- CIA triad
- Confidentiality, Integrity, Availability — the three core goals of information security.
- Confidentiality
- Ensuring only authorized people can access data; enforced by encryption and access control.
- Integrity
- Ensuring data is accurate and unaltered; enforced by hashing and digital signatures.
- Availability
- Ensuring authorized users can access data and systems when needed; enforced by redundancy and backups.
- Non-repudiation
- Assurance that someone cannot deny an action; provided by digital signatures and logging.
- Vulnerability
- A weakness or flaw in a system that could be exploited by a threat.
- Threat
- A potential danger — an attacker or malware — that could exploit a vulnerability.
- Exploit
- The code or technique that actively takes advantage of a vulnerability.
- Risk
- The likelihood a threat exploits a vulnerability combined with the impact if it does.
- Asset
- Anything of value worth protecting — data, a server, a service, or a reputation.
- Five phases of hacking
- Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks.
- Reconnaissance (phase 1)
- Gathering information about the target before attacking.
- Gaining Access (phase 3)
- Exploiting a weakness to get into a system, then escalating privileges.
- Maintaining Access (phase 4)
- Keeping the foothold with backdoors, rootkits, or new accounts.
- Clearing Tracks (phase 5)
- Covering the trail — clearing logs, hiding files, disabling auditing.
- White hat
- An authorized, ethical hacker who tests systems with permission to improve security.
- Black hat
- A malicious attacker who breaks into systems without authorization for harm or gain.
- Gray hat
- A hacker who probes systems without permission but without clear malicious intent.
- Script kiddie
- An unskilled attacker who uses tools and exploits written by others.
- Hacktivist
- An attacker motivated by a political or social cause.
- Defense in depth
- Layering multiple independent controls so one failure doesn't expose the asset.
- Cyber Kill Chain
- Lockheed Martin's 7 stages: recon, weaponization, delivery, exploitation, installation, C2, actions on objectives.
- MITRE ATT&CK
- A knowledge base of real-world adversary tactics and techniques across the attack lifecycle.
- Black-box testing
- A pentest where the tester has no prior knowledge of the target (external attacker view).
- White-box testing
- A pentest where the tester has full knowledge (architecture, source, credentials).
- Gray-box testing
- A pentest with partial knowledge, such as a standard user account.
- Rules of engagement
- The agreed scope, methods, timing, and limits of an authorized engagement.
- Vulnerability scan vs pentest
- A scan only identifies weaknesses; a penetration test actually exploits them.
- Authorization
- Written permission and defined scope — the only thing separating a CEH from a criminal.
- PCI-DSS
- Payment Card Industry Data Security Standard — protects cardholder data.
- HIPAA
- U.S. law protecting the privacy and security of health information.
- GDPR
- EU regulation governing personal-data privacy and protection.
- ISO/IEC 27001
- International standard for an information security management system (ISMS).
- AAA
- Authentication, Authorization, Accounting.
- Bug bounty
- A program that pays outside researchers for responsibly disclosed vulnerabilities.
- Footprinting
- Systematically gathering information to profile a target's network, people, and tech.
- Passive reconnaissance
- Gathering info with no direct contact — OSINT, WHOIS, DNS, Shodan, social media.
- Active reconnaissance
- Interacting with the target directly — ping sweeps, port scans, banner grabbing.
- OSINT
- Open-Source Intelligence — information gathered from publicly available sources.
- Google dorking
- Using search operators (site:, inurl:, intitle:, filetype:) to find exposed information.
- Shodan
- A search engine that indexes Internet-connected devices and their open services.
- WHOIS
- A query returning domain/IP registration details (registrar, contacts, name servers).
- DNS enumeration
- Querying DNS records (A, MX, NS, TXT); a zone transfer can dump the whole zone.
- DNS zone transfer (AXFR)
- Copying an entire DNS zone; if misconfigured, it leaks all records to an attacker.
- theHarvester
- A tool that gathers emails, subdomains, and hosts from public sources.
- Maltego
- An OSINT tool that maps relationships between people, domains, and infrastructure.
- Nmap
- The standard network scanner for host discovery, port scanning, and OS/version detection.
- TCP three-way handshake
- SYN → SYN/ACK → ACK — how a TCP connection is established.
- TCP connect scan (-sT)
- Completes the full handshake — reliable but easily logged.
- SYN / half-open scan (-sS)
- Sends SYN, never finishes the handshake — stealthier; the default for root.
- NULL / FIN / Xmas scans
- Send unusual TCP flag combinations to slip past simple filters.
- UDP scan (-sU)
- Probes connectionless services like DNS, SNMP, and DHCP.
- Banner grabbing
- Reading a service's response to identify its software and version.
- OS fingerprinting (-O)
- Identifying the target operating system from network behavior.
- Ping sweep
- Sending ICMP echo requests to a range to find live hosts.
- Enumeration
- Actively extracting users, shares, services, and config after scanning.
- NetBIOS / SMB ports
- 137–139 and 445 — enumerate Windows shares, users, and system names.
- SNMP port
- 161 — default community strings ('public'/'private') can leak device config.
- LDAP port
- 389 — enumerate directory objects: users, groups, and OUs.
- SMTP enumeration
- Port 25 — VRFY/EXPN/RCPT TO can reveal valid email accounts.
- NTP port
- 123 — can reveal hosts and times that sync to a server.
- NFS port
- 2049 — network file shares that may be exported insecurely.
- SNMP community strings
- Shared 'passwords' for SNMP; defaults 'public' (read) and 'private' (write) are classic findings.
- Scanning countermeasure
- Reduce exposed ports and services — you can't attack a closed port.
- netcat
- A versatile tool to read/write network connections; banner grabbing and simple backdoors.
- Wayback / archived pages
- Old site versions revealing structure or data the target later removed.
- Email footprinting
- Tracking email headers and read-receipts to map infrastructure and behavior.
- Vulnerability assessment
- A systematic review that identifies, classifies, and prioritizes weaknesses.
- CVSS
- Common Vulnerability Scoring System — a 0–10 score rating a vulnerability's severity.
- CVE
- Common Vulnerabilities and Exposures — a public catalog of IDs for known vulnerabilities.
- False positive
- A finding flagged as a vulnerability that isn't actually exploitable.
- Password cracking
- Recovering passwords from hashes via dictionary, brute-force, hybrid, or rainbow tables.
- Dictionary attack
- Tries a wordlist of likely passwords against a hash or login.
- Brute-force attack
- Tries every possible combination until the password is found.
- Hybrid attack
- Combines a dictionary with appended numbers/symbols (e.g., Password123!).
- Rainbow table
- A precomputed table of hashes used to reverse unsalted password hashes quickly.
- Salting
- Adding unique random data before hashing so identical passwords differ; defeats rainbow tables.
- Pass-the-hash
- Authenticating with a captured NTLM hash without cracking the plaintext password.
- Kerberoasting
- Requesting service tickets and cracking them offline to recover service-account passwords.
- Privilege escalation
- Gaining higher access than granted — vertical (to admin) or horizontal (to another user).
- Vertical privilege escalation
- Moving from a low-privilege account to administrator or root.
- Horizontal privilege escalation
- Moving sideways to another user's account at the same level.
- DLL hijacking
- Tricking a program into loading a malicious library to run attacker code.
- SUID exploitation
- Abusing a Linux root-owned binary with the setuid bit to gain root.
- Rootkit
- Malware that hides deep in the system (often the kernel) for stealthy privileged access.
- User-mode vs kernel-mode rootkit
- User-mode hooks normal programs; kernel-mode runs with the highest privilege and is harder to detect.
- Keylogger
- Software or hardware that records keystrokes to capture passwords and input.
- Spyware
- Malware that secretly collects information about a user or system.
- Steganography
- Hiding data inside other data (e.g., within an image) to conceal its existence.
- Clearing logs
- Deleting or altering log entries to cover the attacker's tracks.
- Malware
- Malicious software — viruses, worms, trojans, ransomware, spyware, rootkits, fileless.
- Virus
- Malware that attaches to a host file and needs user action to run and spread.
- Worm
- Self-propagating malware that spreads across networks with no user action.
- Trojan
- Malware disguised as legitimate software that opens a hidden backdoor when run.
- Ransomware
- Malware that encrypts a victim's data and demands payment for the decryption key.
- Double extortion
- Ransomware that also steals data and threatens to leak it if no ransom is paid.
- Fileless malware
- Malware that runs in memory using legitimate tools to evade disk-based detection.
- APT
- Advanced Persistent Threat — a skilled, well-resourced adversary keeping long-term stealthy access.
- Logic bomb
- Malicious code that executes when a specific condition (date/event) is met.
- Static malware analysis
- Inspecting malware without running it (strings, hashes, headers).
- Dynamic malware analysis
- Running malware in a sandbox to observe its behavior.
- Backdoor
- A hidden method of bypassing authentication to regain access to a system.
- Sniffing
- Capturing and inspecting network traffic, often to harvest credentials or data.
- Promiscuous mode
- A NIC mode that captures all traffic on a segment, not just frames addressed to it.
- Active vs passive sniffing
- Passive works on hubs; active (ARP poisoning) is needed on switched networks.
- Wireshark
- A packet analyzer used to capture and inspect network traffic in detail.
- tcpdump
- A command-line packet capture tool for Unix/Linux.
- ARP poisoning
- Sending forged ARP replies to redirect LAN traffic through the attacker (on-path).
- ARP poisoning defense
- Dynamic ARP Inspection (DAI), static ARP entries, and encryption.
- MAC flooding
- Overflowing a switch's CAM table so it fails open and broadcasts like a hub.
- MAC flooding defense
- Port security — limit the number of MAC addresses per port.
- DHCP starvation
- Exhausting the DHCP pool, then offering an attacker-controlled gateway/DNS.
- DHCP snooping
- A switch feature that blocks rogue DHCP servers and starvation attacks.
- DNS poisoning
- Injecting false DNS records so victims resolve a name to an attacker's host.
- DNSSEC
- Adds cryptographic signatures to DNS to prevent record forgery.
- On-path attack
- Secretly relaying or altering traffic between two parties (formerly man-in-the-middle).
- MAC spoofing
- Changing a device's MAC address to impersonate another or bypass filters.
- Social engineering
- Manipulating people into divulging info or actions that compromise security.
- Phishing
- A fraudulent email that tricks the victim into revealing credentials or running malware.
- Spear phishing
- Phishing targeted at a specific individual or organization.
- Whaling
- Phishing that targets high-value executives.
- Vishing
- Voice phishing — a social-engineering attack over a phone call.
- Smishing
- SMS phishing — a social-engineering attack by text message.
- Pretexting
- Inventing a believable scenario to extract information from a target.
- Tailgating / piggybacking
- Following an authorized person through a secure door without credentials.
- Impersonation
- Posing as IT, a vendor, or an executive to gain trust and access.
- Business email compromise
- Impersonating a trusted executive or vendor to authorize fraudulent payments.
- Insider threat
- An employee/contractor misusing authorized access to harm the organization.
- Social engineering defense
- Recurring security-awareness training plus phishing simulations.
- Denial-of-service (DoS)
- Overwhelming a system so legitimate users can't access it.
- DDoS
- A distributed DoS launched from many compromised machines (a botnet) at once.
- Botnet
- A network of malware-infected 'zombie' hosts controlled by an attacker.
- SYN flood
- A protocol DoS that exhausts server state with half-open TCP connections.
- Volumetric attack
- A DoS that saturates the target's bandwidth (UDP/ICMP floods, amplification).
- Application-layer DoS
- Low-volume valid-looking requests that exhaust app resources (e.g., Slowloris).
- SYN cookies
- A defense that lets a server handle SYN floods without allocating state.
- Session hijacking
- Taking over an authenticated session by stealing or predicting the session ID.
- Session fixation
- Planting a known session ID before the victim logs in, then reusing it.
- HttpOnly cookie flag
- Prevents JavaScript from reading a cookie — blunts cookie theft via XSS.
- Secure cookie flag
- Ensures a cookie is only sent over HTTPS.
- IDS
- Intrusion Detection System — detects and alerts on suspicious traffic (passive).
- IPS
- Intrusion Prevention System — detects and blocks suspicious traffic inline (active).
- Stateful firewall
- A firewall that tracks connection state to allow only valid return traffic.
- Honeypot
- A decoy system that lures attackers away from real assets and records them.
- Honeynet
- A network of honeypots that mimics a real environment.
- IDS evasion
- Fragmentation, encoding, and tunneling to break the signature an IDS looks for.
- Firewalking
- Probing which ports/services a firewall permits by manipulating TTLs.
- OWASP Top 10
- The list of the most critical web application security risks.
- Web server attack
- Targeting server software/config — traversal, defaults, unpatched CVEs.
- Directory traversal
- Using ../ to access files outside the intended web root.
- SQL injection
- Inserting malicious SQL into input so the database runs unintended commands.
- SQLi primary fix
- Parameterized queries (prepared statements) plus input validation.
- In-band SQLi
- SQL injection where results come back in the same channel (union/error-based).
- Blind SQLi
- Inferring data via true/false (boolean) or response timing (time-based).
- ' OR '1'='1
- A classic SQLi payload that makes a WHERE clause always true to bypass login.
- Cross-site scripting (XSS)
- Injecting script into a trusted site that runs in another user's browser.
- Stored XSS
- Malicious script persisted on the server and served to many users.
- Reflected XSS
- Malicious script echoed back from a request and run immediately.
- DOM-based XSS
- XSS executed entirely in the browser via the page's own JavaScript.
- XSS primary fix
- Output encoding plus a Content Security Policy (CSP).
- CSRF
- Forcing an authenticated user's browser to send an unwanted request to a trusted site.
- CSRF defense
- Anti-CSRF tokens and SameSite cookies.
- Command injection
- Running OS commands through unvalidated input.
- LFI / RFI
- Local/Remote File Inclusion — loading attacker-chosen files via input.
- SSRF
- Server-Side Request Forgery — making the server request attacker-chosen URLs.
- Broken access control
- Failing to enforce what authenticated users may do — a top OWASP risk.
- IDOR
- Insecure Direct Object Reference — accessing others' data by changing an ID.
- Input validation
- Treating all user input as untrusted and checking it server-side.
- WAF
- Web Application Firewall — filters layer-7 attacks like injection and XSS.
- Burp Suite
- A proxy/toolkit for intercepting and testing web application requests.
- Web cache poisoning
- Tricking a cache into storing and serving a malicious response.
- Clickjacking
- Tricking a user into clicking a hidden element via a transparent overlay/iframe.
- WEP
- Obsolete Wi-Fi encryption using RC4 with a weak, reused IV — completely broken.
- WPA2
- Wi-Fi security using AES-CCMP; weak pre-shared keys are crackable offline.
- WPA3
- Current Wi-Fi standard; SAE (Dragonfly) resists offline password cracking.
- Four-way handshake
- The WPA2 key exchange; capturing it enables an offline dictionary attack.
- Aircrack-ng
- A suite for capturing handshakes and cracking WEP/WPA keys.
- Evil twin
- A rogue access point impersonating a legitimate SSID to capture traffic/credentials.
- Rogue access point
- An unauthorized AP attached to a network, creating a backdoor.
- Deauthentication attack
- Forging deauth frames to knock clients off so they reconnect (often to an evil twin).
- WPS attack
- Brute-forcing the 8-digit Wi-Fi Protected Setup PIN to recover the passphrase.
- Bluejacking
- Sending unsolicited messages to a Bluetooth device.
- Bluesnarfing
- Stealing data from a Bluetooth device without permission.
- Bluebugging
- Taking control of a Bluetooth device to make calls or read data.
- KRACK
- Key Reinstallation Attack against the WPA2 four-way handshake.
- Wardriving
- Searching for Wi-Fi networks while moving, to map and target them.
- OWASP Mobile Top 10
- The list of the most critical mobile application security risks.
- Rooting / jailbreaking
- Removing an OS's built-in restrictions — also removes security protections.
- App repackaging
- Adding malware to a legitimate app and redistributing it.
- Insecure data storage
- Storing sensitive data (tokens, credentials) unprotected on a device.
- MDM
- Mobile Device Management — enforces policy, encryption, and remote wipe.
- BYOD
- Bring Your Own Device — employees use personal devices for work.
- COPE
- Corporate-Owned, Personally Enabled device model.
- Overlay attack
- Malware that draws a fake screen over a real app to steal input.
- IoT
- Internet of Things — networked physical devices, often with weak defaults.
- OWASP IoT Top 10
- Leading IoT risks: weak passwords, insecure services, no update mechanism.
- Weak default credentials
- Hard-coded/default passwords on IoT devices that are rarely changed.
- OT
- Operational Technology — systems that monitor and control physical processes.
- ICS / SCADA
- Industrial Control Systems / Supervisory Control and Data Acquisition.
- AIC priority (OT)
- OT flips the CIA triad to Availability → Integrity → Confidentiality (safety first).
- Zigbee / BLE
- Short-range IoT protocols that expand the wireless attack surface.
- IoT segmentation
- Isolating IoT/OT devices on separate networks as a key defense.
- Purdue model
- A reference architecture for segmenting ICS/OT network zones.
- Shared responsibility model
- Provider secures the cloud; customer secures data, identities, and config.
- IaaS
- Infrastructure as a Service — customer manages OS, apps, and data (the most).
- PaaS
- Platform as a Service — provider manages the runtime; customer manages apps/data.
- SaaS
- Software as a Service — provider manages almost everything (customer: data/access).
- Cloud misconfiguration
- The leading cause of cloud breaches — e.g., a public storage bucket.
- Public S3 bucket
- An object-storage bucket left readable to anyone — a classic cloud finding.
- IAM key compromise
- Stolen long-lived API keys let an attacker abuse cloud resources.
- Cryptojacking
- Using stolen cloud resources to mine cryptocurrency.
- Container
- Packages an app with its dependencies, sharing the host OS kernel (e.g., Docker).
- Container escape
- Breaking out of a container's isolation to reach the host or other containers.
- Kubernetes secrets
- Sensitive values (passwords, keys) used by pods — must be protected.
- Serverless
- Running functions without managing servers; risks include over-permissioned roles.
- Least privilege (cloud)
- Granting IAM roles only the minimum permissions needed.
- CASB
- Cloud Access Security Broker — enforces policy between users and cloud services.
- Symmetric encryption
- One shared secret key encrypts and decrypts; fast (AES, DES/3DES).
- Asymmetric encryption
- A public/private key pair; encrypt with one key, decrypt with the other (RSA, ECC).
- Hashing
- A one-way function producing a fixed-length digest (SHA-256); not reversible.
- AES
- The current symmetric block-cipher standard (Rijndael); 128/192/256-bit keys.
- RSA
- An asymmetric algorithm whose security rests on factoring large numbers.
- ECC
- Elliptic Curve Cryptography — strong asymmetric security with smaller keys.
- Diffie-Hellman
- A key-exchange algorithm that derives a shared secret over an insecure channel.
- MD5
- A broken hash function — practical collisions make it unsafe for integrity.
- SHA-1
- A broken hash function — collision attacks exist; replaced by SHA-256/SHA-3.
- SHA-256
- A secure hash producing a 256-bit digest, widely used for integrity.
- Digital signature
- A hash signed with the sender's private key; proves integrity and authenticity.
- Encrypt vs sign keys
- Encrypt FOR someone with their public key; SIGN with your own private key.
- PKI
- Public Key Infrastructure — CAs, policies, and keys that issue digital certificates.
- X.509 certificate
- A file binding a public key to a verified identity, signed by a CA.
- Certificate Authority
- A trusted entity that issues and signs digital certificates.
- CRL / OCSP
- Certificate Revocation List / Online Certificate Status Protocol — revocation checks.
- TLS handshake
- Uses asymmetric crypto to exchange a fast symmetric session key (hybrid).
- Birthday attack
- Exploits collision math to find two inputs with the same hash faster than brute force.
- ECB mode weakness
- Encrypting identical blocks identically leaks patterns — avoid ECB.
- Key escrow
- Storing copies of cryptographic keys with a trusted third party for recovery.
- PGP / GPG
- Tools for email encryption and signing using public-key cryptography.
- Disk encryption
- Protecting data at rest by encrypting the whole drive (e.g., BitLocker).
- Salting (crypto)
- Unique random data added before hashing so equal passwords differ.
- Collision
- When two different inputs produce the same hash — a flaw in MD5/SHA-1.