- CIA triad
- Confidentiality, Integrity, Availability — the three core goals of information security.
- Confidentiality
- Preventing unauthorized disclosure of data; protected by encryption and access controls.
- Integrity
- Ensuring data is accurate and unaltered except by authorized parties; protected by hashing and digital signatures.
- Availability
- Ensuring authorized users have timely, reliable access to systems and data.
- DAD triad
- Disclosure, Alteration, Destruction — the opposite of CIA; names the threats to each goal.
- Authenticity
- Assurance that data, a transaction, or a message is genuine and from its claimed source.
- Non-repudiation
- Assurance that a party cannot deny an action; achieved via digital signatures and logging.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Security governance
- The framework of policies, roles, and oversight by which senior management directs and controls security.
- Due diligence
- Doing the research and developing the plans and policies needed to protect the organization.
- Due care
- Acting on due diligence — implementing and maintaining reasonable controls (the prudent person rule).
- Prudent person rule
- Acting with the care a reasonable, prudent person would in similar circumstances; reduces negligence liability.
- Policy
- A high-level management statement of intent and goals; mandatory and broad.
- Standard
- A mandatory, specific requirement that supports a policy (e.g., 'use AES-256').
- Procedure
- Detailed, mandatory step-by-step instructions for a task.
- Baseline
- A minimum required level of security that systems must meet.
- Guideline
- A recommended, discretionary (optional) best practice.
- Risk
- The likelihood that a threat exploits a vulnerability, and the resulting impact on an asset.
- Threat
- Any potential event or actor that could harm an asset by exploiting a vulnerability.
- Threat agent / actor
- The entity (person, group, or process) that carries out a threat.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Exposure
- An instance of being susceptible to loss from a threat exploiting a vulnerability.
- Asset
- Anything of value to the organization — data, systems, people, facilities, or reputation.
- Asset value (AV)
- The monetary worth assigned to an asset, used in quantitative risk analysis.
- Exposure factor (EF)
- The percentage of an asset's value lost if a specific risk event occurs.
- Single Loss Expectancy (SLE)
- Expected loss from one occurrence: SLE = Asset Value × Exposure Factor.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a risk event occurs in one year.
- Annualized Loss Expectancy (ALE)
- Expected yearly cost of a risk: ALE = SLE × ARO.
- SLE formula
- SLE = AV × EF (Asset Value times Exposure Factor).
- ALE formula
- ALE = SLE × ARO (Single Loss Expectancy times Annualized Rate of Occurrence).
- Qualitative risk analysis
- Subjective ranking of risk (high/medium/low) using scenarios and judgment — fast, not dollar-based.
- Quantitative risk analysis
- Objective, dollar-based risk analysis using AV, EF, SLE, ARO, and ALE.
- Residual risk
- The risk that remains after controls are applied; senior management formally accepts it.
- Total risk
- The risk before any controls are applied (threats × vulnerabilities × asset value).
- Risk mitigation
- Reducing risk to an acceptable level by implementing controls.
- Risk transference
- Shifting the financial impact of a risk to a third party, such as insurance.
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk acceptance
- A documented, management-approved decision to tolerate a risk.
- Risk deterrence
- Discouraging a threat actor from acting (e.g., warnings, visible controls).
- Control cost rule
- A countermeasure should never cost more than the asset it protects (or the ALE reduction it provides).
- Safeguard / countermeasure
- A control that reduces the likelihood or impact of a risk.
- Administrative controls
- Policies, procedures, training, and personnel practices (management controls).
- Technical / logical controls
- Hardware and software controls such as firewalls, encryption, and access control.
- Physical controls
- Controls that protect facilities and equipment (locks, fences, guards, cameras).
- Preventive control
- A control that stops an incident before it happens (e.g., a lock, MFA).
- Detective control
- A control that identifies an incident in progress or after it (e.g., logs, IDS, cameras).
- Corrective control
- A control that restores systems after an incident (e.g., backups, patches).
- Deterrent control
- A control that discourages a threat (e.g., warning signs, visible cameras).
- Compensating control
- An alternative control used when the primary one isn't feasible.
- Threat modeling
- Systematically identifying and prioritizing threats to a system during design.
- STRIDE
- Threat model: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- DREAD
- A risk-rating model: Damage, Reproducibility, Exploitability, Affected users, Discoverability.
- Security control frameworks
- Structured sets of controls — e.g., NIST SP 800-53, ISO/IEC 27001/27002, COBIT.
- ISO/IEC 27001
- International standard for an Information Security Management System (ISMS).
- ISO/IEC 27002
- Code of practice giving guidance on information security controls.
- NIST Cybersecurity Framework
- A framework of five functions: Identify, Protect, Detect, Respond, Recover.
- ISC2 Code of Ethics — Canon 1
- Protect society, the common good, necessary public trust, and the infrastructure.
- ISC2 Code of Ethics — Canon 2
- Act honorably, honestly, justly, responsibly, and legally.
- ISC2 Code of Ethics — Canon 3
- Provide diligent and competent service to principals.
- ISC2 Code of Ethics — Canon 4
- Advance and protect the profession.
- Code of Ethics canon order
- Canons are applied in order; when they conflict, the earlier (society) outranks the later (profession).
- GDPR
- EU General Data Protection Regulation — protects personal data of EU residents; heavy fines for noncompliance.
- HIPAA
- U.S. law protecting the privacy and security of health information (PHI).
- GLBA
- Gramm-Leach-Bliley Act — requires financial institutions to protect customers' personal financial data.
- SOX
- Sarbanes-Oxley Act — requires accurate financial reporting and internal controls for public companies.
- PCI DSS
- Payment Card Industry Data Security Standard — protects cardholder data (industry standard, not law).
- Intellectual property — patent
- Grants exclusive rights to an invention for a limited time (about 20 years).
- Intellectual property — trademark
- Protects words, symbols, or logos identifying goods/services.
- Intellectual property — copyright
- Protects original works of authorship (software, writing, art).
- Trade secret
- Confidential business information that gives a competitive edge, protected as long as it's kept secret.
- Business continuity plan (BCP)
- A plan to keep critical business functions operating during and after a disruption.
- Disaster recovery (DR)
- Processes and procedures to restore IT systems and operations after a disaster.
- Business Impact Analysis (BIA)
- Identifies critical functions and sets recovery objectives (MTD, RTO, RPO) — the heart of continuity planning.
- Maximum Tolerable Downtime (MTD)
- The longest a function can be unavailable before unacceptable harm; drives the RTO.
- Recovery Time Objective (RTO)
- The target time to restore a function after a disruption; must be less than the MTD.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss, measured backward in time; drives backup frequency.
- Work Recovery Time (WRT)
- Time to verify systems and data after recovery before resuming normal operations.
- MTBF
- Mean Time Between Failures — the average time a repairable component runs before failing.
- MTTR
- Mean Time To Repair — the average time to restore a failed component.
- Critical business functions
- The functions an organization must perform to survive; identified by the BIA.
- Senior management role in BCP
- Senior management must champion, fund, and ultimately own the BCP.
- Data classification
- Labeling data by sensitivity so the right level of protection is applied.
- Government classification levels
- Top Secret, Secret, Confidential, Unclassified (high to low sensitivity).
- Commercial classification levels
- Common scheme: Confidential, Private, Sensitive, Public.
- Data owner
- The senior business manager accountable for data; assigns classification and protection requirements.
- Data custodian
- Implements and maintains the controls protecting data day to day — usually IT.
- Data controller
- Under privacy law, the entity that decides why and how personal data is processed.
- Data processor
- A party that processes personal data on behalf of, and on the instructions of, the controller.
- System owner
- The person responsible for a system's operation and security throughout its lifecycle.
- Data steward
- Responsible for data quality, definitions, and appropriate use within a business area.
- Data user
- An end user who accesses data to perform their job, following handling rules.
- Data states
- At rest (stored), in transit (moving), and in use (being processed in memory).
- Data at rest
- Stored data — protect with full-disk and database encryption.
- Data in transit
- Moving data — protect with TLS, IPsec, or VPNs.
- Data in use
- Data being processed in memory — hardest to protect (e.g., secure enclaves).
- Data lifecycle
- Create, store, use, share, archive, and destroy — each stage needs appropriate protection.
- Data remanence
- Residual data left on media after deletion or formatting that may be recoverable.
- Clearing
- Overwriting media so data can't be recovered by normal means; suitable for internal reuse.
- Purging
- Stronger sanitization (degaussing or multiple overwrites) to allow external release of media.
- Destruction
- Physically destroying media (shred, pulverize, incinerate) for the most sensitive data.
- Degaussing
- Using a strong magnetic field to erase data from magnetic media; does not work on SSDs.
- NIST SP 800-88
- Guidelines for media sanitization defining Clear, Purge, and Destroy levels.
- Data Loss Prevention (DLP)
- Technology that detects and blocks unauthorized exfiltration of sensitive data.
- Scoping
- Selecting only the security controls from a baseline that apply to a given system.
- Tailoring
- Adjusting a baseline of controls to fit an organization's specific needs.
- Data retention policy
- Defines how long data must be kept and when it must be securely destroyed.
- PII
- Personally Identifiable Information — data that can identify a specific individual.
- PHI
- Protected Health Information — individually identifiable health data under HIPAA.
- Data anonymization
- Removing identifiers so data can no longer be linked to an individual.
- Pseudonymization
- Replacing identifying fields with pseudonyms so re-identification needs separate, protected data.
- Tokenization
- Replacing sensitive data with a non-sensitive token, with the real value stored securely elsewhere.
- Data masking
- Hiding parts of data (e.g., showing only the last 4 digits) to limit exposure.
- Labeling vs. marking
- Labeling = machine-readable classification; marking = human-readable classification on documents.
- Information lifecycle protection
- Applying classification, handling, and disposal rules to data from creation to destruction.
- Asset inventory
- A maintained record of all assets and their owners — the basis for protecting them.
- Data sovereignty
- Data is subject to the laws of the country in which it is physically stored.
- Security model
- A formal statement of rules that a system enforces to meet a security policy.
- Bell-LaPadula model
- Confidentiality model: no read up (Simple Security) and no write down (*-Property).
- Bell-LaPadula simple security property
- No read up — a subject can't read data above its clearance.
- Bell-LaPadula star property
- No write down — a subject can't write data to a lower level.
- Biba model
- Integrity model: no read down (Simple Integrity) and no write up (*-Integrity).
- Biba simple integrity axiom
- No read down — a subject can't read data of lower integrity.
- Biba star integrity axiom
- No write up — a subject can't write to a higher integrity level.
- Clark-Wilson model
- Integrity model using well-formed transactions and separation of duties (the access triple).
- Brewer-Nash (Chinese Wall)
- Confidentiality model that changes access dynamically to prevent conflicts of interest.
- Take-Grant model
- A model describing how rights can be passed (taken or granted) between subjects.
- Reference monitor
- The abstract concept that mediates ALL access between subjects and objects.
- Security kernel
- The hardware/software that implements the reference monitor concept.
- Trusted Computing Base (TCB)
- All hardware, software, and firmware that enforces a system's security policy.
- Security perimeter
- The boundary separating the TCB from the rest of the system.
- Common Criteria
- An international standard for evaluating product security, rated by EAL (1-7).
- Evaluation Assurance Level (EAL)
- A Common Criteria rating from EAL1 (lowest) to EAL7 (highest) assurance.
- Protection rings
- Hierarchical privilege levels (Ring 0 = kernel, outer rings = user) isolating processes.
- Trusted Platform Module (TPM)
- A hardware chip that securely stores keys and supports measured boot and disk encryption.
- Cryptography
- The science of protecting information using encryption, hashing, and related techniques.
- Plaintext / ciphertext
- Plaintext is readable data; ciphertext is the encrypted, unreadable form.
- Symmetric encryption
- One shared secret key for encrypting and decrypting; fast but key distribution is hard.
- Asymmetric encryption
- A public/private key pair; slower but solves key exchange and enables signatures.
- AES
- Advanced Encryption Standard — the dominant symmetric block cipher (128/192/256-bit keys).
- DES / 3DES
- Older symmetric ciphers; DES (56-bit) is broken, 3DES is deprecated.
- RSA
- A widely used asymmetric algorithm based on the difficulty of factoring large numbers.
- ECC
- Elliptic Curve Cryptography — asymmetric crypto giving strong security with smaller keys.
- Diffie-Hellman
- A key-exchange algorithm that lets two parties derive a shared secret over an insecure channel.
- Hashing
- A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256).
- SHA-256
- A secure hashing algorithm producing a 256-bit digest; used for integrity and signatures.
- MD5 / SHA-1
- Older hash functions now considered insecure (collision attacks) — avoid for security.
- Digital signature
- A hash of a message encrypted with the sender's PRIVATE key — gives integrity, authenticity, non-repudiation.
- Encrypt for confidentiality
- Encrypt with the RECIPIENT's public key; only their private key can decrypt.
- Sign for authenticity
- Sign with YOUR private key; anyone can verify with your public key.
- Public Key Infrastructure (PKI)
- The framework of certificate authorities, certificates, and policies that manages public keys.
- Certificate Authority (CA)
- A trusted entity that issues and signs digital certificates binding a key to an identity.
- Digital certificate (X.509)
- A signed document binding a public key to an identity, issued by a CA.
- Hybrid cryptography
- Using asymmetric encryption to exchange a fast symmetric session key (e.g., TLS).
- Salt
- Random data added to a password before hashing to defeat precomputed (rainbow) attacks.
- HMAC
- A keyed hash providing integrity and authenticity of a message.
- Key escrow
- Storing a copy of cryptographic keys with a trusted third party for recovery.
- Perfect forward secrecy
- Session keys that, if compromised, don't expose past or future sessions.
- Block vs. stream cipher
- Block ciphers encrypt fixed-size blocks (AES); stream ciphers encrypt one bit or byte at a time (RC4).
- Kerckhoffs's principle
- A cryptosystem should be secure even if everything but the key is public.
- Physical security — CPTED
- Crime Prevention Through Environmental Design — using layout to deter crime.
- Mantrap / access control vestibule
- A two-door entry that allows only one person at a time, preventing tailgating.
- Fire suppression — water vs. gas
- Water (sprinklers) for general areas; clean-agent gas for equipment rooms to avoid damage.
- Faraday cage
- An enclosure that blocks electromagnetic signals (and emanations like TEMPEST).
- TEMPEST
- Standards to prevent data leakage via electromagnetic emanations from equipment.
- OSI model
- A seven-layer model: Physical, Data Link, Network, Transport, Session, Presentation, Application.
- OSI Layer 1 — Physical
- Cables, signals, and hubs; transmits raw bits.
- OSI Layer 2 — Data Link
- MAC addresses and switches; frames on the local network.
- OSI Layer 3 — Network
- IP addressing and routing; routers and IPsec operate here.
- OSI Layer 4 — Transport
- End-to-end delivery; TCP and UDP, port numbers.
- OSI Layer 5 — Session
- Establishes, manages, and tears down sessions.
- OSI Layer 6 — Presentation
- Data translation, encoding, and encryption formatting.
- OSI Layer 7 — Application
- User-facing protocols: HTTP, DNS, SMTP.
- TCP/IP model
- A four-layer model: Link, Internet, Transport, Application — maps onto OSI.
- TCP vs. UDP
- TCP is connection-oriented and reliable (handshake); UDP is connectionless and fast.
- TCP three-way handshake
- SYN, SYN-ACK, ACK — establishes a reliable TCP connection.
- Switch (Layer 2)
- Forwards frames using MAC addresses within a local network.
- Router (Layer 3)
- Forwards packets between networks using IP addresses.
- Firewall
- A device or software that filters traffic between networks based on rules.
- Stateful firewall
- Tracks the state of connections and allows return traffic for established sessions.
- Packet-filtering firewall
- Filters traffic by IP, port, and protocol without tracking connection state.
- Next-generation firewall (NGFW)
- Adds application awareness, IPS, and deep packet inspection to a firewall.
- Proxy server
- An intermediary that forwards requests on behalf of clients, hiding internal hosts.
- DMZ
- A screened subnet between the internet and the internal network for public-facing servers.
- VLAN
- A logical network segment that isolates traffic at Layer 2 for security and performance.
- Network segmentation
- Dividing a network into zones to limit lateral movement and contain breaches.
- VPN
- An encrypted tunnel that protects traffic over an untrusted network.
- IPsec
- A Layer 3 protocol suite that secures IP traffic; used for VPNs (AH and ESP).
- IPsec AH vs. ESP
- AH provides integrity/authentication; ESP provides confidentiality (encryption) plus integrity.
- TLS
- Transport Layer Security — encrypts application traffic (HTTPS); successor to SSL.
- SSH
- Secure Shell — encrypted remote administration; replaces Telnet.
- Insecure legacy protocols
- Telnet, FTP, HTTP, SNMPv1/2, and WEP transmit data in the clear — avoid them.
- WPA2 / WPA3
- Wi-Fi security protocols; WPA3 is the current standard with stronger encryption.
- WEP
- An obsolete, broken Wi-Fi security protocol — never use it.
- IDS vs. IPS
- An IDS detects and alerts on attacks; an IPS detects and actively blocks them.
- NAC
- Network Access Control — enforces policy (e.g., patch state) before allowing a device on the network.
- DDoS attack
- Distributed Denial of Service — overwhelming a target with traffic from many sources.
- Man-in-the-middle (MITM)
- An attacker intercepts and possibly alters communication between two parties.
- ARP spoofing
- Forging ARP replies to associate the attacker's MAC with another host's IP.
- DNS poisoning
- Corrupting DNS records to redirect users to malicious sites.
- Software-Defined Networking (SDN)
- Decoupling network control from forwarding, managed centrally by software.
- Network access — 802.1X
- A port-based network access control standard requiring authentication before access.
- Converged protocols
- Carrying multiple traffic types over one network (e.g., VoIP, FCoE), which has security implications.
- Zero Trust
- A model that trusts no one by default; verifies every request regardless of network location.
- Microsegmentation
- Fine-grained segmentation down to individual workloads, a key Zero Trust technique.
- Identification
- A subject claiming an identity (e.g., a username) — the first step of access control.
- Authentication
- Proving a claimed identity with a credential (knowledge, possession, or inherence).
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Accountability
- Tying actions back to a specific identity through logging and auditing.
- AAA
- Authentication, Authorization, and Accounting — the pillars of access control.
- Type 1 factor — something you know
- Knowledge factor: password, PIN, or passphrase.
- Type 2 factor — something you have
- Possession factor: smart card, hardware token, or phone.
- Type 3 factor — something you are
- Inherence (biometric) factor: fingerprint, iris, or face.
- Multi-factor authentication (MFA)
- Using two or more factors from DIFFERENT categories — know, have, are.
- Why two passwords isn't MFA
- Two of the same factor type (password + security question) is still single-factor.
- Biometric — FAR
- False Acceptance Rate — wrongly accepting an unauthorized person (a security failure).
- Biometric — FRR
- False Rejection Rate — wrongly rejecting an authorized person (a usability failure).
- Biometric — CER
- Crossover Error Rate — where FAR equals FRR; lower CER means a better biometric system.
- Least privilege
- Granting users and processes only the minimum access needed — and nothing more.
- Need to know
- Limiting access to the specific information required to perform a task.
- Separation of duties
- Splitting a sensitive task so no single person controls it end to end.
- Job rotation
- Periodically moving staff between roles to detect fraud and reduce dependence.
- Mandatory vacation
- Requiring time off so fraud that depends on continuous presence is exposed.
- Discretionary access control (DAC)
- The data owner decides who gets access (file permissions, ACLs).
- Mandatory access control (MAC)
- The system enforces access from labels and clearances; rigid and high-security.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales in enterprises.
- Attribute-based access control (ABAC)
- Access decided by attributes and policy (user, resource, time, location) — most granular.
- Rule-based access control
- Global rules applied to everyone (e.g., a firewall ruleset, time-of-day limits).
- Access Control List (ACL)
- A list specifying which subjects may access an object and with what rights.
- Capability table
- A list of the objects a specific subject is allowed to access (subject-centric).
- Single sign-on (SSO)
- One authentication grants access to multiple systems.
- Kerberos
- A symmetric-key SSO protocol using tickets and a Key Distribution Center (KDC).
- Kerberos KDC
- Key Distribution Center — issues tickets; comprises the Authentication Server and TGS.
- Kerberos TGT
- Ticket-Granting Ticket — proves a user authenticated, used to request service tickets.
- SAML
- Security Assertion Markup Language — XML standard for web SSO and federation.
- OAuth 2.0
- An authorization framework that lets apps access resources without sharing passwords.
- OpenID Connect (OIDC)
- An authentication layer on top of OAuth 2.0 for federated login.
- Federation
- Linking identity across organizations so one set of credentials works across trusted domains.
- Identity provider (IdP)
- The system that authenticates users and asserts identity to service providers.
- Provisioning / deprovisioning
- Creating and removing user access; timely deprovisioning prevents orphan accounts.
- Privileged Access Management (PAM)
- Controlling, monitoring, and securing accounts with elevated rights.
- Identity proofing
- Verifying that a person is who they claim before issuing credentials.
- Session management
- Securely creating, maintaining, and terminating sessions (timeouts, tokens).
- Just-in-time (JIT) access
- Granting elevated access only when needed and for a limited time.
- Account lockout
- Disabling an account after repeated failed logins to slow brute-force attacks.
- Security assessment
- A broad review of a system's controls and risk posture against requirements.
- Security audit
- An independent, systematic evaluation of controls against a standard or policy.
- Vulnerability scan
- An automated check that identifies known weaknesses without exploiting them.
- Penetration test
- An authorized, simulated attack that actively exploits weaknesses to show real impact.
- Scan vs. pen test
- A scan finds the holes; a pen test proves what an attacker could do with them.
- Black-box test
- The tester has no prior knowledge of the target (simulates an outside attacker).
- White-box test
- The tester has full knowledge of the target (architecture, source, credentials).
- Gray-box test
- The tester has partial knowledge of the target.
- Rules of engagement
- The written scope, limits, and authorization for a penetration test.
- Static application security testing (SAST)
- Analyzing source code for flaws without running it.
- Dynamic application security testing (DAST)
- Testing a running application from the outside for vulnerabilities.
- Code review
- Examining source code (manually or with tools) to find security and quality flaws.
- Fuzzing
- Feeding malformed or random input to find crashes and security flaws.
- Misuse case testing
- Testing how a system behaves under intentional misuse or attack scenarios.
- Test coverage analysis
- Measuring how much of the code or requirements the tests exercise.
- Synthetic transactions
- Scripted, simulated user interactions used to test and monitor systems.
- Log review
- Examining logs to detect anomalies, policy violations, and incidents.
- SOC 1 report
- An attestation on controls relevant to financial reporting.
- SOC 2 report
- An attestation on controls for security, availability, processing integrity, confidentiality, privacy.
- SOC 3 report
- A general-use, public summary version of a SOC 2 report.
- SOC Type I vs. Type II
- Type I = controls at a point in time; Type II = controls' operating effectiveness over a period.
- KPI vs. KRI
- KPI measures performance toward a goal; KRI measures risk exposure (an early warning).
- Vulnerability management lifecycle
- Discover, prioritize, remediate, and verify vulnerabilities continuously.
- CVSS
- Common Vulnerability Scoring System — a 0-10 severity score for vulnerabilities.
- CVE
- Common Vulnerabilities and Exposures — a standardized identifier for a known vulnerability.
- Internal vs. external testing
- Internal simulates an insider/compromised host; external simulates an internet attacker.
- Account management review
- Periodically reviewing accounts and entitlements to enforce least privilege.
- Disaster recovery testing
- Checklist, tabletop, simulation, parallel, and full-interruption tests of recovery plans.
- Tabletop exercise
- A discussion-based walkthrough of a plan with no system disruption.
- Parallel test
- Bringing recovery systems online alongside production to verify they work, without cutover.
- Full-interruption test
- Shutting down production to fully exercise recovery — most realistic, most risky.
- Security operations
- The day-to-day work of running, monitoring, and defending security controls.
- Incident
- An event that actually or potentially harms the confidentiality, integrity, or availability of assets.
- Event vs. incident
- An event is any observable occurrence; an incident is an event that causes or threatens harm.
- Incident response — Detection
- Identify and confirm that an incident has occurred.
- Incident response — Response
- Contain the incident to limit damage.
- Incident response — Mitigation
- Reduce the impact and stop the spread.
- Incident response — Reporting
- Notify stakeholders and required authorities.
- Incident response — Recovery
- Restore systems to normal operation.
- Incident response — Remediation
- Fix the root cause so the incident can't recur.
- Incident response — Lessons Learned
- Review the response and improve the plan and controls.
- Containment
- Limiting the scope and damage of an incident before eradication and recovery.
- NIST SP 800-61
- Incident handling guide: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident.
- CSIRT
- Computer Security Incident Response Team — the group that handles incidents.
- SIEM
- Security Information and Event Management — aggregates and correlates logs for detection and analysis.
- SOAR
- Security Orchestration, Automation, and Response — automates incident handling workflows.
- Logging and monitoring
- Recording events and watching them to detect, investigate, and prove activity.
- Clipping level
- A threshold of activity that, when exceeded, triggers an alert (e.g., failed logins).
- Egress monitoring
- Watching outbound traffic to detect data exfiltration.
- Change management
- A controlled process for requesting, evaluating, approving, and documenting system changes.
- Configuration management
- Maintaining known-good, documented configurations and baselines for systems.
- Patch management
- Identifying, testing, and deploying software updates to fix vulnerabilities.
- Backup — full
- Backs up all selected data; fastest to restore, slowest to back up.
- Backup — incremental
- Backs up changes since the last backup of any type; fast backup, slow restore.
- Backup — differential
- Backs up changes since the last full backup; slower backup, faster restore.
- 3-2-1 backup rule
- Keep 3 copies, on 2 media types, with 1 copy offsite.
- RAID
- Redundant Array of Independent Disks — combines disks for redundancy and/or performance.
- RAID 1 / RAID 5
- RAID 1 mirrors disks; RAID 5 stripes with parity, tolerating one disk failure.
- Hot site
- A fully equipped alternate site with near-real-time failover; fastest, most expensive.
- Warm site
- An alternate site with hardware and connectivity; data restored on demand; moderate cost.
- Cold site
- An alternate site with power and space only; cheapest, slowest to bring online.
- Redundant site
- A fully mirrored, always-on duplicate of the primary site (highest cost).
- Evidence — chain of custody
- Documentation of who handled evidence and when, preserving its integrity.
- Best evidence rule
- Original documents/evidence are preferred over copies in legal proceedings.
- Real / documentary / testimonial evidence
- Physical objects; written records; witness statements — types of evidence.
- Forensics — order of volatility
- Collect the most volatile data first (CPU/RAM) before disk and archives.
- eDiscovery
- The process of identifying and producing electronic data for legal proceedings.
- Service Level Agreement (SLA)
- A contract defining the expected level of service and remedies.
- Honeypot
- A decoy system designed to attract and study attackers.
- Whitelisting / allow-listing
- Permitting only approved applications or addresses; everything else is blocked.
- Sandboxing
- Running untrusted code in an isolated environment to contain harm.
- Software Development Lifecycle (SDLC)
- The phased process of building software: requirements, design, build, test, deploy, maintain.
- Secure SDLC
- Building security into every phase of development rather than testing for it at the end.
- Shift left
- Moving security activities earlier in development, where flaws are cheaper to fix.
- Waterfall model
- A sequential, phase-by-phase development model; rigid, suits stable requirements.
- Agile model
- Iterative development in short sprints; flexible and delivers frequently.
- DevOps
- Integrating development and operations for continuous, automated delivery.
- DevSecOps
- Embedding automated security testing throughout DevOps CI/CD pipelines.
- Spiral model
- An iterative model with heavy risk analysis in each cycle.
- CI/CD
- Continuous Integration / Continuous Delivery — automated build, test, and deployment pipelines.
- Threat modeling in design
- Identifying threats early (e.g., STRIDE) so the design mitigates them.
- Capability Maturity Model (CMM/CMMI)
- A model rating process maturity from initial to optimizing.
- BSIMM
- Building Security In Maturity Model — measures a software security program against peers.
- OWASP SAMM
- Software Assurance Maturity Model — a framework to assess and improve secure development.
- OWASP Top 10
- A community list of the most critical web application security risks.
- Broken access control
- The #1 OWASP risk — users acting outside their intended permissions.
- Injection
- Untrusted input is interpreted as a command or query (e.g., SQL injection).
- SQL injection
- Inserting malicious SQL via unvalidated input to read or alter a database.
- Cross-site scripting (XSS)
- Injecting malicious scripts into web pages viewed by other users.
- Cross-site request forgery (CSRF)
- Tricking a logged-in user's browser into making unwanted requests.
- Input validation
- Checking and sanitizing all input — the primary defense against injection attacks.
- Parameterized queries
- Using prepared statements with bound parameters to prevent SQL injection.
- Output encoding
- Encoding data before rendering it to prevent XSS.
- Buffer overflow
- Writing past a buffer's bounds to corrupt memory or execute code; prevented by bounds checking.
- Race condition (TOCTOU)
- Time-of-check to time-of-use — a flaw exploiting the gap between checking and using a resource.
- Inference
- Deducing sensitive information from data you are allowed to see.
- Aggregation
- Combining individually harmless pieces of data into sensitive information.
- Polyinstantiation
- Storing different data at different classification levels to prevent inference.
- Database — ACID
- Atomicity, Consistency, Isolation, Durability — properties of reliable transactions.
- Database normalization
- Organizing data to reduce redundancy and improve integrity.
- Stored procedure
- Precompiled SQL stored in the database; can reduce injection risk and centralize logic.
- Code repository security
- Protecting source control with access control, signing, and secret scanning.
- Software supply chain risk
- Vulnerabilities introduced through third-party libraries and dependencies.
- Software Composition Analysis (SCA)
- Scanning dependencies for known vulnerabilities and license issues.
- Sandboxing untrusted code
- Isolating code (e.g., applets, plugins) so it can't harm the host.
- Secure coding standards
- Documented rules (e.g., OWASP, CERT) for writing safe code.
- Maintenance hooks / backdoors
- Hidden developer access that must be removed before release.
- Object-oriented security
- Encapsulation, inheritance, and polymorphism affect how data is protected in code.
- API security
- Protecting APIs with authentication, authorization, rate limiting, and input validation.
- Regression testing
- Re-running tests after changes to ensure new code didn't break existing functionality.
- Code signing
- Digitally signing software so users can verify its source and integrity.