1/102
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced | Call with Kai | Chat |
|---|
No analytics yet
Send a link to your students to track their progress
Cross-Site Request Forgery
CSRF
CSRF
Authenticated browser is tricked into performing unwanted actions on a web application
session hijacking
Attacker takes over a valid user session often by stealing a session token or cookie
session token prediction
Attacker guesses or predicts weak session token values to take over a session
Common Vulnerabilities and Exposures
CVE
CVE
Standardized identifier used to consistently reference a known vulnerability
Common Vulnerability Scoring System
CVSS
CVSS
Scoring system used to rate vulnerability severity
CVE vs CVSS
One identifies the vulnerability; the other scores its severity
Infrastructure as Code
IaC
IaC
Infrastructure managed and provisioned using scripts code or automated configuration
Network Access Control
NAC
NAC
Controls network access by checking devices or users against security policies before allowing connection
Mobile Device Management
MDM
MDM
Centralized management of mobile devices including policies remote wipe encryption and compliance checks
Business Email Compromise
BEC
BEC
Targeted business email fraud involving invoices payments executives vendors or finance roles
Short Message Service
SMS
smishing
Social engineering using SMS text messages
vishing
Social engineering using voice calls
typosquatting
Using lookalike or misspelled domains to trick users
File Transfer Protocol
FTP
FTP
File transfer protocol using port 21
Simple Mail Transfer Protocol
SMTP
SMTP
Mail transport protocol commonly associated with port 25 and mail relay risk
Hypertext Transfer Protocol
HTTP
HTTP
Unencrypted web protocol using port 80
Web Application Firewall
WAF
WAF
Layer 7 web application control used to filter HTTP traffic and mitigate web app attacks
Intrusion Prevention System
IPS
IPS
Broader network prevention tool that detects and blocks malicious traffic
WAF vs IPS
One focuses on web application HTTP traffic; the other broadly blocks network threats
Mean Time to Repair
MTTR
MTTR
Average time needed to repair or restore a system after failure
Mean Time Between Failures
MTBF
MTBF
Average time between system failures
MTTR vs RTO
One is actual average repair time; the other is the recovery time target
Recovery Point Objective
RPO
RPO
Maximum acceptable data loss measured in time
Recovery Time Objective
RTO
RTO
Maximum acceptable time to restore a service after disruption
Open-Source Intelligence
OSINT
OSINT
Using publicly available information to gather intelligence about risks vulnerabilities or targets
Secure Multipurpose Internet Mail Extensions
S/MIME
S/MIME
Email certificate technology used to sign and encrypt email content
Simultaneous Authentication of Equals
SAE
SAE
WPA3 authentication method based on Diffie-Hellman style key agreement
Management Frame Protection
MFP
MFP
Wireless protection against eavesdropping forging and tampering with management frames
Wi-Fi Protected Access 3
WPA3
WPA3
Latest wireless security standard using SAE and stronger protections than WPA2
Personally Identifiable Information
PII
PII
Data that can identify a specific person directly or indirectly
General Data Protection Regulation
GDPR
GDPR
European Union privacy regulation focused on personal data rights and processing requirements
California Consumer Privacy Act
CCPA
CCPA
Broad California privacy law similar in approach to GDPR
Gramm-Leach-Bliley Act
GLBA
GLBA
Financial-sector privacy regulation rather than broad horizontal privacy law
Payment Card Industry Data Security Standard
PCI DSS
PCI DSS
Industry standard for protecting payment card data
Federal Information Security Management Act
FISMA
FISMA
US federal law focused on security requirements for federal information systems
database encryption
Encrypts an entire collection of database records while supporting efficient database operations
volume encryption
Protects an entire disk or storage volume rather than database-aware records and queries
resource provisioning
Allocating and adjusting hardware software infrastructure and compute resources based on need
user provisioning
Creating modifying and removing user accounts and access during the employee lifecycle
ad hoc assessment
Risk assessment performed as needed in response to a specific event threat or change
one-time assessment
Comprehensive point-in-time risk evaluation used as a baseline or independent review
continuous assessment
Ongoing risk monitoring or evaluation rather than a single scheduled review
recurring assessment
Risk review performed on a regular schedule such as monthly quarterly or annually
business continuity policy
Guidelines for keeping critical operations running during unexpected interruptions
incident response policy
Guidelines for detecting responding to containing and recovering from security incidents
fileless malware
Malware using memory command line WMI PowerShell or legitimate tools without obvious files on disk
hybrid warfare
State actor strategy combining espionage disinformation hacking diplomacy or soft power
national legal implications
Country-level laws and regulations governing how personal data must be handled
operational control
Day-to-day security process such as log monitoring backups media handling or configuration management
technical control
Technology-based security mechanism such as encryption firewalls access controls or IDS IPS
managerial control
Administrative oversight such as policies risk assessments planning and security governance
asset ownership
Assigning accountability for hardware software or data assets
data owner
Role that decides how data is used accessed classified and protected
data custodian
Role that manages and controls access to data based on owner-defined requirements
data processor
Entity that handles personal data according to another entity’s instructions
data controller
Entity that decides why and how personal data is processed
journaling
Tracks transactions and changes so recovery can occur to the exact point of failure
snapshot
Point-in-time capture of a system or data state
replication
Real-time or near-real-time duplication of data to another location
serverless
Running code without managing the underlying infrastructure
microservices
Application design using small independently deployable services
router
Layer 3 device used to route traffic between networks
bridge
Layer 2 device used to connect network segments
switch
Layer 2 device commonly used to connect devices within a LAN
hub
Layer 1 device that broadcasts traffic to all connected ports
cloud compute isolation
Separation between instances or workloads so one compromised instance does not affect another
external compliance reporting
Compliance status shared with outside stakeholders regulators or the public
internal compliance reporting
Compliance status shared with internal management
RAD
Fast prototyping and rapid application development methodology
Scrum
Agile framework using sprints roles and iterative delivery
availability of skilled personnel
Key factor for ongoing supportability of a security automation tool
data plane
Zero Trust component responsible for transmitting data after access decisions are made