Interactive drill-down study tool using the Cornell method.
Hardware, software, firmware controls (firewalls, encryption, AV, IDS)
Policies, procedures, risk assessment frameworks, governance documents
Day-to-day processes run by people (monitoring, training, patching, incident response)
Barriers, locks, cameras, guards, environmental controls, bollards, fencing
Stops the threat before it happens (e.g., firewall rules, encryption, access controls)
Discourages the threat actor (e.g., security signage, warning banners, security cameras)
Identifies that a threat is occurring or has occurred (e.g., IDS, logs, security audits)
Fixes the issue after detection (e.g., patching, restoring from backup, reimaging)
Alternative control when primary isn't feasible (e.g., extra monitoring when MFA unavailable)
Mandates specific behavior or actions (e.g., policies, acceptable-use agreements, training requirements)
Only authorized persons can access the data; enforced via encryption, access controls, data classification
Data hasn't been tampered with or altered; enforced via hashing, checksums, digital signatures
Systems and data are accessible when needed; enforced via redundancy, backups, failover, load balancing
Ensures an action cannot be denied by the party who performed it; implemented via digital signatures, audit logs, timestamps
Verifying identity via passwords, biometrics, tokens, certificates
Machine certificates, API keys, mutual TLS
RBAC, DAC, MAC, ABAC; determines what authenticated entities can do
Assesses the difference between current security posture and desired state; identifies missing or weak controls, drives remediation
Adaptive identity, Threat scope reduction, Policy-driven access control, Policy Administrator, Policy Engine
Implicit trust zones, Subject/System, Policy Enforcement Point
Bollards, Access control vestibule, Fencing, Video surveillance, Security guard, Access badge, Lighting, Sensors (Infrared, Pressure, Microwave, Ultrasonic)
Fake system to attract attackers
Network of honeypots
Fake file to detect unauthorized access
Fake data/credentials to detect misuse
Approval process, Ownership, Stakeholders, Impact analysis, Test results, Backout plan, Maintenance window, Standard operating procedure
Allow lists/deny lists, Restricted activities, Downtime, Service restart, Application restart, Legacy applications, Dependencies
Updating diagrams, Updating policies/procedures
Tracking changes to configurations, code, and documents
Public key, Private key, Key escrow
Full-disk, Partition, File, Volume, Database, Record
Securing data in transit between systems
Uses key pairs (public/private); RSA, ECC; slower but enables key exchange
Single shared key; AES, DES; faster for bulk data
Diffie-Hellman, ECDHE
AES-256, RSA, ECC, ChaCha20
Longer keys make brute-force attacks harder for a given algorithm; AES-256, RSA-2048+
Trusted Platform Module — hardware-based cryptographic processor
Hardware Security Module — dedicated hardware for key management
Centralized system for managing cryptographic keys
Isolated hardware environment for sensitive operations
Hiding data in images/audio
Replacing sensitive data with tokens
Showing partial data like ****-1234
One-way function producing fixed-length digest; SHA-256, SHA-3; verifies integrity
Adding random data to input before hashing; prevents rainbow table attacks
Proves authenticity and integrity; uses sender's private key to sign, public key to verify
Making weak passwords stronger via PBKDF2, bcrypt; adds computational cost
Distributed, immutable ledger; each block contains hash of previous block
Transparent record of all transactions visible to participants
Certificate authorities (CA), Certificate revocation lists (CRL), OCSP, Self-signed, Third-party, Root of trust, CSR generation, Wildcard certificates
Government-sponsored; highly funded, advanced persistent threats (APTs)
Script kiddies; use pre-built tools without deep understanding
Motivated by political/social causes; website defacement, DDoS
Employees, contractors with legitimate access; can be intentional or accidental
Financial motivation; ransomware, fraud, data theft at scale
Unauthorized technology use within organization; creates unknown attack surface
Internal/external, Resources/funding, Level of sophistication/capability
Data exfiltration, Espionage, Service disruption, Blackmail, Financial gain, Philosophical/political beliefs, Ethical (white hat), Revenge, Disruption/chaos, War
Email phishing, SMS (smishing), Instant messaging (IM)
Malicious code embedded in image files; steganography exploits
Infected documents, PDFs, executables; macro-enabled Office files
Vishing (voice phishing); social engineering via phone calls
USB drives with malware; rubber ducky attacks; autorun exploits
Client-based vs. agentless; unpatched applications
End-of-life software with no security patches
Wireless (rogue APs, evil twin), Wired (physical tap), Bluetooth (bluejacking, bluesnarfing)
Unnecessary open ports increase attack surface; port scanning reconnaissance
Factory-default usernames/passwords left unchanged on devices
MSPs, Vendors, Suppliers; compromised updates or hardware
Phishing, Vishing, Smishing, Misinformation/disinformation, Impersonation, Business email compromise (BEC), Pretexting, Watering hole, Brand impersonation, Typosquatting
Memory injection, Buffer overflow, Race conditions (TOC/TOU), Malicious update
Unpatched OS, privilege escalation flaws, kernel vulnerabilities
SQL injection (SQLi), Cross-site scripting (XSS)
Firmware vulnerabilities, End-of-life hardware, Legacy systems
VM escape (breaking out of guest to host), Resource reuse
Misconfigured storage buckets, shared responsibility model gaps, insecure APIs
Service provider, Hardware provider, Software provider vulnerabilities
Weak algorithms, short key lengths, improper implementation
Default settings, open permissions, unnecessary services enabled
Side loading (installing apps outside store), Jailbreaking (removing OS restrictions)
Unknown vulnerability with no available patch; highest risk
Encrypts files for ransom payment
Disguised as legitimate software
Self-replicating malware that spreads without user interaction
Monitors user activity and collects data
Unwanted pre-installed software
Requires host file to execute and spread
Captures keystrokes to steal credentials
Triggers malicious action on a specific condition or date
Hides deep in OS to maintain persistent, undetected access
Brute force (physical entry), RFID cloning, Environmental (power, flood, fire)
Amplified, Reflected distributed denial-of-service attacks
Poisoning, hijacking DNS records
Man-in-the-middle; intercepting communications between two parties
Reusing captured authentication tokens or credentials
Inserting unauthorized code into network traffic
SQL, command, LDAP injection to manipulate applications
Overwriting memory to execute arbitrary code
Reusing captured data to impersonate a legitimate user
Gaining higher access than authorized
Cross-site request forgery; tricking users into executing unwanted actions
Accessing files outside intended directory structure
Forcing use of weaker, vulnerable protocols
Finding two inputs that produce the same hash
Probability-based collision attack on hash functions
Trying common passwords across many accounts
Systematically trying all possible password combinations
Account lockout, Concurrent session usage, Blocked content, Impossible travel, Resource consumption, Resource inaccessibility, Out-of-cycle logging, Published/documented vulnerabilities, Missing logs
Dividing network into zones; limits lateral movement; VLANs, microsegmentation
ACLs, Permissions; restricting who can access what resources
Only approved software can execute; blocks unauthorized applications
Separating compromised or sensitive systems from the network
Applying updates to fix known vulnerabilities; regular patch management cycle
Protecting data confidentiality at rest, in transit, and in use
Continuous observation of network/system activity for anomalies
Users get minimum access needed for their role; reduces blast radius
Ensuring systems maintain approved security configurations
Properly retiring outdated systems; secure data destruction
Encryption, Endpoint protection installation, Host-based firewall, HIPS, Disabling ports/protocols, Default password changes, Removal of unnecessary software
Responsibility matrix, Hybrid considerations, Third-party vendors
Automated, version-controlled infrastructure deployment
No server management; event-driven functions; shared responsibility shifts
Small, independent services communicating via APIs; increases attack surface per service
Physical isolation (Air-gapped), Logical segmentation, SDN (Software-defined networking)
Full control but full responsibility for security
Trade-offs in control, resilience, and management
Lightweight isolated environments; Docker, Kubernetes; container escape risks
Multiple OS on one physical host; hypervisor security critical
Internet of Things; limited security features, large attack surface, hard to patch
Industrial control systems; critical infrastructure; air-gapping essential
Real-time operating system; embedded, time-critical; limited security options
Purpose-built hardware; firmware-based; difficult to update
Redundancy, failover, clustering for continuous operation
Availability, Resilience, Cost, Responsiveness, Scalability, Ease of deployment, Risk transference, Ease of recovery, Patch availability, Inability to patch, Power, Compute
Strategic positioning of security devices in the network
DMZ, internal, external; segmented trust boundaries
Total exposure points; minimize by removing unnecessary services
Wired, wireless, VPN; each has different security implications
Fail-open (allows traffic when device fails), Fail-closed (blocks traffic when device fails)
Active vs. passive, Inline vs. tap/monitor
Secure admin access point; hardened intermediary for managing critical systems
Intermediary between clients and servers; content filtering, caching
Intrusion Prevention/Detection System; monitors and blocks threats
Distributes traffic across multiple servers for availability
Network monitoring devices for traffic analysis and threat detection
802.1X (port-based network access control), EAP (Extensible Authentication Protocol)
Web Application Firewall; protects web apps from common attacks
Unified Threat Management; all-in-one security appliance
Next-Generation Firewall; deep packet inspection, application awareness
Transport vs. application layer firewall filtering
Virtual Private Network; encrypted tunnel for remote access
TLS, IPSec; encapsulating data for secure transmission
Software-Defined Wide Area Network; intelligent traffic routing
Secure Access Service Edge; cloud-delivered security and networking
Regulated, Trade secret, Intellectual property, Legal information, Financial information, Human- and non-human-readable
Sensitive, Confidential, Public, Restricted, Private, Critical
Data at rest, Data in transit, Data in use
Laws requiring data to stay in specific jurisdictions (GDPR)
Physical location of data storage affects legal requirements
Geographic restrictions, Encryption, Hashing, Masking, Tokenization, Obfuscation, Segmentation, Permission restrictions
Load balancing vs. clustering for continuous operation
Fully operational backup facility; fastest recovery
Basic facilities only; slowest, cheapest recovery option
Partial equipment ready; moderate recovery time and cost
Spreading infrastructure across locations to avoid single-region disasters
Using different OS/vendors to prevent single-point failures
Distributing across cloud providers for resilience
Maintaining essential functions during disruption
Planning for People, Technology, Infrastructure needs
Tabletop exercises, Failover testing, Simulation, Parallel processing
Onsite/offsite, Frequency, Encryption, Snapshots, Recovery, Replication, Journaling
Generators, UPS (Uninterruptible Power Supply)
Establish (define standard configs), Deploy (push to systems), Maintain (audit/update regularly)
Mobile devices, Workstations, Switches, Routers, Cloud infrastructure, Servers, ICS/SCADA, Embedded systems, RTOS, IoT devices
Installation considerations: Site surveys, Heat maps
MDM (Mobile Device Management), Deployment models (BYOD, COPE, CYOD), Connection methods (Cellular, Wi-Fi, Bluetooth)
WPA3, AAA/RADIUS, Cryptographic protocols, Authentication protocols
Input validation, Secure cookies, Static code analysis, Code signing
Running untrusted code in isolated environment for analysis
Continuous observation of system behavior and network traffic
Security evaluation before purchasing
Ownership, Classification of assets
Inventory management, Enumeration of all assets
Sanitization (wiping), Destruction (physical), Certification, Data retention policies
Automated scanning for known vulnerabilities
Static analysis (SAST), Dynamic analysis (DAST), Package monitoring
OSINT, Proprietary, Info-sharing organizations, Dark web intelligence
Simulated attacks to find exploitable vulnerabilities
Programs for reporting vulnerabilities ethically
Review of systems and procedures for security gaps
Validating findings; identifying false positives and false negatives
Ranking vulnerabilities by severity and business impact
Common Vulnerability Scoring System; standardized severity rating
Common Vulnerabilities and Exposures; unique vulnerability identifiers
Percentage of an asset's value lost if the vulnerability is exploited
Applying fixes to resolve identified vulnerabilities
Transferring risk through cyber insurance policies
Isolating vulnerable systems to limit exposure
Alternative protections when primary fix isn't possible
Documented acceptance of unresolved vulnerabilities
Rescanning, Audit, Verification of applied fixes
Documenting findings, trends, and remediation status
Systems, Applications, Infrastructure
Collecting logs from multiple sources into central repository
Automated notifications when thresholds or rules are triggered
Regular automated assessment of systems for vulnerabilities
Generating summaries of security status and incidents
Long-term storage of logs and security data for compliance
Quarantine and Alert tuning to reduce noise
Security Content Automation Protocol; automated compliance checking
Standard security configuration baselines (CIS, DISA STIGs)
Security Information and Event Management; correlates and analyzes security events
Detects and removes known malware via signatures and heuristics
Data Loss Prevention; prevents unauthorized data exfiltration
Network device alerts sent to management station
Network traffic flow data for analysis and monitoring
Tools that identify known vulnerabilities in systems
Rules, Access lists, Ports/protocols, Screened subnets
Trends analysis, Signature-based detection
Agent-based, Centralized proxy, URL scanning, Content categorization, Block rules, Reputation
Blocking malicious domains at DNS resolution level
Group Policy, SELinux for mandatory access control
Protocol selection, Port selection, Transport method
DMARC, DKIM, SPF authentication; Email gateway filtering
Detecting unauthorized changes to critical files
Data Loss Prevention; preventing unauthorized data exfiltration
Network Access Control; controlling device access to network based on compliance
Endpoint/Extended Detection and Response; advanced threat detection and automated response
Detecting anomalous user activity patterns using AI/ML
Creating and removing user accounts and access rights
Role-based permissions following least privilege principle
Verifying a person's identity before granting access
Sharing identity information across organizations
Single Sign-On; LDAP, OAuth, SAML for unified authentication
Different IAM systems working together seamlessly
Formal verification of identity claims
Mandatory Access Control; system-enforced access based on labels
Discretionary Access Control; owner-controlled permissions
Role-Based Access Control; permissions based on job role
Attribute-Based Access Control; dynamic policies based on attributes
Access decisions based on predefined rules
Limiting access to specific hours
Minimum access needed for job function
Biometrics, Hard/soft tokens, Security keys (FIDO2)
Something you know, Something you have, Something you are, Somewhere you are
Length, Complexity, Reuse prevention, Expiration, Age policies
Secure storage and generation of unique passwords
FIDO2, biometrics, magic links; eliminating password-based risk
Granting elevated access only when needed, automatically revoked
Secure storage for privileged account credentials
Temporary credentials that expire after use
User provisioning, Resource provisioning, Guard rails, Security groups, Ticket creation, Escalation, Enabling/disabling services, CI/CD, Integrations and APIs
Efficiency/time saving, Enforcing baselines, Standard configurations, Secure scaling, Employee retention, Reaction time, Workforce multiplier
Complexity, Cost, Single point of failure, Technical debt, Ongoing supportability
Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned
Regular incident response training for all staff
Tabletop exercise, Simulation for response readiness
Determining the fundamental cause of an incident
Proactively searching for threats before detection alerts
Legal hold, Chain of custody, Acquisition, Reporting, Preservation, E-discovery
Records of allowed and blocked network traffic
Records of application events, errors, and transactions
Device-level activity and security events
Operating system authentication and authorization events
Intrusion detection and prevention alert records
Network traffic, connection, and flow records
Contextual information about data (timestamps, users, locations)
Results from automated vulnerability assessments
Scheduled security status and compliance reports
Real-time visual displays of security metrics
Full network traffic recordings for deep analysis
Recommended practices; flexible, not mandatory
AUP (Acceptable Use Policy), Information security policies, Business continuity, Disaster recovery, Incident response, SDLC, Change management
Password standards, Access control standards, Physical security standards, Encryption standards
Change management procedures, Onboarding/offboarding, Playbooks
Regulatory, Legal, Industry, Local/regional, National, Global requirements
Regular review and update of governance documents
Boards, Committees, Government entities, Centralized/decentralized
Owners, Controllers, Processors, Custodians/stewards
Finding and documenting potential risks to the organization
Ad hoc, Recurring, One-time, Continuous assessments
High/Medium/Low categorization of risk likelihood and impact
SLE (Single Loss Expectancy), ALE (Annual Loss Expectancy), ARO (Annualized Rate of Occurrence)
Key risk indicators, Risk owners, Risk threshold documentation
Amount of risk an organization is willing to accept
Expansionary (high risk), Conservative (low risk), Neutral stance
Shifting risk to another party (e.g., insurance)
Acknowledging risk; Exemption, Exception
Eliminating the risk source entirely
Reducing likelihood or impact of the risk
Communicating risk status to stakeholders
Recovery Time Objective — maximum acceptable downtime
Recovery Point Objective — maximum acceptable data loss in time
Mean Time to Repair — average time to fix a failure
Mean Time Between Failures — average time between system failures
Penetration testing, Right-to-audit clause, Evidence of internal audits, Independent assessments, Supply chain analysis
Due diligence, Conflict of interest evaluation
Service Level Agreement — defines expected service performance
Memorandum of Agreement/Understanding — outlines mutual intentions
Master Service Agreement — overarching contract terms
Work Order / Statement of Work — specific project deliverables
Non-Disclosure Agreement — protects confidential information
Business Partners Agreement — defines partner responsibilities
Ongoing assessment of vendor security posture
Security questionnaires for vendor evaluation
Defining boundaries for vendor interactions
Internal and External reporting of compliance status
Fines, Sanctions, Reputational damage, Loss of license, Contractual impacts
Ongoing obligation to maintain reasonable security practices
Formal confirmation of compliance with policies
Ongoing checks from within and outside the organization
Using tools to continuously monitor compliance status
Local/regional, National, Global privacy laws
Individual whose personal data is being processed
Data controller determines purpose; processor handles data on behalf
Who owns and is responsible for the data
Cataloging data assets and defining how long data is kept
Individual's right to have personal data deleted (GDPR Art. 17)
Formal verification and certification of compliance
Compliance audits, Audit committee, Self-assessments
Regulatory examinations, Assessment, Independent third-party audit
Testing physical security controls and access
Red team; simulating real-world attacks
Blue team; testing detection and response capabilities
Purple team; combining offensive and defensive approaches
Tester has full knowledge of the target (white box)
Tester has limited knowledge (gray box)
Tester has no prior knowledge (black box)
Passive (no direct contact) and Active (direct interaction) information gathering
Simulated phishing exercises to test employee awareness
Identifying suspicious emails, links, and attachments
Reporting suspicious messages through proper channels
Risky behavior, Unexpected behavior, Unintentional behavior recognition
Documentation of security policies for all employees
Being alert to security threats in daily activities
Recognizing signs of insider threats
Training on strong password practices and tools
Risks of unknown USB devices and cables
Training to recognize and resist manipulation attempts
Protecting sensitive information in daily operations
Security considerations for non-office environments
Initial training and Recurring training schedules
Creating comprehensive security awareness programs
Delivering and managing awareness programs effectively