Vocab List

Question 1

Acceptance (of Risk)

Answer 1

Senior management chooses to accept the risk of an activity as it is.

Question 2

Asset Inventory

Answer 2

A full catalog of the organization’s property (tangible, intellectual, digital, etc.), with sufficient detail/descriptions of attributes to determine specific responsibility/ownership and current configuration/disposition/protection.

Question 3

Availability

Answer 3

Ensuring data can be accessed in authorized manner, as permitted.

Question 4

Avoidance (of Risk)

Answer 4

Senior management chooses to cease the activity to remove the risk.

Question 5

Business Impact Analysis

Answer 5

The overall effort (and the artifact resulting from this effort) to assess the relative value of assets within an organization, the potential threats to those assets, and the possible damage that might be caused if an asset or assets is harmed or lost.

Question 6

Change management

Answer 6

The process, method, and resources used to modify the configuration of assets in the inventory.

Question 7

CIA Triad

Answer 7

The triad includes these three ideas: confidentiality, integrity, and availability of assets.

Question 8

Configuration Management

Answer 8

The process, method, and resources used to determine baseline settings and version of assets in the inventory.

Question 9

Due Care

Answer 9

The legal duty owed by an organization to its constituents (users/customers/employees/the public).

Question 10

Due Diligence

Answer 10

Documented efforts demonstrating the organization’s activities to provide due care.

Question 11

Governance

Answer 11

The processes, roles, and policies an organization uses to make decisions.

Question 12

[Security] Guidelines

Answer 12

Recommendations (not mandates) for security best practices, usually from sources external to the organization.

Question 13

Integrity

Answer 13

Protecting data from unauthorized modification.

Question 14

Job Rotation

Answer 14

Shifting personnel (usually within a given department) among various roles throughout the year, for security, morale, and continuity purposes.

Question 15

Least Privilege

Answer 15

Personnel are only given the minimal set of permissions necessary to perform their job function.

Question 16

Maximum Allowable Downtime (MAD)

Answer 16

[also referred to as “MTD”— maximum tolerable downtime] The amount of time an organization can suffer an interruption to its critical path and still remain an organization.

Question 17

Mitigation (of Risk)

Answer 17

Risk is reduced through the use of controls.

Question 18

Need to Know

Answer 18

Information is only disclosed to those who have a business need and permission to access it.

Question 19

[Security] Policy

Answer 19

The organization’s strategic security direction and mandates, published and signed by senior management.

Question 20

Privileged (Users/Account)

Answer 20

Those with more access/permissions than regular users can cause more harm to the organization than regular users (and, historically, have); therefore, privileged accounts must be managed in a more restrictive and thorough manner than regular accounts.

Question 21

[Security] Procedures

Answer 21

Specific instructions for performing security-related tasks.

Question 22

Recovery Point Objective (RPO)

Answer 22

The amount of data that can be lost by the organization without destroying the organization (usually measured in time, backward from the current moment; so, “the last 72 hours’ worth of data”).

Question 23

Recovery Time Objective (RTO)

Answer 23

The duration that an organization can suffer an interruption of its critical path without destroying the organization (measured as time, necessarily less than the MAD/MTD).

Question 24

Residual Risk

Answer 24

Risk that remains after controls are put into operation (risk mitigation).

Question 25

Risk

Answer 25

Potential harm to an organization.

Question 26

Separation of Duties

Answer 26

Purposefully imposing inefficiency on a business process so that one person cannot complete an entire transaction on their own, forcing collusion.

Question 27

Service Level Agreement (SLA)

Answer 27

The SLA describes, objectively, specifically, and numerically, the terms of the service the provider will deliver on a regular basis.

Question 28

[Security] Standards

Answer 28

Minimum target levels and security best practices; may be created within the organization and imposed on all business units or may be taken from external creators (such as standards bodies like ISO, PCI, or SANS).

Question 29

Threat

Answer 29

A factor that poses risk.

Question 30

Transfer (of Risk)

Answer 30

Another party is paid to share risk on the organization’s behalf.

Question 31

Vulnerability

Answer 31

An avenue that causes or enhances risk.

Question 32

Algorithm

Answer 32

A mathematical function that is used in the encryption and decryption processes.

Question 33

Antimalware Solutions

Answer 33

Solutions that inhibit, detect, quarantine, and remove malware targeting the environment.

Question 34

Asymmetric Cryptography

Answer 34

Cryptography in which two different but mathematically related keys are used, and one key is used to encrypt, and another is used to decrypt.

Question 35

Asynchronous

Answer 35

Encrypt/decrypt requests are processed in queues.

Question 36

Avalanche Effect

Answer 36

A minor change in either the key or the plaintext will have a significant, large change in the resulting ciphertext.

Question 37

Ciphertext or Cryptogram

Answer 37

The altered form of a plaintext message that is unreadable by anyone except the intended recipients.

Question 38

Coaxial Cable

Answer 38

Insulated copper wire terminating in a single pin.

Question 39

Collision

Answer 39

Occurs when a hash function generates the same output for different inputs.

Question 40

Confusion

Answer 40

Provided by mixing or changing the key values used during the repeated rounds of encryption.

Question 41

Content Distribution Networks (CDNs)

Answer 41

Also sometimes referred to as content delivery network; used to replicate portions of data geographically closer to end users in order to enhance performance/quality of service.

Question 42

Convergence

Answer 42

The practice of using one communication medium/protocol to convey multiple forms of communication.

Question 43

Cryptanalysis

Answer 43

The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services.

Question 44

Cryptosystem

Answer 44

The entire cryptographic operation and system; typically includes the algorithm, key, and key management functions, together with the services that can be provided through cryptography.

Question 45

Decryption

Answer 45

The reverse process from encryption.

Question 46

Diffusion

Answer 46

Provided by mixing up the location of the plaintext throughout the ciphertext.

Question 47

Digital Certificate

Answer 47

A digital certificate is an electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration date.

Question 48

Distributed System

Answer 48

System that performs a single task using resources that are located across multiple machines.

Question 49

Embedded Systems

Answer 49

Very similar to ICS; typically processors with limited capabilities that govern machinery and equipment used for a variety of tasks, allowing for automation of commands and localized computing.

Question 50

Encapsulation

Answer 50

Embedding one protocol inside another.

Question 51

Encryption

Answer 51

Obscuring data through the use of a defined, reversible process.

Question 52

Encryption

Answer 52

The process and act of converting the message from its plaintext to ciphertext.

Question 53

Fiber Optic

Answer 53

Spun glass or plastic that conveys data via light pulses instead of electricity.

Question 54

Firewalls

Answer 54

Devices typically used to monitor inbound traffic (can sometimes monitor bidirectional traffic as well).

Question 55

Hash Function

Answer 55

A hash function is a one-way mathematical operation that reduces a message or data file into a smaller fixed length output, or hash value.

Question 56

Honeypots/Honeynets

Answer 56

Simulated environments/components that contain no raw production data.

Question 57

Industrial Control Systems (ICS)

Answer 57

Typically processors with limited capabilities that govern machinery and equipment used in manufacturing processes, allowing for automation of commands (such as patterns, recipes, and templates) and centralized control/monitoring.

Question 58

Initialization Vector (IV)

Answer 58

A nonsecret binary vector used as the initializing input algorithm for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment.

Question 59

Internet of Things (IoT)

Answer 59

Current pop culture term generally used to describe IP/web-enabled appliances and devices, often for residential/consumer purposes.

Question 60

Internet Protocol (IP)

Answer 60

Part of the TCP/IP communications protocol suite; typically used to describe the process of carving messages into pieces (packets) and transmit them to a recipient in a nondeterministic manner.

Question 61

Intrusion Detection or Prevention Systems (IDS/IPS)

Answer 61

Systems that monitor traffic, often inside a specific network.

Question 62

Key Clustering

Answer 62

Occurs when different encryption keys generate the same ciphertext from the same plaintext message.

Question 63

Key/Cryptovariable

Answer 63

The input that controls the operation of the cryptographic algorithm.

Question 64

Key Space

Answer 64

The total number of possible values of keys in a cryptographic algorithm.

Question 65

Key Space

Answer 65

The total number of possible values of keys in a cryptographic algorithm.

Question 66

Network Segmentation

Answer 66

The division of the overall networked environment into various smaller networks and parts of networks in order to group users and assets (including data) according to different usages and/or sensitivities.

Question 67

Nonrepudiation

Answer 67

Inability to deny taking part in a transaction.

Question 68

OSI 7-Layer Model

Answer 68

Academic conceptual means of describing the ways computers communicate with one another.

Question 69

Plaintext/Cleartext

Answer 69

Message or data in its natural format and in readable form.

Question 70

Public Key Infrastructure (PKI)

Answer 70

The use of a third party to enhance trust in a transaction. The third party digitally signs the public keys of the participants, issuing them digital certificates; the transactional parties exchange certificates, see each other’s public keys and the signature of the trusted third party, and can verify the sender of subsequent messages.

Question 71

Sandboxing

Answer 71

The practice of abstracting contact with underlying hardware, instead constraining programs/software to run in a restricted environment that provides resources (processing, memory) at a remove.

Question 72

Software-Defined Networking (SDN)

Answer 72

An approach to networking that abstracts the hardware involved in communication away from the design and control of the overall network.

Question 73

Substitution

Answer 73

The process of exchanging one letter or byte for another.

Question 74

Symmetric Cryptography

Answer 74

The same key is required to encrypt and decrypt.

Question 75

Synchronous

Answer 75

Each encryption or decryption request is performed immediately.

Question 76

Transposition/Permutation

Answer 76

The process of reordering the plaintext to hide the message but keeping the same letters.

Question 77

Twisted Pair

Answer 77

Cable composed of pairs of copper wire wound around each other.

Question 78

Virtual Local Area Network (VLAN)

Answer 78

A network segment created through the use of logical addressing restrictions (as opposed to physical isolation).

Question 79

Virtual Private Network (VPN)

Answer 79

Encrypted tunnel that creates a secure, temporary connection between an external user and the network, typically allowing the user to have similar access/permissions to what the user would experience if access were achieved from within the network environment.

Question 80

Work Factor

Answer 80

The time and effort required to break a protective measure; in cryptography, the time and effort required to break a cryptographic algorithm.

Question 81

Business Continuity (BC)

Answer 81

Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

Question 82

Business Impact Analysis (BIA)

Answer 82

The effort to determine the value of each asset belonging to the organization, as well as the potential risk of losing assets, the threats likely to affect the organization, and the potential for common threats to be realized.

Question 83

Critical Path

Answer 83

Those activities and functions that the organization needs to perform to stay operational.

Question 84

Differential Backup

Answer 84

All data in the environment that has changed since the last full backup was copied.

Question 85

Full Backup

Answer 85

All data in the environment is copied.

Question 86

Incident

Answer 86

An unscheduled event.

Question 87

Incremental Backup

Answer 87

All data in the environment that has changed since the last backup (full or incremental) was copied.

Question 88

Maximum Allowable Downtime (MAD)

Answer 88

The measure of how long an organization can survive an interruption of critical functions.

Question 89

Maximum Tolerable Downtime (MTD)

Answer 89

See: MAD.

Question 90

Recovery Point Objective (RPO)

Answer 90

A measure of how much data the organization can lose before the organization is no longer viable.

Question 91

Recovery Time Objective (RTO)

Answer 91

The target time set for recovering from any interruption.

Question 92

Audit

Answer 92

Review of an environment to determine compliance with a standard.

Question 93

Egress Monitoring

Answer 93

Monitoring all the ways data can be exfiltrated from an organization; often marketed under the term DLP.

Question 94

False Positive

Answer 94

Indication of an activity/situation that is not accurate; for example, wrongly reporting that a detrimental event has occurred.

Question 95

Key Performance Indicators (KPIs)

Answer 95

Metrics reflecting how the organization has performed.

Question 96

Key Risk Indicators (KRIs)

Answer 96

Metrics attempting to determine how much risk the organization faces.

Question 97

Scoping

Answer 97

Determining, prior to a review/test/audit, which aspects of an organization will be involved/reviewed.

Question 98

Tailoring

Answer 98

Determining which elements of a baseline will be applied to an environment or part of an environment.

Question 99

Accountability

Answer 99

The ability to attribute every action/event to a specific entity.

Question 100

Authentication

Answer 100

A method for verifying that the entity presenting an identity assertion is, in fact, that entity.

Question 101

Authorization

Answer 101

The set of permissions/capabilities granted to a specific entity upon the receipt of an authenticated identity assertion.

Question 102

Federation

Answer 102

Granting access to an entity to various services/organizations, based on that entity’s credentials for one organization/service.

Question 103

Identification

Answer 103

A unique value assigned to every person, device, and service that will access the environment.

Question 104

Identity Assertion

Answer 104

A value used to denote a specific entity (often a username).

Question 105

Identity Deprovisioning

Answer 105

The process of formally revoking access from an entity.

Question 106

Identity Proofing

Answer 106

When an organization validates that a person is who they claim to be; usually done at the start of employment.

Question 107

Identity Provisioning

Answer 107

The process of issuing an identity assertion to an entity.

Question 108

LDAP

Answer 108

Lightweight Directory Access Protocol; a format for storing a catalog of information, typically associated with recognizing entries on the list.

Question 109

Multifactor Authentication

Answer 109

Use of two or more different factors to verify an identity assertion; sometimes abbreviated as 2FA (for two-factor authentication) or MFA (for multifactor authentication).

Question 110

Salt

Answer 110

A random element added to plaintext before hashing, to add complexity.

Question 111

Application Programming Interfaces (APIs)

Answer 111

Sets of rules, tools, and languages used by programmers to simplify the creation of software

Question 112

Configuration/Change Management (CM) [in software development context]

Answer 112

Monitoring and managing changes to a program or documentation.

Question 113

Dynamic Application Security Testing (DAST)

Answer 113

Also sometimes referred to as “black box testing” or “play testing”; in DAST, the application is actually executed, and testers (often from the user community) perform functions with the application in a runtime state, trying to determine if the software can successfully perform required functionality but also attempting to find situations in which the software fails.

Question 114

Static Application Security Testing (SAST)

Answer 114

Also sometimes referred to as “white box testing” or “secure code review”; involves using methods and tools to review the actual source code of an application, locating known flaws and vulnerabilities.

Question 115

STRIDE Model

Answer 115

Popular software threat modeling tool.

Question 116

Compliance

Answer 116

The condition of adhering to all mandates/rules/obligations.

Question 117

Digital Rights Management (DRM)

Answer 117

A technological control solution for protecting intellectual property and sensitive data, usually at the file level; often functions by adding an additional layer of access control to protected files. Also referred to as information rights management (IRM), enterprise rights management (ERM), and other nonstandard terms.

Question 118

General Data Protection Regulation (GDPR)

Answer 118

EU personal privacy law.

Question 119

Intellectual Property

Answer 119

Intangible assets; literally, property of the mind. Ideas, concepts, and knowledge that belong to a certain entity, under protection of law.

Question 120

Personally Identifiable Information (PII)

Answer 120

Data that can be used to determine the identity of an individual.