A comprehensive set of vocabulary flashcards covering the STRIDE and DREAD models, common code injection attacks, encryption methods, and cyber adversary profiles based on ITSSA exam notes.
Vulnerability
A weakness or flaw in a system that could be exploited, such as an unlocked window in a house.
Attack Vector
The path or method an attacker uses to exploit a vulnerability, such as a burglar climbing through an unlocked window.
STRIDE Model
A threat modelling framework developed by Microsoft to help software engineers identify security threats during the design and development of software systems.
Spoofing
A threat where an attacker pretends to be someone or something they are not to violate the security property of Authentication.
Tampering
The unauthorized modification of data during transmission, storage, or in memory, which violates the security property of Integrity.
Repudiation
Occurs when someone performs an action and later denies having done it because the system has insufficient evidence to prove otherwise; it violates Non-repudiation.
Information Disclosure
The exposure of confidential information to unauthorized people, violating the security property of Confidentiality.
Denial of Service (DoS)
An attack that prevents legitimate users from accessing a service by overwhelming the system, violating the security property of Availability.
Elevation of Privilege
An attack where an individual gains permissions they should not have to become more powerful inside a system, violating the security property of Authorization.
Cookie Theft
Also known as session hijacking; a cyber attack where an attacker steals session cookies from a user's browser to impersonate the victim.
Command Injection
A vulnerability occurring when an attacker executes arbitrary operating system commands through an application because user input is not sanitized.
SQL Injection (SQLi)
Occurs when user input changes the structure of a SQL query, making the input part of the SQL command rather than treated as data.
Tautology Attack
An SQL injection attack aimed at authentication bypass by using input like ' OR 1=1-- to force a query's WHERE clause to resolve to True.
Prepared Statements
A universal fix for SQL injection where the query structure is pre-compiled with placeholders, so that user input is bound as parameter values and treated strictly as literal data rather than as part of the SQL command.
DREAD Model
A risk assessment framework used to rank and prioritize security threats based on Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.
Cross-Site Scripting (XSS)
An attack where malicious client-side code is injected into a web page and executed in another user's browser, exploiting the trust the browser has in the website.
Stored XSS
A type of XSS where the malicious script is permanently stored on the server, such as in forum posts or blog comments.
Reflected XSS
A type of XSS where the malicious script is reflected immediately by the server through search results, error pages, or URL parameters.
Output Encoding
A prevention technique for XSS that converts special characters into HTML entities to force the browser to treat input as harmless plaintext.
Symmetric Encryption
A method of protection where the same secret key is used for both encryption and decryption, such as AES or Blowfish.
Asymmetric Encryption
A method using a pair of keys—a public key shared with everyone and a private key kept secret—used for digital signatures and key exchange (e.g., RSA).
Phishing
Mass-sent fraudulent communications, typically via email, designed to deceive recipients into revealing credentials.
Ransomware
Malware that encrypts critical system files or databases and demands financial payment for the decryption key.
DNS Tunnelling
The encapsulation of command and control (C2) traffic or data exfiltration within standard DNS queries to bypass firewall inspection.
Nation State Actors
State-sponsored groups, often referred to as APTs (Advanced Persistent Threats), motivated by geopolitical dominance and espionage.
Hacktivists
Adversaries driven by political, social, or religious ideologies to bring public awareness to a cause or damage an organization's reputation.
Script Kiddies
Unskilled individuals who use pre-packaged automated tools and scripts for notoriety or thrill-seeking.