Comprehensive vocabulary flashcards covering foundational terms, technologies, and concepts likely to appear on the Cisco CyberOps Associate (CBROPS 200-201) exam.
CIA Triad
Foundational security model consisting of Confidentiality, Integrity, and Availability.
Confidentiality
Assurance that information is accessible only to authorized users.
Integrity
Assurance that data is accurate and has not been tampered with.
Availability
Assurance that systems and data are accessible to authorized users when needed.
Risk
The potential for loss or damage when a threat exploits a vulnerability.
Threat
Any circumstance or event with the potential to harm an asset.
Vulnerability
A weakness that can be exploited by a threat actor.
Exploit
A technique or code that takes advantage of a vulnerability.
Defense-in-Depth
Layered security strategy that deploys multiple, complementary controls.
Discretionary Access Control (DAC)
Access model where data owners decide who may access their resources.
Mandatory Access Control (MAC)
Access model enforcing system-wide rules set by a central authority.
Role-Based Access Control (RBAC)
Model granting permissions based on a user’s job role.
Attribute-Based Access Control (ABAC)
Model using attributes (user, resource, environment) to make access decisions.
Time-Based Access Control
Permissions granted or denied based on temporal conditions.
AAA (Authentication, Authorization, Accounting)
Framework controlling user identity, access privileges, and activity logging.
CVSS
Common Vulnerability Scoring System used to rate severity of security flaws.
Attack Vector (CVSS)
How an attacker can exploit a vulnerability (network, adjacent, local, physical).
Attack Complexity (CVSS)
Conditions beyond attacker control that must exist for exploitation.
Privileges Required (CVSS)
Level of access required by an attacker to exploit a vulnerability.
User Interaction (CVSS)
Whether exploitation requires action by a user other than the attacker.
Scope (CVSS)
Whether a successful exploit can affect resources beyond the vulnerable component.
Temporal Metrics (CVSS)
Scores that change over time, such as exploit code maturity.
Environmental Metrics (CVSS)
Organization-specific factors influencing vulnerability severity.
5-Tuple
Network identification set: source IP, destination IP, source port, destination port, protocol.
Rule-Based Detection
Security monitoring using predefined signatures or rules.
Behavioral Detection
Monitoring that identifies anomalies relative to a baseline of normal activity.
Statistical Detection
Use of statistics to determine deviations indicating potential threats.
SIEM
Security Information and Event Management platform aggregating and analyzing logs.
SOAR
Security Orchestration, Automation, and Response platform automating incident workflows.
Log Management
Collection, storage, and analysis of log data for security and compliance.
Agentless Protection
Security monitoring performed without installing software on endpoints.
Agent-Based Protection
Security monitoring that relies on software agents installed on devices.
Threat Intelligence (TI)
Information about adversaries, TTPs, and indicators to inform defense.
Threat Hunting
Proactive search for hidden threats in an environment.
Malware Analysis
Process of studying malicious code to understand capabilities and indicators.
Reverse Engineering
Analyzing software to determine its design and functionality from compiled code.
Sliding Window Anomaly Detection
Technique that examines a moving window of data to detect anomalies.
DevSecOps
Integration of security practices into DevOps workflows.
tcpdump
Command-line packet capture tool for network traffic analysis.
NetFlow
Cisco protocol that summarizes IP traffic flows for monitoring and analysis.
Next-Generation Firewall (NGFW)
Firewall combining traditional filtering with application awareness and threat prevention.
Stateful Firewall
Firewall tracking active connections to make filtering decisions.
Application Visibility and Control (AVC)
Technology classifying and managing application traffic.
Web Content Filtering
Control that blocks or allows web requests based on policies.
Email Content Filtering
Scanning and policy enforcement for inbound and outbound email.
Access Control List (ACL)
Ordered set of permit/deny rules applied to interfaces or services.
NAT/PAT
Network Address Translation / Port Address Translation for IP address sharing.
Tor
Anonymizing network that routes traffic through volunteer relays.
Tunneling
Encapsulating one protocol within another to traverse a network.
Full Packet Capture
Recording of every packet’s payload and header for analysis.
Session Data
Summarized record of communication sessions (e.g., flow records).
Transaction Data
Details about application-layer requests and responses.
Statistical Data
Aggregated metrics such as counts, averages, or variances.
Metadata
Information describing data attributes, not the content itself.
Alert Data
Generated notifications indicating potential security events.
Protocol-Based Attack
Exploitation targeting flaws in network protocol implementations.
Denial of Service (DoS)
Attack aimed at making a service unavailable to users.
Distributed DoS (DDoS)
Coordinated DoS launched from multiple systems.
Man-in-the-Middle (MitM)
Attack where adversary intercepts and alters communications between parties.
SQL Injection
Web attack injecting malicious SQL statements into input fields.
Command Injection
Web attack forcing execution of arbitrary commands on a host OS.
Cross-Site Scripting (XSS)
Injecting malicious scripts into webpages viewed by other users.
Social Engineering
Manipulating people to divulge confidential information or perform actions.
Command and Control (C2)
Channel attackers use to remotely control compromised systems.
Ransomware
Malware encrypting data and demanding payment for decryption.
Evasion Technique
Method used by attackers to avoid detection (e.g., encryption, proxies).
PKI
Public Key Infrastructure managing digital certificates and key pairs.
X.509 Certificate
Standard format for public key certificates used in TLS/SSL.
Cipher Suite
Set of algorithms used to secure a TLS/SSL session.
Key Exchange
Process in which parties establish a shared secret for encryption.
Host-Based Intrusion Detection System (HIDS)
Monitors endpoint activities for signs of malicious behavior.
Antimalware / Antivirus
Software detecting and removing malicious code on hosts.
Host-Based Firewall
Firewall running directly on an endpoint to control inbound/outbound traffic.
Chain of Custody
Documentation that tracks evidence handling to preserve integrity.
Indicator of Compromise (IOC)
Observable artifact signifying a potential intrusion (hash, IP, domain).
Indicator of Attack (IOA)
Evidence of malicious intent or behavior preceding a compromise.
Best Evidence
Most reliable information directly proving a fact in an investigation.
Corroborative Evidence
Data supporting findings by providing additional validation.
Indirect Evidence
Information suggesting but not directly proving a fact.
PCAP
File format containing captured packet data.
IDS/IPS
Intrusion Detection/Prevention Systems monitoring traffic for malicious activity.
False Positive
Benign activity incorrectly identified as malicious.
False Negative
Malicious activity that goes undetected by security tools.
True Positive
Correctly detected malicious activity.
True Negative
Correctly identified benign activity.
Deep Packet Inspection (DPI)
Analysis of packet payloads and headers for advanced filtering.
Traffic Tap
Passive device duplicating network traffic for monitoring.
Regular Expression
Pattern-matching syntax used for searching and parsing text.
Asset Management
Process of inventorying and tracking organizational resources.
Patch Management
Regular deployment of updates to fix vulnerabilities.
NIST SP 800-61
Guideline for computer security incident handling.
Incident Response Phases
Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident.
NIST SP 800-86
Guide to integrating forensic techniques into incident response.
Evidence Collection Order
Priority sequence for gathering data, typically volatile first.
Data Preservation
Maintaining evidence in an unaltered state for legal admissibility.
Network Profiling
Establishing baselines for throughput, session duration, ports, and asset space.
Server Profiling
Baseline of listening ports, users, processes, tasks, and applications on servers.
PII
Personally Identifiable Information requiring protection (e.g., SSN, name, DOB).
PHI
Protected Health Information regulated under HIPAA.
Intellectual Property (IP)
Proprietary knowledge or creations that grant competitive advantage.