Assets, Threats, and Vulnerabilities Flashcards

(155 cards)

1
Asset classification
The practice of labeling assets based on sensitivity and importance to an organization. ## Footnote The label determines how much protection an asset gets, which is what lets limited security effort be prioritized.
2
Asset inventory
A catalog of assets that need to be protected. ## Footnote It is the starting point for effective asset management: an asset that is not in the inventory is not being protected.
3
Asset management
The process of tracking assets and the risks that affect them. ## Footnote It ensures that assets are secured and effectively utilized.
4
Data
Information that is translated, processed, or stored by a computer. ## Footnote Data can be structured (database records) or unstructured (documents, email, images).
5
Data at rest
Data that is stored and not currently being accessed or transferred. ## Footnote Examples include files stored on a hard drive or database backups; storage encryption is the typical control for this state.
6
Data in transit
Data traveling from one point to another. ## Footnote This includes data sent over the internet or an internal network; transport encryption such as TLS is the typical control for this state.
7
Data in use
Data being actively accessed or processed by one or more users or applications. ## Footnote This is often the most exposed state, because the data must be in readable form (in memory) while it is being worked on.
8
Information security (InfoSec)
The practice of keeping data in all three states (at rest, in transit, in use) away from unauthorized users. ## Footnote It encompasses technical controls as well as security policies and procedures.
9
Policy
A set of rules that reduce risk and protect information. ## Footnote Policies define what must be done and guide the organization's security posture.
10
Procedures
Step-by-step instructions to perform a specific security task. ## Footnote They ensure that security measures are executed consistently.
11
Regulations
Rules set by a government or other authority to control the way something is done. ## Footnote Regulations dictate compliance requirements that an organization must meet.
12
Standards
References that inform how to set policies. ## Footnote They provide a baseline for compliance and good practice.
13
Likelihood x Impact = Risk
One way to interpret risk is to consider the potential effects that negative events can have on a business. This formula presents that idea as a calculation: how likely an event is to occur, multiplied by how much harm it would do if it did.
14
Restricted, confidential, internal-only, and public
The four most common data classification levels, listed from most to least sensitive.
15
Restricted
The highest classification level. This category is reserved for highly sensitive assets, such as need-to-know information.
16
Confidential
The second-highest classification level. This level refers to assets whose disclosure may lead to a significant negative impact on the organization.
17
Internal-only
The third-highest classification level. This level describes assets that are available to employees and business partners but not to the public.
18
Public
The lowest classification level. Releasing these assets has no negative consequences for the organization.
19
Risk register
A central record of potential risks to an organization's assets, information systems, and data.
20
Access controls
Security controls that manage access, authorization, and accountability of information. ## Footnote Access controls are essential for protecting sensitive data from unauthorized access.
21
Algorithm
A set of rules used to solve a problem. ## Footnote Algorithms are fundamental to programming and data processing; ciphers and hash functions are algorithms.
22
Application programming interface (API) token
A small block of data, usually signed or encrypted, that identifies a user or application to an API and carries information about them. ## Footnote API tokens are commonly used for authentication in web services and must be handled as secrets: anyone who holds the token can act as its owner.
23
Asymmetric encryption
The use of a mathematically related public and private key pair: data encrypted with one key can only be decrypted with the other. ## Footnote Because the public key can be shared openly, asymmetric encryption solves the key-distribution problem that symmetric encryption has.
24
Basic auth
A simple authentication scheme built into the HTTP protocol: the client sends the username and password, Base64-encoded, in the Authorization header of each request. ## Footnote Base64 is an encoding, not encryption, so Basic auth is only acceptable over TLS.
25
Bit
The smallest unit of data measurement on a computer. ## Footnote A bit can be either 0 or 1.
26
Brute force attack
The trial and error process of discovering private information. ## Footnote Brute force attacks are often used to crack passwords.
27
Cipher
An algorithm that encrypts information. ## Footnote Ciphers can be symmetric or asymmetric.
28
Cryptographic key
A secret value used by a cipher to encrypt plaintext and decrypt ciphertext. ## Footnote The security of an encryption system rests on keeping the key secret, not on hiding the algorithm.
29
Cryptography
The process of transforming information into a form that unintended readers can't understand. ## Footnote Used correctly, cryptography provides confidentiality (encryption), integrity (hashes and MACs), and authenticity (digital signatures).
30
Data custodian
Anyone or anything that’s responsible for the safe handling, transport, and storage of information. ## Footnote Data custodians play a vital role in data governance.
31
Data owner
The person that decides who can access, edit, use, or destroy their information. ## Footnote Data owners have the ultimate responsibility for data security.
32
Digital certificate
A file that binds a public key to the identity of its holder and is signed by a trusted certificate authority (CA). ## Footnote Certificates are what let a TLS client verify that a server's public key really belongs to the domain it is connecting to.
33
Encryption
The process of converting data from a readable format to an encoded format. ## Footnote Encryption is critical for protecting sensitive information.
34
Hash collision
An instance when different inputs produce the same hash value. ## Footnote Because outputs are fixed-length, collisions must exist; a secure hash function makes them computationally infeasible to find. Practical collision attacks are why MD5 and SHA-1 are no longer acceptable for digital signatures.
35
Hash function
A one-way algorithm that maps input of any size to a fixed-length digest that cannot be reversed to recover the input (hashing is not encryption, so there is nothing to "decrypt"). ## Footnote Hash functions are used for integrity verification and for storing passwords.
36
Hash table
A data structure that stores values at locations computed by hashing their keys. ## Footnote Hash tables allow for efficient lookup; a rainbow table is a specialized precomputed lookup table used to crack password hashes.
37
Identity and access management (IAM)
A collection of processes and technologies that helps organizations manage digital identities in their environment. ## Footnote IAM is essential for maintaining security and compliance.
38
Information privacy
The protection of data against unauthorized access and distribution. ## Footnote Information privacy concerns are increasingly important in the digital age.
39
Non-repudiation
The concept that the authenticity of information can’t be denied. ## Footnote Non-repudiation ensures that a sender cannot deny sending a message.
40
OAuth
An open-standard authorization protocol that lets a user grant one application limited, delegated access to their resources in another application without sharing their password. ## Footnote OAuth is widely used for securing APIs. It is an authorization protocol, not an authentication protocol.
41
Payment Card Industry Data Security Standard
What does PCI DSS stand for? ## Footnote PCI DSS is a set of security standards designed to protect cardholder data.
42
Principle of least privilege
The concept of granting only the minimal access and authorization required to complete a task or function. ## Footnote This principle helps minimize potential damage from security breaches.
43
Public key infrastructure (PKI)
An encryption framework of certificate authorities, digital certificates, and key management that secures the exchange of online information by binding public keys to verified identities. ## Footnote PKI is what makes trusted communication over the internet possible.
44
Rainbow table
A file of precomputed hash values and their associated plaintexts, compressed into chains so that a large password space fits in a manageable file. ## Footnote Rainbow tables are used to crack unsalted password hashes; salting defeats them.
45
Salting
Adding a random value (the salt) to each password before hashing it, and storing the salt alongside the resulting hash. ## Footnote Identical passwords produce different hashes, so an attacker cannot use one precomputed rainbow table and must attack each hash separately.
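Added example (Python; not from the original cards or the course they summarize) for the hash function, rainbow table, and salting cards: an attacker's precomputed table cracks a bare SHA-256 password hash with a single lookup, while a per-password random salt plus a slow iterated hash (PBKDF2-HMAC-SHA256) leaves the same table useless. The password list, the stored-hash format, and all names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed data for the example: a handful of common passwords standing in
# for the millions an attacker's table would really hold.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2024!"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password, no salt, one iteration."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# The attacker's precomputed table: digest -> plaintext. A real rainbow table
# compresses this into chains, but functionally it is the same lookup.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(digest: str) -> Optional[str]:
    """Precomputation attack: one dictionary lookup recovers the plaintext."""
    return PRECOMPUTED.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """The hardened scheme: per-password random salt plus a slow, iterated hash.
    The salt is stored in the clear next to the digest; it is not a secret,
    it only has to be unique per password. (Format is constructed for this example.)"""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def digest_part(stored: str) -> str:
    """Extract just the digest, as an attacker who dumped the table would have it."""
    return stored.split("$")[3]


if __name__ == "__main__":
    leaked = unsalted_hash("password")
    print("unsalted digest cracked to:", crack_unsalted(leaked))
    stored = hash_password("password")
    print("salted digest in table?", crack_unsalted(digest_part(stored)) is not None)
    print("verify correct password:", verify_password("password", stored))
```

Two users with the same password get different stored strings, so a table built against one is worthless against the other; the iteration count additionally makes each guess cost the attacker real CPU time. The iteration count is stored with the hash so it can be raised later without breaking existing records.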
46
Security assessment
A check to determine how resilient current security implementations are against threats. ## Footnote Security assessments help identify vulnerabilities.
47
Security audit
A review of an organization's security controls, policies, and procedures against a set of expectations. ## Footnote Security audits ensure compliance with regulations and standards.
48
Security controls
Safeguards designed to reduce specific security risks. ## Footnote Security controls can be technical, administrative, or physical.
49
Separation of duties
The principle that users should not be given levels of authorization that would allow them to misuse a system. ## Footnote This principle helps prevent fraud and errors.
50
Session
A sequence of HTTP requests and responses associated with the same user. ## Footnote HTTP itself is stateless, so a session identifier is what ties the requests together.
51
Session cookie
A token that websites use to validate a session and determine how long that session should last. ## Footnote Session cookies are essential for user experience in web applications.
52
Session hijacking
An event when attackers obtain a legitimate user's session ID and use it to impersonate that user without knowing their password. ## Footnote Mitigations include the HttpOnly and Secure cookie flags, short session lifetimes, and issuing a new ID at login.
53
Session ID
A unique token that identifies a user and their device while accessing a system. ## Footnote Session IDs must be long and unpredictable, generated from a cryptographically secure random source, or an attacker can guess one.
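Added example (Python; not from the original cards or the course) covering the Basic auth card and the session, session ID, session cookie, and session hijacking cards: decoding a Basic Authorization header shows that Base64 hides nothing, and a small server-side session store shows what an unguessable ID, an expiry, and the right cookie flags look like. The header value, usernames, and cookie name are constructed for the example.

```python
import base64
import binascii
import secrets
import time
from typing import Dict, Optional, Tuple


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64(user:pass)>' header value.
    Base64 is an encoding, not encryption: anyone who can read the header
    (a proxy, a packet capture on a non-TLS link) reads the password."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:                       # RFC 7617 requires the colon separator
        return None
    return username, password


class SessionStore:
    """Server-side session table: opaque ID -> (username, expiry timestamp).
    Constructed for the example; a real deployment would back this with a
    shared store so every server sees the same sessions."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self.ttl = ttl_seconds

    def create(self, username: str, now: Optional[float] = None) -> str:
        # 32 bytes from the OS CSPRNG: an attacker cannot guess or enumerate IDs.
        sid = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._sessions[sid] = (username, now + self.ttl)
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid, unexpired session, else None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires = entry
        if now >= expires:
            del self._sessions[sid]   # a timeout bounds how long a stolen ID is useful
            return None
        return username

    def destroy(self, sid: str) -> None:
        """Logout must invalidate the session server-side, not just drop the cookie."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value with the flags that limit hijacking: HttpOnly keeps
    page script from reading the ID (blunts XSS theft), Secure keeps it off
    plaintext HTTP, SameSite limits cross-site requests carrying it."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

The lookup takes an explicit clock so expiry can be tested without sleeping; in production it would simply use the current time. Note that none of this protects a session ID that is sent over plaintext HTTP, which is why the Secure flag and TLS go together.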
54
Symmetric encryption
The use of a single shared secret key for both encryption and decryption. ## Footnote Symmetric encryption is much faster than asymmetric encryption and is not inherently less secure; its weakness is key distribution, because both parties must already hold the same secret.
55
User provisioning
The process of creating and maintaining a user's digital identity. ## Footnote User provisioning is critical for effective identity management.
56
Payment Card Industry Data Security Standard (PCI DSS)
A set of security standards established by the major payment card brands to protect cardholder data.
57
Application programming interface
What does API stand for?
58
Identity and access management
What does IAM stand for?
59
Public key infrastructure
What does PKI stand for?
60
Single Sign-On
What does SSO stand for?
61
Data steward
The person or group that maintains and implements data governance policies set by an organization.
62
Knowledge, ownership, and characteristic
What are three factors that can be used to authenticate a user?
63
Knowledge
A factor used to authenticate a user: something the user knows.
64
Ownership
A factor used to authenticate a user: something the user possesses.
65
Characteristic
A factor used to authenticate a user: something the user is.
66
Single sign-on (SSO)
A technology that combines several different logins into one.
67
Guest accounts, user accounts, service accounts, and privileged accounts.
What are the most common types of user accounts?
68
Guest account
A type of account provided to external users who need to access an internal network, like customers, clients, contractors, or business partners.
69
User account
A type of account assigned to staff based on their job duties.
70
Service account
A type of account granted to applications or software that needs to interact with other software on the network.
71
Privileged account
A type of account that elevates permissions or administrative access.
72
Advanced persistent threat (APT)
An instance when a threat actor maintains unauthorized access to a system for an extended period of time.
73
Attack surface
All the potential vulnerabilities that a threat actor could exploit.
74
Attack tree
A diagram that maps threats to assets.
75
Attack vector
The pathways attackers use to penetrate security defenses.
76
Common Vulnerabilities and Exposures (CVE®) list
An openly accessible dictionary of known vulnerabilities and exposures.
76
Bug bounty
Programs that encourage freelance hackers to find and report vulnerabilities.
77
Common Vulnerability Scoring System (CVSS)
A measurement system that scores the severity of a vulnerability on a 0 to 10 scale, computed from metrics such as attack vector, attack complexity, privileges required, user interaction, and the impact on confidentiality, integrity, and availability.
78
CVE Numbering Authority (CNA)
An organization that volunteers to analyze and distribute information on eligible CVEs.
79
Defense in depth
A layered approach to vulnerability management that reduces risk.
80
Exploit
A way of taking advantage of a vulnerability.
81
Exposure
A mistake that can be exploited by a threat.
82
MITRE
A collection of non-profit research and development centers.
83
Security hardening
The process of strengthening a system to reduce its vulnerability and attack surface.
84
Vulnerability assessment
The internal review process of a company’s security systems.
85
Vulnerability management
The process of finding and patching vulnerabilities.
86
Vulnerability scanner
Software that automatically compares existing common vulnerabilities and exposures against the technologies on the network.
87
Zero-day
A vulnerability, or an exploit for it, that is unknown to the vendor and to defenders at the time it is first used, so no patch or signature exists yet.
88
Perimeter layer, Network layer, Endpoint layer, Application layer, and Data layer
Name five attack surfaces
89
Perimeter layer
An attack surface like authentication systems that validate user access.
90
Network layer
An attack surface made up of network technologies such as firewalls, routers, and the other devices that carry traffic.
91
Endpoint layer
An attack surface which describes devices on a network, like laptops, desktops, or servers.
92
Application layer
An attack surface which involves the software that users interact with.
93
Data layer
An attack surface which includes any information that’s stored, in transit, or in use.
94
External scan
A scan that tests the perimeter layer outside of the internal network.
95
Internal scan
A scan that starts from the opposite end by examining an organization's internal systems.
96
Authenticated scan
A scan that tests a system by logging in with a real user account or even with an admin account.
97
Unauthenticated scan
A scan that simulates external threat actors that do not have access to your business resources.
98
Limited scan
A scan that analyzes particular devices on a network, like searching for misconfigurations on a firewall.
99
Comprehensive scan
A scan that analyzes all devices connected to a network.
100
Patch update
A software and operating system update that addresses security vulnerabilities within a program or product.
101
Open-box testing, Closed-box testing, Partial knowledge testing
Name three common penetration testing strategies
102
Open-box testing
A type of pen test when the tester has the same privileged access that an internal developer would have—information like system architecture, data flow, and network diagrams. This strategy goes by several different names, including internal, full knowledge, white-box, and clear-box penetration testing.
103
Closed-box testing
A type of pen test when the tester has little to no access to internal systems—similar to a malicious hacker. This strategy is sometimes referred to as external, black-box, or zero knowledge penetration testing.
104
Partial knowledge testing
A type of pen test when the tester has limited access and knowledge of an internal system—for example, a customer service representative. This strategy is also known as gray-box testing.
105
Proactive simulations
A simulation where one assumes the role of an attacker by exploiting vulnerabilities and breaking through defenses. This is sometimes called a red team exercise.
106
Reactive simulations
A simulation where one assumes the role of a defender responding to an attack. This is sometimes called a blue team exercise.
107
Identification, Vulnerability analysis, Risk assessment, and Remediation
Name the common steps of a vulnerability assessment.
108
Identification
A step in a vulnerability assessment. A vulnerable server is flagged because it's running an outdated operating system (OS).
109
Vulnerability analysis
A step in a vulnerability assessment. Research is done on the outdated OS and its vulnerabilities.
110
Risk assessment
A step in a vulnerability assessment. After doing your due diligence, the severity of each vulnerability is scored and the impact of not fixing it is evaluated.
111
Remediation
A step in a vulnerability assessment. Finally, the information that you’ve gathered can be used to address the issue.
112
Competitors, State actors, Criminal syndicates, Insider threats, and Shadow IT
What are five typical categories of threat actors?
113
Competitors
A category of a threat actor. This refers to rival companies who pose a threat because they might benefit from leaked information.
114
State actors
A category of a threat actor. This refers to government intelligence agencies.
115
Criminal syndicates
A category of a threat actor. This refers to organized groups of people who make money from criminal activity.
116
Insider threats
A category of a threat actor. This can be any individual who has or had authorized access to an organization’s resources. This includes employees who accidentally compromise assets or individuals who purposefully put them at risk for their own benefit.
117
Shadow IT
A category of a threat actor. This refers to individuals who use technologies that lack IT governance. A common example is when an employee uses their personal email to send work-related communications.
118
Common Vulnerabilities and Exposures
What does CVE stand for?
119
Common Vulnerability Scoring System
What does CVSS stand for?
120
CVE Numbering Authority
What does CNA stand for?
121
Angler phishing
A technique where attackers impersonate customer service representatives on social media.
122
Adware
A type of legitimate software that is sometimes used to display digital advertisements in applications.
124
Baiting
A social engineering tactic that tempts people into compromising their security.
125
Cross-site scripting (XSS)
An injection attack that inserts malicious script into a vulnerable website or web application so that it executes in the browsers of other users who view the page.
126
Cryptojacking
A form of malware that installs software to illegally mine cryptocurrencies.
127
DOM-based XSS attack
An instance when the malicious script never reaches the server: client-side JavaScript on the page writes attacker-controlled data (for example, part of the URL) into the Document Object Model, where the browser executes it.
128
Dropper
A type of malware that comes packed with malicious code which is delivered and installed onto a target system.
129
Fileless malware
Malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer.
130
Injection attack
Malicious code inserted into a vulnerable application.
131
Input validation
Programming that validates inputs from users and other programs.
132
Loader
A type of malware that downloads strains of malicious code from an external source and installs them onto a target system.
133
Process of Attack Simulation and Threat Analysis (PASTA)
A popular threat modeling framework that’s used across many industries.
134
Phishing kit
A collection of software tools needed to launch a phishing campaign.
135
Prepared statement
A coding technique in which the SQL statement's structure is defined first with placeholders, and user-supplied values are then bound as parameters, so the database never interprets them as SQL.
136
Potentially unwanted application (PUA)
A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software.
137
Quid pro quo
A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money.
138
Reflected XSS attack
An instance when malicious script supplied in a request (for example, in a URL parameter) is echoed back unescaped in the server's response and executes in the victim's browser.
139
Rootkit
Malware that provides remote, administrative access to a computer.
140
Scareware
Malware that employs tactics to frighten users into infecting their device.
141
SQL injection
An attack that places SQL syntax in user input so that the application executes unexpected queries on its database.
142
Stored XSS attack
An instance when malicious script is injected into data stored on the server (a comment, a profile field) and served to every user who later views that data.
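Added example (Python; not from the original cards or the course) for the XSS, reflected XSS, and stored XSS cards: a search page that echoes the query unescaped, the same page with proper HTML output encoding, and a blocklist "sanitizer" that strips only script tags and is bypassed by an event handler. The payloads and page markup are constructed for the example; the rendering function stands in for whatever template engine the application uses.

```python
import html
import re

# Constructed payloads for the demonstration, not from any real incident.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
HANDLER_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the request parameter is echoed into the HTML unescaped.
    For stored XSS the source is a database field instead of the request, but
    the sink, and the fix, are identical."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Output encoding for an HTML text context: < > & " ' become entities, so
    the browser displays the payload as text instead of parsing it as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


SCRIPT_TAG = re.compile(r"</?\s*script[^>]*>", re.IGNORECASE)


def naive_blocklist_sanitize(text: str) -> str:
    """The anti-pattern: strip <script> tags and assume what is left is safe.
    Any other element carrying an event handler still executes."""
    return SCRIPT_TAG.sub("", text)


EXECUTABLE = re.compile(r"<\s*script|<[^>]*\son\w+\s*=", re.IGNORECASE)


def contains_executable_markup(rendered: str) -> bool:
    """Rough detector used only to show whether a payload survived rendering:
    an unescaped <script> tag, or a tag carrying an on* event handler."""
    return EXECUTABLE.search(rendered) is not None


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, HANDLER_PAYLOAD):
        print("unescaped  :", contains_executable_markup(render_search_vulnerable(payload)))
        print("blocklisted:", contains_executable_markup(
            render_search_vulnerable(naive_blocklist_sanitize(payload))))
        print("escaped    :", contains_executable_markup(render_search_safe(payload)))
```

Encoding has to match the output context: html.escape is correct for text between tags and for quoted attribute values, but not for data placed inside a script block, a URL, or an unquoted attribute, each of which needs its own encoding. That is also why DOM-based XSS is not fixed server-side: the escaping has to happen in the client code that writes to the DOM.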
143
Tailgating
A social engineering tactic in which unauthorized people follow an authorized person into a restricted area.
144
Threat modeling
The process of identifying assets, their vulnerabilities, and how each is exposed to threats.
145
Trojan horse
Malware that looks like a legitimate file or program.
146
Watering hole attack
A type of attack when a threat actor compromises a website frequently visited by a specific group of users.
147
Web-based exploits
Malicious code or behavior that’s used to take advantage of coding flaws in a web application.
148
Prepared statements, Input sanitization, and Input validation
What are three ways to escape user inputs?
149
Prepared statements
A coding technique in which the SQL statement's structure is defined first with placeholders, and user-supplied values are then bound as parameters, so the database never interprets them as SQL.
150
Input sanitization
Programming that removes user input which could be interpreted as code.
151
Input validation
Programming that ensures user input meets a system's expectations.
152
Cross-site scripting
What does XSS stand for?
152
Process of Attack Simulation and Threat Analysis
What does PASTA stand for?
153
Potentially unwanted application
What does PUA stand for?