- CIA triad
- Confidentiality, Integrity, Availability — the three core goals of information security.
- Confidentiality
- Preventing unauthorized disclosure of data; enforced by encryption and access control.
- Integrity
- Ensuring data is accurate and unaltered except by authorized parties; enforced by hashing and change control.
- Availability
- Ensuring authorized users have timely, reliable access; enforced by redundancy, backups, and fault tolerance.
- Accountability
- Tying actions back to a specific identity through logging and monitoring.
- Non-repudiation
- Assurance that a party cannot deny an action; achieved with digital signatures and logging.
- Least privilege
- Granting users and processes only the minimum access needed to do their job.
- Need-to-know
- Limiting access to the specific information a person requires, even within their clearance.
- Separation of duties
- Splitting a sensitive task so no single person can complete it alone.
- Dual control
- Requiring two authorized people to act together to perform one sensitive operation.
- Job rotation
- Periodically moving staff between duties to detect fraud and reduce single-person dependence.
- Mandatory vacation
- Requiring time off so hidden fraudulent activity can surface in an employee's absence.
- Defense in depth
- Layering multiple, overlapping controls so one failure doesn't expose the asset.
- Administrative control
- A managerial control such as a policy, procedure, training, or background check.
- Technical (logical) control
- A control implemented in technology, such as a firewall, encryption, or ACL.
- Physical control
- A control protecting the environment, such as locks, guards, fences, or cameras.
- Preventive control
- A control that stops an incident before it happens (lock, MFA, input validation).
- Detective control
- A control that identifies an incident in progress or after it (logs, IDS, CCTV).
- Corrective control
- A control that fixes or restores after an incident (backups, patches).
- Deterrent control
- A control that discourages an attacker (warning signs, visible cameras).
- Compensating control
- An alternative control used when the primary control isn't feasible (extra monitoring).
- Recovery control
- A control that restores operations after a disruption (disaster recovery, backups).
- Due diligence
- Doing the research and developing the plans/policies needed to protect the organization.
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls (prudent-person rule).
- ISC2 Code of Ethics canons
- Applied in order: (1) protect society and the infrastructure; (2) act honorably; (3) provide diligent service to principals; (4) advance the profession.
- Data classification
- Labeling data by sensitivity (public, confidential, secret) so the right protection is applied.
- Data owner
- The senior business manager accountable for data who sets its classification.
- Data custodian
- The party (usually IT) that implements and maintains the controls protecting data day to day.
- Data remanence
- Residual data left on media after deletion or formatting that may be recoverable.
- Clearing (sanitization)
- Overwriting media so it can be safely reused within the organization.
- Purging (sanitization)
- Degaussing or strong overwrite/crypto-erase so media can be released externally.
- Destruction (sanitization)
- Physically shredding, pulverizing, or incinerating media for the most sensitive data.
- Change management
- A controlled process to request, evaluate, approve, test, and document system changes.
- Change control board (CCB)
- The group that reviews and approves proposed changes before they are implemented.
- Baseline (security)
- A documented minimum required level of security configuration for a system.
- Security awareness training
- Educating users to recognize threats like phishing and follow security policy.
- Policy
- A high-level management statement of security intent and goals (mandatory).
- Standard
- A specific, mandatory requirement that supports a policy (e.g., 'use AES-256').
- Procedure
- Detailed step-by-step instructions to carry out a task (mandatory).
- Guideline
- A recommended, discretionary best practice (the only optional document type).
- Asset management lifecycle
- Tracking assets from acquisition through use, maintenance, and secure disposal.
- Social engineering
- Manipulating people into breaking security (phishing, pretexting, tailgating).
- AAA
- Authentication, Authorization, and Accounting — prove identity, grant access, log activity.
- Identification
- A subject claiming an identity (e.g., a username) — the first step of access control.
- Authentication
- Proving a claimed identity with a credential (knowledge, possession, or inherence).
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Accounting (accountability)
- Logging and tracking what an identity did, for audit and forensics.
- Multi-factor authentication (MFA)
- Using two or more factors from different categories (know, have, are).
- Something you know
- A knowledge factor: password, PIN, or passphrase.
- Something you have
- A possession factor: smart card, hardware token, or phone.
- Something you are
- An inherence (biometric) factor: fingerprint, iris, or face.
- False Acceptance Rate (FAR)
- How often a biometric wrongly accepts an impostor (Type II error) — the security risk.
- False Rejection Rate (FRR)
- How often a biometric wrongly rejects a real user (Type I error) — the usability problem.
- Crossover Error Rate (CER)
- The point where FAR equals FRR; a lower CER means a more accurate system.
- Discretionary access control (DAC)
- Access decided by the data owner (e.g., file permissions, ACLs).
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; rigid and high-security.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales well in enterprises.
- Attribute-based access control (ABAC)
- Access decided by attributes and policy (user, resource, time, location); most granular.
- Rule-based access control
- Global rules applied to everyone (e.g., a firewall ruleset or time-of-day limits).
- Single sign-on (SSO)
- One authentication that grants access to multiple systems.
- Kerberos
- A symmetric-key SSO protocol using tickets and a Key Distribution Center (KDC).
- SAML
- An XML standard for exchanging authentication/authorization data — web SSO and federation.
- OAuth
- An open standard for delegated authorization between applications and APIs.
- OpenID Connect (OIDC)
- An identity layer on top of OAuth that provides federated authentication.
- RADIUS
- A protocol that centralizes authentication, authorization, and accounting for network access.
- TACACS+
- A Cisco AAA protocol that separates authentication, authorization, and accounting (encrypts the full payload).
- LDAP
- A protocol for querying and modifying a directory of users and resources.
- Federation
- Allowing identities from one trusted domain to access resources in another.
- Zero trust
- Trusting no user or device by default and verifying every access request continuously.
- Privileged access management (PAM)
- Securing, monitoring, and limiting accounts with elevated (admin) privileges.
- Identity lifecycle
- Provisioning, periodic review/recertification, and prompt deprovisioning of accounts.
- Deprovisioning
- Promptly disabling/removing access when a user leaves to prevent orphan accounts.
- Transitive trust
- Trust that flows through a chain — if A trusts B and B trusts C, A may trust C.
- Provisioning
- Creating accounts and granting initial access based on role and need.
- Risk
- The likelihood a threat exploits a vulnerability and the resulting impact on an asset.
- Threat
- Any potential event or actor that could cause harm by exploiting a vulnerability.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Exposure factor (EF)
- The percentage of an asset's value lost if a specific risk event occurs.
- Single Loss Expectancy (SLE)
- Expected loss from one event: SLE = Asset Value × Exposure Factor.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a risk event occurs in one year.
- Annualized Loss Expectancy (ALE)
- Expected yearly cost of a risk: ALE = SLE × ARO; used to cost-justify controls.
- Qualitative risk analysis
- Subjective risk ranking (high/medium/low) — fast, but not in dollars.
- Quantitative risk analysis
- Objective, dollar-based risk analysis using SLE, ARO, and ALE.
- Risk mitigation
- Reducing risk to an acceptable level by implementing controls.
- Risk transference
- Shifting the financial impact of a risk to a third party, such as insurance.
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk acceptance
- A documented, management-approved decision to tolerate a risk and its impact.
- Residual risk
- The risk that remains after controls are applied; management formally accepts it.
- Risk appetite
- The amount and type of risk an organization is willing to accept to meet objectives.
- Risk tolerance
- The acceptable variation around the organization's risk appetite.
- Vulnerability scan
- An automated check that identifies known weaknesses without exploiting them.
- Penetration test
- An authorized, simulated attack that actively exploits weaknesses to prove impact.
- CVE
- Common Vulnerabilities and Exposures — a unique identifier for a known vulnerability.
- CVSS
- Common Vulnerability Scoring System — a 0–10 standard severity score for a vulnerability.
- SIEM
- Security Information and Event Management — aggregates and correlates logs for detection.
- Event vs. incident
- An event is any observable occurrence; an incident is an event that harms or threatens security.
- Log correlation
- Linking related events across sources to reveal an attack that no single log shows.
- Continuous monitoring
- Ongoing collection and analysis of security data to detect issues in near real time.
- Baseline (monitoring)
- A picture of normal behavior used to spot anomalies.
- Black-box test
- A penetration test with no prior knowledge of the target (simulates an outsider).
- White-box test
- A penetration test with full knowledge of the target's internals.
- Gray-box test
- A penetration test with partial knowledge of the target.
- Security audit
- An independent, systematic evaluation of controls against a standard or policy.
- PII
- Personally Identifiable Information — data that can identify a specific individual.
- GDPR
- The EU regulation governing the processing and protection of personal data.
- HIPAA
- U.S. law protecting the privacy and security of health information (PHI).
- PCI DSS
- A security standard for organizations that handle payment card data.
- Incident response lifecycle
- Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident (NIST 800-61).
- Preparation (IR)
- Building the policy, the CSIRT, tooling, and training before an incident happens.
- Detection & analysis
- Identifying and confirming a real incident from events; determining scope and severity.
- Containment
- Limiting the spread and damage of an incident (short-term then long-term).
- Eradication
- Removing the threat — malware, compromised accounts, and the root cause.
- Recovery (IR)
- Restoring systems to validated normal operation and monitoring for recurrence.
- Lessons learned
- The post-incident review that improves detection, controls, and the plan.
- CSIRT
- Computer Security Incident Response Team — the group that handles security incidents.
- Chain of custody
- Documentation of who handled evidence and when, preserving its integrity for legal use.
- Order of volatility
- Collect evidence by how fast it disappears — memory before disk before backups.
- Digital forensics
- The collection, preservation, and analysis of digital evidence.
- Business continuity plan (BCP)
- A plan to keep critical business functions operating during and after a disruption.
- Disaster recovery (DR)
- Processes and procedures to restore IT systems after a disruptive event.
- Business Impact Analysis (BIA)
- Identifies critical functions and sets recovery objectives (MTD, RTO, RPO).
- Maximum Tolerable Downtime (MTD)
- The longest a function can be unavailable before unacceptable harm occurs.
- Recovery Time Objective (RTO)
- The target time to restore a function after a disruption; must be shorter than MTD.
- Recovery Point Objective (RPO)
- The maximum acceptable data loss measured backward in time; drives backup frequency.
- Hot site
- A fully equipped recovery site with near-real-time failover — fastest, most expensive.
- Warm site
- A recovery site with hardware and connectivity; data restored on demand — moderate cost and recovery time.
- Cold site
- An empty recovery space with power/cooling only — cheapest, slowest to bring online.
- Full backup
- A backup of all selected data; fastest to restore (one set).
- Incremental backup
- Backs up changes since the last backup of any type; fast backup, slow restore.
- Differential backup
- Backs up changes since the last full backup; slower backup, faster restore.
- 3-2-1 backup rule
- Keep three copies of data, on two media types, with one stored off-site.
- Tabletop exercise
- A discussion-based walkthrough of the incident or recovery plan.
- Escalation
- Raising an incident to higher-level responders or management as severity grows.
- Symmetric encryption
- One shared secret key for both encryption and decryption (AES); fast, but the key is hard to distribute.
- Asymmetric encryption
- A public/private key pair (RSA, ECC); slower, solves key exchange, enables signatures.
- AES
- The current symmetric block cipher standard (128/192/256-bit keys).
- RSA
- A widely used asymmetric algorithm for encryption and digital signatures.
- Diffie-Hellman
- An asymmetric method for two parties to agree on a shared secret over an insecure channel.
- Hashing
- A one-way function producing a fixed-length digest to verify integrity (SHA-256).
- SHA-2 / SHA-3
- Current secure hash algorithm families; use these instead of broken MD5/SHA-1.
- HMAC
- A keyed hash providing both integrity and authenticity of a message.
- Salting
- Adding random data to a password before hashing so identical passwords differ.
- Key stretching
- Slowing password hashing with bcrypt, PBKDF2, scrypt, or Argon2 to resist cracking.
- Digital signature
- A hash of a message encrypted with the sender's private key; gives integrity, authenticity, non-repudiation.
- Encrypt vs. sign
- Encrypt with the recipient's PUBLIC key (confidentiality); sign with YOUR PRIVATE key (authenticity).
- Hybrid cryptography
- Using asymmetric crypto to exchange a fast symmetric session key (e.g., TLS).
- Public Key Infrastructure (PKI)
- The framework of CAs, certificates, and policies that manages public keys and trust.
- Certificate Authority (CA)
- A trusted entity that issues and signs digital certificates.
- Digital certificate (X.509)
- A document binding a public key to a verified identity, signed by a CA.
- CRL
- Certificate Revocation List — a published list of certificates no longer trusted.
- OCSP
- Online Certificate Status Protocol — a real-time check of a certificate's revocation status.
- Key escrow
- Storing a copy of a key with a trusted third party for recovery or legal access.
- HSM
- Hardware Security Module — a tamper-resistant device that generates and stores keys.
- TLS
- The protocol that secures application traffic (HTTPS) using hybrid cryptography.
- IPsec
- A protocol suite that secures IP traffic at Layer 3 (AH for integrity, ESP for confidentiality).
- SSH
- A protocol for secure remote administration and file transfer.
- Birthday attack
- An attack that exploits hash collision probability to find two inputs with the same digest.
- Man-in-the-middle (crypto)
- An attacker secretly relays/alters communication between two parties.
- Rainbow table
- A precomputed table of hashes used to crack unsalted password hashes quickly.
- OSI model
- Seven layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.
- Layer 1 — Physical
- Cables, signals, and hubs — raw bit transmission.
- Layer 2 — Data Link
- MAC addresses and switches; frames between adjacent nodes.
- Layer 3 — Network
- IP addressing and routers; IPsec operates here.
- Layer 4 — Transport
- TCP and UDP; ports and end-to-end delivery.
- TCP vs. UDP
- TCP is connection-oriented and reliable; UDP is connectionless and fast.
- Switch
- A Layer 2 device that forwards frames by MAC address.
- Router
- A Layer 3 device that forwards packets between networks by IP address.
- Firewall
- A device/software that filters network traffic against a rule set.
- Packet-filter firewall
- Inspects each packet in isolation against rules; no memory of sessions.
- Stateful firewall
- Tracks the state of active connections; allows return traffic for known sessions.
- Proxy firewall
- Terminates and inspects traffic at the application layer on behalf of clients.
- WAF
- Web Application Firewall — protects web apps from attacks like SQL injection and XSS.
- IDS
- Intrusion Detection System — monitors and alerts but does not block (passive).
- IPS
- Intrusion Prevention System — sits inline and can block malicious traffic (active).
- Signature-based detection
- Detects threats by matching known attack patterns.
- Anomaly-based detection
- Detects threats by flagging deviations from a normal baseline.
- HIDS vs. NIDS
- HIDS runs on a host; NIDS watches network traffic.
- VPN
- A Virtual Private Network — an encrypted tunnel over an untrusted network.
- DMZ
- A screened subnet hosting public-facing services, isolated from the internal network.
- VLAN
- A logically segmented broadcast domain on a switch for isolation.
- Network access control (NAC)
- Checks a device's identity and posture before allowing it onto the network.
- NAT / PAT
- Network/Port Address Translation — maps private addresses to public ones.
- DoS / DDoS
- Attacks that overwhelm a target to deny service; DDoS uses many sources.
- ARP poisoning
- Falsifying ARP replies to redirect traffic on a LAN (enables MITM).
- DNS poisoning
- Corrupting DNS data to redirect users to a malicious address.
- Spoofing
- Forging a source address or identity to impersonate a trusted entity.
- WPA3
- The current Wi-Fi security standard with strong encryption and offline-attack protection.
- 802.1X / EAP
- A framework for port-based network access control and authentication.
- Rogue access point
- An unauthorized wireless AP that creates an unsecured entry into the network.
- Evil twin
- A malicious AP impersonating a legitimate one to capture traffic.
- IoT security
- Hardening internet-connected devices that often ship insecure by default.
- Secure protocol swaps
- Replace HTTP→HTTPS, FTP/Telnet→SFTP/SSH, WEP→WPA3, SNMPv1/2→SNMPv3.
- Malware
- Malicious software: viruses, worms, trojans, ransomware, rootkits, spyware, logic bombs.
- Virus
- Malware that attaches to a file and needs a user to run it to spread.
- Worm
- Self-replicating malware that spreads across networks with no user action.
- Trojan
- Malware disguised as legitimate software to deliver a hidden payload.
- Ransomware
- Malware that encrypts a victim's data and demands payment for the key.
- Rootkit
- Malware with deep, privileged access that hides its presence from the OS.
- Spyware
- Malware that secretly collects information about a user or system.
- Logic bomb
- Malicious code that stays dormant until a trigger condition is met.
- Fileless malware
- Malware that runs in memory using legitimate tools, leaving little on disk.
- Phishing
- A social-engineering attack using fraudulent messages to steal data or deliver malware.
- Spear phishing
- A targeted phishing attack aimed at a specific person or organization.
- Advanced persistent threat (APT)
- A stealthy, long-term, well-resourced intrusion, often state-sponsored.
- EDR
- Endpoint Detection and Response — continuously monitors endpoints to detect and respond.
- Antivirus / anti-malware
- Software that detects and removes malicious code on endpoints.
- Application allowlisting
- Permitting only approved programs to run; blocks everything else by default.
- Patch management
- Acquiring, testing, and applying software updates to fix vulnerabilities.
- System hardening
- Reducing the attack surface via secure config, removing unneeded services, and patching.
- Host-based firewall
- A firewall running on an individual endpoint to filter its traffic.
- Mobile device management (MDM)
- Software enforcing security policy on mobile devices (passcode, encryption, remote wipe).
- BYOD
- Bring Your Own Device — using personal devices for work; needs containerization/policy.
- Containerization (mobile)
- Isolating work data and apps from personal data on a device.
- Remote wipe
- Erasing a lost or stolen device's data remotely to protect it.
- Shared responsibility model
- Cloud provider secures the infrastructure; the customer always owns its data and access.
- IaaS
- Infrastructure as a Service — customer secures the OS, apps, and data.
- PaaS
- Platform as a Service — customer secures apps and data; provider manages OS/runtime.
- SaaS
- Software as a Service — provider secures most; customer manages data, access, settings.
- Cloud misconfiguration
- A leading cloud breach cause (e.g., a public storage bucket) — on the customer's side.
- CASB
- Cloud Access Security Broker — enforces policy between users and cloud services.
- Hypervisor
- Software that creates and runs VMs; Type 1 runs on bare metal, Type 2 on a host OS.
- VM escape
- An attack that breaks out of a guest VM to reach the hypervisor or other VMs.
- VM sprawl
- Uncontrolled growth of unmanaged virtual machines, increasing risk.
- Container (technology)
- A lightweight, isolated package of an app and its dependencies sharing the host OS kernel.
- Input validation
- Checking and sanitizing all user input to prevent injection attacks.
- SQL injection
- Inserting malicious SQL through unvalidated input to read or alter a database.
- Confidentiality vs. integrity
- Confidentiality keeps data secret; integrity keeps data accurate and unaltered.
- DAD triad
- Disclosure, Alteration, Destruction — the opposite of (and threats to) the CIA triad.
- Data lifecycle
- Create, store, use, share, archive, and destroy — protect data at each stage.
- Data in transit
- Data moving across a network; protect it with TLS, IPsec, or a VPN.
- Data at rest
- Stored data; protect it with full-disk or database encryption.
- Data in use
- Data being processed in memory; the hardest state to protect.
- Acceptable use policy (AUP)
- A policy defining how employees may use organizational systems and data.
- Tailgating
- Following an authorized person through a secure door without authenticating.
- Pretexting
- A social-engineering attack using a fabricated scenario to extract information.
- Background check
- An administrative, preventive control that vets personnel before granting access.
- Government data classification
- Top Secret, Secret, Confidential, and Unclassified levels.
- Commercial data classification
- Labels such as Confidential, Private, Sensitive, and Public.
- Type I vs. Type II error
- Type I = false rejection (FRR); Type II = false acceptance (FAR) in biometrics.
- Biometric throughput
- How quickly a biometric system can process users (enrollment/verification speed).
- Mandatory access control example
- A soldier with Secret clearance cannot open a Top Secret file regardless of the owner.
- Account lockout
- Disabling an account after repeated failed logins to deter brute-force attacks.
- Password policy
- Rules for length, complexity, age, and reuse that strengthen knowledge factors.
- Token (authentication)
- A possession factor that generates or stores one-time or cryptographic credentials.
- OTP
- One-Time Password — a code valid for a single login or short window.
- Mutual authentication
- Both parties authenticate each other, not just the client to the server.
- Access control list (ACL)
- A list specifying which subjects may access an object and what they may do.
- Constrained interface
- Restricting what a user can do by limiting the controls they can see/use.
- Total cost of ownership (TCO)
- The full lifecycle cost of a control or asset, used in risk decisions.
- Return on security investment
- Comparing the cost of a control to the reduction in expected loss (ALE) it provides.
- Inherent risk
- The risk present before any controls are applied.
- Control gap
- The difference between the current and the desired level of risk reduction.
- False positive (alert)
- A benign event wrongly flagged as malicious — wastes analyst time.
- False negative (alert)
- A real threat that goes undetected — the more dangerous error.
- Patch / config audit
- Verifying systems are patched and configured to the secure baseline.
- Threat modeling
- Systematically identifying and prioritizing threats to a system during design.
- Risk register
- A documented inventory of identified risks, owners, and treatments.
- SOC 2 report
- An independent audit of an organization's security/availability controls.
- First responder action
- After detection, the typical first technical step is containment — stop the spread.
- Eradication vs. recovery
- Eradication removes the threat and root cause; recovery restores normal operations.
- Tabletop vs. full-interruption test
- Tabletop is a discussion; full-interruption actually fails over to recovery systems.
- Work Recovery Time (WRT)
- Time to verify and restore data/functionality after systems are back online.
- Evidence integrity (hashing)
- Hashing collected evidence proves it has not changed since collection.
- Write blocker
- A forensic tool that allows reading a drive without altering its contents.
- Mean time to recover (MTTR)
- The average time to restore a system after a failure.
- Playbook (IR)
- A predefined set of steps for responding to a specific type of incident.
- Recovery site selection
- Choose hot/warm/cold based on the RTO and budget the BIA produced.
- Block vs. stream cipher
- Block ciphers encrypt fixed-size blocks (AES); stream ciphers encrypt one bit or byte at a time.
- ECB vs. CBC mode
- ECB encrypts blocks independently (insecure: patterns remain visible); CBC chains blocks for security.
- GCM mode
- An authenticated encryption mode providing both confidentiality and integrity.
- 3DES
- A legacy symmetric cipher applying DES three times; now deprecated in favor of AES.
- ECC
- Elliptic Curve Cryptography — asymmetric crypto with strong security at small key sizes.
- Perfect forward secrecy
- Session keys aren't compromised even if a long-term key is later exposed.
- Key management lifecycle
- Generate, distribute, store, rotate, and destroy keys securely.
- Nonce
- A number used once to prevent replay and ensure uniqueness in crypto operations.
- Steganography
- Hiding data within other data (e.g., inside an image) rather than encrypting it.
- Replay attack
- Capturing and re-sending valid data to gain unauthorized access; nonces and timestamps defend against it.
- Layer 5 — Session
- Establishes, manages, and terminates sessions between applications.
- Layer 6 — Presentation
- Translates, encrypts, and compresses data (TLS sits around Layers 6/7).
- Layer 7 — Application
- Where user-facing protocols live: HTTP, DNS, SMTP, FTP.
- TCP three-way handshake
- SYN, SYN-ACK, ACK — establishes a TCP connection.
- Port (well-known)
- HTTPS 443, HTTP 80, SSH 22, DNS 53, RDP 3389.
- Subnetting
- Dividing a network into smaller segments to improve control and isolation.
- Reverse proxy
- A proxy that sits in front of servers, handling and filtering inbound requests.
- Honeypot
- A decoy system used to detect, deflect, or study attackers.
- MAC filtering
- Allowing only known hardware addresses onto a network (weak on its own).
- Sniffing (eavesdropping)
- Capturing network traffic to read unencrypted data; encryption defends against it.
- Air gap
- Physically isolating a system from untrusted networks for high security.
- Drive-by download
- Malware that installs simply by visiting a compromised or malicious web page.
- Watering-hole attack
- Compromising a site a target group frequently visits to infect them.
- Zero-day
- A vulnerability exploited before a patch exists; no signature yet to detect it.
- Backdoor
- A hidden method to bypass normal authentication and gain access.
- Botnet
- A network of compromised machines controlled by an attacker (often for DDoS).
- HIPS
- Host Intrusion Prevention System — blocks malicious activity on an endpoint.
- Secure baseline image
- A hardened, approved OS image deployed to ensure consistent, secure configuration.
- Least functionality
- Configuring systems to provide only essential capabilities, reducing attack surface.
- Type 1 vs. Type 2 hypervisor
- Type 1 runs on bare metal; Type 2 runs as an app on a host OS.
- Snapshot risk
- VM snapshots may contain sensitive data and can revert security patches if restored.
- Sandboxing
- Running untrusted code in an isolated environment to contain any harm.
- Cross-site scripting (XSS)
- Injecting malicious scripts into a web page viewed by other users.