Short-Answer Quiz
Instructions: Answer the following questions in 2-3 sentences each. Your answers should be based on the concepts presented in the study materials.
- Describe the difference between Preventive and Detective security control types.
- What is the Zero Trust security model, and what is its fundamental assumption?
- Explain the concept of non-repudiation in the context of cybersecurity.
- Compare and contrast the motivations of a Hacktivist and an Organized Crime threat actor.
- What is a “watering hole” attack, and what is its primary threat vector?
- Explain the difference between a hot site and a cold site in the context of disaster recovery.
- What is the purpose of establishing a “secure baseline” for computing resources?
- Define the principle of least privilege and its importance in access control.
- What are the key differences between a qualitative and a quantitative risk analysis?
- Describe the purpose of a “right-to-audit” clause in a third-party vendor agreement.
---
Answer Key
- Preventive controls aim to block unauthorized attempts to change a system before they can happen. Detective controls, on the other hand, are security measures implemented to detect an unauthorized activity or security incident after it has occurred.
- Zero Trust is a security model that assumes no trust, even for users and devices within the internal network. Its fundamental assumption is that all users and devices must be authenticated and verified before being granted access to resources.
- Non-repudiation is a concept that prevents an individual or entity from denying the validity of their previous actions or commitments. In practice, this ensures that a user cannot deny having sent a message or made a transaction.
- A Hacktivist engages in hacking activities to promote a social or political agenda, driven by philosophical or political beliefs. In contrast, an Organized Crime threat actor is primarily motivated by financial gain, engaging in activities like stealing sensitive information or conducting ransom attacks.
- A watering hole attack is a social engineering technique where attackers compromise websites frequently visited by their intended victims. The threat vector is the compromised website, which is then used to distribute malware or gather information from the visiting targets.
- A hot site is a fully operational data center with up-to-date equipment and data, ready to take over operations immediately after a primary site failure. A cold site is a location with the necessary infrastructure but lacks equipment and data, requiring significant manual setup in the event of a disaster.
- Establishing a secure baseline involves defining a standard set of security configurations that serve as a foundation for securing systems. This process ensures consistent security measures are deployed across the organization and helps in maintaining that security posture over time.
- The principle of least privilege ensures that users are granted only the minimum levels of access necessary to perform their job functions. This is important because it reduces the risk of unauthorized access and limits the potential damage from a compromised account.
- Qualitative risk analysis is a subjective evaluation of risks based on factors like severity and likelihood. Quantitative risk analysis is an objective assessment involving numerical values and monetary terms, using metrics like Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE).
- A right-to-audit clause is a contractual provision that grants a customer the right to assess and audit their vendor’s processes, controls, and compliance. This is crucial for verifying the vendor’s security posture and ensuring they meet the customer’s security requirements.
---
Essay Questions
Instructions: Prepare a detailed, essay-format response for each of the following questions. Your answers should synthesize information from across the study domains.
- Discuss the various types of security controls (Categories: Technical, Managerial, Operational, Physical; and Types: Preventive, Deterrent, Detective, etc.). Provide examples of how a single security measure, such as video surveillance, could fit into multiple classifications.
- Analyze the motivations and attributes of three different threat actors (e.g., Nation-state, Insider Threat, Unskilled Attacker). Explain how their respective levels of sophistication, resources, and funding impact the types of attacks they are likely to carry out and the attack surfaces they target.
- Explain the importance of change management in maintaining a secure IT environment. Discuss at least five business processes (e.g., approval process, impact analysis) and three technical implications (e.g., downtime, dependencies) that must be considered during the change management lifecycle.
- Compare and contrast different data protection methods including encryption, hashing, tokenization, and data masking. Describe a specific scenario where each method would be the most appropriate solution for securing sensitive data.
- Describe the complete seven-stage incident response process, from Preparation to Lessons Learned. Explain why each stage is critical for effectively managing a security incident and for improving an organization’s overall security posture over time.
---
Glossary of Key Terms
A
- AAA/Remote Authentication Dial-In User Service (RADIUS): A network protocol that provides centralized authentication, authorization, and accounting for wireless and remote access.
- Acceptable Use Policy (AUP): Defines acceptable use of organizational resources, including computers, networks, and information systems.
- Access badge: A physical or electronic card granting access.
- Access control: Regulates who or what can view or use resources in a system. It prevents unauthorized access and protects sensitive data.
- Access control vestibule: An enclosed area with two sets of doors to control access.
- Access Control List (ACL): A list that defines permissions attached to an object, such as a file or a network resource.
- Accounting: Tracking and recording activities and resource usage, often for audit purposes.
- Acquisition (Digital Forensics): Collecting digital evidence using forensically sound methods.
- Active vs. Passive (Device Attribute): Active devices actively modify or manipulate network traffic, while passive devices monitor and analyze traffic without making changes.
- Adaptive identity: Adjusting access privileges based on the changing identity of users or systems.
- Ad Hoc (Risk Assessment): Informal and unscheduled risk assessments conducted as needed.
- Agents/Agentless: Agents are software components installed on devices to collect and transmit data for monitoring. Agentless monitoring uses existing protocols and interfaces without installing additional software.
- Air-Gapped: An air-gapped network is physically isolated from unsecured networks, ensuring there is no direct or indirect connection to the internet or other networks.
- Alert Tuning: Involves adjusting the sensitivity and specificity of security alerts to reduce false positives and improve the accuracy of detection.
- Alerting: Involves generating notifications or alerts based on predefined criteria or thresholds, indicating potential security incidents or abnormal activities.
- Allow lists/deny lists: Lists specifying entities (such as IP addresses, applications, users) that are allowed or denied access.
- Annualized Loss Expectancy (ALE): The expected monetary loss from a risk over the course of a year.
- Annualized Rate of Occurrence (ARO): The anticipated frequency of a specific risk occurring within a year.
- Antivirus: Antivirus software is designed to detect, prevent, and remove malicious software, including viruses, malware, and other types of threats.
- Application Allow List: Defines a list of approved applications that are allowed to run on a system, reducing the risk of malicious software execution.
- Application restart: Restarting an application to apply changes or address issues.
- Approval process: A formal process where changes or implementations are reviewed and authorized before being executed.
- Archiving: Involves storing historical data, logs, or records for future reference, compliance, or analysis purposes.
- Asymmetric (Encryption): Encryption using a pair of keys (public and private) for encryption and decryption.
- Attack Surface: The sum of all possible points where an unauthorized user or malicious software could try to enter or extract data from an environment.
- Attestation: Involves verifying and confirming the accuracy of user account information, permissions, and access rights, typically through periodic reviews or audits.
- Attribute-Based (Access Controls): Use attributes such as user characteristics, environmental conditions, or resource properties to make access decisions.
- Authentication: Verifying the identity of a person, system, or entity.
- Authentication Protocols: Verify the identity of users or devices connecting to a wireless network, ensuring authorized access.
- Authorization: Granting or denying access to resources or actions based on authenticated identity.
- Availability: Ensuring that systems and resources are accessible and available when needed by authorized users.
- Avoid (Risk Management): Eliminating or withdrawing from activities or processes that pose significant risks.
B
- Backout plan: A predefined set of steps to revert changes or implementations in case of issues or failures.
- Benchmarks: Predefined standards or guidelines used to assess and measure the security configuration and posture of systems, applications, or networks.
- Biometrics: Involves using unique physical or behavioral characteristics, such as fingerprints or facial recognition, for user authentication.
- Birthday (Attack): Exploits the mathematical probability of finding two different inputs with the same hash value in a hash function.
- Blackmail: Coercing individuals or organizations by threatening to reveal sensitive information.
- Blockchain: A decentralized and distributed ledger technology that records transactions across multiple computers in a secure and tamper-resistant manner.
- Bloatware: Software that comes pre-installed on a device and often includes unnecessary or unwanted applications that may consume system resources.
- Bollards: Short vertical posts used to control or direct traffic.
- Brand Impersonation: Pretending to be a legitimate brand or organization to deceive individuals.
- Bring Your Own Device (BYOD): A deployment model where employees use their personal devices for work.
- Brute Force: A method of attempting to gain unauthorized access to a system or an account by systematically trying all possible passwords until the correct one is found.
- Buffer Overflow: Happens when a program writes more data to a buffer than it can hold, potentially overwriting adjacent memory.
- Bug Bounty Program: A formal initiative that rewards individuals or researchers for responsibly disclosing security vulnerabilities.
- Business Continuity: Outlines strategies and procedures to ensure business operations continue during and after disruptions.
- Business Email Compromise: Compromising business email accounts for fraudulent purposes, often involving financial transactions.
- Business Impact Analysis: A process to determine the potential effects of an interruption to critical business operations.
- Business Partners Agreement (BPA): A comprehensive agreement defining the terms of a business partnership.
C
- Centralized vs. Decentralized: Describes the distribution of authority and control within an organization.
- Certificate authorities: Trusted entities that issue digital certificates.
- Certificate revocation lists (CRLs): Lists of digital certificates that have been revoked before their expiration date.
- Certificate signing request (CSR) generation: The process of generating a request for a digital certificate.
- Certification (Disposal): Obtaining formal documentation or confirmation that assets have been properly decommissioned, sanitized, or destroyed.
- Chain of Custody: Documenting and maintaining the integrity of digital evidence throughout an investigation.
- Change Management: Regulates the process of introducing, modifying, or removing systems and components.
- Choose Your Own Device (CYOD): A deployment model where employees choose from a list of approved devices provided by the organization.
- Classification (Asset): Categorizing assets based on their importance, sensitivity, or criticality to the organization.
- Cloud-specific (Vulnerabilities): Vulnerabilities specific to cloud environments, often related to misconfigurations, shared resources, or insecure interfaces.
- Clustering: Involves connecting multiple servers to work together as a single system, providing redundancy and fault tolerance.
- Code Signing: Involves digitally signing software or code to verify its authenticity and integrity.
- Cold (Site): A location equipped with the necessary infrastructure but lacking up-to-date equipment, data, and applications.
- Collision (Attack): Involves finding two different inputs that produce the same hash value, compromising the integrity of hash functions.
- Common Vulnerabilities and Exposures (CVE): A dictionary of unique identifiers assigned to publicly known cybersecurity vulnerabilities.
- Common Vulnerability Scoring System (CVSS): A standardized scoring system that assigns numerical values to vulnerabilities.
- Compensating (Controls): Controls employed in lieu of a recommended security control, providing equivalent or comparable protection.
- Compensating Controls (Vulnerability Response): Alternative security measures implemented to mitigate risks when the primary control is not feasible.
- Confidential (Data): Information that requires protection to prevent unauthorized disclosure, but its impact may be less severe than that of sensitive data.
- Confidentiality: Ensuring that information is only accessible to those who have the proper authorization.
- Configuration Enforcement: Ensures that systems and networks are configured securely by enforcing predefined security configurations.
- Conflict of Interest: Identifying and managing situations where a vendor’s interests may conflict with the customer’s interests.
- Connectivity: The extent and reliability of network connections between devices, systems, or networks.
- Containerization: A lightweight form of virtualization that encapsulates an application and its dependencies into a standardized unit called a container.
- Continuous (Risk Assessment): Ongoing and dynamic risk assessment processes that adapt to changes in the organizational environment.
- Continuity of Operations (COOP): Ensures that essential functions and services can continue in the face of disruptive events.
- Control Plane (Zero Trust): Manages adaptive identity, threat scope reduction, and policy-driven access control.
- Corrective (Controls): Measures implemented to restore systems or resources to their previous state after a security incident.
- Corporate-Owned, Personally Enabled (COPE): A deployment model where organizations provide employees with company-owned devices, allowing some personal use.
- Credential Replay: Involves intercepting and reusing previously captured authentication credentials to gain unauthorized access.
- Critical (Data): Information deemed crucial to the functioning and survival of an organization.
- Cross-site Scripting (XSS): Occurs when an attacker injects malicious scripts into web pages viewed by other users.
- Cryptographic (Vulnerabilities): Vulnerabilities related to the implementation or use of cryptographic algorithms or protocols.
- Cryptographic Protocols: Algorithms and methods used to secure wireless communication, ensuring confidentiality and integrity.
- Custodians/Stewards: Responsible for the day-to-day management and protection of specific data assets.
D
- Dark Web: A part of the internet that is intentionally hidden and often associated with illegal activities.
- Data at Rest: Information that is stored on a physical or digital medium and is not currently in use.
- Data Classifications: The categorization of data into types like Sensitive, Confidential, Public, Restricted, Private, and Critical.
- Data exfiltration: Stealing sensitive data for various purposes.
- Data in Transit: Information being transmitted over a network or communication channel.
- Data in Use: Information actively being processed or accessed by a system or user.
- Data Loss Prevention (DLP): Solutions designed to prevent unauthorized access, sharing, or leakage of sensitive data.
- Data masking: Concealing specific data elements within a database.
- Data Plane (Zero Trust): Contains implicit trust zones, subjects/systems, and policy enforcement points.
- Data Retention: Established policies and practices for retaining or securely disposing of data.
- Data Sovereignty: The concept that data is subject to the laws and regulations of the country or region in which it is located.
- Decommissioning: Safely retiring or taking out of service systems, devices, or software to prevent them from being exploited.
- Default Credentials: Systems using default usernames and passwords are vulnerable to unauthorized access.
- Dependencies: Relationships between different components or systems where one relies on the other.
- Destruction (Asset): Physically destroying or rendering an asset unusable at the end of its lifecycle.
- Detective (Controls): Security measures implemented to detect unauthorized activity or a security incident.
- Deterrent (Controls): Controls that aim to discourage attackers from attacking an organization's systems or premises.
- Digital Forensics: The process of identifying, preserving, analyzing, and presenting digital evidence in a legally admissible manner.
- Digital signatures: A cryptographic technique for validating the authenticity and integrity of digital messages or documents.
- Directive (Controls): Controls that aim to ensure that identified risks are managed through formal directions.
- Directory Traversal: Involves accessing files or directories outside of the intended scope by exploiting insufficient input validation.
- Disaster Recovery: Describes processes and measures to recover and restore systems and data after a disaster.
- Discretionary (Access Controls): Allow users to set permissions on resources, giving them the discretion to control access to their own data or files.
- Disruption/chaos: Creating disorder and confusion, often for ideological reasons.
- Distributed Denial-of-Service (DDoS): An attack that aims to make an online service unavailable by overwhelming it with traffic from multiple sources.
- Domain-based Message Authentication, Reporting and Conformance (DMARC): An email authentication and reporting protocol that helps protect against email spoofing and phishing.
- DomainKeys Identified Mail (DKIM): An email authentication method that uses cryptographic signatures to verify the authenticity of an email message.
- Downgrade (Attack): Involves manipulating or forcing systems to use weaker encryption protocols than their capabilities.
- Downtime: Period during which a system or service is unavailable.
- Due Diligence: Thorough research and investigation to assess a vendor’s capabilities, financial stability, and overall suitability.
- Dynamic Analysis: Involves testing an application during runtime to identify security vulnerabilities.
E
- E-Discovery: Following legal procedures for the identification, collection, and production of electronically stored information during legal proceedings.
- Embedded Systems: Specialized computing systems integrated into other devices or systems to perform specific functions.
- Encryption: Converts data into a secure format to prevent unauthorized access.
- Endpoint Detection and Response (EDR)/Extended Detection and Response (XDR): Security solutions that focus on detecting and responding to security incidents on endpoints.
- Endpoint Logs: Records generated by endpoints (computers, devices), providing information about user activities, system changes, and potential threats.
- End-of-life (Vulnerabilities): Result from using hardware that is no longer supported or receiving security updates.
- Enumeration (Asset): The process of systematically identifying and counting assets within an organization.
- Environmental (Attacks): Involve physically compromising the security of a system, such as through tampering or destruction.
- Ephemeral Credentials: Temporary access credentials with a limited validity period.
- Eradication: Identifying and eliminating the root cause of a security incident.
- Espionage: Gathering confidential information for political, economic, or military advantage.
- Ethical (Motivation): Conducting cyber activities with the intention of exposing or correcting perceived ethical violations.
- Exceptions and Exemptions: Formally acknowledging and documenting instances where certain security policies or controls cannot be fully implemented.
- Exposure Factor: The percentage of loss expected if a specific risk occurs.
- Extensible Authentication Protocol (EAP): A framework that various other authentication protocols use to facilitate secure communication.
F
- Fail-Closed: In the event of a failure, the device blocks traffic, preventing unauthorized access but potentially causing service disruption.
- Fail-Open: In the event of a failure, the device allows traffic to pass through, potentially exposing the network.
- Failover (Testing): Testing that involves intentionally triggering a failure to assess the system’s ability to switch to a backup or secondary system.
- False Negative: Occurs when a security tool fails to detect a genuine security threat or vulnerability.
- False Positive: Occurs when a security tool incorrectly identifies a benign activity or file as malicious or as a security risk.
- Federation: An identity management approach that enables users to access multiple systems or applications with a single set of credentials.
- Fencing: Physical barriers used for security.
- File Integrity Monitoring: Involves continuously monitoring and verifying the integrity of files on systems or networks to detect unauthorized changes.
- Financial gain: Engaging in cyber activities to generate profit.
- Financial Information: Encompasses data related to financial transactions, accounts, budgets, and other monetary aspects.
- Firewall Logs: Records generated by a firewall, capturing information about network traffic.
- Firmware (Vulnerabilities): Weaknesses in the software embedded in hardware devices.
- Forgery: Involves creating or altering data or transactions with the intent to deceive or gain unauthorized benefits.
- Full-disk (Encryption): Encrypting an entire storage device, protecting all data on it.
G
- Gap analysis: The process of assessing the difference between current and desired cybersecurity postures to identify areas for improvement.
- Gateway (Email): Devices or services positioned at the network gateway to filter and protect against email-borne threats.
- Generators: Devices that convert mechanical energy into electrical energy, providing backup power during electrical outages.
- Geographic Dispersion: Spreading critical infrastructure across multiple locations to mitigate the impact of localized disasters or disruptions.
- Geographic Restrictions: Limiting access to data based on the physical location of users or systems.
- Geolocation: Involves identifying and tracking the physical location of devices or individuals using data from various sources.
- Group Policy: A feature in Microsoft Windows that allows administrators to define and enforce security settings.
H
- Hacktivist: Individuals or groups who engage in hacking activities to promote a social or political agenda.
- Hard/Soft Authentication Tokens: Hardware or software-based devices/apps that generate one-time codes.
- Hardening Techniques: Strengthening security by implementing various measures such as encryption, endpoint protection, and disabling unnecessary services.
- Hardware security module (HSM): A physical device designed to manage and safeguard cryptographic keys.
- Hashing: A one-way function that converts input data into a fixed-size string of characters, often used for data integrity verification.
- Heat Maps: Visually represent the signal strength and coverage areas of wireless networks.
- High Availability: The design and implementation of systems that ensure a high level of operational performance.
- Honeyfile: A file used to detect unauthorized access.
- Honeynet: A network of honeypots.
- Honeypot: A decoy system designed to attract and analyze attackers.
- Honeytoken: A type of bait used to detect unauthorized access.
- Host-based Firewall: A firewall that operates on individual devices, controlling incoming and outgoing network traffic.
- Host-based Intrusion Prevention System (HIPS): A system that monitors a single host for suspicious activity by analyzing events occurring within that host.
- Hot (Site): A fully operational data center with up-to-date equipment, data, and applications, ready for immediate takeover.
- Human-Readable: Information that can be easily interpreted by humans without additional processing.
- Hybrid Considerations (Cloud): An IT architecture incorporating workload portability, orchestration, and management across multiple environments.
I
- Identity Proofing: The process of verifying the identity of an individual during the initial account creation or registration.
- Impossible Travel: User logins from geographically distant locations within an impractical timeframe.
- Impersonation: Pretending to be someone else to deceive or gain unauthorized access.
- Implicit trust zones: Designated areas where trust is automatically assumed.
- Impact analysis: Assessing the potential effects or consequences of a change or event on systems, processes, or the organization.
- Incident Response: Defines steps and actions to be taken in response to security incidents.
- Information Security Policies: Establish guidelines for protecting sensitive information and managing security risks.
- Information-Sharing Organization: Facilitates the exchange of threat intelligence among member entities.
- Infrastructure as Code (IaC): A practice in which infrastructure is provisioned and managed using code and software development techniques.
- Injection (Attack): Involves injecting malicious code or data into applications to manipulate their behavior.
- Inline vs. Tap/Monitor: Inline devices are directly in the data path and can modify traffic, while tap/monitor devices passively observe traffic.
- Input Validation: The process of checking user inputs to ensure they meet specified criteria.
- Insider threat: Individuals within an organization who misuse their access and privileges to compromise security.
- Installation of Endpoint Protection: Installing security software on individual devices to prevent and detect threats.
- Instant Messaging (IM): A threat vector where attackers distribute malware or phishing links.
- Insurance (Cybersecurity): Provides financial protection to organizations in the event of a security breach.
- Integrity: Ensuring that data remains accurate, unaltered, and trustworthy throughout its lifecycle.
- Intellectual Property: Includes creations of the mind, such as inventions, literary works, and designs.
- Internet Protocol Security (IPSec): A suite of protocols that secure internet protocol communications by authenticating and encrypting each packet.
- Interoperability: The ability of different systems or components to work together seamlessly.
- Intrusion Prevention System (IPS): A security appliance that actively monitors and analyzes network or system activities to detect and prevent malicious activities.
- Intrusion Detection System (IDS): A security appliance that passively monitors network or system activities and alerts on potential security threats.
- Inventory (Asset): Maintaining a comprehensive and up-to-date list of all assets within an organization.
- IoT (Internet of Things): The network of interconnected devices embedded with sensors, software, and other technologies to exchange data.
- Isolation: Separates potentially vulnerable systems from critical systems, limiting the impact of a security incident.
J
- Jailbreaking: Removes restrictions on a mobile device, allowing the installation of unauthorized software.
- Journaling: Records changes or modifications made to data, providing a log that can be used for recovery.
- Jump Server: An intermediary server used to access and manage devices within a secure network.
- Just-in-Time Permissions: Grant elevated access only for the necessary duration.
K
- Key escrow: A process where a trusted third party holds a copy of an encryption key.
- Key exchange: Secure exchange of cryptographic keys between parties.
- Key length: The size of the encryption key, usually measured in bits.
- Key logger: A type of software or hardware that records the keystrokes of a user.
- Key management system: A system for managing cryptographic keys throughout their lifecycle.
- Key stretching: Techniques to increase the security of passwords by making them more resistant to brute-force attacks.
L
- Least Privilege: Users are given the minimum levels of access necessary to perform their job functions.
- Legacy (Vulnerabilities): Arise from outdated or unsupported hardware components.
- Legacy applications: Older software or applications that may no longer be actively supported or updated.
- Legal Hold: Preserving and protecting digital evidence to ensure its admissibility in legal proceedings.
- Legal Information: Data related to legal matters, such as contracts and court records.
- Lessons Learned: A post-incident review to identify improvements and update response plans.
- Lightweight Directory Access Protocol (LDAP): A protocol used for accessing and managing directory information.
- Lighting: Illumination for security purposes.
- Likelihood: The chance of a risk event taking place.
- Load Balancer: Distributes incoming network traffic across multiple servers.
- Load Balancing: The distribution of network traffic across multiple servers to ensure no single server becomes overwhelmed.
- Log Aggregation: The process of collecting, consolidating, and centralizing log data from various sources.
- Logic Bomb: A piece of code intentionally inserted into software to execute a malicious action when certain conditions are met.
- Logical Segmentation: Dividing a network into segments based on logical criteria, such as departments or functions.
M
- Maintenance window: A scheduled timeframe during which system maintenance or changes can be performed.
- Malicious Code: Involves the injection or execution of harmful code to compromise systems.
- Malicious Update: The distribution of fake or compromised software updates containing malware.
- Managerial (Controls): Security controls that focus on the management of risk and the management of information systems security.
- Mandatory (Access Controls): Enforce access restrictions based on security policies or classifications.
- Masking (Data): See Data Masking.
- Master Service Agreement (MSA): An overarching agreement that outlines general terms and conditions for future services.
- Mean Time Between Failures (MTBF): The average time between the occurrences of failures or disruptions.
- Mean Time to Repair (MTTR): The average time it takes to restore a system or process after a failure.
- Memorandum of Agreement (MOA): A formal document outlining the terms and understanding between parties.
- Memorandum of Understanding (MOU): Outlines a mutual understanding between parties; it may not be legally binding.
- Memory Injection: Occurs when an attacker injects malicious code into the memory space of a running process.
- Microservices: An architectural style that structures an application as a collection of small, independently deployable services.
- Misconfiguration: Vulnerabilities resulting from improper or insecure configuration settings.
- Misinformation/Disinformation: Spreading false or misleading information to manipulate individuals or systems.
- Mitigate (Risk): Implementing measures to reduce the likelihood or impact of a risk.
- Mobile Device Management (MDM): Involves deploying software solutions to manage and secure mobile devices.
- Monitoring: Continuous observation of systems and networks to detect and respond to security incidents in real-time.
- Multi-Cloud Systems: Involve utilizing services or resources from multiple cloud service providers.
- Multifactor Authentication: An authentication method that requires the user to provide two or more verification factors.
N
- Nation-state: Governments or state-sponsored entities engaged in cyber activities.
- NetFlow: A network protocol that provides visibility into network traffic by collecting and analyzing information about IP flows.
- Network Access Control (NAC): A security solution that enforces policies to control access to a network.
- Next-Generation Firewall (NGFW): A firewall that combines traditional capabilities with advanced features like application-layer filtering.
- Non-Disclosure Agreement (NDA): A legal agreement outlining the protection and confidentiality of shared information.
- Non-Human-Readable: Information formatted or encoded in a way that is not easily understood by humans.
- Non-repudiation: A concept that prevents an individual or entity from denying the validity of their previous actions.
O
- Obfuscation: Concealing information within other non-secret data, or deliberately making data unclear.
- On-Path (Attack): Involves intercepting and manipulating network traffic by positioning the attacker on the communication path.
- On-Premises: The deployment of software, infrastructure, or services within an organization’s physical location.
- Onboarding/Offboarding: The processes for integrating new employees into the organization and removing departing employees.
- Online Certificate Status Protocol (OCSP): A protocol for checking the validity of a digital certificate.
- Open Authorization (OAuth): An open standard for secure authentication and authorization.
- Open public ledger: A publicly accessible and transparent record of all transactions on a blockchain.
- Open Service Ports: Ports that may expose services to external threats.
- Operational (Controls): Security controls that maintain the security and integrity of system facilities, data centers, and equipment.
- Operating System (OS)-based (Vulnerabilities): Vulnerabilities inherent in the design or implementation of an operating system.
- Organized crime: Criminal groups engaged in cyber activities for financial gain.
- Open-Source Intelligence (OSINT): Involves collecting and analyzing information from publicly available sources to gather intelligence.
- Ownership: Designates individuals or groups responsible for specific processes, systems, or assets.
P
- Packet Captures: Captured data packets containing information about network communications.
- Package Monitoring: Involves tracking and analyzing the security of software packages and dependencies.
- Parallel Processing (Testing): Involves running simultaneous tasks to assess a system’s ability to handle multiple operations.
- Password (Concepts): Best practices related to length, complexity, reuse, expiration, and age.
- Password Managers: Tools that securely store and manage passwords.
- Password Vaulting: Securely storing and managing privileged account credentials.
- Passwordless: Authentication that eliminates the need for traditional passwords.
- Patching: Regularly applying updates and patches to software and systems to fix vulnerabilities.
- Penetration Testing: Simulating cyberattacks on systems to identify vulnerabilities.
- Permissions: Specify what actions users or system processes are allowed to perform on a resource.
- Phishing: Deceiving individuals into revealing sensitive information through fraudulent emails or websites.
- Philosophical/political beliefs (Motivation): Acting in alignment with personal or group beliefs.
- Physical (Controls): Tangible security controls used to prevent or detect unauthorized access to physical areas.
- Physical Isolation: Physically separating networks or components to enhance security.
- Platform Diversity: The use of different hardware, software, or operating systems to reduce single points of failure.
- Playbooks: Step-by-step guides outlining actions to be taken in response to specific incidents.
- Policy Administrator: Manages and configures security policies in a Zero Trust model.
- Policy Engine: Enforces security policies in a Zero Trust model.
- Policy Enforcement Point: The location where security policies are enforced in a Zero Trust model.
- Policy-driven access control: Enforcing access policies based on defined rules.
- Port Security (802.1X): A port-based authentication protocol for network access.
- Pretexting: Creating a fabricated scenario to manipulate individuals into disclosing information.
- Preventive (Controls): Controls that aim to block any unauthorized attempts to change a system before they happen.
- Prioritize (Vulnerabilities): Assessing and ranking identified vulnerabilities based on severity and impact.
- Private (Data): Information intended for a limited audience and not publicly disclosed.
- Private key: A secret key known only to the owner, used for decryption and creating digital signatures.
- Privilege Escalation: Exploiting vulnerabilities to gain higher levels of access or privileges.
- Privileged Access Management Tools: Tools for managing accounts with elevated permissions, using techniques like JIT permissions and password vaulting.
- Probability: The likelihood of a specific risk event occurring.
- Proxy Server: An intermediary between clients and servers, forwarding requests and responses.
- Public (Data): Information meant for unrestricted access that can be freely shared.
- Public key: A cryptographic key shared openly, used for encryption and verification.
- Public Key Infrastructure (PKI): A system for creating, managing, distributing, using, storing, and revoking digital certificates.
Q
- Qualitative (Risk Analysis): Subjective evaluation of risks based on factors such as severity, likelihood, and impact.
- Quantitative (Risk Analysis): Objective assessment involving numerical values, often expressed in monetary terms.
- Quarantine: Isolating or restricting access to a system or network segment that may be compromised.
- Questionnaires (Vendor): Surveys or forms used to gather information from vendors about their practices.
R
- Race Conditions: Occur when the behavior of software depends on the timing of events, leading to unpredictable outcomes.
- Radio Frequency Identification (RFID) Cloning: Copying information stored on an RFID card to create a duplicate.
- Ransomware: Malicious software designed to block access to a system or files until a ransom is paid.
- Real-Time Operating System (RTOS): An operating system designed to meet the requirements of real-time systems.
- Recovery: The process of restoring affected systems and services to normal operation.
- Recovery Point Objective (RPO): The acceptable data loss measured in time before a disruption.
- Recovery Time Objective (RTO): The targeted duration for restoring operations after a disruption.
- Recurring (Risk Assessment): Regularly scheduled risk assessments to continually evaluate and manage risks.
- Regulated (Data): Information subject to specific legal regulations and compliance requirements.
- Remote Access: The ability for users to connect to a network or system from a remote location.
- Removal of Unnecessary Software: Eliminating unneeded applications and services to reduce the attack surface.
- Replay (Attack): The unauthorized repetition or retransmission of legitimate data.
- Replication: Creating and maintaining duplicate copies of data or systems in real-time.
- Reporting (Vulnerability Management): Communicating findings, analysis, and remediation status of vulnerabilities.
- Reporting (Digital Forensics): Generating detailed reports documenting the findings of an investigation.
- Rescanning: Conducting additional vulnerability scans after applying remediation measures.
- Resilience: The ability of a system to recover quickly from disruptions.
- Resource Reuse (Vulnerability): The improper allocation or sharing of resources within a virtualized environment.
- Resources/funding (Threat Actor): The tools, personnel, infrastructure, and financial support available to a threat actor.
- Responsibility Matrix (Cloud): A document outlining the division of responsibilities between a cloud service provider and its customers.
- Responsible Disclosure Program: A program for reporting security vulnerabilities to an organization.
- Restricted (Data): Data subject to limitations on access, sharing, or distribution.
- Restricted activities: Actions that are limited or prohibited to prevent security risks.
- Revenge (Motivation): Seeking retaliation against individuals or organizations.
- Right to Be Forgotten: Granting individuals the right to request the deletion of their personal data.
- Right-to-Audit Clause: A contractual provision granting a customer the right to assess and audit a vendor.
- Risk Appetite: The amount and type of risk that an organization is willing to pursue or retain.
- Risk Register: A document used to record information about identified risks.
- Risk Tolerance: The level of acceptable risk that an organization is willing to take.
- Risk Transference: Shifting the burden of potential risks and liabilities to a third party.
- Role-Based (Access Controls): Assign permissions based on a user’s role or job function.
- Root of trust: A foundational element in a security system that is inherently trusted.
- Rootkit: Malicious software designed to conceal the existence of certain processes or programs.
- Rule-Based (Access Controls): Use predefined rules or conditions to determine access permissions.
- Rules of Engagement: Guidelines defining the scope and rules for interactions with a vendor, particularly in testing.
S
- Salting: Adding a random value (salt) to data before hashing to enhance security.
- Sandboxing: Isolating applications or processes from the rest of the system.
- Sanitization: The process of securely erasing or removing data from a storage device.
- Scalability: The ability of a system to handle an increasing amount of load or demand.
- Scanning: Systematically examining systems, networks, or applications for vulnerabilities.
- SELinux (Security-Enhanced Linux): A security framework for Linux systems that implements mandatory access controls.
- Secure enclave: A secure and isolated area in a system’s hardware or software for protecting sensitive data.
- Secure Access Service Edge (SASE): An integrated security framework combining network security with WAN capabilities.
- Security Assertion Markup Language (SAML): An XML-based standard for exchanging authentication and authorization data.
- Security Content Automation Protocol (SCAP): A set of standards that standardize the format of security-related information.
- Security guard: Human personnel providing security.
- Security Information and Event Management (SIEM): A solution that provides real-time analysis of security alerts.
- Security Keys: Physical devices used for authentication.
- Security Zones: Involve segregating network resources and assets based on security requirements.
- Segmentation: Dividing a network into smaller, isolated segments to contain the impact of a security breach.
- Self-signed (Certificate): A certificate that is signed by its own creator.
- Sender Policy Framework (SPF): An email authentication protocol that helps prevent email spoofing.
- Sensitive (Data): Information that, if disclosed, could result in harm.
- Sensors (Network): Devices that collect data from the environment, such as network traffic.
- Sensors (Physical): Devices that detect physical phenomena, such as infrared, pressure, microwave, or ultrasonic waves.
- Serverless: A cloud computing model where the cloud provider manages the infrastructure.
- Service disruption: Disrupting the availability or functionality of services.
- Service restart: Restarting a service to apply changes or address issues.
- Service-Level Agreement (SLA): Defines the expected level of service, performance metrics, and responsibilities.
- Shadow IT: Unauthorized or unapproved use of IT systems and applications within an organization.
- Side Loading: Installing applications from unofficial sources rather than official app stores.
- Signatures (IDS/IPS): Predefined patterns or characteristics of known malicious activities.
- Simple Network Management Protocol (SNMP) Traps: Notifications sent by network devices to a central management system.
- Simulation (Testing): Recreates real-world scenarios to evaluate system performance and response.
- Single Loss Expectancy (SLE): The potential monetary loss associated with a single occurrence of a specific risk.
- Single Sign-On (SSO): Allows users to log in with a single ID and password to any of several related, yet independent, software systems.
- Site Surveys: Assessing a physical location to determine optimal placement and configuration of wireless devices.
- Smishing: Using SMS or text messages to trick individuals into divulging sensitive information.
- Snapshots: Point-in-time copies of data that capture the state of a system.
- Software Development Lifecycle (SDLC): Governs the development process, emphasizing security considerations.
- Software-Defined Networking (SDN): An approach to networking that uses software-based controllers to direct traffic.
- Software-Defined Wide Area Network (SD-WAN): An approach to designing and deploying WANs using software-defined networking.
- Sophistication/capability (Threat Actor): The technical expertise and advanced methods employed by a threat actor.
- Spraying (Password Attack): Attempting to gain access by trying a small set of common passwords across multiple accounts.
- Spyware: Malicious software that secretly monitors and collects user information.
- Structured Query Language Injection (SQLi): Involves inserting malicious SQL code into input fields to manipulate a database.
- Stakeholders: Individuals or groups with an interest or concern in the security and functioning of a system.
- Standard operating procedure: A documented set of step-by-step instructions to perform routine tasks.
- Static Analysis: Examining the source code or binary of an application without executing it.
- Static Code Analysis: Analyzing source code for security vulnerabilities without executing the program.
- Steganography: Concealing information within other non-secret data.
- Supply Chain (Threat Vector): Vulnerabilities introduced through managed service providers, vendors, or suppliers.
- Symmetric (Encryption): Encryption using a single key for both encryption and decryption.
T
- Tabletop Exercises: Discussion-based simulations where key personnel discuss their roles and responses to scenarios.
- Technical (Controls): Security controls primarily implemented and executed by the information system through hardware, software, or firmware.
- Test results: Outcomes and findings from testing activities, such as security assessments.
- Third-party (Certificate): Certificates issued by a trusted third-party certificate authority.
- Threat Feed: A stream of data that provides information on potential cybersecurity threats.
- Threat Hunting: Proactively searching for signs of malicious activity within the network.
- Threat scope reduction: Minimizing the potential impact of security breaches by reducing the attack surface.
- Time-of-Day Restrictions: Limit access to resources based on specific time periods.
- Tokenization: Replacing sensitive data with a non-sensitive equivalent (token).
- Transfer (Risk): Shifting the impact or responsibility of a risk to another party.
- Transport Layer Security (TLS): A protocol that ensures privacy between communicating applications and users on the internet.
- Trojan: Malware that disguises itself as a legitimate file or program.
- Trusted Platform Module (TPM): A hardware module that provides secure storage of cryptographic keys.
- Typosquatting: Registering domain names with slight misspellings to deceive users.
U
- Unified Threat Management (UTM): A comprehensive security solution that integrates multiple security features into a single platform.
- Uninterruptible Power Supply (UPS): A device that provides short-term battery power backup during electrical outages.
- Uniform Resource Locator (URL) Scanning: Inspecting and categorizing web addresses to control access.
- Unskilled attacker: Individuals with limited technical knowledge or skills.
- Unsupported Systems and Applications: Systems and applications that no longer receive updates or patches.
- Updating diagrams: Keeping visual representations of systems, processes, or networks current.
- Updating policies/procedures: Modifying documented guidelines or instructions related to security practices.
- User Behavior Analytics (UBA): Analyzing patterns of user behavior to detect anomalies that may indicate threats.
V
- Version control: Managing and tracking changes to documents, code, or configurations.
- Video surveillance: Using cameras to monitor and record activities.
- Virtual Machine (VM) Escape: Occurs when an attacker breaks out of a virtual machine to compromise the underlying hypervisor.
- Virtual Private Network (VPN): Creates a secure, encrypted connection over a less secure network.
- Virtualization: Creating a virtual version of a computing resource, such as a server, operating system, or network.
- Virus: A type of malware that attaches itself to legitimate programs and spreads by replicating when the program is executed.
- Vishing: Exploiting voice communication channels to deceive individuals into providing sensitive information.
- Vulnerability Scan: A systematic process of scanning systems, networks, or applications for security vulnerabilities.
- Vulnerability Scanners: Tools that systematically examine systems for security vulnerabilities.
W
- War (Motivation): Engaging in cyber warfare for geopolitical or military objectives.
- Warm (Site): A compromise between hot and cold sites, with some infrastructure in place.
- Watering Hole (Attack): Attackers compromise websites frequented by their victims to distribute malware.
- Web Application Firewall (WAF): A firewall specifically designed to protect web applications.
- Web Filter: A tool that restricts the websites a user can visit on their computer.
- Wi-Fi Protected Access 3 (WPA3): The latest security protocol for Wi-Fi networks.
- Wildcard (Certificate): A type of certificate that can be used for multiple subdomains of a domain.
- Work Order (WO)/Statement of Work (SOW): Details the specific tasks, deliverables, and timeline for a project.
- Worm: A self-replicating type of malware that spreads across networks, often without user interaction.
Z
- Zero-day (Vulnerability): Flaws in software or hardware that are unknown to the vendor.
- Zero Trust: A security model that assumes no trust, even within the internal network, and requires verification for all users and devices.