1/394
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced | Call with Kai | Chat |
|---|
No analytics yet
Send a link to your students to track their progress
ISMS
Information Security Management System. The complete management framework for governing information security in an organization. Defined by ISO 27001.
ISO 27001
Certifiable standard defining requirements for an ISMS. Process-based, not a technical checklist. Third-party auditors verify compliance and issue certification.
ISO 27002
Companion to ISO 27001. Detailed implementation guidance for each control in 27001's Annex A. Not certifiable on its own.
ISO 31000
General risk management framework. Not security-specific, not certifiable. Applies to all organizational risk types.
NIST CSF
Voluntary cybersecurity framework organized into 6 functions: Govern, Identify, Protect, Detect, Respond, Recover. Widely adopted outside federal government.
NIST SP 800-53
Categorizes security controls into different groups and acts as a catalog of them
NIST SP 800-171
Security requirements for protecting CUI in non-federal systems. Applies to DoD contractors. Basis for CMMC certification.
CUI
Controlled Unclassified Information. Government data that requires protection but isn't classified. Handled by contractors under 800-171.
NIST RMF
Federal process for authorizing IT systems to operate. Six steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
ATO
Authority to Operate. Authorization granted by an Authorizing Official allowing a federal system to process government data. Typically valid 3 years.
FISMA
Federal Information Security Modernization Act. Requires federal agencies to implement NIST-based security programs and obtain ATOs for systems.
PCI DSS
Payment Card Industry Data Security Standard. 12 requirements for any organization storing, processing, or transmitting cardholder data. Contractually mandatory, not law.
GDPR
EU regulation protecting personal data of EU residents. Applies globally to any org handling EU data. 72-hour breach notification, right to erasure, fines up to 4% global revenue.
HIPAA
US law protecting PHI. Three rules: Privacy, Security, Breach Notification. Applies to covered entities and business associates.
PHI
Protected Health Information. Individually identifiable health information. 18 defined identifiers make health data PHI under HIPAA.
SOC 2
Auditing framework for service organizations. Based on Trust Services Criteria: Security (required), Availability, Processing Integrity, Confidentiality, Privacy.
SOC 2 Type I
Point-in-time audit verifying controls are designed correctly. Less rigorous than Type II.
SOC 2 Type II
Audit covering a period (6-12 months) verifying controls operated effectively throughout. What enterprise customers require.
SOX
Sarbanes-Oxley Act. US law requiring public companies to maintain effective internal controls over financial reporting. Executives personally liable. Key IT impacts: audit log retention (7 years), access controls, separation of duties, change management.
RFC 3227
IETF guidelines for digital evidence collection. Defines order of volatility and chain of custody requirements.
Order of Volatility
Sequence for evidence collection: CPU/cache → RAM → network state → running processes → disk cache → disk → remote logs → archival media. Most volatile first.
Chain of Custody
Documentation proving evidence integrity from collection through legal proceedings. Every person who touched evidence, when, and what they did.
ALE
Annual Loss Expectancy. Expected yearly loss from a risk. ALE = SLE × ARO.
SLE
Single Loss Expectancy. Cost of one occurrence of a risk event. SLE = Asset Value × Exposure Factor.
ARO
Annual Rate of Occurrence. How many times per year a risk event is expected. Once per 10 years = 0.1.
Exposure Factor
Percentage of asset value lost in a single risk event. Total destruction = 1.0.
Risk Transference
Shifting loss responsibility to another party. Insurance, outsourced security providers.
OSI Model
7-layer network model: Physical, Data Link, Network, Transport, Session, Presentation, Application.
Layer 1 Physical
OSI layer - Cables, hubs, radio waves. Raw bit transmission.
Layer 2 Data Link
OSI Layer - Ethernet, MAC addresses, switches, ARP. Frame transmission within a network.
Layer 3 Network
OSI Layer - IP, ICMP, IPSec, routing. Packet transmission across networks.
Layer 4 Transport
TCP, UDP. Ports live here. End-to-end communication, segmentation.
Layer 5 Session
Session establishment and management. NetBIOS.
Layer 6 Presentation
Encryption, compression, format translation. TLS/SSL operates here.
Layer 7 Application
HTTP, DNS, SMTP, FTP, SNMP. User-facing protocols.
TCP
Transmission Control Protocol. Connection-oriented, reliable, ordered delivery. Three-way handshake (SYN, SYN-ACK, ACK). Layer 4.
UDP
User Datagram Protocol. Connectionless, no guaranteed delivery, fast. Used for DNS, VoIP, streaming. Layer 4.
IPSec
Suite of Layer 3 protocols providing confidentiality, integrity, and authentication for IP packets. Used in site-to-site VPNs.
AH
Authentication Header. IPSec protocol providing integrity and authentication only. No encryption.
ESP
Encapsulating Security Payload. IPSec protocol providing encryption, integrity, and authentication. Almost always preferred over AH.
IPSec Tunnel Mode
Encrypts entire original IP packet including headers. Used in VPNs. Hides source/destination.
IPSec Transport Mode
Encrypts payload only. Original IP headers visible. Used for end-to-end host communication.
IKE
Internet Key Exchange. Negotiates IPSec security associations. Runs on UDP port 500. Phase 1 establishes secure channel; Phase 2 negotiates IPSec parameters.
TLS
Transport Layer Security. Successor to SSL. Encrypts communications at Layer 6. Current standard is Version 1.3.
SSL
Secure Sockets Layer. Predecessor to TLS. All versions broken. SSL 3.0 vulnerable to POODLE. Never use.
TLS Handshake
Negotiation process: Client Hello → Server Hello → Certificate verification → Key exchange → Session key derivation → Finished.
Forward Secrecy
Property where session keys are temporary and not derived from the server's long-term private key. Compromising the private key later cannot decrypt past sessions. Provided by ECDHE.
Diffie-Hellman
Key exchange protocol allowing two parties to establish a shared secret over a public channel without transmitting the secret. Basis for forward secrecy.
PKI
System of CAs, certificates, and policies enabling trusted public key distribution and identity verification.
Certificate Authority (CA)
Trusted third party that issues and signs digital certificates, vouching for identity.
Root CA
Top of the certificate hierarchy. Self-signed, pre-installed in OS/browsers. Private key kept offline. Never signs end-entity certs directly.
Intermediate CA
Signed by Root CA. Used for day-to-day certificate signing. Compromise can be contained without touching the root.
Chain of Trust
Verification path from end-entity certificate up through intermediate CAs to a trusted root CA. Verified locally using math, not network requests.
Digital Certificate
Public key + identity information, signed by a CA. Contains subject, issuer, public key, validity dates, serial number, signature, SANs.
Self-Signed Certificate
Signed by its own private key rather than a CA. No third-party trust. Browser warnings. Acceptable for internal use only.
Certificate Revocation List (CRL)
CA-published list of revoked certificate serial numbers. Periodically downloaded by clients. Can be stale.
OCSP
Online Certificate Status Protocol. Real-time query to CA: is this certificate still valid? Adds latency, creates CA dependency.
OCSP Stapling
Server periodically fetches its own OCSP response and attaches it to the TLS handshake. Client gets freshness proof without separate CA request.
Certificate Pinning
Application hardcodes which certificate or CA it accepts for a server. Rejects valid certs from other CAs. Strong MITM defense.
DV Certificate
Domain Validation. CA only verifies domain control. Automated, cheap, fast. No identity verification beyond domain ownership.
OV Certificate
Organization Validation. CA verifies domain and organization identity. Requires documentation.
EV Certificate
Extended Validation. Strictest identity verification. Historically showed green bar in browsers.
Wildcard Certificate
Covers a domain and all direct subdomains. *.example.com covers mail.example.com but not sub.mail.example.com.
SAN Certificate
Subject Alternative Names. Single certificate covering a specific list of multiple domains.
Key Escrow
Copy of a private key held by a third party. Backup mechanism, but means someone else has your private key.
Registration Authority (RA)
Handles identity verification on behalf of a CA. CA still does the actual signing.
Hash Function
One-way function producing fixed-size output from arbitrary input. Deterministic, collision-resistant, avalanche effect.
SHA-256
Current standard hash algorithm. 256-bit output. Part of SHA-2 family. No practical collision attacks known.
SHA-1
160-bit hash. Broken. Practical collisions demonstrated in 2017 (SHAttered). Deprecated.
MD5
128-bit hash. Completely broken. Collisions findable in seconds. Never use for security. Acceptable for non-security checksums.
SHA-3
Hash algorithm using Keccak sponge construction. Entirely different design from SHA-2. NIST backup if SHA-2 is ever broken.
Collision Attack
Finding two different inputs that produce the same hash output.
Birthday Attack
Exploiting a paradox probability to find hash collisions. Effective search space is square root of output size.
Asymmetric Cryptography
Two mathematically linked keys: public and private. What one encrypts only the other decrypts. Basis for PKI and digital signatures.
Digital Signature
Hash of content encrypted with private key. Recipient decrypts with public key and compares hashes. Proves authenticity and integrity.
Symmetric Cryptography
Same key encrypts and decrypts. Fast, but key distribution problem.
Forward Proxy
Sits between clients and internet. Hides/anonymizes clients. Can filter content.
Reverse Proxy
Sits between internet and backend servers. Hides servers, handles load balancing and caching.
Load Balancer
Distributes traffic across multiple servers. Algorithms: round robin, least connections, IP hash. Increases availability.
SDN
Software-Defined Networking. Separates control plane (where to send traffic) from data plane (actually moving traffic) into centralized software. Network-wide visibility vs. traditional per-device routing.
IDS
Intrusion Detection System. Passive, out-of-band monitoring. Detects and alerts on threats. Cannot block traffic.
IPS
Intrusion Prevention System. Inline, in the traffic stream. Detects threats and can take action to block them.
WAF
Web Application Firewall. Analyzes HTTP traffic including queries and APIs. Can act as IPS for web-layer attacks.
UTM
Unified Threat Management. All-in-one security device combining firewall, IPS, IDS, anti-malware, VPN, DLP, analytics.
NGFW
Next-Generation Firewall. Combines packet inspection, IPS, IDS, firewall, antivirus beyond traditional firewall capabilities.
Jump Server
Provides access between security zones for authorized users. Must be secured, monitored, and maintain separate audit logs.
Air Gap
Physical separation between networks requiring physical media to transfer data. Strongest isolation measure.
VLAN
Virtual Local Area Network. Logical network segmentation using software. Isolates traffic without separate physical hardware.
VPN
Virtual Private Network. Encrypted logical connection over public network. Two types: IPSec (Layer 3, site-to-site) and SSL/TLS (Layer 6, remote access).
Split Tunnel VPN
Only predefined traffic goes through VPN tunnel. Other traffic travels normally. More efficient, less secure.
Full Tunnel VPN
All traffic routes through VPN regardless of destination. More bandwidth, more secure.
Site-to-Site VPN
Permanent VPN connection between two locations. Always on. Typically uses IPSec tunnel mode.
Remote Access VPN
On-demand VPN for individual users. SSL/TLS most common. Not always on.
802.1X
IEEE standard for port-based network access control. Uses EAP framework to authenticate devices to a RADIUS server before granting network access.
EAP-TLS
Certificate-based mutual authentication. Certificates required on both client and server. Most secure, hardest to manage at scale.
EAP-TTLS
Only server-side certificate required. Reduces management overhead. May require client software.
EAP-FAST
Cisco protocol for fast re-authentication of roaming devices. Uses symmetric shared secret key after initial auth.
RADIUS
Remote Authentication Dial-In User Service. Centralized authentication server. Used with 802.1X.
Fail-Open
Device failure mode where all traffic is allowed through. Prioritizes availability over security.
Fail-Closed
Device failure mode where all traffic is blocked. Prioritizes security over availability.