A complete set of vocabulary flashcards covering the cybersecurity terms and definitions from the provided Course 5 transcript.
Advanced persistent threat (APT)
An instance when a threat actor maintains unauthorized access to a system for an extended period of time
Angler phishing
A technique where attackers impersonate customer service representatives on social media
Access controls
Security controls that manage access, authorization, and accountability of information
Adware
A type of legitimate software that is sometimes used to display digital advertisements in applications
Algorithm
A set of rules used to solve a problem
Application programming interface (API) token
A small block of encrypted code that contains information about a user
Asset
An item perceived as having value to an organization
Asset classification
The practice of labeling assets based on sensitivity and importance to an organization
Asset inventory
A catalog of assets that need to be protected
Asset management
The process of tracking assets and the risks that affect them
Asymmetric encryption
The use of a public and private key pair for encryption and decryption of data
Attack surface
The characteristics and features of the areas where an attack can come from
Baiting
A social engineering tactic that tempts people into compromising their security
Attack tree
A diagram that maps threats to assets
Attack vector
The pathways attackers use to penetrate security defenses
Basic auth
The technology used to establish a user’s request to access a server
Bit
The smallest unit of data measurement on a computer
Botnet
A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder”
Brute force attack
The trial and error process of discovering private information
Bug bounty
Programs that encourage freelance hackers to find and report vulnerabilities
Cipher
An algorithm that encrypts information
Common Vulnerabilities and Exposures (CVE®) list
An openly accessible dictionary of known vulnerabilities and exposures
Common Vulnerability Scoring System (CVSS)
A measurement system that scores the severity of a vulnerability
Compliance
The process of adhering to internal standards and external regulations
Cross-site scripting (XSS)
An injection attack that inserts code into a vulnerable website or web application
Cryptojacking
A form of malware that installs software to illegally mine cryptocurrencies
Encryption
The process of converting data from a readable format to an encoded format
Cryptographic key
A mechanism that decrypts ciphertext
Cryptography
The process of transforming information into a form that unintended readers can’t understand
CVE Numbering Authority (CNA)
An organization that volunteers to analyze and distribute information on eligible CVEs
Data
Information that is translated, processed, or stored by a computer
Data at rest
Data not currently being accessed
Data in transit
Data traveling from one point to another
Data in use
Data being accessed by one or more users
Data custodian
Anyone or anything that’s responsible for the safe handling, transport, and storage of information
Data owner
The person that decides who can access, edit, use, or destroy their information
Defense in depth
A layered approach to vulnerability management that reduces risk
Digital certificate
A file that verifies the identity of a public key holder
DOM-based XSS attack
An instance when malicious script exists in the webpage a browser loads
Dropper
A type of malware that comes packed with malicious code which is delivered and installed onto a target system
Exploit
A way of taking advantage of a vulnerability
Hacker
Any person who uses computers to gain access to computer systems, networks, or data
Hash collision
An instance when different inputs produce the same hash value
Exposure
A mistake that can be exploited by a threat
Fileless malware
Malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer
Hash function
An algorithm that produces a code that can’t be decrypted
Hash table
A data structure that's used to store and reference hash values
Identity and access management (IAM)
A collection of processes and technologies that helps organizations manage digital identities in their environment
Information privacy
The protection of unauthorized access and distribution of data
Information security (InfoSec)
The practice of keeping data in all states away from unauthorized users
Injection attack
Malicious code inserted into a vulnerable application
Input validation
Programming that validates inputs from users and other programs
Intrusion detection system (IDS)
An application that monitors system activity and alerts on possible intrusions
Loader
A type of malware that downloads strains of malicious code from an external source and installs them onto a target system
Malware
Software designed to harm devices or networks
MITRE
A collection of non-profit research and development centers
Multi-factor authentication (MFA)
A technology that requires at least two distinct forms of identification
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
Non-repudiation
The concept that the authenticity of information can’t be denied
OAuth
An open-standard authorization protocol that shares designated access between applications
Process of Attack Simulation and Threat Analysis (PASTA)
A popular threat modeling framework that’s used across many industries
Payment Card Industry Data Security Standards (PCI DSS)
A set of security standards formed by major organizations in the financial industry
Personally identifiable information (PII)
Any information used to infer an individual's identity
Phishing
The use of digital communications to trick people into revealing sensitive data or deploying malicious software
Phishing kit
A collection of software tools needed to launch a phishing campaign
Policy
A set of rules that reduce risk and protect information
Potentially unwanted application (PUA)
A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software
Prepared statement
A coding technique that executes SQL statements before passing them onto the database
Principle of least privilege
The concept of granting only the minimal access and authorization required to complete a task or function
Procedures
Step-by-step instructions to perform a specific security task
Protected health information (PHI)
Information that relates to the past, present, or future physical or mental health or condition of an individual
Public key infrastructure (PKI)
An encryption framework that secures the exchange of online information
Quid pro quo
A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money
Rainbow table
A file of pre-generated hash values and their associated plaintext
Ransomware
A type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access
Regulations
Rules set by a government or other authority to control the way something is done
Reflected XSS attack
An instance when malicious script is sent to a server and activated during the server’s response
Risk
Anything that can impact confidentiality, integrity, or availability of an asset
Rootkit
Malware that provides remote, administrative access to a computer
Salting
An additional safeguard that’s used to strengthen hash functions
Security controls
Safeguards designed to reduce specific security risks
Spear phishing
A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source
Scareware
Malware that employs tactics to frighten users into infecting their device
Security assessment
A check to determine how resilient current security implementations are against threats
Security audit
A review of an organization's security controls, policies, and procedures against a set of expectations
Security hardening
The process of strengthening a system to reduce its vulnerability and attack surface
Separation of duties
The principle that users should not be given levels of authorization that would allow them to misuse a system
Session
A sequence of network HTTP basic auth requests and responses associated with the same user
Session cookie
A token that websites use to validate a session and determine how long that session should last
Session hijacking
An event when attackers obtain a legitimate user’s session ID
Session ID
A unique token that identifies a user and their device while accessing a system
Single sign-on (SSO)
A technology that combines several different logins into one
Smishing
The use of text messages to trick users to obtain sensitive information or to impersonate a known source
Social engineering
A manipulation technique that exploits human error to gain private information, access, or valuables
Spyware
Malware that’s used to gather and sell information without consent
SQL (Structured Query Language)
A programming language used to create, interact with, and request information from a database
Threat actor
Any person or group who presents a security risk
Virus
Malicious code written to interfere with computer operations and cause damage to data and software
Vulnerability
A weakness that can be exploited by a threat
SQL injection
An attack that executes unexpected queries on a database