Vocab List Flashcards
Acceptance (of Risk)
Senior management chooses to accept the risk of an activity as it is.
Asset Inventory
A full catalog of the organization’s property (tangible, intellectual, digital, etc.), with sufficient detail/descriptions of attributes to determine specific responsibility/ownership and current configuration/disposition/protection.
Availability
Ensuring data can be accessed in an authorized manner, as permitted.
Avoidance (of Risk)
Senior management chooses to cease the activity to remove the risk.
Business Impact Analysis
The overall effort (and the artifact resulting from this effort) to assess the relative value of assets within an organization, the potential threats to those assets, and the possible damage that might be caused if an asset or assets are harmed or lost.
Change management
The process, method, and resources used to modify the configuration of assets in the inventory.
CIA Triad
The triad includes these three ideas: confidentiality, integrity, and availability of assets.
Configuration Management
The process, method, and resources used to determine baseline settings and version of assets in the inventory.
Due Care
The legal duty owed by an organization to its constituents (users/customers/employees/the public).
Due Diligence
Documented efforts demonstrating the organization’s activities to provide due care.
Governance
The processes, roles, and policies an organization uses to make decisions.
[Security] Guidelines
Recommendations (not mandates) for security best practices, usually from sources external to the organization.
Integrity
Protecting data from unauthorized modification.
Job Rotation
Shifting personnel (usually within a given department) among various roles throughout the year, for security, morale, and continuity purposes.
Least Privilege
Personnel are only given the minimal set of permissions necessary to perform their job function.
Maximum Allowable Downtime (MAD)
[also referred to as “MTD”, maximum tolerable downtime] The amount of time an organization can suffer an interruption to its critical path and still remain an organization.
Mitigation (of Risk)
Risk is reduced through the use of controls.
Need to Know
Information is only disclosed to those who have a business need and permission to access it.
[Security] Policy
The organization’s strategic security direction and mandates, published and signed by senior management.
Privileged (Users/Account)
Those with more access/permissions than regular users can cause more harm to the organization than regular users (and, historically, have); therefore, privileged accounts must be managed in a more restrictive and thorough manner than regular accounts.
[Security] Procedures
Specific instructions for performing security-related tasks.
Recovery Point Objective (RPO)
The amount of data that can be lost by the organization without destroying the organization (usually measured in time, backward from the current moment; so, “the last 72 hours’ worth of data”).
Recovery Time Objective (RTO)
The duration that an organization can suffer an interruption of its critical path without destroying the organization (measured as time, necessarily less than the MAD/MTD).
Residual Risk
Risk that remains after controls are put into operation (risk mitigation).
Risk
Potential harm to an organization.
Separation of Duties
Purposefully imposing inefficiency on a business process so that one person cannot complete an entire transaction on their own; abusing the process would therefore require collusion between two or more people.
Service Level Agreement (SLA)
The SLA describes, objectively, specifically, and numerically, the terms of the service the provider will deliver on a regular basis.
[Security] Standards
Minimum target levels and security best practices; may be created within the organization and imposed on all business units or may be taken from external creators (such as standards bodies like ISO, PCI, or SANS).
Threat
A factor that poses risk.
Transfer (of Risk)
Another party is paid to share risk on the organization’s behalf.
Vulnerability
An avenue that causes or enhances risk.
Algorithm
A mathematical function that is used in the encryption and decryption processes.
Antimalware Solutions
Solutions that inhibit, detect, quarantine, and remove malware targeting the environment.
Asymmetric Cryptography
Cryptography in which two different but mathematically related keys are used: one key encrypts and the other decrypts.
Asynchronous
Encrypt/decrypt requests are processed in queues.
Avalanche Effect
A minor change in either the key or the plaintext produces a significant change in the resulting ciphertext.
Ciphertext or Cryptogram
The altered form of a plaintext message that is unreadable by anyone except the intended recipients.
Coaxial Cable
Insulated copper wire terminating in a single pin.
Collision
Occurs when a hash function generates the same output for different inputs.
Confusion
Provided by mixing or changing the key values used during the repeated rounds of encryption.
Content Distribution Networks (CDNs)
Also sometimes referred to as content delivery network; used to replicate portions of data geographically closer to end users in order to enhance performance/quality of service.
Convergence
The practice of using one communication medium/protocol to convey multiple forms of communication.
Cryptanalysis
The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services.
Cryptosystem
The entire cryptographic operation and system; typically includes the algorithm, key, and key management functions, together with the services that can be provided through cryptography.
Decryption
The reverse process from encryption.
Diffusion
Provided by mixing up the location of the plaintext throughout the ciphertext.
Digital Certificate
A digital certificate is an electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration date.
Distributed System
System that performs a single task using resources that are located across multiple machines.
Embedded Systems
Very similar to ICS; typically processors with limited capabilities that govern machinery and equipment used for a variety of tasks, allowing for automation of commands and localized computing.
Encapsulation
Embedding one protocol inside another.
Encryption
Obscuring data through the use of a defined, reversible process; the process and act of converting a message from its plaintext to ciphertext.
Fiber Optic
Spun glass or plastic that conveys data via light pulses instead of electricity.
Firewalls
Devices typically used to monitor inbound traffic (can sometimes monitor bidirectional traffic as well).
Hash Function
A hash function is a one-way mathematical operation that reduces a message or data file into a smaller fixed length output, or hash value.
Honeypots/Honeynets
Simulated environments/components that contain no raw production data.
Industrial Control Systems (ICS)
Typically processors with limited capabilities that govern machinery and equipment used in manufacturing processes, allowing for automation of commands (such as patterns, recipes, and templates) and centralized control/monitoring.
Initialization Vector (IV)
A nonsecret binary vector used as the initializing input to an algorithm for the encryption of a plaintext block sequence, to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment.
Internet of Things (IoT)
Current pop culture term generally used to describe IP/web-enabled appliances and devices, often for residential/consumer purposes.
Internet Protocol (IP)
Part of the TCP/IP communications protocol suite; typically used to describe the process of carving messages into pieces (packets) and transmitting them to a recipient in a nondeterministic manner.
Intrusion Detection or Prevention Systems (IDS/IPS)
Systems that monitor traffic, often inside a specific network.
Key Clustering
Occurs when different encryption keys generate the same ciphertext from the same plaintext message.
Key/Cryptovariable
The input that controls the operation of the cryptographic algorithm.
Key Space
The total number of possible values of keys in a cryptographic algorithm.
Network Segmentation
The division of the overall networked environment into various smaller networks and parts of networks in order to group users and assets (including data) according to different usages and/or sensitivities.
Nonrepudiation
Inability to deny taking part in a transaction.
OSI 7-Layer Model
Academic conceptual means of describing the ways computers communicate with one another.
Plaintext/Cleartext
Message or data in its natural format and in readable form.
Public Key Infrastructure (PKI)
The use of a third party to enhance trust in a transaction. The third party digitally signs the public keys of the participants, issuing them digital certificates; the transactional parties exchange certificates, see each other’s public keys and the signature of the trusted third party, and can verify the sender of subsequent messages.
Sandboxing
The practice of abstracting contact with underlying hardware, instead constraining programs/software to run in a restricted environment that provides resources (processing, memory) at a remove.
Software-Defined Networking (SDN)
An approach to networking that abstracts the hardware involved in communication away from the design and control of the overall network.
Substitution
The process of exchanging one letter or byte for another.
Symmetric Cryptography
The same key is required to encrypt and decrypt.
Synchronous
Each encryption or decryption request is performed immediately.
Transposition/Permutation
The process of reordering the plaintext to hide the message but keeping the same letters.
Twisted Pair
Cable composed of pairs of copper wire wound around each other.
Virtual Local Area Network (VLAN)
A network segment created through the use of logical addressing restrictions (as opposed to physical isolation).
Virtual Private Network (VPN)
Encrypted tunnel that creates a secure, temporary connection between an external user and the network, typically allowing the user to have similar access/permissions to what the user would experience if access were achieved from within the network environment.
Work Factor
The time and effort required to break a protective measure; in cryptography, the time and effort required to break a cryptographic algorithm.
Business Continuity (BC)
Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.
Business Impact Analysis (BIA)
The effort to determine the value of each asset belonging to the organization, as well as the potential risk of losing assets, the threats likely to affect the organization, and the potential for common threats to be realized.
Critical Path
Those activities and functions that the organization needs to perform to stay operational.
Differential Backup
All data in the environment that has changed since the last full backup is copied.
Full Backup
All data in the environment is copied.
Incident
An unscheduled event.
Incremental Backup
All data in the environment that has changed since the last backup (full or incremental) is copied.
Maximum Allowable Downtime (MAD)
The measure of how long an organization can survive an interruption of critical functions.
Maximum Tolerable Downtime (MTD)
See: MAD.
Recovery Point Objective (RPO)
A measure of how much data the organization can lose before the organization is no longer viable.
Recovery Time Objective (RTO)
The target time set for recovering from any interruption.
Audit
Review of an environment to determine compliance with a standard.
Egress Monitoring
Monitoring all the ways data can be exfiltrated from an organization; often marketed under the term DLP.
False Positive
Indication of an activity/situation that is not accurate; for example, wrongly reporting that a detrimental event has occurred.
Key Performance Indicators (KPIs)
Metrics reflecting how the organization has performed.
Key Risk Indicators (KRIs)
Metrics attempting to determine how much risk the organization faces.
Scoping
Determining, prior to a review/test/audit, which aspects of an organization will be involved/reviewed.
Tailoring
Determining which elements of a baseline will be applied to an environment or part of an environment.
Accountability
The ability to attribute every action/event to a specific entity.
Authentication
A method for verifying that the entity presenting an identity assertion is, in fact, that entity.
Authorization
The set of permissions/capabilities granted to a specific entity upon the receipt of an authenticated identity assertion.
Federation
Granting access to an entity to various services/organizations, based on that entity’s credentials for one organization/service.
Identification
A unique value assigned to every person, device, and service that will access the environment.
Identity Assertion
A value used to denote a specific entity (often a username).
Identity Deprovisioning
The process of formally revoking access from an entity.
Identity Proofing
When an organization validates that a person is who they claim to be; usually done at the start of employment.
Identity Provisioning
The process of issuing an identity assertion to an entity.
LDAP
Lightweight Directory Access Protocol; a format for storing a catalog of information, typically associated with recognizing entries on the list.
Multifactor Authentication
Use of two or more different factors to verify an identity assertion; sometimes abbreviated as 2FA (for two-factor authentication) or MFA (for multifactor authentication).
Salt
A random element added to plaintext before hashing, to add complexity.
Application Programming Interfaces (APIs)
Sets of rules, tools, and languages used by programmers to simplify the creation of software.
Configuration/Change Management (CM) [in software development context]
Monitoring and managing changes to a program or documentation.
Dynamic Application Security Testing (DAST)
Also sometimes referred to as “black box testing” or “play testing”; in DAST, the application is actually executed, and testers (often from the user community) perform functions with the application in a runtime state, trying to determine whether the software can successfully perform its required functionality while also attempting to find situations in which the software fails.
Static Application Security Testing (SAST)
Also sometimes referred to as “white box testing” or “secure code review”; involves using methods and tools to review the actual source code of an application, locating known flaws and vulnerabilities.
STRIDE Model
Popular software threat modeling tool.
Compliance
The condition of adhering to all mandates/rules/obligations.
Digital Rights Management (DRM)
A technological control solution for protecting intellectual property and sensitive data, usually at the file level; often functions by adding an additional layer of access control to protected files. Also referred to as information rights management (IRM), enterprise rights management (ERM), and other nonstandard terms.
General Data Protection Regulation (GDPR)
EU personal privacy law.
Intellectual Property
Intangible assets; literally, property of the mind. Ideas, concepts, and knowledge that belong to a certain entity, under protection of law.
Personally Identifiable Information (PII)
Data that can be used to determine the identity of an individual.