Assets, Threats, & Vulnerabilities Flashcards
Asset
item perceived as having value to an organization
Asset inventory
catalog of assets that need to be protected
Asset classification
practice of labeling assets based on sensitivity and importance to an organization
Asset management
process of tracking assets and the risks that affect them
Compliance
process of adhering to internal standards and external regulations
Data
information that is translated, processed, or stored by a computer
Data at rest
data not currently being accessed
Data in transit
data traveling from one point to antoher
Data in use
data being accessed by one or more users
Information security (InfoSec)
practice of keeping data in all states away from unauthorized users
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
Policy
set of rules that reduce risk and protect information
Procedures
step-by-step instructions to perform a specific security task
Regulations
Rules set by a government or other authority to control the way something is done
Risk
Anything that can impact confidentiality, integrity, and availability of an asset
Standards
References that inform how to set policies
Threat
Any circumstances or event that can negatively impact assets
Vulnerability
weakness that can be exploited by a threat
Access controls
security controls that manage access, authorization, and accountability of information
Algorithm
set of rules used to solve a problem
Application programming interface (API) token
small block of encrypted code that contains information about a user
Asymmetric encryption
use of public and private key pair for encryption and decryption of data
Basic auth
technology used to establish a user’s request to access a server
Bit
smallest unit of data measurement on a computer
Brute force attack
the trial and error process of discovering private information
Cipher
algorithm that encrypts information
Cryptographic key
mechanism that decrypts ciphertext
Cryptography
process of transforming information into a form that unintended readers can’t understand
Data custodian
Anyone or anything that’s responsible for the safe handling, transport, and storage of information
Data owner
person that decides who can access, edit, use, or destroy their information
Digital certificate
a file that verifies the identity of a public key holder
Encryption
process of converting data from a readable format to an encoded format
Hash collision
instance when different inputs produce the same hash value
Hash table
data structure that’s used to store and reference hash values
Hash function
algorithm that produces a code that can’t be decrypted
Identity and access management (IAM)
collection of processes and technologies that helps organizations manage digital identities in their environment
Information privacy
protection of unauthorized access and distribution of data
Multi-factor authentication (MFA)
A security measure that requires a user to verify their identity in two or more ways to access a system or network
Non-repudiation
concept that the authenticity of information can’t be denied
OAuth
open-standard authorization protocol that shares designated access between applications
Payment Card Industry Data Security Standards (PCI DSS)
set of security standards formed by major organizations in the financial industry
Personally identifiable information (PII)
Any information used to infer an individual’s identity
Principle of least privilege
concept of granting only the minimal access and authorization required to complete a task or function
Protected health information (PHI)
Information that relates to the past, present, or future physical or mental health or condition of an individual
Public key infrastructure (PKI)
encryption framework that secures the exchange of online information
Rainbow table
file of pre-generated hash values and their associated plaintext
Salting
additional safeguard that’s used to strengthen hash functions
Security assessment
check to determine how resilient current security implementations are against treats
Security audit
review of an organization’s security controls, policies, and procedures against a set of expectations
Security controls
safeguards designed to reduce specific security risks
Separation of duties
principle that users should not be given levels of authorization that would allow them to misuse a system
Session
sequence of network HTTP basic auth requests and responses associated with the same user
Session cookie
token that websites use to validate a session and determine how long that session should last
Session hijacking
event when attackers obtain a legitimate user’s session ID
Session ID
unique token that identifies a user and their device while accessing a system
Single Sign-On (SSO)
technology that combines several different logins into one
Symmetric encryption
use of a single secret key to exchange information
user provisioning
process of creating and maintaining a user’s digital identity
Advanced persistent threat APT
instance when a threat actor maintains unauthorized access to a system for an extended period of time
Attack surface
all the potential vulnerabilities that a threat actor could exploit
Attack tree
diagram that maps threats to assets
Attack vector
pathways attackers use to penetrate security defenses
Bug bounty
Programs that encourage freelance hackers to find and report vulnerabilities
Common Vulnerabilities and Exposures CVE list
openly accessible dictionary of known vulnerabilities and exposures
Common Vulnerability Scoring System CVSS
measurement system that scores the severity of a vulnerability
CVE Numbering Authority CNA
organization that volunteers to analyze and distribute information on eligible CVEs
Defense in depth
layered approach to vulnerability management that reduces risk
Exploit
way of taking advantage of a vulnerability
Exposure
mistake that can be exploited by a threat
Hacker
any person who uses computers to gain access to computer systems, networks, or data
MITRE
collection of non-profit research and development centers
Security hardening
process of strengthening a system to reduce its vulnerability and attack surface
Threat actor
any person or group who presents a security risk
Vulnerability
weakness that can be exploited by a threat
Vulnerability assessment
internal review process of a company’s security systems
Vulnerability management
process of finding and patching vulnerabilities
Vulnerability scanner
software that automatically compares existing common vulnerabilities and exposures against the technologies on the network
Zero-day
an exploit that was previously unknown
Angler phishing
technique where attackers impersonate customer service reps on social media
Advanced persistent threat APT
instances when a threat actor maintains unauthorized access to a system for an extended period of time
Adware
type of legitimate software that is sometimes used to display digital advertisements in applications
Attack tree
diagram that maps threats to assets
Baiting
social engineering tactic that tempts people into compromising their security
Botnet
collection of computers infected by malware that are under the control of a single threat actor, known as the bot-herder
Cross-site scripting XSS
injection attack that inserts code into a vulnerable website or web application
DOM-based XSS attack
instance when malicious script exists in the webpage a browser loads
Cryptojacking
form of malware that installs software to illegally mine cryptocurrencies
Dropper
type of malware that comes packed with malicious code which is delivered and installed onto a target system
Fileless malware
malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer
Hacker
any person or group who uses computers to gain unauthorized access to data
Identity and access management IAM
collection of processes and technologies that helps organizations manage digital identities in their environment
Injection attack
Malicious code inserted into a vulnerable application
Input validation
programming that validates inputs from users and other programs
Intrusion detection system IDS
application that monitors system activity and alerts on possible intrusions
Loader
type of malware that downloads strains of malicious code from an external source and installs them onto a target system
Malware
software designed to harm devices or networks
Process of Attack Simulation and Threat Analysis PASTA
popular threat modeling framework that’s used across many industries
Phishing
use of digital communications to trick people into revealing sensitive data or deploying malicious software
Phishing kit
collection of software tools needed to launch a phishing campaign
prepared statement
coding technique that executes SQL statements before passing them onto the database
Potentially unwanted application PUA
type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software
Quid pro quo
type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, info, or money
Ransomware
type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access
Reflected XSS attack
instance when malicious script is sent to a server and activated during the server’s response
Rootkit
malware that provides remote, administrative access to a computer
Scareware
Malware that employs tactics to frighten users into infecting their device
Smishing
use of text messages to trick users to obtain sensitive info or to impersonate a known source
Social engineering
manipulation technique that exploits human error to gain private info, access, or valuables
Spear phishing
malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source
Spyware
malware that is used to gather and sell info without consent
SQL Structured query language
programming language used to create, interact with, and request info from a database
SQL injection
an attack that executes unexpected queries on a database
Stored XSS attack
instance when malicious script is injected directly on the server
Tailgaiting
social engineering tactic in which unauthorized people follow an authorized person into a restricted area
Threat
any circumstance or event that can negatively impact assets
threat actor
any person or group who presents a security risk
threat modeling
process of identifying assets, their vulnerabilities, and how each is exposed to threats
Trojan horse
malware that looks like a legitimate file or program
Vishing
exploitation of electronic voice communication to obtain sensitive info or to impersonate a known source
Watering hole attack
type of attack when a threat actor compromises a website frequently visited by a specific group of users
Whaling
category of spear phishing attempts that are aimed at high-ranking executives in an organization
Web-based exploits
malicious code or behavior that’s used to take advantage of coding flaws in a web application
