Confidentiality
Ensures that unauthorized individuals are not able to gain access to sensitive information.
Integrity
Ensures that there are no unauthorized modifications to information or systems, whether intentionally or unintentionally.
Availability
Ensures that information and systems are ready to meet the needs of legitimate users at the time they request them.
Privacy
Focuses on the ways an organization can use and share information collected about individuals.
Vulnerability
A weakness in a device, system, application, or process that might allow an attack to take place. Vulnerabilities are internal factors that cybersecurity professionals can control (e.g., upgrading outdated software).
Threat
An outside force that may exploit a vulnerability. Threats can be malicious (e.g., a hacker) or nonmalicious (e.g., an earthquake).
Risk
The combination of a threat and a corresponding vulnerability.
Adversarial Threat
Individuals, groups, or organizations deliberately attempting to undermine security (e.g., nation-states, trusted insiders, competitors).
Accidental Threat
Individuals mistakenly performing an action that undermines security during routine work (e.g., a system administrator accidentally deleting a critical disk volume).
Structural Threat
Equipment, software, or environmental controls failing due to resource exhaustion, exceeding operational capability (extreme heat), or age.
Environmental Threat
Natural or human-made disasters outside organizational control (e.g., fires, severe storms, power failures).
Technical controls
Systems, devices, software, and settings that enforce CIA requirements (e.g., secure network building, endpoint security).
Operational controls
Practices and procedures that bolster cybersecurity (e.g., conducting penetration testing, using reverse engineering).
Network Access Control (NAC)
Limiting network access to authorized individuals and ensuring that systems accessing the network meet basic security requirements.
Triple-homed Firewalls
Connect to three different networks: the Internet, the internal network, and a special network known as the demilitarized zone (DMZ) or screened subnet.
DMZ
A network zone designed to house systems that receive outside connections (e.g., web and email servers). Placing these systems here isolates them, so if they are compromised, they pose little threat to the internal network.
Rule Base/ACL
Firewalls evaluate connection requests against a rule base, which is an access control list (ACL).
Default Deny Principle
If there is no rule explicitly allowing a connection, the firewall will deny that connection.
Ports 20, 21
FTP
Port 22
SSH
Port 23
Telnet
Port 25
SMTP
Port 53
DNS
Port 80
HTTP
Port 443
HTTPS
Packet filtering firewalls
Check only packet characteristics against rules; often found in routers.
Stateful inspection firewalls
Maintain information about the state of each connection; the most basic standalone firewall products.
Next-generation firewalls (NGFWs)
Incorporate contextual information about users, applications, and business processes; current state-of-the-art.
Web application firewalls (WAFs)
Specialized firewalls designed to protect against web application attacks (e.g., SQL injection, cross-site scripting).
Jump Box
A server placed in a screened subnet to act as a secure transition point between networks, providing a trusted path.
Honeypots
Systems designed by experts to falsely appear vulnerable and lucrative to attackers. They let an attack appear to succeed while monitoring the activity to learn the attacker's intentions.
DNS Sinkholes
Feed false information to malicious software.
Hardening
Involves making configurations as attack-resistant as possible.
Compensating Controls
Alternate means of satisfying a security requirement when the prescribed control cannot be implemented.
Mandatory Access Control (MAC)
Administrators set all security permissions, and end users cannot modify them.
Discretionary Access Control (DAC)
The file owner controls the permissions.
Sandboxing
An approach that runs suspected malicious software in an isolated environment so it can be detected by its behavior rather than by signatures.
Cybersecurity Automation (SOAR)
Provides many opportunities to automate tasks that cross multiple systems.
Application Programming Interfaces (APIs)
The primary means of integrating diverse security tools. APIs allow programmatic interaction with services, often performing the same actions as web-based interfaces but enabling code to automate those actions.
Webhooks
Send a signal from one application to another using a web request (e.g., triggering a vulnerability scan when a new vulnerability is reported by a threat intelligence platform).
Decompiler
Attempts to recover source code from binary code.
Firewall
Filters network connections based on source, destination, and port.
Serverless computing
Describes cloud computing, often specifically Function as a Service (FaaS), which relies on a system that executes functions only as they are called (AWS, Azure).
Virtualization
Uses software to run virtual computers on underlying real hardware, allowing multiple operating systems to act as if they are on their own separate hardware.
Containerization
Provides application-level virtualization by packaging applications with their own required components (libraries, configuration files, etc.) into a dedicated, lightweight, and portable environment.
Windows Registry
A critical database that contains operating system settings used by programs, services, drivers, and the OS itself.
Common Windows Configuration File Location
Directories where configuration information is often stored on Windows systems (C:\ProgramData\ or C:\Program Files\)
Common Linux Configuration File Location
The /etc/ directory, where configuration information is typically stored on Linux systems.
Intrusion Prevention Systems (IPSs)
Security devices that can detect and actively stop attacks.
Intrusion Detection Systems (IDSs)
Security devices that detect attacks and alarm or notify security staff.
Unified Threat Management (UTM) devices
Devices that combine a number of security services into one solution.
Virtual Private Cloud (VPC)
An option provided by cloud service providers that builds an on-demand, semi-isolated environment, typically on a private subnet.
Hybrid Network Architecture
Network architecture that combines both on-premises and cloud infrastructure and systems.
Network Segmentation
The separation of networks or systems to provide a layered defense, which can reduce the attack surface and limit the scope of regulatory compliance efforts.
Air Gap
A type of physical segmentation that ensures there is absolutely no connection between infrastructures.
Jump Box (Jump Server)
A system that resides in a segmented environment and is used to access and manage the devices in that segment.
Virtual Private Network (VPN)
A common means of providing remote access that uses encryption to provide a secure connection between a system/device and a network.
Software-Defined Networking (SDN)
Technology that makes networks programmable, allowing network resources and traffic to be controlled centrally with more intelligence than traditional physical networks.
Zero Trust
A modern security architecture concept that removes inherent trust in systems, services, and individuals inside security boundaries, moving security further toward deeply layered models.
Secure Access Service Edge (SASE)
A network architecture design that uses software-defined wide area networking (SD-WAN) combined with security functionality (like CASBs and zero trust) to secure the network at the endpoint and network layer.
SAML
An XML-based language used to send authentication and authorization data between IDPs and SPs to enable single sign-on.
Cloud Access Security Broker (CASB)
Policy enforcement points (local or cloud-based) that enforce security policies when cloud resources and services are used.
Public Key Infrastructure (PKI)
Used to issue cryptographic certificates for encryption, authentication, and code signing, relying on asymmetric encryption.
Network Flows
Data captured by network devices that describes the flow of traffic passing through, including source and destination information. (Seeing the source IP, destination IP, how many packets were sent, and the port/protocol used)
Router-Based Monitoring
Relying on routers or switches to provide information about network traffic flow and the status of the device itself. (Using technologies like NetFlow, sFlow, or J-Flow to capture traffic data)
Active Monitoring
Techniques that actively reach out to remote systems and devices to gather data. (Pinging remote systems using ICMP or measuring link bandwidth with iPerf)
Passive Monitoring
Capturing information about the network as traffic passes a specific location without adding additional traffic. (Using a network tap to capture a copy of all traffic sent between two systems)
Data Exfiltration
The process where attackers successfully move data out of their target systems back to themselves. (A large, unexpected data transfer from a sensitive file store to an outside system)
Beaconing
Repeated activity, sometimes called a heartbeat, sent to a Command-and-Control (C&C) system as part of a botnet or malware remote control system. (A host reaching out to a remote site via HTTP every 10 seconds in a repeated pattern)
Heuristics
Using network security devices and defined rules to detect issues based on behaviors that are known to be malicious. (An Intrusion Detection System (IDS) flagging attack traffic based on established rules)
Protocol Analysis
Using a tool to capture packets and check for unexpected traffic or common protocols running over uncommon ports. (Finding unexpected VPN traffic or identifying a common protocol being sent over an alternate service port)
Scans and Sweeps
Activities that are often a precursor to focused attacks, detected by behaviors like sequential testing of service ports or connecting to many IP addresses. (Using the nmap tool to sequentially test all 65,535 service ports on a target system)
Rogue Devices
Devices that are connected to a network but should not be, either by policy or because they were added by an attacker. (An attacker connecting their own device to an open, unauthenticated wired network)
Endpoint Detection and Response (EDR)
Tools deployed with agents on endpoint systems to monitor for, detect, and automatically respond to potential security issues and compromises.
Security Information and Event Management (SIEM)
Tools that leverage centralized logging and data gathering with analysis capabilities to identify security issues. (A system that combines flow data, system logs, and threat intelligence to identify widespread attacks)
Security Orchestration, Automation, and Response (SOAR)
Tools used to integrate security systems and automate response tasks via pre-defined action sets called playbooks. (Automatically triggering a firewall block based on alerts received from an Intrusion Prevention System (IPS))
Wireshark
A graphical tool used for packet capture and inspection, providing deep detail into network traffic. (Analyzing captured traffic to determine the specific user agent and destination IP address of a browsing session)
Tcpdump
A command-line tool used for packet capture, often found on Linux systems. (Using the command tcpdump -i eth0 -s0 -v port 80 to capture HTTP traffic)
Hashing
A process used to compare a potentially malicious file to a known-good original by generating and comparing fixed-size, one-directional outputs.
PowerShell
The native command-line shell scripting environment for Windows systems.
grep
A common command-line tool used to perform string (text) searches within files, often combined with other commands.
Regular Expressions (Regex)
Flexible patterns used in searches to match a flexible set of text entries. (Using the pattern cys[abc] to match the strings "cysa," "cysb," and "cysc")
JSON
A human-readable text format using JavaScript notation for data interchange.
XML
A markup language for data interchange that uses angle brackets for opening and closing statements.
Sender Policy Framework (SPF)
An email authentication technique where organizations publish a list of their authorized email sending servers via DNS records. (A DNS record specifying that only Server A and Server B are allowed to send email from a specific domain)
DomainKeys Identified Mail (DKIM)
An email authentication protocol that digitally signs the body and header of a message to ensure it is from the claimed sender.
DMARC
A protocol that uses SPF and DKIM results to determine an email message's authenticity and provides policy options for handling unauthenticated messages.
Simple Network Management Protocol (SNMP)
A protocol commonly used to collect information about the status of network devices like routers. (Monitoring for high load and other signs of bandwidth utilization at the router level).
ps
A built-in Linux command that provides information about CPU and memory utilization, start time, and the command that started each process. (Checking a process's details to determine how long it has been running).
top
A built-in Linux tool that interactively displays CPU utilization, memory usage, and details about running processes. (Using the tool to quickly identify top consumers of resources by pressing 'A').
df
A built-in Linux command that displays a report of the system's disk usage. (Using the -h flag to show filesystem usage in a human-readable format).
w
A built-in Linux tool that indicates which accounts are currently logged into the system. (Determining who may be running a suspicious process).
Pipes (|)
A command-line technique used to send the output data from one command-line tool directly as input to another.
Whois
The general process of checking an IP address or domain via a Whois server to obtain registration and contact information.
AbuseIPDB
A public tool that allows users to search for IP addresses, domains, or networks to determine if they have been reported for abusive activities.
nmap
A scanning tool used to perform network scans, sweeps, and probes.
Threat Intelligence
Data about adversaries, their motivations, capabilities, and the methods they may use.
Strategic Intelligence
Broad information about threats and actors, helping organizations respond to overall trends.
Tactical Threat Intelligence
Detailed technical and behavioral information useful to security professionals for defense.