Assets, Threats, & Vulnerabilities

Question 1

Asset

Answer 1

item perceived as having value to an organization

Question 2

Asset inventory

Answer 2

catalog of assets that need to be protected

Question 3

Asset classification

Answer 3

practice of labeling assets based on sensitivity and importance to an organization

Question 4

Asset management

Answer 4

process of tracking assets and the risks that affect them

Question 5

Compliance

Answer 5

process of adhering to internal standards and external regulations

Question 6

Data

Answer 6

information that is translated, processed, or stored by a computer

Question 7

Data at rest

Answer 7

data not currently being accessed

Question 8

Data in transit

Answer 8

data traveling from one point to antoher

Question 9

Data in use

Answer 9

data being accessed by one or more users

Question 10

Information security (InfoSec)

Answer 10

practice of keeping data in all states away from unauthorized users

Question 11

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

Answer 11

voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Question 12

Policy

Answer 12

set of rules that reduce risk and protect information

Question 13

Procedures

Answer 13

step-by-step instructions to perform a specific security task

Question 14

Regulations

Answer 14

Rules set by a government or other authority to control the way something is done

Question 15

Risk

Answer 15

Anything that can impact confidentiality, integrity, and availability of an asset

Question 16

Standards

Answer 16

References that inform how to set policies

Question 17

Threat

Answer 17

Any circumstances or event that can negatively impact assets

Question 18

Vulnerability

Answer 18

weakness that can be exploited by a threat

Question 19

Access controls

Answer 19

security controls that manage access, authorization, and accountability of information

Question 20

Algorithm

Answer 20

set of rules used to solve a problem

Question 21

Application programming interface (API) token

Answer 21

small block of encrypted code that contains information about a user

Question 22

Asymmetric encryption

Answer 22

use of public and private key pair for encryption and decryption of data

Question 23

Basic auth

Answer 23

technology used to establish a user’s request to access a server

Question 24

Bit

Answer 24

smallest unit of data measurement on a computer

Question 25

Brute force attack

Answer 25

the trial and error process of discovering private information

Question 26

Cipher

Answer 26

algorithm that encrypts information

Question 27

Cryptographic key

Answer 27

mechanism that decrypts ciphertext

Question 28

Cryptography

Answer 28

process of transforming information into a form that unintended readers can’t understand

Question 29

Data custodian

Answer 29

Anyone or anything that’s responsible for the safe handling, transport, and storage of information

Question 30

Data owner

Answer 30

person that decides who can access, edit, use, or destroy their information

Question 31

Digital certificate

Answer 31

a file that verifies the identity of a public key holder

Question 32

Encryption

Answer 32

process of converting data from a readable format to an encoded format

Question 33

Hash collision

Answer 33

instance when different inputs produce the same hash value

Question 34

Hash table

Answer 34

data structure that’s used to store and reference hash values

Question 35

Hash function

Answer 35

algorithm that produces a code that can’t be decrypted

Question 36

Identity and access management (IAM)

Answer 36

collection of processes and technologies that helps organizations manage digital identities in their environment

Question 37

Information privacy

Answer 37

protection of unauthorized access and distribution of data

Question 38

Multi-factor authentication (MFA)

Answer 38

A security measure that requires a user to verify their identity in two or more ways to access a system or network

Question 39

Non-repudiation

Answer 39

concept that the authenticity of information can’t be denied

Question 40

OAuth

Answer 40

open-standard authorization protocol that shares designated access between applications

Question 41

Payment Card Industry Data Security Standards (PCI DSS)

Answer 41

set of security standards formed by major organizations in the financial industry

Question 42

Personally identifiable information (PII)

Answer 42

Any information used to infer an individual’s identity

Question 43

Principle of least privilege

Answer 43

concept of granting only the minimal access and authorization required to complete a task or function

Question 44

Protected health information (PHI)

Answer 44

Information that relates to the past, present, or future physical or mental health or condition of an individual

Question 45

Public key infrastructure (PKI)

Answer 45

encryption framework that secures the exchange of online information

Question 46

Rainbow table

Answer 46

file of pre-generated hash values and their associated plaintext

Question 47

Salting

Answer 47

additional safeguard that’s used to strengthen hash functions

Question 48

Security assessment

Answer 48

check to determine how resilient current security implementations are against treats

Question 49

Security audit

Answer 49

review of an organization’s security controls, policies, and procedures against a set of expectations

Question 50

Security controls

Answer 50

safeguards designed to reduce specific security risks

Question 51

Separation of duties

Answer 51

principle that users should not be given levels of authorization that would allow them to misuse a system

Question 52

Session

Answer 52

sequence of network HTTP basic auth requests and responses associated with the same user

Question 53

Session cookie

Answer 53

token that websites use to validate a session and determine how long that session should last

Question 53

Session hijacking

Answer 53

event when attackers obtain a legitimate user’s session ID

Question 54

Session ID

Answer 54

unique token that identifies a user and their device while accessing a system

Question 55

Single Sign-On (SSO)

Answer 55

technology that combines several different logins into one

Question 56

Symmetric encryption

Answer 56

use of a single secret key to exchange information

Question 57

user provisioning

Answer 57

process of creating and maintaining a user’s digital identity

Question 58

Advanced persistent threat APT

Answer 58

instance when a threat actor maintains unauthorized access to a system for an extended period of time

Question 59

Attack surface

Answer 59

all the potential vulnerabilities that a threat actor could exploit

Question 60

Attack tree

Answer 60

diagram that maps threats to assets

Question 61

Attack vector

Answer 61

pathways attackers use to penetrate security defenses

Question 62

Bug bounty

Answer 62

Programs that encourage freelance hackers to find and report vulnerabilities

Question 63

Common Vulnerabilities and Exposures CVE list

Answer 63

openly accessible dictionary of known vulnerabilities and exposures

Question 64

Common Vulnerability Scoring System CVSS

Answer 64

measurement system that scores the severity of a vulnerability

Question 65

CVE Numbering Authority CNA

Answer 65

organization that volunteers to analyze and distribute information on eligible CVEs

Question 66

Defense in depth

Answer 66

layered approach to vulnerability management that reduces risk

Question 67

Exploit

Answer 67

way of taking advantage of a vulnerability

Question 68

Exposure

Answer 68

mistake that can be exploited by a threat

Question 69

Hacker

Answer 69

any person who uses computers to gain access to computer systems, networks, or data

Question 70

MITRE

Answer 70

collection of non-profit research and development centers

Question 71

Security hardening

Answer 71

process of strengthening a system to reduce its vulnerability and attack surface

Question 72

Threat actor

Answer 72

any person or group who presents a security risk

Question 73

Vulnerability

Answer 73

weakness that can be exploited by a threat

Question 74

Vulnerability assessment

Answer 74

internal review process of a company’s security systems

Question 75

Vulnerability management

Answer 75

process of finding and patching vulnerabilities

Question 76

Vulnerability scanner

Answer 76

software that automatically compares existing common vulnerabilities and exposures against the technologies on the network

Question 77

Zero-day

Answer 77

an exploit that was previously unknown

Question 78

Angler phishing

Answer 78

technique where attackers impersonate customer service reps on social media

Question 79

Advanced persistent threat APT

Answer 79

instances when a threat actor maintains unauthorized access to a system for an extended period of time

Question 80

Adware

Answer 80

type of legitimate software that is sometimes used to display digital advertisements in applications

Question 81

Attack tree

Answer 81

diagram that maps threats to assets

Question 82

Baiting

Answer 82

social engineering tactic that tempts people into compromising their security

Question 83

Botnet

Answer 83

collection of computers infected by malware that are under the control of a single threat actor, known as the bot-herder

Question 84

Cross-site scripting XSS

Answer 84

injection attack that inserts code into a vulnerable website or web application

Question 85

DOM-based XSS attack

Answer 85

instance when malicious script exists in the webpage a browser loads

Question 86

Cryptojacking

Answer 86

form of malware that installs software to illegally mine cryptocurrencies

Question 87

Dropper

Answer 87

type of malware that comes packed with malicious code which is delivered and installed onto a target system

Question 88

Fileless malware

Answer 88

malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer

Question 89

Hacker

Answer 89

any person or group who uses computers to gain unauthorized access to data

Question 90

Identity and access management IAM

Answer 90

collection of processes and technologies that helps organizations manage digital identities in their environment

Question 91

Injection attack

Answer 91

Malicious code inserted into a vulnerable application

Question 92

Input validation

Answer 92

programming that validates inputs from users and other programs

Question 93

Intrusion detection system IDS

Answer 93

application that monitors system activity and alerts on possible intrusions

Question 94

Loader

Answer 94

type of malware that downloads strains of malicious code from an external source and installs them onto a target system

Question 95

Malware

Answer 95

software designed to harm devices or networks

Question 96

Process of Attack Simulation and Threat Analysis PASTA

Answer 96

popular threat modeling framework that’s used across many industries

Question 97

Phishing

Answer 97

use of digital communications to trick people into revealing sensitive data or deploying malicious software

Question 98

Phishing kit

Answer 98

collection of software tools needed to launch a phishing campaign

Question 99

prepared statement

Answer 99

coding technique that executes SQL statements before passing them onto the database

Question 100

Potentially unwanted application PUA

Answer 100

type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software

Question 101

Quid pro quo

Answer 101

type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, info, or money

Question 102

Ransomware

Answer 102

type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access

Question 103

Reflected XSS attack

Answer 103

instance when malicious script is sent to a server and activated during the server’s response

Question 104

Rootkit

Answer 104

malware that provides remote, administrative access to a computer

Question 105

Scareware

Answer 105

Malware that employs tactics to frighten users into infecting their device

Question 106

Smishing

Answer 106

use of text messages to trick users to obtain sensitive info or to impersonate a known source

Question 107

Social engineering

Answer 107

manipulation technique that exploits human error to gain private info, access, or valuables

Question 108

Spear phishing

Answer 108

malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Question 109

Spyware

Answer 109

malware that is used to gather and sell info without consent

Question 110

SQL Structured query language

Answer 110

programming language used to create, interact with, and request info from a database

Question 111

SQL injection

Answer 111

an attack that executes unexpected queries on a database

Question 112

Stored XSS attack

Answer 112

instance when malicious script is injected directly on the server

Question 113

Tailgaiting

Answer 113

social engineering tactic in which unauthorized people follow an authorized person into a restricted area

Question 114

Threat

Answer 114

any circumstance or event that can negatively impact assets

Question 115

threat actor

Answer 115

any person or group who presents a security risk

Question 116

threat modeling

Answer 116

process of identifying assets, their vulnerabilities, and how each is exposed to threats

Question 117

Trojan horse

Answer 117

malware that looks like a legitimate file or program

Question 118

Vishing

Answer 118

exploitation of electronic voice communication to obtain sensitive info or to impersonate a known source

Question 119

Watering hole attack

Answer 119

type of attack when a threat actor compromises a website frequently visited by a specific group of users

Question 120

Whaling

Answer 120

category of spear phishing attempts that are aimed at high-ranking executives in an organization

Question 121

Web-based exploits

Answer 121

malicious code or behavior that’s used to take advantage of coding flaws in a web application