CIA
Confidentiality, Integrity, Availability — the three goals of all security: keep secrets, keep data accurate, keep it accessible.
AAA
Authentication, Authorization, Accounting — prove who you are, get permission, then get logged doing it.
NIST
National Institute of Standards and Technology — the U.S. agency that writes the security frameworks everyone references.
GDPR
General Data Protection Regulation — the EU privacy law that fines companies for mishandling personal data.
PII
Personally Identifiable Information — data that points to a specific human (name, SSN, address).
PHI
Protected Health Information — medical data, the stuff HIPAA guards.
IAM
Identity and Access Management — the whole system for who you are and what you're allowed to touch.
MFA
Multi-Factor Authentication — proving identity with two or more DIFFERENT factor types: something you know (password), something you have (phone/token), something you are (fingerprint). Password + phone code = know + have. Two passwords are still one factor, not MFA.
SSO
Single Sign-On — log in once, get access to many apps without re-entering credentials.
PKI
Public Key Infrastructure — the framework of keys and certificates that makes encryption and trust work.
CA
Certificate Authority — the trusted issuer that vouches for a website's identity (signs its certificate).
PAM
Privileged Access Management — tightly controls and monitors the powerful admin accounts.
ACL
Access Control List — a rulebook saying who/what can access a resource.
RBAC
Role-Based Access Control — permissions come from your job role, not from you personally.
ABAC
Attribute-Based Access Control — access decided by attributes (department, time, location), more flexible than roles.
MAC (access)
Mandatory Access Control — the system enforces access by labels/clearance, users can't override (think military).
DAC
Discretionary Access Control — the owner of a resource decides who gets in.
CRL
Certificate Revocation List — the 'do not trust' list of certificates that were cancelled early.
OCSP
Online Certificate Status Protocol — a faster, real-time way to check if one certificate is still valid.
TPM
Trusted Platform Module — a chip on the motherboard that stores keys securely (used for disk encryption).
HSM
Hardware Security Module — a dedicated device for generating and guarding cryptographic keys at scale.
FRR
False Rejection Rate — how often biometrics wrongly reject a legit user (annoying).
FAR
False Acceptance Rate — how often biometrics wrongly accept an imposter (dangerous).
CER / EER
Crossover/Equal Error Rate — the point where FRR and FAR are EQUAL; the single BEST biometric accuracy measure because it balances both error types. 'Best indication of accuracy' → lowest CER.
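An added example, not part of the original card set: sweep a match-score threshold over constructed biometric scores (not output from any real system), compute FRR and FAR at each threshold, and find the crossover point. It also compares two constructed systems to show why the one with the lower CER is the more accurate one.

```python
# Added example (not from the original card set): sweep a decision threshold
# over constructed match scores and find where FRR and FAR cross (the CER/EER).

# Constructed sample data, not output from any real biometric system.
# Scores are 0..100 similarity values: genuine users should score high,
# impostors low. System A overlaps in the 60..75 band; System B separates cleanly.
SYSTEM_A = {
    "genuine": [95, 92, 90, 88, 85, 82, 80, 78, 75, 70, 65, 60],
    "impostor": [20, 25, 30, 35, 40, 45, 50, 55, 60, 65, 70, 75],
}
SYSTEM_B = {
    "genuine": [95, 93, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82],
    "impostor": [10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 58, 60],
}
THRESHOLDS = range(0, 101, 5)


def false_rejection_rate(genuine, threshold):
    """FRR: share of legitimate attempts scoring BELOW the threshold (locked out)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostors, threshold):
    """FAR: share of impostor attempts scoring AT OR ABOVE the threshold (let in)."""
    return sum(1 for s in impostors if s >= threshold) / len(impostors)


def error_curve(system, thresholds=THRESHOLDS):
    """(threshold, FRR, FAR) for every candidate threshold: raising the
    threshold pushes FRR up and FAR down, lowering it does the reverse."""
    return [
        (t, false_rejection_rate(system["genuine"], t),
         false_acceptance_rate(system["impostor"], t))
        for t in thresholds
    ]


def crossover_error_rate(system, thresholds=THRESHOLDS):
    """Return (threshold, CER): the threshold where |FRR - FAR| is smallest and
    the error rate there (averaged, since a discrete sweep rarely hits exact equality)."""
    t, frr, far = min(error_curve(system, thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


def rank_by_accuracy(systems):
    """Most accurate first: the system with the LOWEST CER wins."""
    return sorted(systems, key=lambda name: crossover_error_rate(systems[name])[1])


if __name__ == "__main__":
    for name, system in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        print(f"System {name}: threshold  FRR    FAR")
        for t, frr, far in error_curve(system):
            print(f"            {t:>5}   {frr:.3f}  {far:.3f}")
        print("System %s CER: threshold=%d rate=%.3f" % ((name,) + crossover_error_rate(system)))
    print("Ranked by accuracy:", rank_by_accuracy({"A": SYSTEM_A, "B": SYSTEM_B}))
```

System A's errors cross at threshold 70 with FRR = FAR = 2/12, so its CER is about 0.167; System B's genuine and impostor scores never overlap, so its CER is 0 and it ranks first.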
CRC
Cyclic Redundancy Check — a math checksum that catches accidental corruption (bit flips in transit or storage). Integrity against noise, not against attackers: anyone who changes the data can recompute the CRC, so tamper detection needs a hash, MAC or signature.
MAC vs DAC vs RBAC vs ABAC
MAC: system enforces via labels/clearance, users can't override. DAC: resource owner decides. RBAC: permissions tied to job role. ABAC: access by attributes (dept, time, location).
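An added example, not part of the original card set: the same file-access request decided under DAC, RBAC, MAC and ABAC, to make the difference in what each model consults concrete. Every user, role, label, owner grant and the ABAC rule is constructed for illustration.

```python
# Added example (not from the original card set): one request, four access-control
# models. All users, roles, labels and the ABAC rule are constructed for illustration.
from datetime import time

RESOURCE = "payroll.xlsx"

# DAC: the owner (alice) decides; here she granted bob directly.
OWNERS = {RESOURCE: "alice"}
OWNER_GRANTS = {RESOURCE: {"bob"}}

# RBAC: permissions hang off roles; users get roles, never permissions directly.
ROLE_PERMISSIONS = {"hr_analyst": {RESOURCE}, "engineer": set()}
USER_ROLES = {"alice": {"hr_analyst"}, "bob": {"engineer"}, "carol": {"hr_analyst"}}

# MAC: system-assigned labels and clearances; a subject may read an object at or
# below its clearance (no read up) and no user can change the labels.
LEVELS = ["public", "internal", "confidential", "secret"]
OBJECT_LABELS = {RESOURCE: "confidential"}
CLEARANCES = {"alice": "confidential", "bob": "internal", "carol": "secret"}

# ABAC: the rule reads attributes of the request (department, location, time),
# not just who the subject is.
ABAC_POLICY = {"dept": "HR", "location": "office", "hours": (time(8, 0), time(18, 0))}


def request_at(dept: str, location: str, hour: int) -> dict:
    """Build the attribute bag that ABAC evaluates."""
    return {"dept": dept, "location": location, "now": time(hour, 0)}


def dac_allows(user: str, resource: str) -> bool:
    return user == OWNERS.get(resource) or user in OWNER_GRANTS.get(resource, set())


def rbac_allows(user: str, resource: str) -> bool:
    return any(resource in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, ()))


def mac_allows(user: str, resource: str) -> bool:
    return LEVELS.index(CLEARANCES[user]) >= LEVELS.index(OBJECT_LABELS[resource])


def abac_allows(request: dict, policy: dict = ABAC_POLICY) -> bool:
    start, end = policy["hours"]
    return (
        request.get("dept") == policy["dept"]
        and request.get("location") == policy["location"]
        and start <= request["now"] <= end
    )


def decide(user: str, resource: str, request: dict) -> dict:
    """Same request, four verdicts; the inputs each model looks at differ."""
    return {
        "DAC": dac_allows(user, resource),
        "RBAC": rbac_allows(user, resource),
        "MAC": mac_allows(user, resource),
        "ABAC": abac_allows(request),
    }


if __name__ == "__main__":
    # carol: HR analyst with secret clearance, working from home at 22:00
    print("carol:", decide("carol", RESOURCE, request_at("HR", "home", 22)))
    # bob: engineer, shared the file by alice, in the office at 10:00
    print("bob:  ", decide("bob", RESOURCE, request_at("Engineering", "office", 10)))
    # alice: owner, HR analyst, in the office at 10:00
    print("alice:", decide("alice", RESOURCE, request_at("HR", "office", 10)))
```

Carol's role and clearance let her in under RBAC and MAC, but ABAC denies the off-site, after-hours request; Bob gets in only under DAC, because the owner shared the file with him regardless of his role, clearance or department.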
Authentication vs Authorization vs Accounting
Authentication proves who you are; authorization decides what you can do; accounting logs what you did. They happen in sequence.
Identification vs Authentication
Identification is making a claim (entering a username); authentication is proving it (password/token). Username identifies; password authenticates.
Control CATEGORIES vs TYPES
Categories (by nature): technical, managerial, operational, physical. Types (by function): preventive, deterrent, detective, corrective, compensating, directive.
Deterrent vs Preventive
Deterrent discourages an attacker ('Beware of Dog' sign) — works on the mind. Preventive actually stops them (locked gate) — works regardless.
Compensating vs Corrective
Compensating is an alternative control when the primary isn't feasible (extra monitoring because you can't patch). Corrective fixes/restores after an incident (restore from backup). Substitute vs repair.
Encryption vs Hashing vs Obfuscation
Encryption is reversible with a key (confidentiality). Hashing is one-way/irreversible (integrity). Obfuscation just makes things harder to read — not real protection.
Digital Signature vs Digital Certificate
Signature proves sender identity + that data wasn't altered (sender's private key). Certificate binds a public key to an identity, vouched for by a CA.
Non-repudiation vs Authentication
Authentication proves identity at login. Non-repudiation produces proof a specific person did something so they can't later deny it (digital signatures provide this).
Key Stretching vs Salting
Salting adds random data so identical passwords hash differently (defeats rainbow tables). Key stretching deliberately slows hashing to make brute force expensive.
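An added example, not part of the original card set: one password stored three ways (bare SHA-256, salted SHA-256, salted PBKDF2-HMAC-SHA256), so that salting and key stretching can be seen doing different jobs. The password, salts and iteration count are constructed; in production the salt comes from `os.urandom` per user.

```python
# Added example (not from the original card set): one password stored three ways.
import hashlib
import hmac
import time

# Constructed inputs. In production each user's salt comes from os.urandom(16).
PASSWORD = "correct horse battery staple"
SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_BOB = bytes.fromhex("ffeeddccbbaa99887766554433221100")
ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Bare SHA-256: identical passwords give identical hashes, so a table
    precomputed once (rainbow table) cracks every user who chose this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salt defeats precomputation: each user must be attacked separately.
    Still a single fast hash, so brute-forcing one user is cheap."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def stretched_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salt + key stretching (PBKDF2-HMAC-SHA256): every guess costs
    `iterations` HMAC calls, for the attacker exactly as for us."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_password(candidate: str, salt: bytes, iterations: int, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    return hmac.compare_digest(stretched_hash(candidate, salt, iterations), stored)


def guesses_per_second(hash_fn, guesses: int = 200) -> float:
    """Rough attacker throughput for a hash function (a timing, so only printed)."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}")
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    print("unsalted, alice == bob:", unsalted_hash(PASSWORD) == unsalted_hash(PASSWORD))
    print("salted,   alice == bob:", salted_hash(PASSWORD, SALT_ALICE) == salted_hash(PASSWORD, SALT_BOB))
    stored = stretched_hash(PASSWORD, SALT_ALICE)
    print("verify right password:", verify_password(PASSWORD, SALT_ALICE, ITERATIONS, stored))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", SALT_ALICE, ITERATIONS, stored))
    fast = guesses_per_second(lambda p: salted_hash(p, SALT_ALICE))
    slow = guesses_per_second(lambda p: stretched_hash(p, SALT_ALICE), guesses=5)
    print(f"salted SHA-256: ~{fast:,.0f} guesses/s; PBKDF2 x{ITERATIONS}: ~{slow:,.1f} guesses/s")
```

The salt and the iteration count are stored next to the hash in the clear; neither is a secret. The salt only has to be unique per user, and the iteration count only has to be large enough that the throughput gap printed at the end hurts the attacker more than it hurts your login path.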
Steganography vs Encryption
Encryption hides the meaning of a message. Steganography hides the existence of the message (data tucked inside an image).
CRL vs OCSP
Both check cert revocation. CRL is a downloaded list (large/stale) — the phone book. OCSP is a real-time query for one cert — calling to ask.
Certificate stapling (quickest validity check)
OCSP stapling (often listed as certificate stapling): the server fetches a recent, time-stamped OCSP response signed by the CA's responder and attaches ('staples') it to its certificate in the TLS handshake, so the client doesn't make its own call to the OCSP responder. Quickest check because the proof arrives bundled with the cert; the client only verifies the responder's signature and that the response isn't stale.
Self-Encrypting Drive (SED) vs TPM
TPM stores keys, but software (BitLocker) does the encrypting — involves the user/OS. SED does encryption in hardware on the drive itself, automatically, zero user involvement. 'Remove responsibility from the user' → SED.
Asymmetric vs Symmetric — which algorithms
Asymmetric (key PAIR, public+private): RSA, ECC, DSA, Diffie-Hellman. Symmetric (ONE shared key): AES, DES, 3DES, RC4, Blowfish. Hook: RSA/ECC are the public/private 'fancy' ones; AES/DES are fast bulk-encryption workhorses. Caveat: DES, 3DES and RC4 are legacy/broken (exam fodder, not something to deploy); AES is the one to use.
THE asymmetric rule
Each person has a key PAIR: public (everyone sees) + private (only you). Rule: whatever ONE key does, only the OTHER undoes. Sign with private → verify with public. Encrypt with their public → only their private opens it.
Which key signs? Which key encrypts?
SIGN with YOUR PRIVATE key (only you have it → proves it's you; anyone verifies with your public). ENCRYPT for someone with THEIR PUBLIC key (only their private can open it). Signing = the key only you possess.
Symmetric key formula n(n-1)/2
Symmetric needs a unique shared key per PAIR of users: n(n-1)/2. 10 users → 10×9/2 = 45; 100 users → 4,950. Halve because each key is shared between 2 people. Asymmetric needs one key pair per user (n pairs, 2n keys), so it grows linearly. This explosion is the main argument FOR asymmetric crypto for key distribution.
Digital signature vs Hashing
Hashing alone = integrity (unaltered) but NOT who sent it, because a hash has no key and anyone who changes the data can recompute it. Digital signature = a hash signed with the signer's private key (for RSA this is effectively the hash encrypted with the private key; schemes like ECDSA aren't encryption, but the rule is the same) = integrity PLUS identity/origin. 'Unaltered AND from a trusted source' → signature, never hashing alone.
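An added example, not part of the original card set, covering the 'THE asymmetric rule', 'Which key signs?' and 'Digital signature vs Hashing' cards together: textbook RSA with tiny numbers so every step is visible. The key pair is the well-known p=61, q=53 example (n=3233, e=17, d=2753); it is a toy with no padding and a modulus anyone can factor, so nothing here is usable as real crypto. The messages are constructed.

```python
# Added example (not from the original card set): textbook RSA with tiny numbers.
# Toy key pair (p=61, q=53): insecure, no padding, illustration only.
import hashlib

N = 3233                    # p*q = 61*53, the public modulus
PUBLIC_KEY = (17, N)        # (e, n): everyone may hold this
PRIVATE_KEY = (2753, N)     # (d, n): only the owner; e*d = 1 mod lcm(60, 52)


def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Digital signature: hash, then apply the PRIVATE key (RSA: h^d mod n)."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone undoes the private-key step with the PUBLIC key and compares the
    recovered hash with a fresh hash of the message they received."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)


def encrypt_for_owner(m: int, public_key=PUBLIC_KEY) -> int:
    """Confidentiality runs the other way: encrypt with THEIR public key..."""
    e, n = public_key
    return pow(m, e, n)


def decrypt(c: int, private_key=PRIVATE_KEY) -> int:
    """...and only their private key opens it."""
    d, n = private_key
    return pow(c, d, n)


def hash_only_check(message: bytes, claimed_hash: int) -> bool:
    """Integrity without origin: no key is involved, so whoever can change the
    message can also recompute the hash and this check still passes."""
    return digest(message) == claimed_hash


def tamper_in_transit(message: bytes, signature: int, new_message: bytes):
    """An attacker on the wire swaps the message and recomputes the bare hash,
    but has no d to produce a new signature. Returns (hash_passes, sig_passes)."""
    forged_hash = digest(new_message)
    return hash_only_check(new_message, forged_hash), verify(new_message, signature)


if __name__ == "__main__":
    msg = b"transfer 100 to bob"
    sig = sign(msg)
    print("signature", sig, "verifies with public key:", verify(msg, sig))
    print("after tampering, hash-only passes / signature passes:",
          tamper_in_transit(msg, sig, b"transfer 100 to mallory"))
    c = encrypt_for_owner(65)
    print("encrypt 65 with public key ->", c, "; decrypt with private key ->", decrypt(c))
```

With the toy modulus the hash is reduced to 12 bits, so in principle two different messages could collide mod 3233; real signatures sign the full digest under a 2048-bit or larger modulus with padding (PSS) precisely so that neither collisions nor the algebraic tricks textbook RSA allows are available to an attacker.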
Integrity measurement vs Version control
Integrity measurement = compare a system's CURRENT state to a known-good BASELINE / master image to detect changes ('compared to the master image'). Version control = tracks revisions of code/files over time (Git). Baseline comparison vs revision history.
OCSP vs CSR
OCSP = real-time revocation CHECKING (is this cert still valid?). CSR = Certificate Signing Request — what you send to a CA to GET a cert issued. Revocation check → OCSP.