CyberSecurity
SecurityPlus
| Question | Answer |
|---|---|
| Cross-site scripting (XSS) | An attack where malicious scripts are injected into web pages through unsanitized inputs — prevented by input validation plus encoding output before it is placed in HTML |
| Input validation | A security technique that checks and sanitizes user-submitted data before processing — the standard answer for XSS and injection flaws; output encoding is the complementary control |
| SQL injection | An attack where malicious SQL code is inserted into a query field to manipulate or expose a database — a software vulnerability |
| Buffer overflow | When a program writes more data to a buffer than it can hold, overwriting adjacent memory — can allow attackers to run arbitrary code |
| Firmware vulnerability | A weakness in low-level software embedded in hardware like BIOS or routers — a BIOS update patch addresses this type |
| Jailbreaking | Modifying a mobile device OS to remove manufacturer restrictions — bypasses built-in security controls and allows unauthorized apps |
| Side loading | Installing apps on a mobile device from outside the official app store — often bypasses security vetting |
| VM escape | An attack where a process inside a virtual machine breaks out to interact with the hypervisor or other VMs |
| Penetration testing | A simulated, authorized cyberattack on a system to find exploitable vulnerabilities — more targeted and hands-on than a vulnerability scan |
| Bug bounty | A program where a company invites external researchers to find and report vulnerabilities in exchange for compensation |
| Red team | A group that plays the adversary role — conducts offensive security assessments including pentesting and social engineering |
| Vulnerability assessment | A systematic process of identifying and cataloging security weaknesses — after remediating findings, always rescan to verify fixes |
| Root cause analysis (RCA) | Identifying the underlying reason an incident occurred — purpose is to prevent future incidents of the same nature |
| CVE (Common Vulnerabilities and Exposures) | A standardized list of publicly known cybersecurity vulnerabilities with unique identifiers — identifies vulnerabilities but does not score them |
| CVSS (Common Vulnerability Scoring System) | A framework for quantitatively measuring vulnerability severity on a scale of 0–10 — used to prioritize patching |
| False positive | A vulnerability scanner result that flags something as a vulnerability when it actually is not — a scanner error |
| hping | A command-line tool used to craft and send custom TCP/IP packets — used for firewall testing and security assessments |
| Incident response (IR) phases | In order: Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons Learned |
| IoC (Indicator of Compromise) | Artifacts or evidence (IP addresses, file hashes) that suggest a system has been breached — gathered during the Analysis phase |
| Analysis (IR phase) | The phase where the team investigates the scope and source of an incident — understanding where it originated |
| Containment (IR phase) | The phase where affected systems are isolated to prevent further spread — happens before eradication |
| Segmentation | Dividing a network into separate zones to limit attack spread — used for legacy servers running critical apps |
| Hardening | Reducing a system's attack surface by disabling unnecessary services and configuring security settings — disable web-based admin on routers |
| ARP poisoning | An attack associating the attacker's MAC with a legitimate IP — enables traffic interception on the local network |
| DNS poisoning | Corrupting a DNS cache so domain names resolve to malicious IPs — redirects users to attacker-controlled sites |
| IaaS (Infrastructure as a Service) | Cloud model where the provider manages hardware — the customer is responsible for OS, applications, and data including database security |
| PaaS (Platform as a Service) | Cloud model where provider manages hardware and OS/platform — vendor patches firmware, OS, and runtime; you patch your app |
| SaaS (Software as a Service) | Cloud model where provider manages everything — vendor patches hardware, OS, and application; customer manages data only |
| Shared responsibility model | Framework defining which security tasks belong to the cloud provider vs. customer — varies by IaaS, PaaS, or SaaS model |
| Serverless architecture | Cloud model where provider manages server allocation dynamically — low-cost, cloud-based app hosting with no infrastructure management |
| Containers | Lightweight, portable application packaging — ideal for constantly changing environments; reduce OS patch burden by sharing the host OS |
| Virtualization | Creating virtual instances of hardware — allows multiple VMs on one physical server to reduce hardware costs |
| VDI (Virtual Desktop Infrastructure) | Hosts desktop environments on central servers — keeps data on company servers while allowing remote access, even by offshore teams |
| Infrastructure as Code (IaC) | Managing cloud infrastructure through configuration files — enables fast, consistent, and easy cloud resource deployments |
| Load balancer | Distributes incoming traffic across multiple servers — improves performance and availability for multi-server applications |
| Version control | A system that tracks code changes over time — used to track modifications to infrastructure code or application source |
| MDM (Mobile Device Management) | Software platform for remotely managing and securing mobile devices — can enforce policies, lock, or wipe devices |
| Remote wipe | An MDM feature that erases all data on a lost or stolen device remotely — prevents malicious use after loss |
| Screen lock | An MDM-enforced PIN or password requirement before device use — prevents unauthorized access to a lost device |
| FDE (Full Device Encryption) | Encrypts all data on a device so it is unreadable without the key — best protection if remote wipe is not possible |
| Business Email Compromise (BEC) | An attack where criminals impersonate executives via email — classic sign is a spoofed display name with gift card or wire transfer requests |
| Phishing | A social engineering attack using deceptive emails or links to steal credentials or install malware — fake login page is the key indicator |
| VPN (Virtual Private Network) | Encrypts network traffic between a remote user and the corporate network — standard solution for secure remote access without interception |
| RPO (Recovery Point Objective) | The maximum acceptable amount of data loss measured in time — shorter RPO requires more frequent backups |
| RTO (Recovery Time Objective) | The maximum acceptable time to restore a system after a disruption — shorter RTO requires faster recovery infrastructure |
| Differential backup | Backs up all data changed since the last full backup — faster to restore than incremental; good for ransomware recovery with cloud storage |
| IPSec (Internet Protocol Security) | A protocol suite that encrypts and authenticates IP traffic — best choice for securing communications within a private cloud or between networks |
| SHA-1 | A hashing algorithm — produces a fixed-length hash but is now considered weak and outdated; do not confuse with encryption |
| RSA | An asymmetric encryption algorithm using public/private key pairs — used for key exchange and digital signatures, not bulk data encryption |
| TGT (Ticket Granting Ticket) | A Kerberos authentication token issued after login — used to request access to services without re-entering credentials |
| Time-based access control | A security control that restricts access based on time of day or schedule — example: allowing file copy only during working hours |
| Role-based access control (RBAC) | A model that grants permissions based on a user's assigned role in the organization — not time-dependent |
| Digital rights management (DRM) | Technology that controls how digital content is used, copied, or distributed — enforces usage policies on files |
| TPM (Trusted Platform Module) | A hardware chip on a motherboard that stores cryptographic keys — works with FDE to protect data at rest |
| ECC (Elliptic Curve Cryptography) | A public key cryptography method using elliptic curves — preferred when computing resources are limited; same security as RSA with smaller keys |
| HSM (Hardware Security Module) | A physical device that manages and protects cryptographic keys — more secure than software key storage |
| Misconfiguration vulnerability | A security weakness caused by incorrect settings or improper setup — among the most common vulnerability types overall |
| Insecure key storage | A vulnerability where cryptographic keys are stored improperly — makes encryption useless if an attacker finds the key |
| Weak cipher suite | A vulnerability where outdated or broken encryption algorithms are used — example: using MD5 or DES instead of AES |
| SSH tunneling | Wrapping unencrypted traffic inside an encrypted SSH connection — compensating control when a legacy system cannot be patched |
| Tokenization | Replacing sensitive data with a non-sensitive placeholder token — protects data in transit or storage without encrypting it |
| Data masking | Obscuring specific data within a database so unauthorized users cannot read it — protects data while keeping it usable |
| Symmetric encryption | Encryption using the same key for both encrypting and decrypting — faster than asymmetric; used for bulk data encryption |
| Asymmetric encryption | Encryption using a public key to encrypt and a private key to decrypt — used for key exchange and digital signatures |
| Hashing | A one-way function that converts data into a fixed-length value — used to verify integrity, not to encrypt; cannot be reversed |
| Digital signature | A cryptographic mechanism using a private key to sign data — proves authenticity and supports non-repudiation |
| Steganography | The practice of hiding data inside another file such as an image or audio file — concealment not encryption |
| Non-repudiation | The assurance that someone cannot deny having sent a message — achieved through digital signatures |
| Salting | Adding a random value to a password before hashing — prevents rainbow table attacks by making identical passwords hash differently |
| Rainbow table attack | A precomputed table of password hashes used to crack passwords — defeated by salting |
| 3DES | Triple Data Encryption Standard — a legacy symmetric block cipher that applies DES three times; deprecated in favor of AES. It is a cipher, not a hash, so it plays no role in verifying file integrity (that is done by comparing a published SHA-256 or similar digest) |
| Homomorphic encryption | Allows computation on encrypted data without decrypting it — used when a cloud provider must not be able to read the data |
| Rootkit | Malware that hides deep in a system and modifies core files like cmd.exe — changing a system file hash with no patches applied suggests rootkit |
| Cryptojacking | Malware that secretly uses a victim's CPU to mine cryptocurrency — shows up as unexplained CPU load and slowdown rather than login anomalies; can spread through infected shared files |
| Pass-the-hash attack | An attack where a stolen password hash (typically NTLM) is replayed to authenticate without knowing the plaintext password — unique local administrator passwords on every host, so no two hosts share a hash, limit lateral movement |
| Code signing | Using a private key to digitally sign software — ensures the code has not been tampered with and verifies the developer's identity |
| Chain of custody | Documentation tracking who handled evidence and when — ensures evidence integrity and admissibility in legal proceedings |
| Legal hold | A directive to preserve all data relevant to anticipated litigation — prevents deletion of potentially important evidence |
| Order of volatility | The sequence for collecting forensic evidence from most to least volatile — CPU registers and cache, then RAM, then swap/page files, then hard drive, then archive media |
| E-discovery | The process of identifying and collecting electronic data for legal proceedings — often precedes formal forensic analysis |
| Tabletop exercise | A discussion-based simulation of an incident scenario — used to test and validate incident response plans without real systems |
| Disaster recovery plan (DRP) | A document detailing how to restore critical systems and infrastructure after a major outage — includes system restoration order |
| SIEM (Security Information and Event Management) | A platform that aggregates and analyzes log data from across the environment to detect anomalies and generate alerts |
| WAF (Web Application Firewall) | A firewall specifically designed to filter HTTP traffic and protect web applications — blocks SQL injection and XSS attempts |
| ARO (Annualized Rate of Occurrence) | The estimated frequency that a specific threat will occur within a year — used in risk analysis to calculate ALE |
| MTBF (Mean Time Between Failures) | The average time a system operates before failing — used to assess reliability and inform insurance or continuity decisions |
| Geographic dispersion | Distributing systems or data centers across different physical locations — protects against weather events or regional disasters |
| High availability | A design principle ensuring systems remain operational with minimal downtime — requires ease of recovery and responsiveness |
| CRL (Certificate Revocation List) | A list of digital certificates that have been revoked before their expiration date — must be updated when a private key is stolen |
| OCSP (Online Certificate Status Protocol) | A real-time protocol for checking whether a specific certificate has been revoked — faster alternative to checking a CRL |
| Root certificate | The top-level certificate in a trust chain — if not installed, SSL certificates will show as untrusted |
| Self-signed certificate | A certificate signed by its own private key rather than a trusted CA — not trusted by browsers or systems by default |
| Wildcard certificate | A certificate that secures a domain and all its subdomains — example: *.example.com covers mail.example.com and app.example.com |
| ACL | Access Control List — firewall/router rules that permit or deny traffic based on source IP, destination IP, and port |
| ARO | Annualized Rate of Occurrence — how many times a threat is expected to happen per year; used in risk calculations |
| ARP | Address Resolution Protocol — maps IP addresses to MAC addresses on a local network; can be poisoned by attackers to intercept traffic |
| BEC | Business Email Compromise — attacker spoofs an executive's display name to request gift cards or wire transfers; no malicious link involved |
| CIA | Confidentiality, Integrity, Availability — the three core pillars of information security; NOT a scoring system |
| CRL | Certificate Revocation List — a published list of digital certificates that have been revoked; must be updated when a private key is stolen |
| CVE | Common Vulnerabilities and Exposures — a standardized list that names and IDs known vulnerabilities; does NOT score severity |
| CVSS | Common Vulnerability Scoring System — scores vulnerabilities from 0 to 10 based on severity; used to prioritize patching |
| DLP | Data Loss Prevention — tools that detect and block unauthorized data transfers out of the organization |
| DRM | Digital Rights Management — technology controlling how digital content is used, copied, or distributed |
| DRP | Disaster Recovery Plan — document detailing the order to bring critical systems back online after a major outage |
| ECC | Elliptic Curve Cryptography — asymmetric encryption using elliptic curves; preferred when computing resources are limited; smaller keys same security as RSA |
| EDR | Endpoint Detection and Response — detects and responds to malware threats on individual endpoints; NOT for lost device management |
| FDE | Full Device Encryption — encrypts everything on a device so it is unreadable without the key; protects data if device is lost or stolen |
| FIM | File Integrity Monitoring — monitors files for unauthorized changes; server-side tool; NOT for mobile app management |
| HSM | Hardware Security Module — a physical device that manages and protects cryptographic keys; more secure than software key storage |
| IaC | Infrastructure as Code — deploying cloud resources through config files like Terraform; enables fast consistent deployments |
| IaaS | Infrastructure as a Service — cloud model where provider manages hardware only; YOU manage OS, apps, and database security |
| IDS | Intrusion Detection System — monitors network traffic and alerts on suspicious activity; detects but does not block |
| MTTR | Mean Time to Repair — average time to fix a system after failure; used alongside RTO to measure recovery speed |
| IoC | Indicator of Compromise — evidence that a breach occurred such as unusual IP addresses or changed file hashes; gathered during Analysis phase |
| IPSec | Internet Protocol Security — encrypts and authenticates IP traffic at the network layer; best for securing private cloud communications |
| MDM | Mobile Device Management — platform for remotely managing mobile devices; enables remote wipe, screen lock, app allowlists |
| MTBF | Mean Time Between Failures — average operating time before a system fails; used to assess reliability for insurance decisions |
| NGFW | Next-Generation Firewall — advanced firewall with deep packet inspection; filters traffic at the network perimeter |
| OCSP | Online Certificate Status Protocol — real-time check of whether a specific certificate has been revoked; faster than downloading a full CRL |
| PaaS | Platform as a Service — cloud model where vendor manages hardware and OS/runtime; YOU patch your application |
| RCA | Root Cause Analysis — identifies the underlying WHY of an incident; happens during Lessons Learned; purpose is to prevent recurrence |
| RBAC | Role-Based Access Control — grants permissions based on a user's assigned role; not time-dependent |
| RPO | Recovery Point Objective — maximum acceptable data loss measured in time; shorter RPO requires more frequent backups |
| RSA | Asymmetric encryption algorithm using public/private key pairs — used for key exchange and digital signatures; NOT for bulk data encryption |
| RTO | Recovery Time Objective — maximum acceptable time to restore a system after disruption; shorter RTO requires faster infrastructure |
| SaaS | Software as a Service — cloud model where vendor manages EVERYTHING including the app; you only manage data and user access |
| SCADA | Supervisory Control and Data Acquisition — industrial control system for power grids and utilities; designed to be STABLE, never constantly changing |
| SIEM | Security Information and Event Management — aggregates and analyzes logs across the environment to detect anomalies and generate alerts |
| SHA-1 | Secure Hash Algorithm 1 — a hashing algorithm that produces a fixed-length hash; now considered weak and outdated; NOT encryption |
| SOAR | Security Orchestration Automation and Response — automates incident response workflows; NOT a vulnerability scoring tool |
| SSH | Secure Shell — encrypted protocol for remote system access; SSH tunneling wraps unencrypted traffic inside it as a compensating control |
| TGT | Ticket Granting Ticket — a Kerberos token issued after login; used to request service access without re-entering credentials |
| TPM | Trusted Platform Module — hardware chip on a motherboard that stores cryptographic keys; works with FDE to protect data at rest |
| VDI | Virtual Desktop Infrastructure — hosts desktops on company servers; the user's endpoint only receives screen output, so the data stays on company hardware |
| VPC | Virtual Private Cloud — a cloud networking construct for isolating cloud resources; NOT a remote access solution |
| VPN | Virtual Private Network — encrypts traffic between remote user and corporate network; standard answer for secure remote access without interception |
| WAF | Web Application Firewall — filters HTTP traffic to protect web apps; blocks SQL injection and XSS attempts |
| XSS | Cross-Site Scripting — malicious scripts injected into web pages through unsanitized inputs; prevented by input validation |
| Differential backup | Backs up all data changed since the last full backup — faster to restore than incremental; good for ransomware recovery with cloud storage |
| IPSec (Internet Protocol Security) | A protocol suite that encrypts and authenticates IP traffic — best choice for securing communications within a private cloud or between networks |
| SHA-1 | A hashing algorithm — produces a fixed-length hash but is now considered weak and outdated; do not confuse with encryption |
| RSA | An asymmetric encryption algorithm using public/private key pairs — used for key exchange and digital signatures, not bulk data encryption |
| TGT (Ticket Granting Ticket) | A Kerberos authentication token issued after login — used to request access to services without re-entering credentials |
| Time-based access control | A security control that restricts access based on time of day or schedule — example: allowing file copy only during working hours |
| Role-based access control (RBAC) | A model that grants permissions based on a user's assigned role in the organization — not time-dependent |
| Digital rights management (DRM) | Technology that controls how digital content is used, copied, or distributed — enforces usage policies on files |
| TPM (Trusted Platform Module) | A hardware chip on a motherboard that stores cryptographic keys — works with FDE to protect data at rest |
| ECC (Elliptic Curve Cryptography) | A public key cryptography method using elliptic curves — preferred when computing resources are limited; same security as RSA with smaller keys |
| HSM (Hardware Security Module) | A physical device that manages and protects cryptographic keys — more secure than software key storage |
| Misconfiguration vulnerability | A security weakness caused by incorrect settings or improper setup — most common vulnerability type overall |
| Insecure key storage | A vulnerability where cryptographic keys are stored improperly — makes encryption useless if an attacker finds the key |
| Weak cipher suite | A vulnerability where outdated or broken encryption algorithms are used — example: using MD5 or DES instead of AES |
| SSH tunneling | Wrapping unencrypted traffic inside an encrypted SSH connection — compensating control when a legacy system cannot be patched |
| Tokenization | Replacing sensitive data with a non-sensitive placeholder token — protects data in transit or storage without encrypting it |
| Data masking | Obscuring specific data within a database so unauthorized users cannot read it — protects data while keeping it usable |
| Symmetric encryption | Encryption using the same key for both encrypting and decrypting — faster than asymmetric; used for bulk data encryption |
| Asymmetric encryption | Encryption using a public key to encrypt and a private key to decrypt — used for key exchange and digital signatures |
| Hashing | A one-way function that converts data into a fixed-length value — used to verify integrity, not to encrypt; cannot be reversed |
| Digital signature | A cryptographic mechanism using a private key to sign data — proves authenticity and supports non-repudiation |
| Steganography | The practice of hiding data inside another file such as an image or audio file — concealment not encryption |
| Non-repudiation | The assurance that someone cannot deny having sent a message — achieved through digital signatures |
| Salting | Adding a random value to a password before hashing — prevents rainbow table attacks by making identical passwords hash differently |
| Rainbow table attack | A precomputed table of password hashes used to crack passwords — defeated by salting |
| 3DES | Triple Data Encryption Standard — applies DES encryption three times; used to verify file integrity via hash comparison on vendor sites |
| Homomorphic encryption | Allows computation on encrypted data without decrypting it — used when a cloud provider must not be able to read the data |
| Rootkit | Malware that hides deep in a system and modifies core files like cmd.exe — changing a system file hash with no patches applied suggests rootkit |
| Cryptojacking | Malware that secretly uses a victim's CPU to mine cryptocurrency — no degraded login activity but shared files spread infection |
| Pass-the-hash attack | An attack where a stolen password hash is used to authenticate without knowing the plaintext password — using unique hashes per host prevents this |
| Code signing | Using a private key to digitally sign software — ensures the code has not been tampered with and verifies the developer's identity |
| Chain of custody | Documentation tracking who handled evidence and when — ensures evidence integrity and admissibility in legal proceedings |
| Legal hold | A directive to preserve all data relevant to anticipated litigation — prevents deletion of potentially important evidence |
| Order of volatility | The sequence for collecting forensic evidence from most to least volatile — RAM first, then swap files, then hard drive, then archive data |
| E-discovery | The process of identifying and collecting electronic data for legal proceedings — often precedes formal forensic analysis |
| Tabletop exercise | A discussion-based simulation of an incident scenario — used to test and validate incident response plans without real systems |
| Disaster recovery plan (DRP) | A document detailing how to restore critical systems and infrastructure after a major outage — includes system restoration order |
| SIEM (Security Information and Event Management) | A platform that aggregates and analyzes log data from across the environment to detect anomalies and generate alerts |
| WAF (Web Application Firewall) | A firewall specifically designed to filter HTTP traffic and protect web applications — blocks SQL injection and XSS attempts |
| ARO (Annualized Rate of Occurrence) | The estimated number of times a specific threat is expected to occur in a year — used in quantitative risk analysis to calculate ALE (ALE = SLE × ARO) |
| MTBF (Mean Time Between Failures) | The average time a system operates before failing — used to assess reliability and inform insurance or continuity decisions |
| Geographic dispersion | Distributing systems or data centers across different physical locations — protects against weather events or regional disasters |
| High availability | A design principle ensuring systems remain operational with minimal downtime — requires ease of recovery and responsiveness |
| CRL (Certificate Revocation List) | A list of digital certificates that have been revoked before their expiration date — must be updated when a private key is stolen |
| OCSP (Online Certificate Status Protocol) | A real-time protocol for checking whether a specific certificate has been revoked — faster alternative to checking a CRL |
| Root certificate | The self-signed certificate at the top of a trust chain, shipped in the OS or browser trust store — if the root (or an intermediate that chains to it) is not installed, TLS certificates issued under it are shown as untrusted |
| Self-signed certificate | A certificate signed by its own private key rather than a trusted CA — not trusted by browsers or systems by default |
| Wildcard certificate | A certificate that secures one level of subdomains under a domain — example: *.example.com covers mail.example.com and app.example.com, but not example.com itself or a deeper name such as a.mail.example.com |
| MTTR (Mean Time to Repair) | The average time it takes to fix a system after a failure — used alongside RTO to measure recovery capability; a shorter MTTR means faster repairs |
| ARO (Annualized Rate of Occurrence) | The estimated number of times a specific threat occurs per year — used to calculate risk; a company that drops its ransomware insurance coverage has, in effect, assessed the ransomware ARO (and therefore the ALE) as low enough to accept the risk |
| Due diligence | Researching and understanding the laws, regulations, and contractual obligations that apply to your security operations in a specific industry — the practice of knowing your compliance obligations (acting on that knowledge is due care) |
| Compliance reporting | Documenting and reporting on how well an organization meets regulatory requirements — different from due diligence which is the research process itself |
| Attestation | A formal declaration confirming that security controls or compliance requirements have been met — often signed by an auditor or executive |
| Preparation (IR phase) | The FIRST phase of incident response — where roles, responsibilities, playbooks, and tools are set up BEFORE an incident occurs; tabletop exercises happen here |
| Lessons learned (IR phase) | The FINAL phase of incident response — conducted after recovery to review what happened, what worked, and how to prevent recurrence; root cause analysis happens here |
| Recovery (IR phase) | The phase where systems are restored to normal operation after eradication — comes before lessons learned, after eradication |
| Eradication (IR phase) | The phase where malware or attacker presence is fully removed from all affected systems — comes after containment, before recovery |
| SQL injection in logs | In log analysis, look for SQL keywords such as SELECT, INSERT, UNION, DROP, or VALUES, or for quote and comment characters (', --, often URL-encoded as %27 and %2D%2D), inside a URL query string — this indicates a live SQL injection attempt; check the database immediately for new or changed records and confirm whether the application builds its queries with parameters |
| ACL (Access Control List) | A set of rules on a firewall or router that permits or denies traffic based on source IP, destination IP, and port — deny rules block traffic; permit rules allow it |
| Firewall rule syntax | Generic exam format: access-list [direction] [action] [protocol] source [IP/mask] destination [IP/mask] — source is where traffic comes FROM, destination is where it goes TO; rules are evaluated top to bottom and the first match wins, with an implicit deny at the end. On Cisco IOS the direction is not part of the rule but is set when the list is applied to an interface with ip access-group in/out |
| Inbound firewall rule | A rule that filters traffic entering the network — to block a malicious attacker, put their IP as the SOURCE and use DENY action |
| 0.0.0.0/0 | Matches any IPv4 address, i.e. all traffic, in a firewall rule (Cisco writes it as any) — used as the destination when you want to block a source from reaching anywhere |
| /32 subnet mask | Refers to exactly one IPv4 address in firewall and routing rules (Cisco equivalent: host x.x.x.x or wildcard 0.0.0.0) — used to target a single host precisely; the neighbouring address is not included |
| Preparation phase — roles and responsibilities | Reviewing roles and responsibilities happens in the PREPARATION phase — not analysis or lessons learned; this is setup work done before an incident |
| Containment — FIRST action for malware | When malware is found on hosts, the FIRST step is containment — isolate the infected machines (network quarantine, disable the port or VLAN) to stop the spread before eradication, recovery, or detailed forensic analysis |
| Geographic dispersion | Spreading servers and data centers across multiple physical locations — the best protection against weather events or regional disasters causing total downtime |
| High availability — key factors | Two must-haves for high availability network design: ease of recovery (can systems come back fast?) and responsiveness (do systems respond under load?) — NOT patching ability or authentication |
| Order of volatility — correct sequence | RAM → Swap/page files → Hard drive → Archive data — always collect the most volatile first because RAM is lost the moment power is cut; RFC 3227 places CPU registers and caches before RAM, and network state such as ARP and routing tables before disk |
| Incident response order | Correct order: Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons Learned — Detection comes before Analysis, Containment comes after Analysis |
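The salting and rainbow table cards above describe why identical passwords must not produce identical hashes. The following is an added example, not part of the original study set: it hashes the same password with and without a salt, builds a precomputed digest-to-plaintext lookup (a plain dictionary standing in for a real rainbow table, which is a compressed hash-chain structure) and shows that the lookup cracks the unsalted hash but is useless against the salted record. The wordlist is constructed for the demo; PBKDF2-HMAC-SHA256 is used as the salted scheme.

```python
"""Salting demo: identical passwords, different stored hashes (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample wordlist: stands in for the input set of a rainbow table.
WORDLIST = ["password", "letmein", "Summer2024", "hunter2"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(words) -> Dict[str, str]:
    """Toy rainbow table: digest -> plaintext for every word in the list."""
    return {hash_unsalted(w): w for w in words}


def crack_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup recovers an unsalted password instantly."""
    return table.get(digest)


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    Stored as iterations$salt_hex$dk_hex so verification can recover both.
    The salt is random per record, so two users with the same password get
    different stored values and a shared precomputed table cannot be reused.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str, table: Dict[str, str]) -> Optional[str]:
    """The table is keyed on unsalted SHA-256 digests, so it never matches a
    salted record; the attacker would have to rebuild it for every salt."""
    _, _, dk_hex = stored.split("$")
    return table.get(dk_hex)


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("unsalted cracked:", crack_unsalted(hash_unsalted("password"), table))
    a, b = hash_salted("password"), hash_salted("password")
    print("salted records differ:", a != b)
    print("salted cracked:", crack_salted(a, table))
```

The per-record random salt is what defeats the precomputed table; the iteration count is a separate control that slows each guess and belongs with any real password store (bcrypt, scrypt or Argon2 are the usual choices in production).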
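The "SQL injection in logs" card above says to look for SQL keywords and quote characters in a URL query string. As an added example (not from the original study set), the script below runs that check over a handful of constructed Apache-style access log lines: it URL-decodes the query string, so encoded payloads such as %27 OR %271%27=%271 are caught, and it only inspects the query part of the URL, so a blog path that happens to contain the word "select" is not flagged. The log lines and the indicator names are invented for the demo.

```python
"""Flag probable SQL injection attempts in web access logs (added example)."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines in Apache common format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2024:10:01:07 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
10.0.0.9 - - [12/May/2024:10:01:11 +0000] "GET /products?id=1;DROP%20TABLE%20users-- HTTP/1.1" 500 120
10.0.0.9 - - [12/May/2024:10:01:15 +0000] "GET /search?q=SELECT+*+FROM+users HTTP/1.1" 200 77
10.0.0.7 - - [12/May/2024:10:02:00 +0000] "GET /blog/select-the-best-values HTTP/1.1" 200 4096
10.0.0.8 - - [12/May/2024:10:02:30 +0000] "POST /login HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Statement verbs from the card plus UNION, the keyword most used in exploitation.
SQL_KEYWORD_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|VALUES)\b", re.I)
# Classic tautology: ' OR '1'='1  (quote, OR, optionally quoted token, equals)
TAUTOLOGY_RE = re.compile(r"""['"]\s*OR\s+['"]?\w+['"]?\s*=""", re.I)
# SQL comment sequences used to discard the rest of the original query.
COMMENT_RE = re.compile(r"(--|#|/\*)")


def decoded_query(target: str) -> str:
    """Return the URL-decoded query string (decode twice to catch double encoding)."""
    query = urlsplit(target).query
    for _ in range(2):
        query = unquote_plus(query)
    return query


def indicators_for(query: str) -> List[str]:
    """List the injection indicators present in one decoded query string."""
    found = [f"sql-keyword:{m.upper()}" for m in
             sorted({k.upper() for k in SQL_KEYWORD_RE.findall(query)})]
    if TAUTOLOGY_RE.search(query):
        found.append("tautology")
    if COMMENT_RE.search(query):
        found.append("comment-sequence")
    return found


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per request whose query string shows injection indicators."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = decoded_query(m["target"])
        hits = indicators_for(query)
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]),
                             "query": query, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["query"], f["indicators"])
```

A 200 response with an unusually large body next to a tautology payload (the second sample line) is the combination that most deserves an immediate look at the database, which is the follow-up the card calls for.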
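The ACL, firewall rule syntax, inbound rule, 0.0.0.0/0 and /32 cards above describe how a packet is matched against a rule list. The following is an added example, not part of the original study set: a small evaluator for rules written in the card's generic format (access-list [direction] [action] [protocol] source destination), extended with an optional trailing destination port because the ACL card mentions ports. It implements first-match evaluation with an implicit deny, and the constructed rule set shows an attacker's /32 blocked to 0.0.0.0/0 while everyone else may still reach a web server. The rule set and addresses are invented for the demo; the syntax is the exam's generic one, not Cisco IOS.

```python
"""First-match ACL evaluation for the generic exam rule format (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule set. Rule 0 blocks one attacker host (/32) to any destination
# (0.0.0.0/0); rule 1 lets anyone reach the web server on 443; rule 2 allows SSH
# to it only from the internal /8. Anything unmatched hits the implicit deny.
RULES_TEXT = """\
access-list in deny tcp 203.0.113.45/32 0.0.0.0/0
access-list in permit tcp 0.0.0.0/0 10.0.0.10/32 443
access-list in permit tcp 10.0.0.0/8 10.0.0.10/32 22
"""


@dataclass
class Rule:
    direction: str                 # "in" or "out"
    action: str                    # "permit" or "deny"
    protocol: str                  # "tcp", "udp", "icmp" or "ip" (any)
    src: ipaddress.IPv4Network     # where the traffic comes FROM
    dst: ipaddress.IPv4Network     # where the traffic goes TO
    port: Optional[int]            # destination port; None means any (demo extension)


def parse_rule(text: str) -> Rule:
    """Parse 'access-list <dir> <action> <proto> <src/mask> <dst/mask> [port]'."""
    parts = text.split()
    if len(parts) not in (6, 7) or parts[0] != "access-list":
        raise ValueError(f"unrecognised rule: {text!r}")
    _, direction, action, proto, src, dst, *rest = parts
    if direction not in ("in", "out") or action not in ("permit", "deny"):
        raise ValueError(f"bad direction/action in rule: {text!r}")
    # strict=False accepts 10.0.0.0/8 style networks with host bits set.
    return Rule(direction, action, proto.lower(),
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
                int(rest[0]) if rest else None)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines()]


def matches(rule: Rule, direction: str, proto: str,
            src_ip: str, dst_ip: str, dst_port: Optional[int]) -> bool:
    """A rule matches only if every field it specifies agrees with the packet."""
    return (rule.direction == direction
            and rule.protocol in ("ip", proto.lower())
            and ipaddress.ip_address(src_ip) in rule.src
            and ipaddress.ip_address(dst_ip) in rule.dst
            and (rule.port is None or rule.port == dst_port))


def evaluate(rules: List[Rule], direction: str, proto: str, src_ip: str,
             dst_ip: str, dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins; returns (action, index of matching rule).

    No match returns ("deny", None): the implicit deny at the end of every ACL.
    """
    for i, rule in enumerate(rules):
        if matches(rule, direction, proto, src_ip, dst_ip, dst_port):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(RULES_TEXT)
    print(evaluate(acl, "in", "tcp", "203.0.113.45", "10.0.0.10", 443))  # attacker
    print(evaluate(acl, "in", "tcp", "198.51.100.7", "10.0.0.10", 443))  # web user
    print(evaluate(acl, "in", "tcp", "198.51.100.7", "10.0.0.10", 22))   # implicit deny
```

Rule order is the point worth noticing: if the permit for 0.0.0.0/0 to port 443 were listed first, the attacker's packet would match it before ever reaching the deny, which is why a targeted deny goes above the broad permit.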