virtual servers patched
VM Sprawl: occurs when an organisation has many VMs that aren't managed properly, e.g. Bart uses a VM to test software and leaves it running; the SysAd patches all known VMs, but Bart didn't tell anyone about his, so now it's unpatched and a vulnerability
VM: Confidentiality: important to protect VMs cos they're just files, easy for a disgruntled admin to hack
Kali Linux: a free Linux distribution used by many security professionals for penetration testing and security auditing
VM choices: Hyper-V, VMware Workstation Player, Oracle VM VirtualBox
Help Switch on CMD: ping /? or ping -?, ipconfig /? or ipconfig -?, netstat /? or netstat -?
Help on Terminal: ping, ping | help (these two return an error but don't provide the same amount of help), ping -help, man ping
CMD vs Terminal: CMD is not case sensitive
Ping: tests connectivity for remote systems, e.g. verify that a system can resolve valid host names to IP addresses, test the NIC, and check the security posture of a network
Ping's Protocol: sends Internet Control Message Protocol (ICMP) echo request packets; the remote system is operational when you receive echo replies, e.g. ping 192.168.1.1 verifies the computer can connect to another computer in the network
Ping replies: on Windows it sends 4 requests, while on Linux it just continues until you press Ctrl+C; you can mimic the Linux behaviour on Windows with ping -t 192.168.1.1, and mimic Windows on Linux with ping -c 4 192.168.1.1
Ping to check name resolution: the computer queries a Domain Name System (DNS) server with the host name, and DNS responds with an IP address, e.g. malware can change the name resolution process to prevent systems from reaching the Windows Update server for updates; you can ping it to verify name resolution works
What if Ping fails? You can't just assume that the system is not operational or unreachable, cos many denial of service (DoS) attacks use ICMP to disrupt services on internet-based systems, and firewalls commonly block ICMP traffic, e.g. you can connect to slytherinfakesite.com using a browser, but ping might fail; this means the site operates on HTTP but a firewall blocks ICMP
Main uses of ping: verify the name resolution process, and check the security posture of networks by verifying that routers, firewalls, and IPSs block ICMP traffic when configured to do so
ipconfig: shows the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for a system, e.g. IP address, subnet mask, default gateway, MAC address, address of the DNS server, config info on the NIC, wired/wireless NIC
ifconfig: interface configuration; more capable than ipconfig cos you can configure the NIC
Common commands: ipconfig /all: shows a comprehensive listing of TCP/IP config info for each NIC, including the MAC address, DNS server, and the DHCP server address if it's a client / ifconfig -a on Linux
Common commands: ipconfig /displaydns: each time a system queries DNS to resolve a host name to an IP address, it stores the result in the DNS cache; this command shows the cache, host name to IP address mappings included
Common commands: ipconfig /flushdns: you can erase the contents of the DNS cache with this command; used when the cache has incorrect information and you want to ensure DNS is queried for up-to-date information
Linux Common commands: ifconfig eth0: shows the config of the first NIC to change settings / wlan0 for the first wireless interface
Linux Common commands: ifconfig eth0 promisc: enables promiscuous mode on the first Ethernet interface, which allows the NIC to process all traffic it receives / by default the NIC ignores all packets not addressed to it and processes only those addressed to it
Linux Common commands: ifconfig eth0 allmulti: this command enables multicast mode on the NIC, which allows it to process all multicast traffic received by the NIC; usually it only processes traffic for multicast groups it has joined; turn it off with 'ifconfig eth0 -allmulti'
Linux: use ip instead of ifconfig: Debian Linux developers don't maintain the ifconfig package anymore, though it's still available sometimes, e.g. ip link show (shows the interfaces along with some details on them), ip link set eth0 up (enables a network interface), ip -s link (shows statistics on the network interfaces)
netstat: network statistics; allows you to view statistics for TCP/IP protocols on a system, and also gives the ability to view active TCP/IP network connections. Many attacks establish connections from an infected computer to a remote one. Use this if you suspect it
Common commands: netstat -a: displays a listing of all TCP and User Datagram Protocol (UDP) ports that a system is listening on, in addition to all open connections, e.g. an IP address followed by :80 means it's listening on the default port of 80 for HTTP, a web server
Other common commands for netstat: netstat -r (displays the routing table), netstat -e (displays details on network stats, including bytes sent and received), netstat -s (displays stats of packets sent or received for specific protocols such as IP, ICMP, TCP, and UDP), netstat -n (displays addresses and port numbers in numerical form), netstat -p protocol (shows stats on a specific protocol like TCP / UDP, e.g. netstat -p tcp / netstat -anp tcp to show connection states). ESTABLISHED means normal, LISTEN means waiting, CLOSE_WAIT means waiting for termination; other states include TIME_WAIT, SYN_SENT, SYN_RECEIVED etc.
Tracert: lists the routers between two systems; each router is a hop. Tracert identifies the IP address and sometimes the host name of each hop, in addition to round-trip times (RTTs) for each hop; on Linux use traceroute. Use this to find faulty routers; it shows where the traffic stops. Useful for Wide Area Networks (WAN)!
Security use: Tracert: could discover an unauthorised router between router 1 and the internet
Tracing a path with tracert: an attacker could capture the traffic with a protocol analyser and view data sent in cleartext, and may also launch other attacks, e.g. if a connection is slow, you could use tracert to verify the path and find out that an IP address is in a foreign country (tracert -d site forces tracert to not resolve IPs to host names, so it's faster)
Arp: address resolution protocol/command; resolves IP addresses to MAC addresses and stores the result in the ARP cache (arp shows help, arp -a shows the ARP cache, arp -a 192.168.1.1 displays the ARP cache entry for the specified IP address | for Linux: arp shows the ARP cache)
When to use Ping, Netstat, Tracert, Ipconfig and ARP: the gist is that you use Ping for a reply to test a connection, Netstat to see the connections (infected to another computer), Tracert to see where traffic stops (hop/router), Ipconfig to view the config of network interfaces, and ARP to identify the MAC address when you have the IP (arp -a ip, or leave it without the ip); arp can be useful for ARP cache poisoning attacks

BLUE TEAM

Threat: this refers to a new or newly discovered incident that has the potential to harm a system or your company overall, e.g. Natural, Unintentional, or Intentional
Vulnerability: refers to a known weakness of an asset (resource) that can be exploited by one or more attackers, e.g. How are you protecting your data?
Risk: defined as the potential loss or damage when a threat exploits a vulnerability, e.g. Damage to reputation, Financial Losses
Proprietary Standard: owns exclusive rights to something, e.g. FaceTime is a proprietary standard that cannot be installed on other OSes legally.
Top-down Policies and Protocols: refers to mandatory cybersecurity practices to have adequate security
Triage: a method that helps you respond faster and with more accuracy to security events
3 Step Triage: Identify, Map and Eradicate
Identify: to identify compromised or infected end points
Map: to find how they got in, where they went, and what they're trying to retrieve
Eradicate: to eradicate any malicious contents so the attacker no longer poses a threat
What does a security solution include? IPS/IDS, WAF, SIEM; all generate security alerts
It's important to combine these for defense: AI, Human and Threat Intelligence are needed
IPS/IDS: Intrusion Prevention/Detection System
WAF: Web Application Firewall
TLP: Traffic Light Protocol, a set of designations to ensure that sensitive information is shared with the right audience
Data Exfiltration / Data Extrusion: the unauthorised transfer of data from a computer
ICMP: Internet Control Message Protocol
ANY.RUN: Malware Analysis Software
NIST: National Institute of Standards and Technology
NZISM: New Zealand Information Security Manual, the government's manual for information assurance and information security systems
Artifact: data that may or may not be relevant to the response / investigation, e.g. Registry Keys, Time Stamps, Event Logs
FTPS: File Transfer Protocol that uses the TLS/SSL protocol for encryption, e.g. FileZilla and WinSCP
TCP vs UDP: Transmission Control Protocol prioritises quality of connection, while User Datagram Protocol focuses on speed
Core Functions Sample (SACTAPC): Security Operations Centre (action for smaller stuff), Advisory and Strategy, CSIRT Team (for incidents!), Security Testing (Pentesting), Security Awareness, Programme of Work (how we're doing), Collaboration (research teams like CROW and WAND)
Incident Red Book Sample (ACER): Assessment, Containment, Eradication, and Recovery
C&C (Command and Control) Server: computer controlled by an attacker or cybercriminal, used to send commands to systems compromised by malware and receive stolen data, e.g. Blocking C&C IPs at the firewall
Triage: sorting threats by importance or priority
Threat Intelligence: information that organisations can use to combat cyber threats
Common Vulnerability Scoring System / CVSS: a free and open industry standard for assessing the severity of computer system security vulnerabilities.
Security through obscurity / STO: is based primarily on hiding important information and enforcing secrecy as the main security technique, e.g. hiding passwords in binaries, renaming folders, hiding software versions
Deep Packet Inspection (DPI): involves the use of network equipment to intercept, examine, modify, restrict, or copy the content of data communications on the fly.


UNDERSTANDING IDENTITY AND ACCESS MANAGEMENT

Identification: occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses
Authentication: users prove their identity with this, such as with a password
User's credential: refers to both a claimed identity and an authentication mechanism
AAA: authentication, authorisation, and accounting
Authorisation: users are granted this to access resources based on their proven identity
Accounting: this method tracks user activity and records the activity in logs
Audit Logs: track activity; administrators use these to create an audit trail
Audit Trail: allows security professionals to re-create the events that preceded a security incident
'Something you know' Authentication Factor: typically refers to a shared secret, such as a password or even a PIN. This factor is the least secure form of authentication. However, you can increase the security through guidelines.
Password Complexity: complex passwords aren't necessarily strong. Recommendations for the best length vary depending on the type of account. In 2016, Microsoft began recommending a best practice of setting the length to at least 14 characters.
Key Point on Longer Passwords: longer passwords using more character types are more secure, and short passwords of 4 or 5 characters are extremely weak.
Formulas on passwords: a 6-character password using only lower case letters has 26^6 possible combinations, and a 10-character one has 26^10, because there are 26 letters. Password cracking tools can try 20 billion passwords per second on a high-end graphics processor, so a 10-character lower case password can be cracked in 2 hours. But if you use all 94 printable characters, it's 94^10, in the quintillions. It takes years to crack passwords that use 4 different character types
Millions: Billions, Trillions, Quadrillion, Quintillion

