NIST 800-181 categories
Securely Provision, Operate and Maintain, Protect and Defend
NIST 800-181
A workforce framework that categorizes cybersecurity roles into specialty areas.
Securely Provision tasks
System design, security architecture, and software development.
Operate and Maintain tasks
System administration, network monitoring, and patch management.
Protect and Defend tasks
Intrusion detection, incident response, and threat analysis.
CIA Triad
Confidentiality, Integrity, Availability.
Least Privilege
Users should have only the minimum access needed to perform their job.
Defense in Depth
A layered security approach using multiple defensive strategies.
Zero Trust Security
A security model that assumes no user or system is automatically trusted.
risk assessment
The process of identifying and analyzing potential threats and vulnerabilities.
phishing
A social engineering attack tricking users into revealing sensitive information.
DDoS attack
A Distributed Denial-of-Service attack that overwhelms a system with traffic.
malware
Malicious software designed to harm or exploit a system.
Man-in-the-Middle (MitM) attack
An attacker intercepts communication between two parties.
ransomware
Malware that encrypts data and demands payment for decryption.
brute force attack
Repeatedly trying passwords until the correct one is found.
SQL injection
An attack that exploits vulnerabilities in a database query.
zero-day vulnerability
A software flaw unknown to the vendor, leaving it unpatched.
trojan horse
Malware disguised as legitimate software.
spyware
Malware that secretly gathers user information.
firewall
A security device that monitors and controls network traffic.
IDS (Intrusion Detection System)
A system that detects unauthorized access or anomalies in a network.
IPS (Intrusion Prevention System)
A system that actively blocks detected threats.
network segmentation
Dividing a network into sections to enhance security.
VLAN (Virtual Local Area Network)
A logical subdivision of a network to separate traffic.
port scanning
A technique to identify open ports on a network.
honeypot
A decoy system designed to lure and detect attackers.
MAC filtering
Allowing or denying network access based on MAC addresses.
air-gapped network
A network that is physically isolated from unsecured networks.
access control list (ACL)
A set of rules that control network traffic.
encryption
The process of converting data into a secure format.
symmetric encryption
Encryption using the same key for both encryption and decryption.
asymmetric encryption
Encryption using a public and private key pair.
hashing
A one-way transformation of data into a fixed-length string.
digital signature
A cryptographic method to verify authenticity and integrity.
VPN (Virtual Private Network)
A secure tunnel for encrypted communication over the internet.
Multi-Factor Authentication (MFA)
A security method requiring multiple forms of verification.
Single Sign-On (SSO)
A system allowing users to log in once and access multiple applications.
Access Token
A credential used to authenticate a user session.
Wireshark
Network packet analysis.
Nmap
Network scanning and reconnaissance.
Metasploit
A penetration testing framework.
Splunk
Security event logging and analysis.
tracert command
Shows the path packets take to a destination.
netstat command
Displays active network connections.
ipconfig command
Displays network adapter information.
GDPR
General Data Protection Regulation for protecting personal data in the EU.
HIPAA
A U.S. law protecting medical information.
PCI DSS
A security standard for handling credit card data.
SOC 2 compliance
A security framework for cloud and IT service providers.
Incident Response Plan (IRP)
A documented plan outlining how to detect, respond to, and recover from security incidents.
Six phases of the incident response lifecycle
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Digital Forensics
The practice of investigating cyber incidents by analyzing digital evidence.
Chain of Custody in Digital Forensics
The process of maintaining a documented history of evidence handling.
Forensic Image
A bit-for-bit copy of a storage device for investigation.
Memory Forensics
The analysis of volatile memory (RAM) to detect malware or system intrusions.
Forensic Imaging Tool
FTK Imager or Autopsy.
Sandbox in Cybersecurity
A controlled environment for safely testing suspicious files or applications.
Live Analysis in Forensic Investigations
Examining an active system to gather evidence before shutdown.
Purpose of Log Analysis in Incident Response
To identify suspicious activity and security breaches.
Security Baseline
A set of minimum security configurations for a system.
Principle of 'Least Functionality'
Removing unnecessary services and applications to reduce attack surfaces.
Windows Group Policy
A tool used to enforce security settings on Windows machines.
Standard User vs Administrator Account
A standard user has limited permissions, while an administrator has full control over system settings.
Rootkit
Malware designed to gain privileged access and hide its presence on a system.
User Account Control (UAC) in Windows
A security feature that limits administrative privileges unless explicitly granted.
SELinux
A security module in Linux for enforcing access control policies.
Immutable Operating System
An OS that prevents changes to its core components to enhance security.
Patching
The process of applying updates to fix security vulnerabilities.
Endpoint Detection and Response (EDR) Solution
A tool for monitoring and responding to threats on individual devices.
WPA3
The latest Wi-Fi security standard that improves encryption and security.
MAC address spoofing
Changing a device's MAC address to impersonate another device.
rogue access point
An unauthorized wireless access point that poses a security risk.
public cloud vs. private cloud
A public cloud is shared across multiple users, while a private cloud is dedicated to a single organization.
cloud encryption
Encrypting data stored in the cloud to prevent unauthorized access.
cloud security best practices
Use MFA, encrypt data, implement access controls, and monitor activity logs.
shared responsibility model in cloud security
A security framework where cloud providers and users both have security responsibilities.
Identity as a Service (IDaaS)
A cloud-based authentication and identity management service.
Infrastructure as Code (IaC)
Managing cloud infrastructure through code instead of manual configuration.
CASB (Cloud Access Security Broker)
A security tool that monitors and controls cloud-based applications.
tailgating in cybersecurity
When an unauthorized person follows an authorized person into a secure area.
pretexting
A social engineering tactic where attackers create a fake scenario to obtain information.
baiting in cybersecurity
Luring victims with fake offers or malicious USB devices.
shoulder surfing
Observing someone's screen or keyboard to steal credentials.
vishing
Voice phishing - using phone calls to trick victims into revealing sensitive information.
smishing
SMS phishing - using text messages to trick users into clicking malicious links.
best way to prevent social engineering attacks
Security awareness training and verifying identities before sharing sensitive information.
insider threat
A security risk posed by employees or contractors with access to sensitive data.
two-person integrity (TPI)
A security measure that requires two people to approve a critical action.
role of security awareness training
Educating employees on cybersecurity best practices to prevent attacks.
Threat Hunting
Proactively searching for cyber threats within an organization's network.
Cyber Threat Intelligence (CTI)
The collection and analysis of threat data to improve security defenses.
MITRE ATT&CK framework
A knowledge base of adversary tactics and techniques used in cyberattacks.
Security Operations Center (SOC)
A centralized unit responsible for monitoring and responding to security incidents.
Red Team vs. Blue Team
The Red Team simulates attacks, while the Blue Team defends against them.
Purple Teaming
A collaboration between Red and Blue Teams to improve security defenses.
security orchestration, automation, and response (SOAR)
A platform that automates and streamlines security processes.
advanced persistent threat (APT)
A long-term, targeted cyberattack by a sophisticated adversary.
cyber resilience
The ability to maintain security and recover quickly from cyber incidents.
best way to stay updated on cybersecurity threats
Follow security blogs, attend conferences, and participate in cybersecurity competitions.