Red team: Proactively tests to identify vulnerabilities and fix them to prevent security intrusions.
Playbook: similar to a runbook that tells you how to respond to a given detection.
Compliance is the process of adhering to internal standards and external regulations and enables organizations to avoid fines and security breaches.
Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.
Security controls are safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture.
Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. A strong security posture leads to lower risk for the organization.
A threat actor, or malicious attacker, is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.
An internal threat can be a current or former employee, an external vendor, or a trusted partner who poses a security risk. At times, an internal threat is accidental. For example, an employee who accidentally clicks on a malicious email link would be considered an accidental threat. Other times, the internal threat actor intentionally engages in risky activities, such as unauthorized data access.
Network security is the practice of keeping an organization's network infrastructure secure from unauthorized access. This includes data, services, systems, and devices that are stored in an organization’s network.
Cloud security is the process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of a collection of servers or computers that store resources and data in remote physical locations known as data centers that can be accessed via the internet. Cloud security is a growing subfield of cybersecurity that specifically focuses on the protection of data, applications, and infrastructure in the cloud.
Programming is a process that can be used to create a specific set of instructions for a computer to execute tasks. These tasks can include:
Key skills required in cybersecurity.
1. Transferable skills
-------------------
1. Communication
2. Collaboration
3. Analyse complex scenarios
4. Problem solving
5. Time management - is crucial as this requires ability to focus on high priority incidents towards resolution to minimize impact to critical assets and data.
2. Tech skills
-----------
1. Programming languages
2. Security information and event management tools (SIEM)
3. Computer forensics
4. Intrusion detection systems (IDS) - IDS monitors n/w activity and alerts for possible intrusions.
5. Threat landscape knowledge - being aware of current threat trends and actors as well as malware.
6. Incident response:
PII, SPII and Identity Theft
PII (Personally Identifiable Information): any info used to infer individual's identity.
-----------------------------------------
> Person's name
> Address
> Email address
> Physical address
> Phone address
> IP Address
> etc.
SPII (Sensitive PII)
--------------------
> Specific type of PII
> SSO
> Medial or financial info
> Biometrics (facial recog)
If SPII is stolen, This is significantly more damaging to individual.
PII and SPII are key data that a threat actor will look out for to impersonate the person to commit fraud. The term used for this is called Identity Theft.
Primary objective of identity theft is financial gain.
=========================================================================
History of Cybersecurity
- Viruses
- Malware
- Social Engineering
- Digital Age
- Computer virus (presently called malware - affect devices or networks)
- Brain virus: 1986; by Alvi brothers Pakistan.
- Moris worm
Past security attacks
Brain
Discovered in 1986, Brain was the first virus to target IBM PC platforms (and, by extension, the MS-DOS operating system). By using techniques to hide its existence, it was also the first stealth virus. Created by two brothers from Pakistan, Basit Farooq Alvi and Amjad Farooq Alvi, Brain infected the boot sector of a floppy disk.
But why was it written? The Alvi brothers were operating a computer store in the Pakistani city of Lahore when they noticed pirated copies of a computer program they had written being circulated by their customers. This got them thinking about how they could teach their customers a lesson: enter Brain, also known as Pakistani Brain.
As explained in an interview with security expert Mikko Hypponen in 2011, the virus was created solely for addressing illegal copies of their program. In addition to a message warning users that they were running bootleg software, the virus’s code also included the brothers’ names, phone numbers, and their store’s address. According to the brothers, the virus was “not made to destroy any data”. Rather, it was intended to ensure that users whose machines had become infected due to using pirated software could contact them for “vaccination”.
Nevertheless, they never expected that the first phone call would come from the United States, nor that the virus would spread to various parts of the world.
Morris
The Morris Worm, sometimes also called the Internet Worm, entered the history books as the first computer worm that was distributed over the Internet and that compromised thousands of computers, drawing massive media attention in the process. It was written and unleashed in 1988 by Robert Tappan Morris, a 23-year-old doctoral student at Cornell University and the son of Robert Morris Sr., a famous cryptographer and formerly the chief scientist at the NSA's National Computer Security Center.
Back then, the Internet consisted of approximately 60,000 machines, some 6,000 of which were infected by the worm. After the code was released from a computer at Massachusetts Institute of Technology (MIT) in November 1988, much of the then Internet was paralyzed. This ultimately led to the establishment of the first Computer Emergency Response Team (CERT).
The worm operated by exploiting vulnerabilities in Unix's sendmail, fingerd, and rsh/rexec, while also taking advantage of weak passwords. It comprised 99 lines of code and, of course, had the ability to replicate and propagate itself. It became a dangerous threat due to a flaw in its propagation mechanism, having eventually infected thousands of computers at universities, in government laboratories, as well as in companies.
Besides the damage that it caused, the worm also exposed many security weaknesses, revealing the need for reviewing password protection procedures, among other measures.
According to statements made by Robert Morris back then, the worm was never intended to be malicious or spread so quickly. It is not certain why exactly it was created and launched, although it is often thought that Morris “only” sought to find out how big the Internet was. At any rate, when Morris realized that the worm was spreading so wildly, he asked a friend to send an email to apologize for his creation and to give instructions on how to kill it. Given the chaos that the malware caused, however, his message went unnoticed.
The worm’s creator became the first person to be convicted under the then recent Computer Fraud and Abuse Act. He was sentenced to three years of probation and ordered to pay a $10,050 fine and to perform 400 hours of community service.
Attacks in Digital Age
Love Letter Malware and Equifax breach
- Onel De Guzman created the LoveLetter malware in 2000 to steal internet login credentials
- LoveLetter attack was an example of social engineering
- Equifax breach (2017 - credit reporting agency; 143 mil cust records stolen. 40% of all Americans. SSNO, home addr, credit card nos, and more; 575 million penalty) resulted in the theft of millions of customers' PII and highlighted the financial consequences of a breach
- Morris worm led to the development of computer security incident response teams (CSIRTs)
- Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software
Phishing
Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.
Some of the most common types of phishing attacks today include:
Business Email Compromise (BEC): A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.
Spear phishing: A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.
Whaling: A form of spear phishing. Threat actors target company executives to gain access to sensitive data.
Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.
Smishing: The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.
Malware
Malware is software designed to harm devices or networks. There are many types of malware. The primary purpose of malware is to obtain money, or in some cases, an intelligence advantage that can be used against a person, an organization, or a territory.
Some of the most common types of malware attacks today include:
Viruses: Malicious code written to interfere with computer operations and cause damage to data and software. A virus needs to be initiated by a user (i.e., a threat actor), who transmits the virus via a malicious attachment or file download. When someone opens the malicious attachment or download, the virus hides itself in other files in the now infected system. When the infected files are opened, it allows the virus to insert its own code to damage and/or destroy data in the system.
Worms: Malware that can duplicate and spread itself across systems on its own. In contrast to a virus, a worm does not need to be downloaded by a user. Instead, it self-replicates and spreads from an already infected computer to other devices on the same network.
Ransomware: A malicious attack where threat actors encrypt an organization's data and demand payment to restore access.
Spyware: Malware that’s used to gather and sell information without consent. Spyware can be used to access devices. This allows threat actors to collect personal data, such as private emails, texts, voice and image recordings, and locations.
Social Engineering
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Human error is usually a result of trusting someone without question. It’s the mission of a threat actor, acting as a social engineer, to create an environment of false trust and lies to exploit as many people as possible.
Some of the most common types of social engineering attacks today include:
Social media phishing: A threat actor collects detailed information about their target from social media sites. Then, they initiate an attack.
Watering hole attack: A threat actor attacks a website frequently visited by a specific group of users.
USB baiting: A threat actor strategically leaves a malware USB stick for an employee to find and install, to unknowingly infect a network.
Physical social engineering: A threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location.
CISSP Security Domains [Certified Information Systems Security Professional]
1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communications and Network Security
5. Identity and Access Management.
6. Security Assessment and Testing.
7. Security Operations.
8. Software Development Security
1. Security and Risk management
Focuses on:
a. Defining security goals and objectives.
b. Risk mitigation
c. Compliance
d. Business continuity
e. The Law
For example, security analysts may need to update company policies related to private health information if a change is made to a federal compliance regulation such as the Health Insurance Portability and Accountability Act, also known as HIPAA.
2. Asset Security
Security digital and physical assets
Data storage, maintenance, retention and destruction of data
3. Security Architecture & Engg
Optimizing data security by ensuring effective tools, systems, and processes are in place.
For e.g., setting up and configuring a firewall to monitor and filter incoming traffic. Also processes and procedures in place to detect, report and counter breaches.
4. Communication & Network Security
Manage and secure physical networks and wireless communications
Imagine discovering that users are connecting to unsecured wireless hotspots. This could leave the organization and its employees vulnerable to attacks. To ensure communications are secure, you would create a network policy to prevent and mitigate exposure.
5. Identity and Access Management
Keep data secure by:
Ensure users follow established policies to control and manage physical assets like office spaces and logical assets such as networks and applications.
Identity and Access Management (IAM) refers to the framework of policies, technologies, and processes that ensure the appropriate individuals in an organization have the right access to the right resources at the right times for the right reasons.
Validating the identities of employees and documenting access roles are essential to maintaining the organization's physical and digital security. For example, as a security analyst, you may be tasked with setting up employees' keycard access to buildings.
6. Security Assessment and Testing [Proactive activities]
Conducting security control testing
Collecting and analyzing data
Conducting security audits to monitor for risks, threats and vulnerabilities.
For example, access to payroll information is often limited to certain employees, so analysts may be asked to regularly audit permissions to ensure that no unauthorized person can view employee salaries.
7. Security Operations
Conducting investigations and implementing preventative measures.
Imagine that you, as a security analyst, receive an alert that an unknown device has been connected to your internal network. You would need to follow the organization's policies and procedures to quickly stop the potential threat.
8. Software Development Security
Focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services. A security analyst will work with a software development team to ensure the code is secure.
Please recall the SBD Certificate that was issued to my projects in Westpac. (Secury By Design). Security team used to run a tool to review the code and if any security vulnerabilities are found, Dev team used to fix them. Later on Sonarcube took over.
- Engage security team.
- Run security tool on the codebase
- Fix any potential security vulnerabilities
- Get security certificate that is crucial to go ahead with prod deployment.
Types of Attacks
Password Attack
A password attack is an attempt to access password-secured devices, systems, networks, or data.
- Brute force
- Rainbow attack
Social engineering attack
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables.
- Phising
- Smishing
- Vishing
- Spear Phising
- Whaling
- Social media phising
- Business email compromise
- Watering hole attack
- USB baiting
- Physical social engineering
Physical attack
A physical attack is a security incident that affects not only digital but also physical environments where the incident is deployed.
- Malicious USB cable drive
- Malicious flash drive
- Card cloning and skimming
Adverserial AI
Adversarial artificial intelligence is a technique that manipulates artificial intelligence and machine learning technology to conduct attacks more efficiently.
Supply chain attack
A supply-chain attack targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed. Because every item sold undergoes a process that involves third parties, this means that the security breach can occur at any point in the supply chain. These attacks are costly because they can affect multiple organizations and the individuals who work for them.
Cryptographic attack
A cryptographic attack affects secure forms of communication between a sender and intended recipient. Some forms of cryptographic attacks are:
- Birthday
- Collision
- Downgrade
Understanding Attackers
A threat actor is any person or group who presents a security risk.
Threat actor types:
Advanced Persistent Threats
Advanced persistent threats (APTs) have significant expertise accessing an organization's network without authorization. APTs tend to research their targets (e.g., large corporations or government entities) in advance and can remain undetected for an extended period of time. Their intentions and motivations can include:
- Damaging critical infrastructure, such as the power grid and natural resources
- Gaining access to intellectual property, such as trade secrets or patents
Insider Treats
Insider threats abuse their authorized access to obtain data that may harm an organization. Their intentions and motivations can include:
- Sabotage
- Corruption
- Espionage
- Unauthorized data access or leaks.
Hacktivists
Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to accomplish their goals, which may include:
- Demonstrations
- Propaganda
- Social change campaigns
- Fame
Hacker Types
A hacker is any person who uses computers to gain access to computer systems, networks, or data. They can be beginner or advanced technology professionals who use their skills for a variety of reasons. There are three main categories of hackers:
- Authorized hackers (ethicak hackers)
- Semi authorized hackers - resarchers. Don't take advantage of vulnerabilities.
- Unauthorized hackers are also called unethical hackers. They are malicious threat actors who do not follow or respect the law. Their goal is to collect and sell confidential data for financial gain.
Frameworks and Controls
Focus is how organizations protect themselves from threats, risks, and vulnerabilities by covering key principles such as: frameworks, controls, and ethics.
Security frameworks
Are guidelines used to building plans to help mitigate risks and threats to data and privacy. Security frameworks provide a structured approach to implementing a security lifecycle.
Security lifecycle: is a constantly evolving set of policies and standards that define how an organization manages risks, follows established guidelines, and meets regulatory compliance or laws.
Purpose of security framework:
- Protecting PII
- Securing financial information
- Identifying security weaknesses
- Managing organziational risks
- Aligning security with business goals.
- Identifying and documenting security goals:
- Example an org may have a security goal to align to the European GDPR (General Data Protection Regulation).
- GDPR helps European Citizens to have better control over their personal data.
- For example, analyst may be asked to Identify and document compliance with respect to GDPR.
- Setting guidelines to achieve security goals.
- For example, to implement security guidelines for GDPR, org may need to develop new policies for how to handle data requests from individual users.
- Implementing strong security processes
- Analyst may help design procedures to ensure org complies with GDPR against verified user data requests. Example, when a user attempts to update or delete their profile information.
- Monitoring and communicating results.
- Example, monitor org's internal network and report a potential security issue affecting GDPR to manager / regulatory compliance officer.
Security Control
Safeguards to reduce specific security risks. For example, your company may have a guideline that requires all employees to complete a privacy training to reduce the risk of data breaches. As a security analyst, you may use a software tool to automatically assign and track which employees have completed this training.
Secure Design
Specific frameworks and controls that organizations can voluntarily use to minimize risks to their data and to protect users
CIA Triad
The CIA triad is a foundational model that helps inform how organizations consider risk when setting up systems and security policies. CIA stands for confidentiality, integrity, and availability.
Confidentiality: Only authorised users can access specific assets or data. Strict access controls need to be put in place to ensure confidential data remains safe.
Integrity: Data is correct, authentic, and reliable. Can use form of data protection like encryption to safeguard data tampering. In Westpac in my projects, I have used Rowcount and MD5 Checksum to ensure data integraty between source and destination systems.
Availability: Data is accessible to those who are authorized to access it.
NIST CSF (National Instituate of Standards and Technology Cyber Security Framework)
The NIST Cybersecurity Framework is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
It's important to become familiar with this framework because security teams use it as a baseline to manage short and long-term risk.
Controls, frameworks, and compliance
CIA Triad and NIST CSF are two frameworks to establish appropriate controls that mitigate threats, risks and vulnerabilities. Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.
They have 4 components:
- Identifying and documenting security goals.
- Setting guidelines to achieve security goals.
- Implementing strong security processes.
- Monitoring and communicating results.
Security controls are safeguards designed to reduce specific security risks. So they are used alongside frameworks to ensure that security goals and processes are implemented correctly and that organizations meet regulatory compliance requirements.
Compliance is the process of adhering to internal standards and external regulations.
Additional controls, frameworks and compliance standards.
The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC.
The Federal Risk and Authorization Management Program (FedRAMP®)
FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.
Center for Internet Security (CIS®)
CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs.
General Data Protection Regulation (GDPR)
GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. federal law established in 1996 to protect patients' health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:
Privacy
Security
Breach notification
Organizations that store patient data have a legal obligation to inform patients of a breach because if patients' Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.
International Organization for Standardization (ISO)
ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services.
System and Organizations Controls (SOC type 1, SOC type 2)
The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series of reports that focus on an organization's user access policies at different organizational levels such as:
Associate
Supervisor
Manager
Executive
Vendor
Others
They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.
Ethics in Cybersecurity
Adhere to policy procedures and protocols.
Security Ethics are guidelines for making appropriate decisions as a security professional.
Ethical principles in Cybersecurity
- Confidentiality
- Its your ethical duty to keep proprietary and private information such as PII confidential and safe.
- For example, if you want to give computer access to your friend outside of properly documented channels, then that is a violation of above and can result in serious consequences.
- Privacy protection means safeguarding personal information from unauthorised use. For example, imagine you receive a personal email after hours from your manager requesting a colleague's home phone number. Your manager explains that they can't access the employee database at the moment, but they need to discuss an urgent matter with that person.
- Laws are rules that are recognized by a community and enforced by a governing entity. For example, consider a staff member at a hospital who has been trained to handle PII, and SPII for compliance. The staff member has files with confidential data that should never be left unsupervised, but the staff member is late for a meeting. Instead of locking the files in a designated area, the files are left on the staff member's desk, unsupervised. Upon the employee's return, the files are missing. The staff member has just violated multiple compliance regulations, and their actions were unethical and illegal, since their negligence has likely resulted in the loss of private patient and hospital data.
Ethical concerns and laws related to counterattacks
Counterattacks
USA Standpoint: Deploying a counterattack on a threat actor is illegal. You can defend, but cannot launch counter offensive. Counterattack is considered vigilantism. A vigilante is a person who is not a member of the law but decides to stop crime on own. Because threat actors are criminals, counterattacks can exacerbate the situation leading to more damage and harm.
International standpoint: ICJ / International Court of Justice: Is acceptable under the given scenarios.
- Counterattack will affect only the party that has attacked first.
- Counterattack is a direct communication asking the attacker to stop.
- Counterattack does not escalate the situation.
- Counterattack effects can be reversed.
Because counterattacks are generally disapproved of or illegal, the security realm has created frameworks and controls—such as the confidentiality, integrity, and availability (CIA) triad and others discussed earlier in the program—to address issues of confidentiality, privacy protections, and laws.
Tools and Programming Languages used in Cybersecurity
- SIEM Tools
- Security Information and Event Management
- SIEM is an application that collects and analyzes log data to monitor critical activities in an organization.
- Collect real time information.
- SIEM provides alerts for specific types of risks and threats.
- E.g. of SIEM tools - SPLUNK, Chronicle.
- Splunk: Splunk is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.
- Google Chronicle: cloud native SIEM tool. Chronicle SIEM is a cloud service, built as a specialized layer on top of core Google infrastructure, designed for enterprises to privately retain, analyze, and search the massive amounts of security and network telemetry they generate. Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activity.
- Playbook
- Is a manual that provides details about any operational activity.
- Playbooks vary from one organization to another.
- Guide analysts about security incidents before, during and after it has occurred.
- Pertain to security, compliance reviews, access management, and other org tasks that require documented processes.
- Network protocol analyzers:
- Also called packet sniffer.
- A tool designed to capture and analyse data traffic within a network.
- Example TCP Dump, Wireshark.
- Linux operating system
- Programming languages - SQL, Python
Logs: a record of events that occur within an organization's systems. E.g. record of employees logging into their systems OR accessing web services. Logs help identify vulnerabilities and breaches.
Programming languages
- Python
- Used to perform tasks that are repetitive and time consuming, and those that require a high level of detail & accuracy.
- SQL Programming
- Structured query language
- A programming language used to create, interact with, and request information from a database (an organised collection of information or data).
- There may be millions of data points in a database. So an entry-level security analyst would use SQL to filter through the data points to retrieve specific information.
- Linux
- Is an open source operating system.
- Command line
- Examining logs on what's occurring within a system. Review an error log.
Terms and definitions from Course
A
Adversarial artificial intelligence: A technique
that manipulates artificial intelligence (AI) and machine learning (ML)
technology to conduct attacks more efficiently
Antivirus software: A software program used to
prevent, detect, and eliminate malware and viruses
Asset: An item perceived as having
value to an organization
Availability: The idea that data is accessible to those who
are authorized to access it
B
Business Email Compromise (BEC): A type of phishing attack where a threat actor
impersonates a known source to obtain financial advantage
C
Cloud security: The process of ensuring that
assets stored in the cloud are properly configured and access to those assets
is limited to authorized users
Compliance: The process of adhering to
internal standards and external regulations
Computer virus: Malicious code written to
interfere with computer operations and cause damage to data and software
Confidentiality: Only authorized users can
access specific assets or data
Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when
setting up systems and security policies
Cryptographic attack: An attack that affects
secure forms of communication between a sender and intended recipient
Cybersecurity (or security): The practice of
ensuring confidentiality, integrity, and availability of information by
protecting networks, devices, people, and data from unauthorized access or
criminal exploitation
D
Database: An organized collection of
information or data
Data point: A specific piece of
information
H
Hacker: Any person who uses computers to gain access to
computer systems, networks, or data
Hacktivist: A person who uses hacking to
achieve a political goal
Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law established to protect patients’ health
information
I
Integrity: The idea that the data is
correct, authentic, and reliable
Internal threat: A current or former employee,
external vendor, or trusted partner who poses a security risk
Intrusion detection system (IDS): An application
that monitors system activity and alerts on possible intrusions
L
Linux: An open-source operating
system
Log: A record of events that
occur within an organization’s systems
M
Malware: Software designed to harm
devices or networks
N
National Institute of Standards and Technology (NIST) Cyber
Security Framework (CSF): A voluntary framework that
consists of standards, guidelines, and best practices to manage cybersecurity
risk
Network protocol analyzer (packet sniffer): A tool
designed to capture and analyze data traffic within a network
Network security: The practice of keeping an
organization's network infrastructure secure from unauthorized access
O
Open Web Application Security Project (OWASP): A non-profit organization focused on improving software security
Order of volatility: A sequence outlining the order of data that must be preserved from
first to last
P
Password attack: An attempt to access
password secured devices, systems, networks, or data
Personally identifiable information (PII): Any information used to infer an individual’s identity
Phishing: The use of digital
communications to trick people into revealing sensitive data or deploying
malicious software
Physical attack: A security incident that
affects not only digital but also physical environments where the incident is
deployed
Physical social engineering: An attack in
which a threat actor impersonates an employee, customer, or vendor to obtain
unauthorized access to a physical location
Privacy protection: The act of safeguarding
personal information from unauthorized use
Programming: A process that can be used to create a specific set of instructions for
a computer to execute tasks
Protected health information (PHI): Information
that relates to the past, present, or future physical or mental health or
condition of an individual
Protecting and preserving evidence: The process of properly working with fragile and volatile
digital evidence
S
Security architecture: A type of
security design composed of multiple components, such as tools and processes,
that are used to protect an organization from risks and external threats
Security controls: Safeguards designed to reduce
specific security risks
Security ethics: Guidelines for making
appropriate decisions as a security professional
Security frameworks: Guidelines used for building
plans to help mitigate risk and threats to data and privacy
Security governance: Practices that help support,
define, and direct security efforts of an organization
Security information and
event management (SIEM): An application that collects and analyzes log data
to monitor critical activities in an organization
Security posture: An organization’s ability to
manage its defense of critical assets and data and react to change
Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling
guidelines
Social engineering: A manipulation technique that
exploits human error to gain private information, access, or valuables
Social media phishing: A type of
attack where a threat actor collects detailed information about their target on
social media sites before initiating the attack
Spear phishing: A malicious email attack targeting a specific user or group of users,
appearing to originate from a trusted source
SQL (Structured Query Language): A programming
language used to create, interact with, and request information from a database
Supply-chain attack: An attack that targets systems, applications, hardware, and/or software to locate a
vulnerability where malware can be deployed
T
Technical skills: Skills that require
knowledge of specific tools, procedures, and policies
Threat: Any circumstance or event
that can negatively impact assets
Threat actor: Any person or group who
presents a security risk
Transferable skills: Skills from other areas that
can apply to different careers
U
USB baiting: An attack in which a threat actor strategically
leaves a malware USB stick for an employee to find and install to
unknowingly infect a network
V
Virus: refer to “computer virus”
Vishing: The exploitation of
electronic voice communication to obtain sensitive information or to
impersonate a known source
W
Watering hole attack: A type of
attack when a threat actor compromises a website frequently visited by a
specific group of users