- CIA triad
- Confidentiality, Integrity, Availability — the three core goals of information security.
- Confidentiality
- Preventing the unauthorized disclosure of data; protected by encryption and access controls.
- Integrity
- Ensuring data is accurate and unaltered except by authorized parties; protected by hashing and change control.
- Availability
- Ensuring authorized users have timely, reliable access to systems and data; protected by redundancy and backups.
- DAD triad
- Disclosure, Alteration, Destruction — the opposite of CIA, naming the threats to each goal.
- Authentication
- Proving a claimed identity with a credential (something you know, have, or are).
- Non-repudiation
- Assurance that a party cannot deny having performed an action; provided by digital signatures and logging.
- Privacy
- The appropriate collection, use, and protection of personal information.
- Information assurance concepts (CC)
- Confidentiality, Integrity, Availability, plus Authentication, Non-repudiation, and Privacy.
- Asset
- Anything of value to the organization that needs protection — data, hardware, software, or people.
- Threat
- Any potential event or actor that could cause harm by exploiting a vulnerability.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Risk
- The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
- Threat vs. vulnerability vs. risk
- Threat = potential cause of harm; vulnerability = weakness it exploits; risk = chance and impact of that happening.
- Likelihood
- The probability that a given threat will exploit a given vulnerability.
- Impact
- The magnitude of harm if a risk event occurs.
- Risk = ?
- A function of likelihood × impact, requiring a threat, a vulnerability, and an asset of value.
- Risk management process
- Identify assets/threats/vulnerabilities, assess and prioritize, choose treatment, implement controls, monitor.
- Four risk treatment options
- Avoid, Mitigate (reduce), Transfer, Accept.
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk mitigation
- Reducing risk to an acceptable level by implementing controls.
- Risk transference
- Shifting the financial impact of a risk to a third party, such as through insurance.
- Risk acceptance
- A documented, management-approved decision to tolerate a risk and its potential impact.
- Residual risk
- The risk that remains after controls are applied; senior management formally accepts it.
- Who owns risk?
- Senior management — they own risk and set the tone; security translates business goals into rules.
- Security control
- A safeguard that reduces risk to assets; categorized by type and by function.
- Technical (logical) control
- A control implemented with technology — firewalls, encryption, antivirus, MFA, access control lists.
- Administrative (managerial) control
- Policies, procedures, standards, and training that direct how people behave.
- Physical control
- A tangible barrier protecting facilities and hardware — locks, fences, guards, badges, CCTV.
- Three control TYPES
- Technical (logical), Administrative (managerial), and Physical.
- Preventive control
- Stops an incident before it happens — a lock, a firewall rule, MFA.
- Detective control
- Identifies an incident in progress or after the fact — CCTV, IDS, logs, audits.
- Corrective control
- Restores systems after an incident — backups, patches, antivirus removal.
- Deterrent control
- Discourages an attacker — warning signs, visible guards, lighting.
- Control type vs. function
- Type = HOW it's built (technical/admin/physical); function = WHAT it does (preventive/detective/corrective/deterrent).
- Firewall control classification
- Technical type, preventive function — it filters traffic by rules before it's allowed in.
- CCTV control classification
- Physical type, detective and deterrent function — it records activity and discourages intruders.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Governance document hierarchy
- Regulation/law → policy → standard → procedure → guideline.
- Policy
- A high-level management statement of intent and goals; mandatory.
- Standard
- A specific mandatory requirement supporting a policy (e.g., 'use AES-256').
- Procedure
- Detailed step-by-step instructions for a task; mandatory.
- Guideline
- Recommended, discretionary best practice; the only non-mandatory document.
- Regulation / law
- A rule imposed by a government or authority that the organization must obey.
- ISC2 Code of Ethics — # of canons
- Four canons, applied in order.
- ISC2 Code of Ethics canon 1
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- ISC2 Code of Ethics canon 2
- Act honorably, honestly, justly, responsibly, and legally.
- ISC2 Code of Ethics canon 3
- Provide diligent and competent service to principals.
- ISC2 Code of Ethics canon 4
- Advance and protect the profession.
- Conflicting ethics canons — which wins?
- The earlier (lower-numbered) canon — protecting society outranks advancing the profession.
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls — what a prudent person would do.
- Due diligence
- Doing the research and developing the plans/policies needed to protect the organization.
- Defense in depth vs. single control
- No single control is a silver bullet; layers force an attacker to defeat several independent defenses.
- Compensating control
- An alternative control used when the primary control isn't feasible, providing similar protection.
- Business continuity (BC)
- Keeping critical business functions operating during and after a disruption — the organization-wide plan.
- Disaster recovery (DR)
- The IT-focused subset of continuity: restoring systems, data, and infrastructure after a disaster.
- BC vs. DR
- BC keeps the whole business running; DR is the IT subset that restores technology.
- Business continuity plan (BCP)
- A documented plan to keep critical functions running through a disruption.
- Disaster recovery plan (DRP)
- A documented plan to restore IT systems and data after a disruptive event.
- Business Impact Analysis (BIA)
- Identifies critical business functions and sets recovery objectives (MTD, RTO, RPO); the heart of continuity.
- Maximum Tolerable Downtime (MTD)
- The longest a function can be unavailable before unacceptable harm; sets the ceiling for the RTO.
- Recovery Time Objective (RTO)
- The target time to restore a system after a disruption; must be shorter than the MTD.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
- RTO vs. RPO
- RTO = time to recover; RPO = data you can afford to lose.
- RTO and MTD relationship
- RTO must always be shorter than the MTD.
- Hot site
- A fully equipped recovery site with near-real-time failover; fastest recovery, most expensive.
- Warm site
- A recovery site with hardware and connectivity; data restored on demand. Moderate cost and speed.
- Cold site
- An empty recovery space with power and cooling only; cheapest, slowest to bring online.
- Recovery sites by cost/speed
- Hot (fast, costly) → warm → cold (cheap, slow).
- Full backup
- Backs up all selected data; fastest to restore (one set), slowest to back up.
- Incremental backup
- Backs up changes since the last backup of any type; fast backup, slow restore.
- Differential backup
- Backs up changes since the last full backup; slower backup, faster restore.
- 3-2-1 backup rule
- Keep three copies of data, on two different media types, with one copy off-site.
- Event
- Any observable occurrence on a system or network.
- Incident
- An event that actually or potentially harms the confidentiality, integrity, or availability of information.
- Event vs. incident
- Every incident is an event, but only some events harm security and become incidents.
- Incident response (IR)
- The structured process to prepare for, detect, contain, eradicate, recover from, and learn from an incident.
- Incident response team
- A designated group that follows the IR plan to handle security incidents.
- NIST incident response lifecycle
- Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity.
- IR phase: Preparation
- Build the IR plan, team, tools, and communications, and train staff — before anything happens.
- IR phase: Detection & Analysis
- Recognize and confirm an incident, determine its scope, and prioritize it.
- IR phase: Containment, Eradication & Recovery
- Stop the spread, remove the cause, and restore systems to normal operation.
- IR phase: Post-Incident Activity
- Hold a lessons-learned review and improve the plan and controls.
- First step during an active incident
- Containment — limit the damage before eradicating the cause.
- Lessons learned
- The post-incident review that documents what happened and improves future response.
- Least privilege
- Granting users and processes only the minimum access needed to do their job, and nothing more.
- Need-to-know
- Limiting access to the specific information required to perform a task.
- Segregation (separation) of duties
- Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
- AAA model
- Authentication, Authorization, and Accountability.
- Access control sequence
- Identification → Authentication → Authorization → Accountability.
- Identification
- A subject claiming an identity, such as entering a username — the first step of access control.
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Accountability
- Tying actions back to a specific identity through logging and monitoring.
- Multi-factor authentication (MFA)
- Using two or more factors from different categories — something you know, have, and are.
- Something you know
- A knowledge authentication factor — password, PIN, or passphrase.
- Something you have
- A possession authentication factor — smart card, hardware token, or phone.
- Something you are
- An inherence (biometric) authentication factor — fingerprint, iris, or face.
- Is password + security question MFA?
- No — both are 'something you know,' so it's single-factor. MFA requires different categories.
- Discretionary access control (DAC)
- Access decided by the data owner, e.g., file permissions and ACLs. Flexible but error-prone.
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; the most restrictive, used for classified data.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales well in organizations.
- DAC vs. MAC vs. RBAC
- DAC = owner decides; MAC = system enforces from labels; RBAC = by job role.
- Most restrictive access model
- Mandatory Access Control (MAC) — the system, not the owner, decides based on labels and clearances.
- Access control model for scalable provisioning
- RBAC — assign access by role so staff inherit and lose permissions as their role changes.
- Physical access control
- A tangible control protecting facilities and hardware — locks, badges, guards, CCTV.
- Mantrap (access control vestibule)
- A two-door airlock allowing one person per authentication; stops tailgating.
- Tailgating
- Following an authorized person through a secure door without authenticating.
- Piggybacking
- Being let through a secure door by an authorized person (with their awareness).
- Biometric authentication
- Verifying identity from a physical trait — fingerprint, iris, face, or voice.
- False acceptance rate (FAR)
- How often a biometric system wrongly accepts an unauthorized user (a Type II error).
- False rejection rate (FRR)
- How often a biometric system wrongly rejects an authorized user (a Type I error).
- Single sign-on (SSO)
- One authentication that grants access to multiple systems.
- Privileged account
- An account with elevated rights (e.g., administrator) that needs extra protection and monitoring.
- Provisioning / deprovisioning
- Granting access when a user joins or changes roles, and removing it promptly when they leave.
- Logical (technical) access control
- Technology-based control of access to systems and data — passwords, MFA, ACLs, encryption.
- OSI model
- A seven-layer reference model: Physical, Data Link, Network, Transport, Session, Presentation, Application.
- OSI layer 1
- Physical — cables, signals, and hardware; hubs.
- OSI layer 2
- Data Link — MAC addresses, switches, and frames.
- OSI layer 3
- Network — IP addressing and routing; routers; IPsec.
- OSI layer 4
- Transport — TCP and UDP; port numbers.
- OSI layer 5
- Session — setting up, managing, and tearing down sessions.
- OSI layer 6
- Presentation — encryption, encoding, and formatting.
- OSI layer 7
- Application — the data the user interacts with (HTTP, DNS, SMTP).
- OSI mnemonic (Layer 1→7)
- Please Do Not Throw Sausage Pizza Away.
- Switch — OSI layer
- Layer 2 (Data Link) — forwards frames by MAC address.
- Router — OSI layer
- Layer 3 (Network) — forwards packets by IP address.
- TCP/IP model
- A four-layer practical model: Network Access, Internet, Transport, and Application.
- TCP
- Transmission Control Protocol — connection-oriented, reliable, ordered delivery (Layer 4).
- UDP
- User Datagram Protocol — connectionless, fast, but unreliable (Layer 4).
- TCP vs. UDP
- TCP is reliable and connection-oriented; UDP is fast and connectionless.
- IPv4
- 32-bit IP addressing (about 4.3 billion addresses) — running out.
- IPv6
- 128-bit IP addressing — vastly more addresses than IPv4.
- Port 22
- SSH — secure remote administration.
- Port 53
- DNS — domain name resolution.
- Port 80
- HTTP — unencrypted web traffic.
- Port 443
- HTTPS (TLS) — encrypted web traffic.
- Port 3389
- RDP — Remote Desktop Protocol.
- WPA3
- The current secure WiFi encryption standard; use it instead of legacy WEP.
- WEP
- An obsolete, insecure WiFi encryption standard that should never be used.
- Malware
- Malicious software — viruses, worms, trojans, ransomware, spyware.
- Virus
- Malware that attaches to a host file and spreads when a user runs it.
- Worm
- Malware that self-replicates across networks with no user action.
- Trojan
- Malware disguised as legitimate software to trick the user into installing it.
- Ransomware
- Malware that encrypts data and demands payment for the decryption key.
- Spyware
- Malware that secretly gathers information about a user or system.
- DoS attack
- A Denial-of-Service attack that floods a system from one source to make it unavailable.
- DDoS attack
- A Distributed Denial-of-Service attack launched from many compromised machines (a botnet) at once.
- DoS vs. DDoS
- DoS floods from one source; DDoS floods from many distributed sources, making it harder to block.
- On-path (man-in-the-middle) attack
- Intercepting and possibly altering traffic between two communicating parties.
- Side-channel attack
- Extracting information through physical signals such as power use, timing, or electromagnetic leaks.
- Firewall
- A control that filters network traffic, allowing or blocking it based on a defined ruleset.
- IDS
- Intrusion Detection System — monitors traffic and alerts on suspicious activity but does not block it.
- IPS
- Intrusion Prevention System — detects and actively blocks malicious traffic.
- IDS vs. IPS
- IDS detects and alerts only; IPS detects and blocks.
- VLAN
- A virtual LAN that logically segments a network to isolate traffic.
- Network segmentation
- Dividing a network into zones to limit the spread of an attack and control traffic.
- DMZ
- A screened subnet that exposes public-facing services while shielding the internal network.
- VPN
- A Virtual Private Network — an encrypted tunnel that secures traffic across an untrusted network.
- Zero trust
- A model that trusts no user or device by default and continuously verifies every access request.
- SaaS
- Software as a Service — the provider delivers ready-to-use applications over the internet.
- PaaS
- Platform as a Service — the provider delivers a platform to build and run applications.
- IaaS
- Infrastructure as a Service — the provider delivers virtualized compute, storage, and networking.
- Cloud shared responsibility model
- The provider secures the cloud itself; the customer secures their data, access, and configuration.
- Botnet
- A network of compromised machines controlled by an attacker, often used for DDoS.
- Data at rest
- Data stored on a disk or in a database; protected with full-disk or database encryption.
- Data in transit
- Data moving across a network; protected with TLS, IPsec, or a VPN.
- Data in use
- Data decrypted in memory while being processed — the hardest state to protect.
- Three data states
- At rest (stored), in transit (moving), and in use (being processed).
- Encryption
- Converting data into an unreadable form so only authorized parties with the key can read it.
- Symmetric encryption
- Uses one shared secret key for both encrypting and decrypting (e.g., AES); fast but key distribution is hard.
- Asymmetric encryption
- Uses a public/private key pair (e.g., RSA); slower, but solves key exchange and enables signatures.
- Symmetric vs. asymmetric
- Symmetric = one shared key, fast; asymmetric = key pair, slower, solves key exchange.
- AES
- Advanced Encryption Standard — the widely used symmetric encryption algorithm.
- RSA
- A widely used asymmetric (public-key) encryption and digital-signature algorithm.
- Hashing
- A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256).
- Encryption vs. hashing
- Encryption is reversible with a key (confidentiality); hashing is one-way (integrity).
- Digital signature
- A hash encrypted with the sender's private key, giving integrity, authenticity, and non-repudiation.
- Public/private key — encrypt vs. sign
- Encrypt for confidentiality with the recipient's public key; sign for authenticity with your own private key.
- Data classification
- Labeling data by sensitivity (public, internal, confidential, restricted) so the right protection applies.
- Logging and monitoring
- Recording and reviewing system activity to detect, investigate, and respond to problems.
- SIEM
- Security Information and Event Management — centralizes and correlates logs for detection and analysis.
- System hardening
- Reducing a system's attack surface — remove unneeded services, close ports, disable defaults, patch.
- Baseline
- A minimum required level of secure configuration to harden a system toward.
- Configuration management
- Recording, controlling, and approving changes to system settings to keep a known-good state.
- Change management
- A controlled process for evaluating, testing, approving, and documenting changes to systems.
- Patch management
- Applying vendor updates promptly to close known vulnerabilities.
- Acceptable use policy (AUP)
- A policy defining how employees may use organizational systems and data.
- BYOD policy
- Rules governing the use of personal devices for work to protect organizational data.
- Password policy
- Rules for password length, complexity, rotation, and reuse to strengthen authentication.
- Data handling policy
- Rules for how data is stored, transmitted, shared, retained, and destroyed by classification.
- Social engineering
- Manipulating people into divulging information or taking actions that compromise security.
- Phishing
- A social-engineering attack using fraudulent messages to trick users into revealing credentials or installing malware.
- Spear phishing
- A targeted phishing attack aimed at a specific person or organization using personalized details.
- Whaling
- Phishing that targets high-value executives such as a CEO or CFO.
- Vishing / smishing
- Social engineering by voice call (vishing) or SMS text (smishing).
- Security awareness training
- Educating users to recognize and avoid threats such as phishing and social engineering.
- Best defense against phishing
- Security awareness training, backed by email filtering and MFA so stolen credentials alone aren't enough.
- Data destruction / sanitization
- Removing data so it can't be recovered — overwriting, degaussing, or physical destruction.
- Principle: least functionality
- Configure systems to provide only essential capabilities, disabling unneeded ports, services, and software.
- Qualitative risk analysis
- Ranking risk subjectively as high/medium/low — fast, but not expressed in dollars.
- Quantitative risk analysis
- Assigning objective monetary values to risk (e.g., expected annual loss) to cost-justify controls.
- Threat actor
- A person or group that carries out a threat — e.g., hacktivists, insiders, nation-states, cybercriminals.
- Insider threat
- A risk posed by people inside the organization, whether malicious or careless.
- Asset inventory
- A catalog of the organization's assets and their value — the starting point of risk management.
- Security governance
- The framework of policies, roles, and oversight by which leadership directs security.
- Prudent person rule
- Acting with the care a reasonable, prudent person would in the same situation (due care + due diligence).
- Tabletop exercise
- A discussion-based walkthrough of the incident or continuity plan to test it without disrupting operations.
- Failover
- Automatically switching to a standby system or site when the primary fails.
- Redundancy
- Duplicating critical components so a single failure doesn't cause an outage (supports availability).
- Why test the BCP/DRP?
- Untested plans fail in a real disaster; testing finds gaps and trains the team before it matters.
- Business continuity vs. incident response
- BC keeps the business running through disruption; IR handles a specific security incident.
- Root cause analysis
- Determining the underlying cause of an incident so it can be fixed and prevented from recurring.
- Authentication vs. authorization
- Authentication proves who you are; authorization decides what you're allowed to do.
- Token (authentication)
- A possession factor that generates or stores a credential (e.g., a one-time code).
- Type I vs. Type II biometric error
- Type I = false rejection (authorized user denied); Type II = false acceptance (impostor allowed).
- Account lockout
- Disabling an account after repeated failed logins to slow password-guessing attacks.
- Just-in-time access
- Granting elevated privileges only when needed and for a limited time, reducing standing access.
- Physical vs. logical access control
- Physical protects facilities and hardware; logical protects systems and data via technology.
- NAT
- Network Address Translation — maps private internal IPs to a public IP, hiding internal addressing.
- Proxy server
- An intermediary that forwards and can filter or cache traffic between clients and servers.
- Network segmentation benefit
- Limits the blast radius of an attack and contains threats to one zone.
- Spoofing
- Faking a source identity such as an IP or email address to bypass controls or deceive a target.
- Sniffing
- Capturing network traffic to read data, especially when it's unencrypted.
- TLS
- Transport Layer Security — encrypts traffic in transit (the 'S' in HTTPS).
- MAC address
- A hardware address that identifies a device on a local network (used at OSI Layer 2).
- Logging — why it matters
- You can't detect or investigate what you can't see; logs provide accountability and detection.
- Default deny
- Blocking everything by default and allowing only what's explicitly permitted.
- Separation of duties (ops)
- No single person controls a critical operational task end to end, reducing fraud.
- Data retention policy
- Rules for how long data is kept and when it's securely destroyed.
- Endpoint protection
- Security controls on devices — antivirus/EDR, hardening, patching, encryption.
- Vulnerability management
- The ongoing process of identifying, prioritizing, and remediating weaknesses.
- Principle of least privilege (ops)
- Run services and grant accounts only the minimum rights needed, limiting damage from compromise.