FBLA Cybersecurity Study Guide

Cybersecurity

Protecting systems, networks, and programs from digital attacks

Confidentiality

Ensuring information is accessible only to authorized users

Integrity

Ensuring data is not altered or corrupted

Availability

Ensuring data and systems are accessible when needed

CIA Triad

The three core principles of cybersecurity: confidentiality, integrity, and availability

Non-Repudiation

Proof that a sender cannot deny performing an action

Identification

Verifying a user's identity

Authentication

Verifying credentials to grant access

Authorization

Granting access to resources based on permissions

Accounting

Tracking user actions and system usage

Implicit Deny

Denying all access unless explicitly allowed

Least Privilege

Giving users only the access they need to perform their job

Zero Trust

Security model that assumes no user or system is trusted by default

Honeypot

A fake system designed to attract and detect attackers

Honeynet

A network of honeypots used to study attacker behavior

Attestation

Verifying that a system or user meets security requirements

Binary

Base-2 number system used in computing and cryptography

Hexadecimal

Base-16 number system used to represent binary data compactly

Decimal

Base-10 number system used by humans

Malware

Any software designed to harm or exploit systems

Virus

Malware that self-replicates and spreads through files or programs

Worm

Malware that spreads across networks without user interaction

Trojan Horse

Malware disguised as legitimate software

Spyware

Malware that secretly monitors user activity

Adware

Software that displays unwanted advertisements

Logic Bomb

Malware triggered by a specific event or time

Ransomware

Malware that encrypts data and demands payment

Rootkit

Malware that hides deep within an operating system

Botnet

Network of infected computers controlled by an attacker

Backdoor

Hidden access that bypasses system security

Zero-Day Vulnerability

A newly discovered flaw with no available patch

Unpatched Software

Software missing security updates

Insider Threat

A malicious or careless person inside an organization

Threat Actor

Individual or group that carries out cyber attacks

Social Engineering

Manipulating people to reveal confidential information

Phishing

Fake emails or messages to steal information

Spear Phishing

Targeted phishing aimed at specific individuals

Whaling

Phishing aimed at executives or high-value targets

Vishing

Voice-based phishing using phone or VoIP

SQL Injection

Injecting malicious code into a database through input fields

Cross-Site Scripting (XSS)

Injecting malicious scripts into websites

DDoS Attack

Flooding a system with traffic from multiple sources

Cryptographic Collision

Two different inputs producing the same hash

Birthday Attack

Exploiting hash collisions using probability

Wireless Vulnerability

Weakness in wireless networks such as weak encryption

Security by Design

Building security into every stage of system development

Threat Modeling

Identifying and prioritizing threats during system design

Secure SDLC

Integrating security into the software development lifecycle

Microservices Security

Increased risk due to multiple services and endpoints

Logical Segmentation

Separating systems using software controls

Physical Segmentation

Separating systems using physical infrastructure

Virtualization

Using virtual machines to isolate systems

Containerization

Running applications in isolated environments

Internet of Things (IoT) Risk

Security threats from connected smart devices

Backup

Copy of data used for recovery

UPS

Battery backup providing short-term power

RAID

Disk system that improves redundancy and performance

Sandbox

Isolated environment for testing untrusted code

Code Review

Examining code to detect vulnerabilities

Input Validation

Checking user input to prevent attacks

Secure Configuration

Maintaining approved system settings

Cryptography

Protecting data using encryption techniques

Symmetric Encryption

Uses the same key to encrypt and decrypt data

Asymmetric Encryption

Uses a public and private key pair

Public Key

Key used to encrypt data

Private Key

Key used to decrypt data

Hashing

Converting data into a fixed-length value for integrity

Shift Cipher

Encryption by shifting letters

Caesar Cipher

Simple shift cipher named after Julius Caesar

Substitution Cipher

Replacing characters with other characters

Data at Rest

Stored data

Data in Transit

Data being transferred

Data in Use

Data actively being processed

MAC

Mandatory Access Control using sensitivity labels

DAC

Discretionary Access Control managed by the owner

RBAC

Role-Based Access Control using job roles

Digital Certificate

Verifies identity using encryption

Certificate Authority (CA)

Organization that issues digital certificates

Token

Temporary authentication credential

Business Continuity Plan

Ensures operations continue during disruptions

Disaster Recovery Plan

Restores systems after failure

Full Backup

Complete copy of all data

Incremental Backup

Copies only changed data

Differential Backup

Copies data changed since last full backup

Firewall

Filters traffic based on security rules

WAF

Web Application Firewall

Change Management

Controlling system changes to reduce risk

Security Awareness Training

Educating employees about security risks

CISO

Chief Information Security Officer

HTTPS

Secure web protocol using TLS

SSH

Secure remote access protocol

TLS

Encryption protocol for secure communication

WPA2/WPA3

Secure wireless encryption standards

WEP

Weak wireless encryption protocol

IDS

Intrusion Detection System that monitors traffic

IPS

Intrusion Prevention System that blocks threats

Strong Password

Long password with letters, numbers, and symbols

Patch Management

Updating systems to fix vulnerabilities

Tokenization

Replacing sensitive data with tokens

Data Masking

Hiding sensitive data