C Flashcards
CAM Table
Maps MAC addresses to IP addresses, allowing a switch to send traffic to the correct port.
Capture The Flag
An exercise that pits technologists against one another in an attempt to attack a system and achieve a specific goal, such as stealing a sensitive file.
Card Cloning Attack
A kind of attack that focuses on capturing information from cards like RFID and magstripe cards, which are often used for entry access.
Carrier Unlocking
Allows mobile phones to be used with other cellular providers.
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
Encryption technology used in the WPA2 protocol. It implements AES (Advanced Encryption Standard) with a 128-bit key as a stream cipher.
Cellular
A kind of wireless connection that provides connectivity for mobile devices like cell phones by dividing geographic areas into “cells”, with tower coverage allowing wireless communication between devices and towers or cell sites.
Center for Internet Security (CIS)
An industry organization that publishes hundreds of benchmarks for commonly used platforms.
Centralized
A centralized approach to computing places a significant portion of an organization’s infrastructure within a single environment.
Centralized Proxy
Traffic is routed through the device.
Certificate
Certificates can be stored on a system or paired with a storage device or security token and are often used to identify systems or devices as well as individuals.
Certificate Authorities (CA)
CAs are the glue that binds the public key infrastructure together. These neutral organizations offer notarization services for digital certificates.
Certificate Chaining
The use of a series of intermediate CAs in the certificate authority trust model.
Certificate Revocation List (CRL)
Used to ensure that a certificate has not been revoked.
Certificate Signing Request (CSR)
Provides your public key to the certificate authority to create an X.509 digital certificate containing your identifying information and a copy of your public key. The CA then digitally signs the certificate using the CA’s private key and provides you with a copy of your signed digital certificate.
Certificate Stapling
An extension to the Online Certificate Status Protocol (OCSP) that relieves some of the burden placed upon certificate authorities by the original protocol. The web server contacts the OCSP server itself and receives a signed and timestamped response from the OCSP server, which it then attaches to the digital certificate.
Certification
The comprehensive evaluation, made in support of the accreditation process, of the technical and nontechnical security features of an IT system and other safeguards to establish the extent to which a particular design and implementation meets a set of specified security requirements.
Chain of Custody
The process by which investigators document the handling of evidence from collection through use in court.
Challenge Handshake Authentication Protocol (CHAP)
A protocol that challenges a user or system to verify its identity without sending a secret key over the network.
Change Management
The process that defines how the organization will review, approve, and implement proposed changes to information systems in a manner that manages both cybersecurity and operational risk.
Choose Your Own Device (CYOD)
The organization owns the device but allows the user to select and maintain it.
Chosen Plaintext
The attacker obtains the ciphertexts corresponding to a set of plaintexts of their own choosing.
CIA Triad
The three essential security principles of confidentiality, integrity, and availability.
Cipher
A system that hides the true meaning of a message. Ciphers use a variety of techniques to alter and/or rearrange the characters or words of a message to achieve confidentiality.
Clean Desk Policy
A policy used to instruct workers how and why to clear off their desks at the end of each work period. In relation to security, such a policy has a primary goal of reducing disclosure of sensitive information.
Closed Circuit Television (CCTV)
Displays what the camera is seeing on a screen. Some CCTV systems include recording capabilities as well.
Closed Source Intelligence
Intelligence information, typically from a commercial vendor, that is provided only to specific groups.
Cloud Access Security Broker (CASB)
A security policy enforcement solution that consistently enforces security policies across cloud providers.
Cloud Auditors
Independent organizations that provide third-party assessments of cloud services and operations.
Cloud Bursting
Moving the execution of an application to the cloud on an as-needed basis.
Cloud Carriers
The intermediaries that provide the connectivity that allows the delivery of cloud services from providers to consumers.
Cloud Computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
Cloud Consumers
The organizations and individuals who purchase cloud services from cloud service providers.
Cloud Partners
The organizations that offer ancillary products or services that support or integrate with the offerings of a cloud service provider.
Cloud Service Providers
The firms that offer cloud computing services to their customers.
Clustering
Describes groups of computers connected together to perform the same task.
Code Injection Attacks
Attacks seeking to insert attacker-written code into the legitimate code created by a web application developer.
Code of Conduct/Ethics
A document that describes the expected behavior of employees and affiliates and covers situations not specifically addressed in policy.
Code Repositories
Centralized locations for the storage and management of application source code.
Code Review
A form of vulnerability assessment where flaws in code or errors in logic are detected by combing through source code.
Code Signing
A way for developers to confirm the authenticity of their code to end users.
Cold Aisles
Server room aisles that blow cold air from the floor.
Cold Sites
Standby facilities large enough to handle the processing load of an organization and with appropriate electrical and environmental support systems.
Collisions
Cases where a hash function produces the same value for two different inputs.
Column Level Encryption (CLE)
Allows for specific columns within tables
Common Configuration Enumeration (CCE)
Provides a standard nomenclature for discussing configuration issues.
Common Name
Clearly describes the certificate owner.
Common Platform Enumeration (CPE)
Provides a standard nomenclature for describing security-related software flaws.
Common Vulnerabilities and Exposures (CVE)
Provides a standard nomenclature for describing security-related software flaws.
Common Vulnerability Scoring System (CVSS)
A Security Content Automation Protocol (SCAP) component that provides a standardized scoring system for describing the characteristics and severity of security vulnerabilities.
Community Cloud
A cloud delivery model in which the infrastructure is shared by organizations with something in common.
Company Owned Business Only (COBO)
Most frequently used to describe company-owned devices used only for business work.
Compensating Controls
Gap controls that fill in the coverage between other types of vulnerability mitigation techniques.
Compliance Reporting
Ensures that organizations meet regulatory requirements and maintain transparency within the organization and with external stakeholders.
Compliance Risk
The risk that a security breach causes an organization to run afoul of legal or regulatory requirements.
Computer Based Training (CBT)
A method of delivering training content to users by digital means.
Concurrent Session Usage
An indicator of compromise that occurs when a session is used from more than one location or device at a time.
Confidential
Information that requires some protection.
Confidentiality
Ensures that unauthorized individuals are not able to gain access to sensitive information.
Confidentiality Metric (C)
A metric that describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability.
Configuration Management
The process of logging, auditing, and monitoring activities related to security controls and security mechanisms over time. This data is then used to identify agents of change, such as objects, subjects, programs, communication pathways, or even the network itself.
Conflicts of Interest
Arise when a vendor has a competing interest that could influence their behavior in a way that is not aligned with the best interests of the organization.
Conservative Risk Appetite
Organizations with this appetite tend to avoid high risk and focus on maintaining stability and protecting existing assets.
Container
Standardized software packages that include all code and libraries to facilitate execution on any hardware and operating system supporting the same containerization platform.
Containerization
An increasingly common solution for handling the separation of work and personal use contexts on devices.
Containment
Prevention of the spread of malicious code or other attacks.
Content Filters
Devices or software that allow or block traffic based on content rules.
Context-Aware Authentication
Goes beyond PINs, passwords, and biometrics to better reflect user behavior.
Continuity of Operations
Ensuring that operations will continue even if issues ranging from single system failures to wide-scale natural disasters occur.
Continuous Delivery (CD)
Rolls out tested changes into production automatically as soon as they have been tested.
Continuous Integration (CI)
A development practice that checks code into a shared repository on a consistent, ongoing basis.
Continuous Monitoring
A monitoring practice that uses automation to facilitate 24/7 monitoring of systems and networks.
Continuous Risk Assessment
Involves ongoing monitoring and analysis of risks.
Continuous Validation
Using continuous integration and continuous deployment methods requires building continuous validation and automated security testing into the pipeline testing process.
Control Objectives
The requirements for the level of protection needed to preserve the confidentiality, integrity, and availability of an organization’s information and systems.
Control Objectives for Information and Related Technologies (COBIT)
Describes the common requirements that organizations should have in place surrounding their information systems.
Cookie
A plain-text file stored on your machine that contains information about you (and your preferences) for use by a database server. Although cookies are frequently used for various legitimate purposes, they can also be used by malicious websites to track user activities.
Corporate-Owned
Provides the greatest control but the least flexibility for devices.
Corporate-Owned, Personally Enabled (COPE)
Corporate-provided devices that allow reasonable personal use while meeting enterprise security and control needs.
Corrective Controls
A type of access control that modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
Credential Harvesting
The process of gathering credentials like usernames and passwords.
Credential Management Policy
A document that describes the account life cycle from provisioning through active use and decommissioning.
Credential Replay
A form of network attack that requires the attacker to be able to capture valid network data and to re-send it or delay it so that the attacker’s own use of the data is successful.
Credentialed Scanning
Scans that access operating systems, databases, and applications, among other sources.
Cross-Site Request Forgery (XSRF/CSRF)
An attack that is similar in nature to XSS. However, with XSRF, the attack is focused on the visiting user’s web browser more so than the website being visited.
Cross-Site Scripting (XSS)
Running a script routine on a user’s machine from a website without their permission.
Crossover Error Rate (CER)
The point at which the false rejection rate (FRR) and the false acceptance rate (FAR) are equal. Sometimes called the equal error rate (EER).
Cryptanalysis
The study of methods to defeat codes and ciphers.
Cryptocurrency
The first major application of the blockchain. Blockchain allows the existence of a currency that has no central regulator.
Cryptography
Algorithms applied to data that are designed to ensure confidentiality, integrity, authentication, and/or nonrepudiation. The art of creating and implementing secret codes and ciphers.
Cryptology
Together, cryptography and cryptanalysis are commonly referred to as cryptology.
Cryptosystems
Specific implementations of a code or cipher in hardware and software.
Cryptovariables
Cryptographic keys.
Curl
A tool found on Linux systems that is used to transfer data via URLs.
CVSS Base Score
A single number representing the overall risk posed by the vulnerability.
CVSS Vector
A vector that uses a single-line format to convey the ratings of a vulnerability on all six of the metrics.
Cyber Kill Chain
A seven-step process for mapping attacks from their beginning to their end.
Cybersecurity Framework (CSF)
The NIST cybersecurity framework, which helps organizations address cybersecurity risks.
Cybersecurity Insurance
An insurance policy designed to protect an organization against cybersecurity risks.
CYOD
Choose Your Own Device.