cyber

Term: Definition
Cross-site scripting (XSS): An attack where malicious scripts are injected into web pages through unsanitized inputs — prevented by input validation
Input validation: A security technique that checks and sanitizes user-submitted data before processing — the fix for XSS vulnerabilities
SQL injection: An attack where malicious SQL code is inserted into a query field to manipulate or expose a database — a software vulnerability
Buffer overflow: When a program writes more data to a buffer than it can hold, overwriting adjacent memory — can allow attackers to run arbitrary code
Firmware vulnerability: A weakness in low-level software embedded in hardware like BIOS or routers — a BIOS update patch addresses this type
Jailbreaking: Modifying a mobile device OS to remove manufacturer restrictions — bypasses built-in security controls and allows unauthorized apps
Side loading: Installing apps on a mobile device from outside the official app store — often bypasses security vetting
VM escape: An attack where a process inside a virtual machine breaks out to interact with the hypervisor or other VMs
Penetration testing: A simulated, authorized cyberattack on a system to find exploitable vulnerabilities — more targeted and hands-on than a vulnerability scan
Bug bounty: A program where a company invites external researchers to find and report vulnerabilities in exchange for compensation
Red team: A group that plays the adversary role — conducts offensive security assessments including pentesting and social engineering
Vulnerability assessment: A systematic process of identifying and cataloging security weaknesses — after remediating findings, always rescan to verify fixes
Root cause analysis (RCA): Identifying the underlying reason an incident occurred — purpose is to prevent future incidents of the same nature
CVE (Common Vulnerabilities and Exposures): A standardized list of publicly known cybersecurity vulnerabilities with unique identifiers — identifies vulnerabilities but does not score them
CVSS (Common Vulnerability Scoring System): A framework for quantitatively measuring vulnerability severity on a scale of 0–10 — used to prioritize patching
False positive: A vulnerability scanner result that flags something as a vulnerability when it actually is not — a scanner error
hping: A command-line tool used to craft and send custom TCP/IP packets — used for firewall testing and security assessments
Incident response (IR) phases: In order: Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons Learned
IoC (Indicator of Compromise): Artifacts or evidence (IP addresses, file hashes) that suggest a system has been breached — gathered during the Analysis phase
Analysis (IR phase): The phase where the team investigates the scope and source of an incident — understanding where it originated
Containment (IR phase): The phase where affected systems are isolated to prevent further spread — happens before eradication
Segmentation: Dividing a network into separate zones to limit attack spread — used for legacy servers running critical apps
Hardening: Reducing a system's attack surface by disabling unnecessary services and configuring security settings — disable web-based admin on routers
ARP poisoning: An attack associating the attacker's MAC with a legitimate IP — enables traffic interception on the local network
DNS poisoning: Corrupting a DNS cache so domain names resolve to malicious IPs — redirects users to attacker-controlled sites
IaaS (Infrastructure as a Service): Cloud model where the provider manages hardware — the customer is responsible for OS, applications, and data including database security
PaaS (Platform as a Service): Cloud model where provider manages hardware and OS/platform — vendor patches firmware, OS, and runtime; you patch your app
SaaS (Software as a Service): Cloud model where provider manages everything — vendor patches hardware, OS, and application; customer manages data only
Shared responsibility model: Framework defining which security tasks belong to the cloud provider vs. customer — varies by IaaS, PaaS, or SaaS model
Serverless architecture: Cloud model where provider manages server allocation dynamically — low-cost, cloud-based app hosting with no infrastructure management
Containers: Lightweight, portable application packaging — ideal for constantly changing environments; reduce OS patch burden by sharing the host OS
Virtualization: Creating virtual instances of hardware — allows multiple VMs on one physical server to reduce hardware costs
VDI (Virtual Desktop Infrastructure): Hosts desktop environments on central servers — keeps data on company servers while allowing remote access, even by offshore teams
Infrastructure as Code (IaC): Managing cloud infrastructure through configuration files — enables fast, consistent, and easy cloud resource deployments
Load balancer: Distributes incoming traffic across multiple servers — improves performance and availability for multi-server applications
Version control: A system that tracks code changes over time — used to track modifications to infrastructure code or application source
MDM (Mobile Device Management): Software platform for remotely managing and securing mobile devices — can enforce policies, lock, or wipe devices
Remote wipe: An MDM feature that erases all data on a lost or stolen device remotely — prevents malicious use after loss
Screen lock: An MDM-enforced PIN or password requirement before device use — prevents unauthorized access to a lost device
FDE (Full Device Encryption): Encrypts all data on a device so it is unreadable without the key — best protection if remote wipe is not possible
Business Email Compromise (BEC): An attack where criminals impersonate executives via email — classic sign is a spoofed display name with gift card or wire transfer requests
Phishing: A social engineering attack using deceptive emails or links to steal credentials or install malware — fake login page is the key indicator
VPN (Virtual Private Network): Encrypts network traffic between a remote user and the corporate network — standard solution for secure remote access without interception
RPO (Recovery Point Objective): The maximum acceptable amount of data loss measured in time — shorter RPO requires more frequent backups
RTO (Recovery Time Objective): The maximum acceptable time to restore a system after a disruption — shorter RTO requires faster recovery infrastructure
Differential backup: Backs up all data changed since the last full backup — faster to restore than incremental; good for ransomware recovery with cloud storage
IPSec (Internet Protocol Security): A protocol suite that encrypts and authenticates IP traffic — best choice for securing communications within a private cloud or between networks
SHA-1: A hashing algorithm — produces a fixed-length hash but is now considered weak and outdated; do not confuse with encryption
RSA: An asymmetric encryption algorithm using public/private key pairs — used for key exchange and digital signatures, not bulk data encryption
TGT (Ticket Granting Ticket): A Kerberos authentication token issued after login — used to request access to services without re-entering credentials
Time-based access control: A security control that restricts access based on time of day or schedule — example: allowing file copy only during working hours
Role-based access control (RBAC): A model that grants permissions based on a user's assigned role in the organization — not time-dependent
Digital rights management (DRM): Technology that controls how digital content is used, copied, or distributed — enforces usage policies on files
TPM (Trusted Platform Module): A hardware chip on a motherboard that stores cryptographic keys — works with FDE to protect data at rest
ECC (Elliptic Curve Cryptography): A public key cryptography method using elliptic curves — preferred when computing resources are limited; same security as RSA with smaller keys
HSM (Hardware Security Module): A physical device that manages and protects cryptographic keys — more secure than software key storage
Misconfiguration vulnerability: A security weakness caused by incorrect settings or improper setup — most common vulnerability type overall
Insecure key storage: A vulnerability where cryptographic keys are stored improperly — makes encryption useless if an attacker finds the key
Weak cipher suite: A vulnerability where outdated or broken encryption algorithms are used — example: using MD5 or DES instead of AES
SSH tunneling: Wrapping unencrypted traffic inside an encrypted SSH connection — compensating control when a legacy system cannot be patched
Tokenization: Replacing sensitive data with a non-sensitive placeholder token — protects data in transit or storage without encrypting it
Data masking: Obscuring specific data within a database so unauthorized users cannot read it — protects data while keeping it usable
Symmetric encryption: Encryption using the same key for both encrypting and decrypting — faster than asymmetric; used for bulk data encryption
Asymmetric encryption: Encryption using a public key to encrypt and a private key to decrypt — used for key exchange and digital signatures
Hashing: A one-way function that converts data into a fixed-length value — used to verify integrity, not to encrypt; cannot be reversed
Digital signature: A cryptographic mechanism using a private key to sign data — proves authenticity and supports non-repudiation
Steganography: The practice of hiding data inside another file such as an image or audio file — concealment not encryption
Non-repudiation: The assurance that someone cannot deny having sent a message — achieved through digital signatures
Salting: Adding a random value to a password before hashing — prevents rainbow table attacks by making identical passwords hash differently
Rainbow table attack: A precomputed table of password hashes used to crack passwords — defeated by salting
3DES: Triple Data Encryption Standard — applies DES encryption three times; used to verify file integrity via hash comparison on vendor sites
Homomorphic encryption: Allows computation on encrypted data without decrypting it — used when a cloud provider must not be able to read the data
Rootkit: Malware that hides deep in a system and modifies core files like cmd.exe — changing a system file hash with no patches applied suggests rootkit
Cryptojacking: Malware that secretly uses a victim's CPU to mine cryptocurrency — no degraded login activity but shared files spread infection
Pass-the-hash attack: An attack where a stolen password hash is used to authenticate without knowing the plaintext password — using unique hashes per host prevents this
Code signing: Using a private key to digitally sign software — ensures the code has not been tampered with and verifies the developer's identity
Chain of custody: Documentation tracking who handled evidence and when — ensures evidence integrity and admissibility in legal proceedings
Legal hold: A directive to preserve all data relevant to anticipated litigation — prevents deletion of potentially important evidence
Order of volatility: The sequence for collecting forensic evidence from most to least volatile — RAM first, then swap files, then hard drive, then archive data
E-discovery: The process of identifying and collecting electronic data for legal proceedings — often precedes formal forensic analysis
Tabletop exercise: A discussion-based simulation of an incident scenario — used to test and validate incident response plans without real systems
Disaster recovery plan (DRP): A document detailing how to restore critical systems and infrastructure after a major outage — includes system restoration order
SIEM (Security Information and Event Management): A platform that aggregates and analyzes log data from across the environment to detect anomalies and generate alerts
WAF (Web Application Firewall): A firewall specifically designed to filter HTTP traffic and protect web applications — blocks SQL injection and XSS attempts
ARO (Annualized Rate of Occurrence): The estimated frequency that a specific threat will occur within a year — used in risk analysis to calculate ALE
MTBF (Mean Time Between Failures): The average time a system operates before failing — used to assess reliability and inform insurance or continuity decisions
Geographic dispersion: Distributing systems or data centers across different physical locations — protects against weather events or regional disasters
High availability: A design principle ensuring systems remain operational with minimal downtime — requires ease of recovery and responsiveness
CRL (Certificate Revocation List): A list of digital certificates that have been revoked before their expiration date — must be updated when a private key is stolen
OCSP (Online Certificate Status Protocol): A real-time protocol for checking whether a specific certificate has been revoked — faster alternative to checking a CRL
Root certificate: The top-level certificate in a trust chain — if not installed, SSL certificates will show as untrusted
Self-signed certificate: A certificate signed by its own private key rather than a trusted CA — not trusted by browsers or systems by default
Wildcard certificate: A certificate that secures a domain and all its subdomains — example: *.example.com covers mail.example.com and app.example.com
MTTR (Mean Time to Repair): The average time it takes to fix a system after a failure — used alongside RTO to measure recovery capability; shorter MTTR means faster repairs
ARO (Annualized Rate of Occurrence): The estimated number of times a specific threat occurs per year — used to calculate risk; removing ransomware insurance coverage means the company assessed ransomware ARO as low or acceptable
Due diligence: Researching and understanding laws and regulations relevant to your security operations in a specific industry — the practice of knowing your compliance obligations
Compliance reporting: Documenting and reporting on how well an organization meets regulatory requirements — different from due diligence which is the research process itself
Attestation: A formal declaration confirming that security controls or compliance requirements have been met — often signed by an auditor or executive
Preparation (IR phase): The FIRST phase of incident response — where roles, responsibilities, playbooks, and tools are set up BEFORE an incident occurs; tabletop exercises happen here
Lessons learned (IR phase): The FINAL phase of incident response — conducted after recovery to review what happened, what worked, and how to prevent recurrence; root cause analysis happens here
Recovery (IR phase): The phase where systems are restored to normal operation after eradication — comes before lessons learned, after eradication
Eradication (IR phase): The phase where malware or attacker presence is fully removed from all affected systems — comes after containment, before recovery
SQL injection in logs: In log analysis, look for INSERT, DROP, SELECT, or VALUES in a URL query string — this is a live SQL injection attempt; check the database immediately for new or changed records
Pass-the-hash attack: An attacker uses a stolen password hash to authenticate without knowing the plaintext password — giving each machine a unique hash per host prevents the same hash from working elsewhere
ACL (Access Control List): A set of rules on a firewall or router that permits or denies traffic based on source IP, destination IP, and port — deny rules block traffic; permit rules allow it
Firewall rule syntax: Format: access-list [direction] [action] [protocol] source [IP/mask] destination [IP/mask] — source is where traffic comes FROM, destination is where it goes TO
Inbound firewall rule: A rule that filters traffic entering the network — to block a malicious attacker, put their IP as the SOURCE and use DENY action
0.0.0.0/0: Means any IP address or all traffic in a firewall rule — used as destination when you want to block a source from reaching anywhere
/32 subnet mask: Refers to exactly one specific IP address in firewall and routing rules — used to target a single host precisely
Preparation phase — roles and responsibilities: Reviewing roles and responsibilities happens in the PREPARATION phase — not analysis or lessons learned; this is setup work done before an incident
Containment — FIRST action for malware: When malware is found on hosts, the FIRST step is always containment — isolate the infected machines to stop spread before doing anything else
Geographic dispersion: Spreading servers and data centers across multiple physical locations — the best protection against weather events or regional disasters causing total downtime
High availability — key factors: Two must-haves for high availability network design: ease of recovery (can systems come back fast?) and responsiveness (do systems respond under load?) — NOT patching ability or authentication
Order of volatility — correct sequence: RAM → Swap files → Hard drive → Archive data — always collect most volatile first because RAM is lost the moment power is cut
Incident response order: Correct order: Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons Learned — Detection comes before Analysis, Containment comes after Analysis
Nation-state threat actor: A government-sponsored attacker with large financial resources — hired to attack critical systems in other countries; most sophisticated and well-funded threat actor
Hacktivist: An attacker motivated by political or ideological beliefs — uses hacking to promote a cause; NOT hired by governments
Unskilled attacker: Also called a script kiddie — uses existing tools without deep knowledge; low resources, low sophistication
Insider threat: A current or former employee who misuses authorized access — copying large amounts of data after hours is a classic sign
Whistleblower: Someone who exposes wrongdoing from inside an organization — NOT an attacker hired by governments
Key stretching: A technique that makes weak passwords harder to crack by running them through a hashing algorithm many times — examples: PBKDF2, bcrypt
Pretexting: Creating a fabricated story or scenario to manipulate someone into providing information — the attacker invents a fake identity or situation
Typosquatting: Registering a domain name that is a misspelling of a legitimate site — relies on users making typos in URLs
Phishing: A social engineering attack using deceptive emails or links to steal credentials — fake login page is the key indicator; employee enters credentials and gets page not found
SSO (Single Sign-On): Allows users to log in once with domain credentials and access multiple applications — reduces number of credentials employees must maintain
MFA (Multifactor Authentication): Requiring two or more verification factors to log in — prevents attackers from using stolen passwords alone; does NOT reduce number of credentials
Jump server: A hardened intermediary server that admins must pass through to access systems in a protected network segment — also called a bastion host; prevents direct access
RADIUS: Remote Authentication Dial-In User Service — a protocol for centralized authentication; NOT an access method for reaching protected segments
Active reconnaissance: Directly interacting with a target system to gather information — port scanning and service scanning are active; you are touching the target
Passive reconnaissance: Gathering information without directly interacting with the target — OSINT, watching traffic; you are NOT touching the target
Rules of engagement: The document that defines the scope, boundaries, and terms of a penetration test — what is allowed, what is off limits, timing, and reporting
Adaptive identity: A Zero Trust concept that continuously evaluates identity and adjusts access dynamically based on risk signals — relevant to the data plane
Zero Trust data plane: The enforcement layer of Zero Trust that handles actual access decisions in real time — adaptive identity operates here
Port 80 vs port 443: Port 80 (:80) = unencrypted web traffic to block. Port 443 (:443) = encrypted HTTPS port to ALLOW. Web filters blocking non-encrypted sites should search for :80, not :443
Honeypot: A decoy system designed to attract attackers — identifies attacker activity without affecting production systems; looks like a real target but is isolated
Whaling: A phishing attack specifically targeting high-level executives like CEOs — phone call from someone impersonating a CEO asking for gift cards = whaling
Vishing: Voice phishing — social engineering conducted over the phone to extract information or get actions taken
Smishing: SMS phishing — social engineering conducted via text message; pretending to be payroll via text = smishing
Shadow IT: When employees or departments set up technology without IT approval — marketing department installing its own software without telling IT
Data in transit: Data moving between locations over a network — VPNs protect data in transit by encrypting it during transmission
Data in use: Data actively being processed or accessed in memory — protected by access controls and encryption at the application level
Capacity planning: Determining how many staff or resources are needed to sustain operations during a disruption — part of business continuity planning
Geolocation policy: A control that restricts access to data or systems based on the user's physical location or country — blocks access from high-risk countries
Application allow list: A security control that only permits pre-approved applications to execute — best way to block UNKNOWN programs from running
Sanitization: Securely wiping data from storage media before disposal or reuse — wiping hard drives before recycling = sanitization
Destruction: Physically destroying storage media so data cannot be recovered — shredding, degaussing, incineration
Least privilege: Giving users only the minimum access needed to do their job — restricting admin console to only two people = least privilege
Risk register: A document that lists identified risks, responsible parties, likelihood, impact, and thresholds — used to track and manage organizational risk
Change management procedure: The formal process for requesting, reviewing, approving, and implementing changes to IT systems — must be followed BEFORE patching production systems
Warm site: A backup data center with some equipment pre-installed but not fully operational — cost-effective middle ground; RTO/RPO of hours to days
Hot site: A fully operational backup data center that can take over immediately — most expensive, near-zero RTO/RPO
Cold site: An empty facility with power and connectivity but no equipment — cheapest, longest RTO/RPO (days to weeks)
SOW (Statement of Work): A document outlining project scope, deliverables, cost, and completion timeframe — what a client requests when hiring a security company
SLA (Service Level Agreement): Defines service performance standards like uptime guarantees and response times — NOT a project scoping document
Non-repudiation: The assurance that a sender cannot deny having sent a message — achieved through digital signatures; allows attribution of messages to individuals
Tuning: Adjusting SIEM or security tool settings to ignore known benign activity and reduce false positives — the act of marking something as normal and suppressing future alerts
User provisioning script: An automation script that creates accounts with correct permissions automatically — eliminates manual errors in account setup
Password spraying: Trying one common password against many different usernames — avoids lockouts by not hammering one account; same password across many users in logs
Brute force attack: Trying many different passwords against one account until one works — triggers account lockout; many failed attempts on same username
Masking: Hiding part of sensitive data while showing some — showing only last four digits of a credit card = masking; partial visibility
Ransomware: Malware that encrypts files and demands payment — files with new extensions across all systems + ransom message = ransomware; NOT spyware
Compensating control: An alternative security measure used when the standard control cannot be implemented — disabling services AND adding firewall to a legacy system = compensating controls
Intellectual property: Proprietary company data like trade secrets, patents, and research — R&D employees work with intellectual property
Insider threat vs shadow IT: Insider threat = malicious or negligent employee misusing access. Shadow IT = unauthorized technology use without malice — marketing department installing software = shadow IT not insider threat
NAC (Network Access Control): Controls which devices can connect to the wired network — authenticates and evaluates devices before granting network access; protects the wired attack surface
Decommissioning triggers: A device should be decommissioned when it cannot meet encryption standards OR cannot receive authorized security updates — not just because it is moved or reconfigured
Created by: anisa-13