Public key
Used for encryption and validation of digital signatures
Private key
Used for decryption and digital signatures
Key escrow
Stores cryptographic keys
Encryption
Changing plaintext into ciphertext
Level
The scope or layer at which encryption is applied
Full disk
Encrypts entire storage disk
Partition
Encrypts specific sections of storage device
File
Encrypts individual files, databases or records within
Volume
Encrypts a single volume
Database
Encrypts a database
Record
Encrypts a single database record
Transport/communication
Encrypted using SSL/TLS (data in transport)
Asymmetric
Uses two keys, a private key and a public key
Symmetric
Uses one key and encrypts a large amount of data using a block cipher
Key exchange
Delivers cryptographic keys from a sender to a receiver securely
Algorithms
Employs intricate mathematical operations to ensure the irreversibility of encryption (specific procedures for encrypting and decrypting)
Key length
The length of cryptographic keys impacts resistance against attacks
Tools
The hardware and software solutions applied to encryption
Trusted Platform Module (TPM)
ensures the
Stores keys, passwords and digital certificates
Hardware Security Module (HSM)
safeguards and manages digital keys, providing hardware level security
Key management system
manages cryptographic keys throughout their lifecycle
Secure enclave
Used to protect user data, biometric information, and cryptographic keys from potential software-based attacks (located in processor)
Obfuscation
Deliberately obscuring code
Steganography
Hiding data inside data, image, or audio files
Tokenization
Transforming sensitive data into unique tokens that hold no inherent value
Data masking
Concealing specific data within a database, inaccessible to unauthorized users
Hashing
Converts data into a fixed-size string, ensuring data integrity
Salting & Peppering
Adding random values to a credential
Digital signatures
Ensures the authenticity, integrity, and non-repudiation of a document
Key stretching
technique designed to transform a password into a longer, more complex key
Blockchain
A decentralized digital ledger for secure transactions
Open public ledger
shared transparent record accessible to all for verifying transactions
Certificates
Mechanisms that underpin secure digital interactions
Certificate authorities (CA)
Organizations that issue digital certificates
Certificate Revocation Lists (CRLs)
Catalogs of invalidated digital certificates, ensuring security
Online Certificate Status Protocol (OCSP)
Real-time checks of digital certificate validity
Self-signed
self-generated digital certificate lacking third-party validation, for internal use only
Third-party
Public-facing certificates issued by external entities to verify the authenticity of data
Root of trust
Verify its authenticity by checking the certificate’s chain of trust
Certificate Signing Request (CSR) generation
Sent from an applicant to a CA to get a digital identity certificate
Wildcard
A single certificate securing multiple servers using the same domain name
Diffusion
ensures that a small change in the plaintext results in a significantly different ciphertext, making it harder for attackers to find patterns and reverse the encryption
Approval process
Having the project and budget authorized
Ownership
Person responsible for security task
Test results
Testing new security measures before implementation
Backout plan
Having a rollback option
Maintenance window
Designated times for changes
Standard operating procedure
Rulebook on how to carry out tasks
Allow lists/deny lists
which activities or entities are permitted or prohibited
Restricted activities
changes that might limit certain operations
Downtime
Unplanned or extended time things cannot be accessed
Service restart
Can cause disruption to a system
Application restart
Weakness that can emerge on restart
Legacy applications
Vulnerabilities on older applications no longer supported
Dependencies
Services, system drivers, and interconnections that are intertwined
Updating diagrams
Outlines your current environment
Updating policies/procedures
Reflect changes that are pivotal to maintain a secure environment
Version control
Tracks changes to documents and projects
CIA (CIANA)
(Confidentiality, Integrity, Availability) Non-repudiation and authentication are also part of this triad
Non-repudiation
Prevents denial of one’s actions, ensuring accountability
AAA
Authentication, Authorization, Accounting
Authenticating systems
Uses 802.1x to authenticate devices
Authorization models
Controls access permissions
Gap analysis
Helps to achieve the desired state of security by analyzing the difference between what is and what should be (the gap)
Zero trust
Never trust, always verify
Control plane
Manages and configures network devices and resources
Adaptive identity
Flexible approach to identity management
Threat scope reduction
Reducing the attack surface
Policy engine
processes and evaluates access requests against set policies
Policy administrator
manages and updates access policies
Policy-driven access control
Access granted based on policies rather than static permissions
Implicit trust zones
Areas where trust is assumed by default
Subject/system
Entities requesting or being granted access
Policy enforcement point
Access decisions are executed here based on policies
Infrared sensor
Detects heat signatures
Pressure sensor
Detects weight or pressure changes such as footsteps
Microwave sensor
Emits pulses and detects frequency alterations
Ultrasonic sensor
Uses soundwaves to detect presence or movement
Honeypot
Lures attackers so that we can monitor the latest attack methods
Honeynet
Network of honeypots
Honeyfile
Bait file designed to detect and track unauthorized access attempts discreetly
Honeytoken
Piece of data used to alert when accessed, no real world value (only a trap)
Technical controls
Technology-based measures, e.g. firewalls and encryption (hardware, software and firmware)
Managerial Controls (Administrative controls)
documented in the organization's security policy and focus on managing risk
Operational Controls
Day to day security management such as monitoring and access management
Physical controls
Measures to protect physical assets, including locks, surveillance cameras, and security personnel.
Preventive controls
Aimed at preventing security incidents or breaches
Deterrent controls
Aimed at discouraging or deterring possible threats
Detective controls
Designed to discover or detect unwanted or unauthorized activity
Corrective controls
Intended to correct or mitigate damage after a security incident has occurred.
Compensating controls
Alternative measures that provide the same level of security when primary controls are not feasible. They are used to address specific risks.
Directive controls
Provide instructions on how to handle security related situations (guide or constrain user actions with recommended actions)
Functional controls
deterrent, preventive, detective, and corrective
Risk
the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss
Threat
any circumstance or event that has the potential to compromise confidentiality, integrity, or availability
Vulnerability
weakness. It can be a weakness in the hardware, the software, the configuration, or even the users operating the system.