Cyber Security Knowledge Base:
Principles and Acronyms
Introduction to the Knowledge Base
Welcome to the Cybersecurity Knowledge Base. This resource is designed to provide clear, concise, and interconnected definitions for a wide range of cybersecurity terms. Our goal is to help you understand key concepts, their practical applications, and their importance in a modern security program.
A successful cybersecurity strategy relies on multiple layers of controls, people, and processes. This knowledge base is structured to reflect that complexity, organizing terms into logical categories.
How to use this resource: You can navigate through the categories below or use a search bar to quickly find a specific term. Each entry includes a definition, how it's used in practice, and its importance to a secure environment.
Governance, Risk & Compliance
This section covers the strategic oversight and planning required to align security efforts with business and legal requirements.
Governance, Risk and Compliance (GRC)
What it is: A comprehensive program that aligns an organization's security policies, risk management, and compliance with its business objectives.
How it's used: To structure oversight, controls, audits, and reporting across the organization. It provides a formal framework for managing security as a business function.
Examples and Context: A GRC program often maps to established frameworks like ISO 27001 and NIST 800-53 to guide its implementation and measure its success.
Why it Matters: GRC ensures that security is not an isolated function but is integrated into the core strategy of the business, helping to manage legal obligations, reduce liability, and build stakeholder trust.
Related Topics: Risk Assessment, Security Policy, ISO/IEC 27001
Business Continuity Plan (BCP)
What it is: A plan to keep critical business functions running during and after a major disruption.
How it's used: It defines the procedures, roles, and resources needed to maintain essential operations in the face of an incident that disrupts business as usual.
Examples and Context: A BCP might outline alternative work sites, communication strategies, and emergency procedures for departments like finance or customer support. It is often developed alongside a Disaster Recovery Plan.
Why it Matters: A BCP minimizes the business impact of an incident, allowing the organization to continue serving customers and fulfilling its mission, even under duress.
Related Topics: Disaster Recovery Plan, Recovery Time Objective (RTO), Recovery Point Objective (RPO)
Disaster Recovery Plan (DRP)
What it is: A plan to restore an organization's IT systems and data after a major incident, such as a natural disaster or cyberattack.
How it's used: A DRP details the technical strategies, runbooks, and responsibilities for bringing infrastructure and applications back online.
Examples and Context: A DRP focuses specifically on technology, outlining procedures for restoring servers, databases, and network connectivity. It complements a BCP, which is broader in scope.
Why it Matters: A DRP ensures that the technical foundation of the business can be restored efficiently and effectively, helping to meet the Recovery Time and Recovery Point Objectives.
Related Topics: Business Continuity Plan (BCP), Recovery Time Objective (RTO), Recovery Point Objective (RPO)
Recovery Time Objective (RTO)
What it is: The maximum acceptable amount of time that can pass before a service is restored and operational after an outage.
How it's used: RTO is a key metric that guides the design of an organization’s resilience architecture and its disaster recovery strategy. The lower the RTO, the more robust and costly the solution typically is.
Examples and Context: An RTO might be set in minutes for a critical e-commerce platform or in days for a non-essential internal application.
Why it Matters: It sets a clear, measurable goal for how quickly a business must recover from an incident, directly influencing the choice of backup and replication technologies.
Related Topics: Disaster Recovery Plan (DRP), Recovery Point Objective (RPO)
Recovery Point Objective (RPO)
What it is: The maximum acceptable amount of data loss, measured in time, that an organization is willing to tolerate.
How it's used: RPO is a critical factor in determining the frequency of backups and the strategy for data replication.
Examples and Context: An RPO of 15 minutes means that data backups must occur at least every 15 minutes to ensure no more than that amount of data is lost in an incident.
Why it Matters: RPO defines the business tolerance for data loss, dictating how often data needs to be saved and synchronized to meet continuity goals.
Related Topics: Disaster Recovery Plan (DRP), Recovery Time Objective (RTO)
Risk Assessment (RA)
What it is: The process of identifying, analyzing, and prioritizing potential risks to an organization's assets.
How it's used: The output of a risk assessment informs a mitigation plan and the selection of security controls. It helps an organization decide which risks to accept, mitigate, transfer, or avoid.
Examples and Context: A risk assessment might use qualitative methods (high/medium/low) or quantitative methods (financial cost) to evaluate the likelihood and impact of a threat.
Why it Matters: It provides a data-driven approach to security, ensuring resources are allocated to address the most significant threats to the organization.
Related Topics: Governance, Risk and Compliance (GRC), Risk Assessment (RA)
Data Protection Impact Assessment (DPIA)
What it is: A process to assess the privacy risks associated with processing personal data, especially for high-risk activities.
How it's used: Required under certain data protection laws, a DPIA helps organizations identify and minimize the privacy risks of a new project or system before it is deployed.
Examples and Context: A DPIA is mandatory for activities like large-scale processing of sensitive data or public monitoring of individuals. It's a key requirement of regulations like GDPR and POPIA.
Why it Matters: It helps organizations comply with privacy laws and demonstrates a commitment to protecting personal information, thereby avoiding significant fines and reputational damage.
Related Topics: General Data Protection Regulation (GDPR), Protection of Personal Information Act (POPIA)
Security Policy
What it is: Formal statements that define the required security behavior and controls for an organization.
How it's used: Security policies are the foundation for more detailed standards, procedures, and enforcement mechanisms.
Examples and Context: Common policies include an Acceptable Use Policy (AUP), a Password Policy, and an Access Control Policy.
Why it Matters: Policies set the baseline for a secure culture and provide the legal and organizational basis for enforcing security measures.
Related Topics: Governance, Risk and Compliance (GRC), Least Privilege (PoLP)
Frameworks & Standards
These are the blueprints and best practices that organizations use to build, manage, and measure their security programs.
ISO/IEC 27001 (ISO 27001)
What it is: The international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
How it's used: Organizations use this standard to manage a risk-based security program and can seek formal certification to demonstrate their commitment to information security.
Examples and Context: The standard includes a set of controls (Annex A) that are detailed in ISO 27002.
Why it Matters: ISO 27001 provides a globally recognized benchmark for information security, helping businesses build trust with partners and customers and meet contractual obligations.
Related Topics: Governance, Risk and Compliance (GRC), NIST Cybersecurity Framework
NIST Cybersecurity Framework (NIST CSF)
What it is: A flexible framework to help organizations manage and reduce cybersecurity risk. It is organized around five key functions: Identify, Protect, Detect, Respond, and Recover.
How it's used: The NIST CSF is used to assess an organization's security maturity, identify gaps, and plan for improvements.
Examples and Context: The framework uses "profiles," "tiers," and "outcomes" to provide a detailed, customizable roadmap for security improvements.
Why it Matters: NIST CSF offers a clear, high-level approach that is widely adopted, especially in the US, providing a common language for discussing security risks and progress.
Related Topics: NIST Special Publication 800-53, Governance, Risk and Compliance (GRC)
NIST Special Publication 800-53 (NIST 800-53)
What it is: A catalog of security and privacy controls for information systems and organizations.
How it's used: Organizations, particularly those in the US federal sector, use NIST 800-53 to select and baseline controls for their systems.
Examples and Context: The controls are organized into families, such as Access Control (AC), Audit and Accountability (AU), and Identification and Authentication (IA).
Why it Matters: It provides a highly detailed, comprehensive list of security controls, serving as a practical tool for designing and implementing secure systems.
Related Topics: NIST Cybersecurity Framework, Security Policy
Center for Internet Security Controls (CIS Controls)
What it is: A prioritized set of best practices for cyber defense, organized into 18 controls.
How it's used: Organizations use the CIS Controls to implement foundational-to-advanced safeguards against common cyberattacks.
Examples and Context: The controls are divided into three "Implementation Groups" (IG1–IG3), making it easier for organizations of different sizes to adopt them.
Why it Matters: The CIS Controls are a highly practical, actionable set of steps that can significantly improve an organization's security posture by focusing on the most critical areas.
Related Topics: Defense in Depth (DiD)
MITRE ATT&CK
What it is: A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations.
How it's used: Security teams use ATT&CK to map their detections, analyze threat intelligence, and understand how adversaries might operate in their environment.
Examples and Context: The framework includes matrices for Enterprise, Mobile, and Industrial Control Systems (ICS).
Why it Matters: ATT&CK provides a standardized language for describing and understanding adversary behavior, allowing security teams to be more proactive in their defense and more precise in their threat hunting.
Related Topics: MITRE D3FEND, Tactics, Techniques, and Procedures (TTPs), Threat Intelligence Platform (TIP)
MITRE D3FEND
What it is: A knowledge graph of defensive countermeasures that are linked to the attack techniques in MITRE ATT&CK.
How it's used: D3FEND is used by security teams to design effective detections and defensive patterns that directly counter known adversary TTPs.
Examples and Context: Defensive patterns include concepts like "Hardening," "Isolate," and "Detect."
Why it Matters: D3FEND provides a crucial link between offensive and defensive security, helping organizations to develop a more strategic and targeted defense.
Related Topics: MITRE ATT&CK
Payment Card Industry Data Security Standard (PCI DSS)
What it is: A set of security standards for all organizations that handle, process, or store cardholder data.
How it's used: Organizations must meet these requirements to maintain compliance with payment card brands.
Examples and Context: Compliance is typically validated through a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA).
Why it Matters: PCI DSS is a mandatory standard for protecting credit card data, helping to prevent breaches and maintain the integrity of the payment ecosystem.
General Data Protection Regulation (GDPR)
What it is: A comprehensive EU data protection law that governs the processing of personal data for EU citizens.
How it's used: GDPR defines the lawful basis for processing data, establishes the rights of individuals (data subjects), and sets out the obligations for organizations (data controllers and processors).
Examples and Context: GDPR applies extraterritorially, meaning it can impact any organization in the world that processes the data of EU citizens.
Why it Matters: GDPR established a new global benchmark for data privacy, holding organizations accountable for how they handle personal information with the threat of significant fines.
Related Topics: Data Protection Impact Assessment (DPIA)
Protection of Personal Information Act (South Africa) (POPIA)
What it is: A South African law that regulates the processing of personal information.
How it's used: It sets out eight conditions for the lawful processing of personal information, along with penalties for non-compliance.
Examples and Context: POPIA has similar aims and principles to the GDPR, and compliance is mandatory for South African organizations.
Why it Matters: It is the primary legal framework for data privacy in South Africa, ensuring a consistent standard for the protection of personal information.
Related Topics: Data Protection Impact Assessment (DPIA), General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA/CPRA)
What it is: A California privacy law that grants consumers new rights over their personal data.
How it's used: The law requires organizations to provide consumers with notices, the right to access and delete their data, and the ability to opt-out of the sale of their information.
Examples and Context: The California Privacy Rights Act (CPRA) is an amendment that expanded and strengthened the provisions of the original CCPA.
Why it Matters: CCPA and CPRA set a precedent for consumer data rights in the United States, forcing businesses to be more transparent and give consumers more control over their personal information.
Identity & Access Management
This section focuses on the policies and technologies used to manage who can access what, when, and how.
Identity and Access Management (IAM)
What it is: The framework of policies and technologies to manage the digital identities of users and control their access to resources.
How it's used: IAM encompasses provisioning (creating accounts), authentication (verifying identity), authorization (granting access), and auditing (monitoring activity).
Examples and Context: Key components include an Identity Provider (IdP), Single Sign-On (SSO), and Multi-Factor Authentication (MFA).
Why it Matters: IAM is the cornerstone of modern security, ensuring that only authorized individuals can access sensitive data and systems, thereby preventing data breaches and insider threats.
Related Topics: Identity Provider (IdP), Multi-Factor Authentication (MFA), Role-Based Access Control (RBAC)
Identity Provider (IdP)
What it is: A service that creates, manages, and stores digital identities. It is the central source of truth for authenticating users.
How it's used: When a user tries to access an application, the application redirects them to the IdP to verify their credentials.
Examples and Context: Popular IdPs include Azure AD/Entra ID, Okta, and ADFS.
Why it Matters: An IdP centralizes identity management, simplifying the user experience and improving security by providing a single point of authentication.
Related Topics: Single Sign-On (SSO)
Single Sign-On (SSO)
What it is: A feature that allows a user to authenticate once and gain access to multiple applications and services without re-entering their credentials.
How it's used: SSO works by using an Identity Provider to issue a security token after the initial login, which is then trusted by other applications.
Examples and Context: Common protocols for SSO include SAML and OIDC.
Why it Matters: SSO improves user experience and security by centralizing authentication and reducing the risk of users reusing weak passwords across different services.
Related Topics: Identity Provider (IdP), Security Assertion Markup Language (SAML), OpenID Connect (OIDC)
Multi-Factor Authentication (MFA)
What it is: An authentication method that requires a user to provide two or more independent verification factors to gain access to an account.
How it's used: By combining "something you know" (a password), "something you have" (a phone or token), and/or "something you are" (biometrics), MFA significantly reduces the risk of account takeover.
Examples and Context: Common forms of MFA include a password plus a one-time code from an authenticator app (like TOTP).
Why it Matters: MFA is one of the most effective and widely recommended security controls to protect against credential theft.
Related Topics: Two-Factor Authentication (2FA), FIDO2
Two-Factor Authentication (2FA)
What it is: A specific subset of MFA that uses exactly two independent factors for authentication.
How it's used: The most common form is a password combined with a one-time code (OTP) sent via SMS or a mobile app.
Examples and Context: SMS-based 2FA is a popular but less secure form compared to Time-based One-Time Passwords (TOTP) from a dedicated authenticator app.
Why it Matters: It provides a significant security boost over a single password, and it is a foundational step for protecting user accounts.
Related Topics: Multi-Factor Authentication (MFA)
FIDO2
What it is: A modern, passwordless authentication standard that uses public-key cryptography to provide a highly secure and phishing-resistant login experience.
How it's used: Users can log in using a physical security key or a built-in "passkey" on their device (like a fingerprint reader or facial recognition).
Examples and Context: FIDO2 is a combination of the WebAuthn standard and the CTAP protocol.
Why it Matters: FIDO2 eliminates the need for passwords, which are the most common source of credential theft, and is fundamentally resistant to phishing attacks.
Related Topics: Web Authentication (WebAuthn), Multi-Factor Authentication (MFA)
Web Authentication (WebAuthn)
What it is: A W3C standard that defines an API for strong, phishing-resistant authentication in browsers and web applications.
How it's used: WebAuthn is the primary component of FIDO2, allowing websites to interact with "authenticators" on a user's device.
Examples and Context: This allows for secure logins using platform authenticators (like a laptop's fingerprint scanner) or roaming authenticators (like a USB security key).
Why it Matters: WebAuthn is the technology that enables the promise of a passwordless internet, providing a secure and seamless login experience.
Related Topics: FIDO2
Role-Based Access Control (RBAC)
What it is: An authorization model where access decisions are based on the user's job role and the permissions assigned to that role.
How it's used: Administrators assign users to specific roles (e.g., "HR Manager," "Database Administrator"), and those roles are granted specific permissions.
Examples and Context: This approach simplifies access management and helps enforce the principle of Least Privilege.
Why it Matters: RBAC provides a manageable and scalable way to control access, preventing users from having more privileges than they need to perform their jobs.
Attribute-Based Access Control (ABAC)
What it is: A fine-grained authorization model where access decisions are made using a combination of attributes about the user, the resource, and the environment.
How it's used: Policies are defined using attributes, such as "allow access to any document with the 'confidential' tag for any user in the 'compliance' group between 9 AM and 5 PM."
Examples and Context: ABAC provides a more flexible and context-aware alternative to the rigid roles of RBAC.
Why it Matters: ABAC allows for highly granular access control policies that can adapt to changing conditions, making it suitable for complex, dynamic environments.
Related Topics: Policy-Based Access Control (PBAC)
Policy-Based Access Control (PBAC)
What it is: A general term for authorization models driven by a central policy engine and context-aware rules.
How it's used: PBAC unifies access rules across multiple applications and services, ensuring consistent enforcement.
Examples and Context: The Open Policy Agent (OPA) is a popular open-source policy engine that uses a language called Rego for this purpose.
Why it Matters: PBAC provides a single, consistent way to manage access policies across a distributed microservices architecture, which is common in modern applications.
Related Topics: Attribute-Based Access Control (ABAC), Open Policy Agent (OPA)
Privileged Access Management (PAM)
What it is: A set of controls for managing and securing accounts with elevated privileges (e.g., root, administrator).
How it's used: PAM solutions typically vault credentials, control and record privileged sessions, and provide audit trails.
Examples and Context: A PAM solution might require an administrator to request temporary access to a server, which is then automatically granted for a limited time (Just-In-Time Access).
Why it Matters: PAM is a critical control for protecting an organization's most sensitive assets by preventing the misuse or theft of administrative credentials.
Related Topics: Privileged Identity Management (PIM), Just-In-Time Access (JIT)
Privileged Identity Management (PIM)
What it is: The lifecycle and governance for privileged identities, focusing on the management of permissions and roles.
How it's used: PIM solutions allow for time-bound elevation of privileges, requiring users to request access only when they need it for a specific task.
Examples and Context: PIM is often used in cloud environments to manage and audit administrative roles, such as an AWS IAM role or an Azure AD PIM role.
Why it Matters: PIM reduces the risk of "standing privileges," where an account has elevated access 24/7, making it a highly attractive target for attackers.
Related Topics: Privileged Access Management (PAM), Just-In-Time Access (JIT)
Just-In-Time Access (JIT)
What it is: The practice of granting a user access to a system or resource only when they need it and for a limited duration.
How it's used: A user requests access for a specific task, which is automatically approved for a short period (e.g., one hour). After the time expires, the access is automatically revoked.
Examples and Context: JIT is a core component of both PAM and PIM solutions.
Why it Matters: By minimizing the time that an account has elevated privileges, JIT significantly reduces the window of opportunity for an attacker to exploit a compromised account.
Related Topics: Privileged Access Management (PAM), Privileged Identity Management (PIM), Least Privilege (PoLP)
Just Enough Administration (JEA)
What it is: A security practice that limits an administrator's rights to only the minimum set of permissions needed to perform a specific task.
How it's used: JEA creates a restricted environment where administrators can run specific cmdlets or scripts without having full administrative privileges on the host.
Examples and Context: PowerShell JEA is a common implementation, allowing an admin to restart a service on a server without being able to install new software or change system-level settings.
Why it Matters: JEA is a practical application of the Principle of Least Privilege that significantly reduces the risk of lateral movement if an administrator account is compromised.
Related Topics: Least Privilege (PoLP)
Security Assertion Markup Language (SAML)
What it is: An XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider.
How it's used: SAML is the most common protocol for enabling Single Sign-On (SSO) for enterprise applications.
Examples and Context: SAML 2.0 defines the structure of the "claims" or "tokens" that an Identity Provider sends to an application to verify a user's identity.
Why it Matters: SAML is a foundational technology for enterprise SSO, providing a secure and standardized way for different systems to trust a centralized identity source.
Related Topics: Single Sign-On (SSO), OpenID Connect (OIDC)
OpenID Connect (OIDC)
What it is: An identity layer built on top of the OAuth 2.0 authorization framework for authentication.
How it's used: OIDC is a modern, lightweight standard for SSO and login flows, particularly popular for consumer-facing applications and APIs.
Examples and Context: OIDC uses a JSON Web Token (JWT), known as an ID token, to carry identity information.
Why it Matters: OIDC provides a simple, API-friendly protocol for authentication that is now widely adopted by large tech companies and web services.
Related Topics: OAuth 2.0, Single Sign-On (SSO)
OAuth 2.0
What it is: An authorization framework that enables an application to obtain limited access to a user's resources on another service without the user having to share their credentials.
How it's used: OAuth 2.0 grants limited access via "tokens" and is the standard protocol for delegating permissions (e.g., "Allow this app to access your profile on another service").
Examples and Context: Common OAuth flows include the "authorization code" flow and the "client credentials" flow.
Why it Matters: OAuth 2.0 is the backbone of modern API security, allowing for secure, delegated access to resources while protecting user credentials.
Related Topics: OpenID Connect (OIDC)
JSON Web Token (JWT)
What it is: A compact, URL-safe format for securely transmitting information between parties as a JSON object.
How it's used: JWTs are often used as bearer tokens to carry identity or authorization information from a client to a server, verifying the sender's identity with a digital signature.
Examples and Context: JWTs are a key component of OpenID Connect (OIDC). They can be signed (JWS) to ensure integrity or encrypted (JWE) for confidentiality.
Why it Matters: JWTs provide a stateless way to handle authorization, allowing applications to verify a user's permissions without having to contact a central database for every request.
Related Topics: OpenID Connect (OIDC)
Network Security & Architecture
This section covers the technologies and design principles used to protect an organization's network perimeter and internal traffic.
Firewall (FW)
What it is: A device or service that enforces a set of rules to control network traffic entering and leaving a system or network.
How it's used: Firewalls permit or deny connections based on rules, such as source/destination IP address, port, and protocol.
Examples and Context: Early firewalls were "stateful" and only looked at IP and port information, while modern Next-Generation Firewalls (NGFWs) are application-aware.
Why it Matters: The firewall is a foundational security control that acts as the first line of defense, separating trusted internal networks from untrusted external ones.
Related Topics: Next-Generation Firewall (NGFW)
Next-Generation Firewall (NGFW)
What it is: An advanced firewall that includes traditional firewall features as well as deeper packet inspection and application awareness.
How it's used: NGFWs can enforce granular policies based on the application (e.g., block Facebook but allow Zoom) and perform advanced threat prevention.
Examples and Context: Additional features often include an integrated Intrusion Prevention System (IPS), URL filtering, and SSL decryption.
Why it Matters: NGFWs provide a more intelligent and effective layer of defense than traditional firewalls by understanding the context and content of network traffic, not just the source and destination.
Related Topics: Firewall (FW), Intrusion Prevention System (IPS)
Intrusion Detection System (IDS)
What it is: A system that monitors network traffic or a host for malicious activity or policy violations and generates alerts.
How it's used: An IDS analyzes traffic against a database of known attack signatures or against a baseline of normal behavior to spot anomalies.
Examples and Context: There are two main types: Network-based IDS (NIDS) and Host-based IDS (HIDS). An IDS is a passive control, meaning it only alerts and does not block traffic.
Why it Matters: An IDS provides critical visibility into potential threats and policy violations, giving security analysts the information they need to investigate incidents.
Related Topics: Intrusion Prevention System (IPS)
Intrusion Prevention System (IPS)
What it is: A security control that actively monitors network traffic for threats and takes automated action to block them.
How it's used: An IPS sits inline with network traffic and can prevent attacks in real-time by dropping malicious packets or resetting connections.
Examples and Context: An IPS often uses a combination of signature-based and behavioral-based detection to stop threats. It is frequently integrated into a Next-Generation Firewall.
Why it Matters: An IPS provides an active layer of defense that automatically stops attacks before they can reach their target, reducing the mean time to respond (MTTR).
Related Topics: Intrusion Detection System (IDS), Next-Generation Firewall (NGFW)
Web Application Firewall (WAF)
What it is: A security solution that monitors and filters HTTP traffic between a web application and the internet.
How it's used: A WAF protects web applications from common attacks, such as those listed in the OWASP Top 10.
Examples and Context: A WAF can be a physical appliance, a software solution, or a cloud service that acts as a Layer 7 reverse proxy.
Why it Matters: A WAF provides a dedicated layer of protection for web applications, protecting against application-specific threats like SQL Injection and Cross-Site Scripting (XSS) that traditional network firewalls cannot detect.
Related Topics: SQL Injection (SQLi), Cross-Site Scripting (XSS)
Secure Web Gateway (SWG)
What it is: A security solution that inspects and controls outbound web traffic from an organization's network.
How it's used: An SWG performs functions like URL filtering, malware scanning, and Data Loss Prevention to protect users from web-based threats and prevent data exfiltration.
Examples and Context: Modern SWGs are often delivered from the cloud as part of a SASE architecture.
Why it Matters: An SWG is crucial for protecting an organization's users by ensuring their web Browse is secure and that they don't access malicious or inappropriate content.
Related Topics: Secure Access Service Edge (SASE)
Cloud Access Security Broker (CASB)
What it is: A security control point for an organization's use of SaaS applications and cloud services.
How it's used: A CASB provides visibility, policy enforcement, and Data Loss Prevention for data stored in and accessed from cloud applications.
Examples and Context: A CASB can be used to discover "shadow IT" (unapproved applications) and to enforce policies like "block the download of a confidential file from a corporate Google Drive to an unmanaged personal device."
Why it Matters: A CASB extends an organization's security policies to the cloud, providing a critical layer of control in an era of distributed work and cloud adoption.
Related Topics: Secure Access Service Edge (SASE)
Zero Trust Network Access (ZTNA)
What it is: A modern security model that grants granular, context-aware access to applications based on the principle of "never trust, always verify."
How it's used: ZTNA replaces the traditional VPN model with a more secure approach, providing app-level access based on the user's identity, device posture, and other contextual factors.
Examples and Context: Unlike a VPN that grants access to an entire network, ZTNA only grants access to a specific application or resource.
Why it Matters: ZTNA is a core component of a Zero Trust architecture, significantly reducing the attack surface by eliminating implicit trust and making network access more secure.
Related Topics: Software-Defined Perimeter (SDP), Secure Access Service Edge (SASE), Least Privilege (PoLP)
Software-Defined Perimeter (SDP)
What it is: An approach to network security that conceals network services from unauthorized users until a strong identity verification is complete.
How it's used: An SDP creates a "dark cloud edge" around applications, making them invisible to the internet. Access is granted on a per-session, per-application basis.
Examples and Context: SDP is a technology that implements the principles of a Zero Trust architecture.
Why it Matters: By making network resources invisible by default, SDP dramatically reduces the network attack surface and prevents attackers from discovering and exploiting vulnerabilities.
Related Topics: Zero Trust Network Access (ZTNA)
Network Access Control (NAC)
What it is: A solution that controls which devices can connect to an organization's network based on their identity and security posture.
How it's used: NAC can quarantine or remediate devices that do not comply with security policies (e.g., a laptop without up-to-date antivirus software).
Examples and Context: NAC is often implemented using the 802.1X standard.
Why it Matters: NAC is essential for securing the network perimeter by ensuring that every device that connects, whether wired or wireless, meets the organization's security standards.
Related Topics: 802.1X Port-Based Network Access Control
802.1X Port-Based Network Access Control
What it is: An IEEE standard for authenticating devices on wired and wireless local area networks (LANs).
How it's used: It uses the Extensible Authentication Protocol (EAP) and a RADIUS server to authenticate clients before allowing them to connect to the network.
Examples and Context: EAP-TLS is a certificate-based authentication method used with 802.1X for high-assurance network access.
Why it Matters: 802.1X provides a robust, centralized mechanism for authenticating all devices on a network, preventing unauthorized devices from connecting and gaining access.
Related Topics: Network Access Control (NAC), Extensible Authentication Protocol-TLS (EAP-TLS)
Virtual Private Network (VPN)
What it is: A technology that creates an encrypted "tunnel" over an untrusted network (like the internet), allowing for secure communication.
How it's used: VPNs are widely used for remote access, allowing employees to securely connect to a corporate network from home or while traveling. They can also be used for site-to-site connectivity between offices.
Examples and Context: Common VPN protocols include IPsec and SSL/TLS.
Why it Matters: A VPN provides a secure way to extend a private network over public infrastructure, protecting data in transit from eavesdropping and interception.
Related Topics: Zero Trust Network Access (ZTNA)
Software-Defined Wide Area Network (SD-WAN)
What it is: A virtualized WAN architecture that uses centralized policy-based routing to manage network traffic across various connections.
How it's used: SD-WAN optimizes application performance, reduces network costs, and simplifies management by intelligently routing traffic based on performance and security requirements.
Examples and Context: SD-WAN is often a core component of a Secure Access Service Edge (SASE) architecture.
Why it Matters: SD-WAN provides a more flexible and efficient way to manage complex WAN environments, particularly as organizations rely on multiple cloud services and distributed workforces.
Related Topics: Secure Access Service Edge (SASE)
Secure Access Service Edge (SASE)
What it is: A cloud-delivered architecture that converges networking and security services into a single, unified platform.
How it's used: SASE unifies services like a Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and SD-WAN.
Examples and Context: SASE delivers all these controls from an "edge" location, close to the user, regardless of their physical location.
Why it Matters: SASE simplifies IT infrastructure and provides consistent security policy enforcement for a modern, distributed workforce by bringing security to the user rather than forcing the user to connect to the corporate network.
Related Topics: Secure Service Edge (SSE), Zero Trust Network Access (ZTNA)
Security Service Edge (SSE)
What it is: The security-focused half of a SASE architecture. It includes the cloud-delivered security services, but not the networking component (SD-WAN).
How it's used: SSE provides essential security controls like SWG, CASB, ZTNA, and DLP.
Examples and Context: SSE is the "network-agnostic" part of SASE, focusing on securing the user, device, and data regardless of the underlying network infrastructure.
Why it Matters: For organizations that want to prioritize cloud-delivered security without a full-scale network transformation, SSE provides a focused solution that still supports a SASE-like model.
Related Topics: Secure Access Service Edge (SASE), Zero Trust Network Access (ZTNA)
Micro-segmentation
What it is: A network security practice that divides a network into many small, isolated segments to control traffic flow and limit lateral movement.
How it's used: Micro-segmentation creates a granular perimeter around individual workloads or endpoints, allowing for fine-grained policy enforcement.
Examples and Context: Policies can be based on identity or workload labels rather than traditional network constructs like IP addresses.
Why it Matters: By limiting an attacker's ability to move from a compromised system to other parts of the network, micro-segmentation is a key control in a Zero Trust environment.
Related Topics: Network Segmentation
Access Control List (ACL)
What it is: An ordered set of rules that controls network traffic by specifying which packets are permitted or denied.
How it's used: ACLs are configured on routers, switches, and firewalls to filter traffic based on criteria such as source/destination IP address, port, and protocol.
Examples and Context: ACLs can be stateless (checking each packet independently) or stateful (aware of the connection state).
Why it Matters: ACLs are a fundamental building block of network security, providing a basic but effective way to control traffic flow and enforce network policy.
Virtual LAN (VLAN)
What it is: A logical network segmentation technique that divides a physical network into multiple isolated broadcast domains at Layer 2.
How it's used: VLANs separate traffic for different groups of users or devices (e.g., separating guest Wi-Fi traffic from corporate network traffic) to improve performance and security.
Examples and Context: VLANs use 802.1Q tagging to identify which logical network a packet belongs to.
Why it Matters: VLANs are a simple way to create network segmentation, limiting an attacker's ability to access different parts of the network from a single point of entry.
Related Topics: Network Segmentation
Domain Name System Security Extensions (DNSSEC)
What it is: A suite of DNS extensions that adds an extra layer of security to the DNS protocol by using digital signatures.
How it's used: DNSSEC ensures the authenticity and integrity of DNS records by cryptographically signing them, preventing an attacker from redirecting traffic to a malicious server.
Examples and Context: It uses a chain of trust to validate records, including DS (delegation signer) and RRSIG (resource record signature) records.
Why it Matters: DNSSEC prevents DNS spoofing and cache poisoning, protecting users from being redirected to fraudulent websites or malicious services.
Remote Browser Isolation (RBI)
What it is: A security technology that executes web Browse sessions in a secure, isolated environment (e.g., a remote container or cloud service), away from the user's endpoint.
How it's used: The user's browser receives a safe, pixel-streamed or DOM-mirrored version of the web page, so any web-borne malware or zero-day exploits are contained and cannot affect the local device.
Examples and Context: RBI is used in environments where users must access high-risk websites or in industries where data exfiltration is a major concern.
Why it Matters: RBI provides a strong defense against web-based threats by physically isolating the Browse session from the user's machine, making it impossible for drive-by downloads or browser-based exploits to succeed.
Enterprise Browser
What it is: A managed browser that includes built-in security and policy controls beyond what is available in a standard consumer browser.
How it's used: An enterprise browser can enforce data loss prevention (DLP) policies, log Browse activity, control which extensions can be installed, and even record sessions for high-risk workflows.
Examples and Context: It is used in environments where sensitive data is accessed via the web, or where strict compliance with data handling is required.
Why it Matters: An enterprise browser turns the web browser into a managed and secure endpoint, providing a more granular level of control over web access and data handling than is possible with traditional security controls.
Endpoint & Device Security
This section focuses on protecting individual devices, such as computers, servers, and mobile devices, from malware and other threats.
Endpoint Detection and Response (EDR)
What it is: A security solution that continuously monitors an endpoint (e.g., a laptop or server) to collect telemetry, detect threats, and enable response actions.
How it's used: An EDR agent on the device records file activity, network connections, and process execution, allowing security teams to investigate and contain incidents.
Examples and Context: EDR is often used by a Blue Team for threat hunting and incident response. It provides far more visibility and control than traditional antivirus.
Why it Matters: EDR provides the visibility and tools necessary to detect sophisticated threats that bypass traditional defenses, reducing the time an attacker can remain undetected on a compromised device.
Related Topics: Extended Detection and Response (XDR), Managed Detection and Response (MDR), Next-Gen Antivirus (NGAV)
Extended Detection and Response (XDR)
What it is: A unified security solution that provides detection and response capabilities across a broader range of sources than EDR, including endpoints, network, email, and cloud.
How it's used: XDR correlates events from multiple security tools to create a more complete picture of an attack, reducing the time it takes to detect and respond to threats.
Examples and Context: XDR often integrates with a SIEM or SOAR platform.
Why it Matters: By consolidating data from multiple sources, XDR reduces alert fatigue and allows security teams to find and stop attacks faster and more effectively.
Related Topics: Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM)
Managed Detection and Response (MDR)
What it is: An outsourced service that provides 24/7 threat monitoring, investigation, and response.
How it's used: An MDR provider uses its own security analysts and technology (often EDR/XDR) to monitor a client's environment, investigate alerts, and take action to contain threats.
Examples and Context: MDR is a type of "SOC-as-a-service" and is a popular choice for organizations that lack the in-house resources to run a security operations center (SOC).
Why it Matters: MDR provides organizations with expert, round-the-clock threat detection and response capabilities without the cost and complexity of building their own security operations team.
Related Topics: Endpoint Detection and Response (EDR)
Mobile Device Management (MDM)
What it is: A set of tools and policies for administering and securing mobile devices, such as smartphones and tablets.
How it's used: MDM solutions can enforce security policies, manage app inventory, and perform remote actions like locking or wiping a lost device.
Examples and Context: MDM is a core component of a broader Unified Endpoint Management (UEM) strategy.
Why it Matters: MDM is essential for securing corporate data on mobile devices, ensuring compliance with security policies and protecting against theft or loss.
Related Topics: Unified Endpoint Management (UEM)
Unified Endpoint Management (UEM)
What it is: A platform that provides unified management and security for a wide range of endpoints, including mobile devices, PCs, and IoT devices.
How it's used: UEM consolidates the functions of MDM and traditional PC management into a single console.
Examples and Context: UEM can manage app deployment, patch management, and security policy enforcement across an entire fleet of devices.
Why it Matters: UEM simplifies IT and security by providing a single, consistent way to manage all an organization's endpoints, regardless of the operating system or form factor.
Related Topics: Mobile Device Management (MDM)
Next-Gen Antivirus (NGAV)
What it is: An advanced form of antivirus software that uses behavioral analysis and machine learning to detect and prevent malware, rather than relying on traditional signature-based methods.
How it's used: NGAV can block both known and unknown (zero-day) threats by analyzing the behavior of files and processes on an endpoint.
Examples and Context: NGAV is often integrated with an Endpoint Detection and Response (EDR) solution to provide more comprehensive protection.
Why it Matters: NGAV provides a more robust defense against modern malware and fileless attacks that can easily bypass traditional, signature-based antivirus solutions.
Related Topics: Endpoint Detection and Response (EDR)
Application Allow-Listing
What it is: A security practice that only allows approved applications to run on a system, blocking all others by default.
How it's used: Allow-listing prevents unknown or unapproved binaries from executing, providing a strong defense against malware and unauthorized software.
Examples and Context: Applications can be controlled by their cryptographic hash, digital publisher certificate, or installation path.
Why it Matters: Allow-listing is one of the most effective security controls for preventing the execution of unauthorized code, which is a common method for initial access and lateral movement in attacks.
Patch Management
What it is: The process of deploying software and operating system updates to address security vulnerabilities and other bugs.
How it's used: Patch management involves identifying, testing, and deploying patches in a systematic and timely manner, often driven by a defined Service Level Agreement (SLA).
Examples and Context: This includes deploying monthly security patches for operating systems and updates for all installed applications.
Why it Matters: Patch management is a fundamental security practice for reducing an organization's attack surface by eliminating known, exploitable vulnerabilities.
Security Operations & Analytics
This section covers the tools and metrics used by security teams to detect, analyze, and respond to threats.
Security Information and Event Management (SIEM)
What it is: A platform that collects, aggregates, and correlates security events and logs from various sources across an organization's IT infrastructure.
How it's used: A SIEM is used for threat detection, compliance reporting, and incident investigations. It uses rules and analytics to identify suspicious activity.
Examples and Context: Modern SIEMs often include User and Entity Behavior Analytics (UEBA) to detect anomalies.
Why it Matters: A SIEM provides a central nervous system for security, giving teams the visibility they need to identify potential attacks and meet regulatory compliance requirements.
Related Topics: Security Orchestration, Automation and Response (SOAR), User and Entity Behavior Analytics (UEBA), Extended Detection and Response (XDR)
Security Orchestration, Automation and Response (SOAR)
What it is: A platform that helps security teams automate incident response workflows and manage security operations.
How it's used: SOAR uses "playbooks" and "runbooks" to automate tasks, such as enriching an alert with threat intelligence, blocking a malicious IP, or creating an incident case.
Examples and Context: A SOAR platform often integrates with a SIEM and EDR to automatically respond to alerts, reducing the workload on security analysts.
Why it Matters: SOAR improves the efficiency and effectiveness of a security operations center (SOC) by automating repetitive tasks, allowing analysts to focus on more complex investigations.
Related Topics: Security Information and Event Management (SIEM)
User and Entity Behavior Analytics (UEBA)
What it is: A security technology that uses machine learning and statistical analysis to detect anomalous behavior by users or entities.
How it's used: UEBA establishes a baseline of normal behavior and then flags deviations, helping to detect insider threats, compromised accounts, and other subtle security incidents.
Examples and Context: An example might be a user who suddenly starts downloading a large amount of data or logging into a server they have never accessed before.
Why it Matters: UEBA is an essential tool for identifying threats that don't match a known signature, providing a powerful way to detect sophisticated and low-and-slow attacks.
Related Topics: Security Information and Event Management (SIEM)
Threat Intelligence Platform (TIP)
What it is: A system that aggregates, enriches, and manages threat intelligence feeds from various sources.
How it's used: A TIP helps security teams manage and operationalize threat intelligence, using it to enrich alerts and block known indicators of compromise.
Examples and Context: A TIP might support standardized formats like STIX/TAXII for sharing threat intelligence.
Why it Matters: A TIP turns raw threat data into actionable intelligence, allowing organizations to stay ahead of new threats and proactively strengthen their defenses.
Related Topics: Indicators of Compromise (IOC), Indicators of Attack (IOA)
Indicators of Compromise (IOC)
What it is: Digital artifacts or forensic data that indicate a computer system or network has been compromised.
How it's used: IOCs, such as malicious file hashes, IP addresses, or domain names, are used in detection systems and blocking lists.
Examples and Context: An IOC might be the hash of a known malware file or a command and control (C2) server's IP address.
Why it Matters: IOCs are a critical tool for detecting past or ongoing attacks, allowing security teams to quickly identify and contain a threat.
Related Topics: Indicators of Attack (IOA), Threat Intelligence Platform (TIP)
Indicators of Attack (IOA)
What it is: Behavioral patterns or a sequence of actions that suggest an attack is in progress, even if the individual actions are not malicious on their own.
How it's used: IOAs enable a more proactive form of threat detection by focusing on the adversary's intent rather than a specific file or IP address.
Examples and Context: An IOA might be a user account logging in from an unusual location, followed by the creation of a new user account, and then an attempt to access a sensitive database.
Why it Matters: IOAs provide a more robust form of detection than IOCs, as they can identify new, unknown attacks and are harder for an adversary to change or bypass.
Related Topics: Indicators of Compromise (IOC), Threat Intelligence Platform (TIP)
Mean Time to Detect (MTTD)
What it is: The average time it takes for an organization to discover a security incident.
How it's used: MTTD is a key performance indicator (KPI) for a security operations center (SOC).
Examples and Context: A low MTTD is better, as it indicates a more effective and responsive security team.
Why it Matters: Reducing MTTD is a critical goal for security teams, as it directly impacts the ability to contain and remediate a threat before it can cause significant damage.
Related Topics: Mean Time to Respond/Recover (MTTR)
Mean Time to Respond/Recover (MTTR)
What it is: The average time it takes to contain, mitigate, and restore a system or service after a security incident has been detected.
How it's used: MTTR is a KPI that measures the effectiveness and efficiency of the incident response team.
Examples and Context: A low MTTR is better, as it indicates a fast and effective response capability.
Why it Matters: Reducing MTTR is essential for minimizing the business impact of a security incident, such as data loss, financial cost, and reputational damage.
Related Topics: Mean Time to Detect (MTTD)
Application Security & DevSecOps
This section covers the practices and tools used to build security into software throughout its entire development lifecycle.
Secure Software Development Lifecycle (SSDLC)
What it is: The practice of integrating security into every phase of the software development lifecycle (SDLC), from design to deployment and maintenance.
How it's used: SSDLC includes activities like threat modeling, security code reviews, and using security tools (e.g., SAST, DAST) as part of the CI/CD pipeline.
Examples and Context: SSDLC is a "shift-left" concept, aiming to find and fix vulnerabilities as early as possible when they are cheaper to remediate.
Why it Matters: SSDLC produces more secure software by making security a continuous and proactive effort rather than a last-minute audit.
Related Topics: Threat Modelling, CI/CD Pipeline
Static Application Security Testing (SAST)
What it is: A type of application security testing that analyzes an application's source code or compiled binary for vulnerabilities without executing the code.
How it's used: SAST is often integrated directly into a CI/CD pipeline to provide early detection of code flaws.
Examples and Context: A SAST tool might find a SQL injection vulnerability by analyzing how user input is handled in a specific function of the code.
Why it Matters: SAST helps developers find and fix security bugs early in the development process, a time when remediation is most efficient.
Related Topics: Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST)
Dynamic Application Security Testing (DAST)
What it is: A type of application security testing that analyzes a running application from the outside to find vulnerabilities.
How it's used: DAST tools act like an attacker, sending various inputs to the application to identify runtime issues like misconfigurations or injection vulnerabilities.
Examples and Context: A DAST scan might find a Cross-Site Scripting (XSS) vulnerability by injecting a script into a web form and seeing if it executes.
Why it Matters: DAST provides a real-world, "black-box" view of an application's security posture and can find vulnerabilities that SAST may miss, such as those related to misconfiguration or server-side issues.
Related Topics: Static Application Security Testing (SAST), Interactive Application Security Testing (IAST)
Interactive Application Security Testing (IAST)
What it is: A hybrid approach to application security testing that combines the insights of SAST and DAST by instrumenting the application from the inside.
How it's used: An IAST agent runs within the application server and observes its behavior during testing, providing context about vulnerabilities that a DAST tool would miss and confirming findings from a SAST tool.
Examples and Context: An IAST tool can pinpoint the exact line of code where a DAST-identified vulnerability exists.
Why it Matters: IAST provides highly accurate and contextual vulnerability data, making it easier for developers to understand and fix security issues quickly.
Related Topics: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)
Runtime Application Self-Protection (RASP)
What it is: A security technology that is embedded directly into an application and can detect and block attacks in real-time.
How it's used: RASP observes the application's behavior and can automatically prevent exploits from succeeding, even those targeting zero-day vulnerabilities.
Examples and Context: A RASP agent can stop a SQL injection attack by detecting and blocking malicious SQL queries before they reach the database.
Why it Matters: RASP provides a powerful layer of defense for applications in a production environment, acting as a last line of defense against attacks that have bypassed other controls.
Software Composition Analysis (SCA)
What it is: A security practice that analyzes third-party and open-source components used in an application to identify risks.
How it's used: SCA tools scan a project's dependencies to find vulnerable versions, outdated components, or components with problematic licenses.
Examples and Context: SCA tools are used to generate a Software Bill of Materials (SBOM).
Why it Matters: SCA is a critical control for managing software supply chain risk, as a single vulnerability in an open-source library can affect thousands of applications.
Related Topics: Software Bill of Materials (SBOM)
Software Bill of Materials (SBOM)
What it is: A formal, machine-readable inventory of all the software components and their versions that make up an application.
How it's used: An SBOM improves supply-chain transparency and makes it easier for organizations to understand their risk exposure when a new vulnerability is discovered.
Examples and Context: Standard formats for an SBOM include SPDX and CycloneDX.
Why it Matters: SBOMs are becoming a mandatory requirement in many industries and government contracts, providing a crucial tool for managing software supply-chain security.
Related Topics: Software Composition Analysis (SCA)
Threat Modelling
What it is: A systematic process for identifying potential threats to an application or system and designing appropriate controls and mitigations.
How it's used: Threat modeling is a proactive practice that is performed early in the Secure Software Development Lifecycle (SSDLC).
Examples and Context: Common threat modeling methods include STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and PASTA.
Why it Matters: Threat modeling helps security and development teams design more secure systems by identifying and addressing potential security issues before they are coded.
Related Topics: Secure Software Development Lifecycle (SSDLC), Security by Design
CI/CD Pipeline
What it is: An automated workflow for building, testing, and deploying software.
How it's used: A CI/CD pipeline is where security tools like SAST, DAST, and SCA are integrated to enforce security "gates" and scanning before a new release is deployed.
Examples and Context: CI/CD stands for Continuous Integration/Continuous Delivery.
Why it Matters: Integrating security into the CI/CD pipeline is the foundation of a modern DevSecOps approach, ensuring that security is a continuous part of the development process.
Related Topics: Static Application Security Testing (SAST), Software Composition Analysis (SCA)
Infrastructure as Code (IaC)
What it is: The practice of managing and provisioning infrastructure through declarative code and templates, rather than manual configuration.
How it's used: IaC templates can be scanned by security tools to enforce policies and identify misconfigurations before they are deployed.
Examples and Context: Popular IaC tools include Terraform and AWS CloudFormation.
Why it Matters: IaC allows security teams to "shift left" their infrastructure security by scanning templates for misconfigurations before the infrastructure is even created, preventing common cloud security mistakes.
Related Topics: Open Policy Agent (OPA)
Open Policy Agent (OPA)
What it is: A general-purpose policy engine that uses a high-level declarative language called Rego to define and enforce policies.
How it's used: OPA is used to authorize decisions in a wide range of contexts, from microservices access control to validating IaC templates.
Examples and Context: OPA is used by tools like Gatekeeper for Kubernetes to enforce security policies.
Why it Matters: OPA provides a single, unified policy framework that can be used to enforce security across a diverse set of applications, cloud services, and infrastructure components.
Related Topics: Policy-Based Access Control (PBAC), Infrastructure as Code (IaC)
Cloud Security
This section covers the specialized tools and practices used to secure workloads, data, and infrastructure in cloud environments.
Cloud Security Posture Management (CSPM)
What it is: A security solution that continuously assesses an organization's cloud configurations against best practices and security benchmarks.
How it's used: CSPM tools detect misconfigurations and "configuration drift" in cloud environments.
Examples and Context: A CSPM tool might flag a publicly accessible S3 bucket or a virtual machine with an unencrypted disk.
Why it Matters: CSPM is essential for preventing the most common cause of cloud data breaches: human error and misconfiguration.
Related Topics: Cloud-Native Application Protection Platform (CNAPP)
Cloud Workload Protection Platform (CWPP)
What it is: A security solution that protects servers, containers, and serverless functions in the cloud.
How it's used: CWPPs provide runtime protection, vulnerability scanning, and hardening capabilities for cloud workloads.
Examples and Context: A CWPP is essentially an EDR or Endpoint Protection Platform (EPP) for the cloud.
Why it Matters: CWPPs provide a dedicated layer of protection for the actual code and compute resources running in the cloud, helping to prevent exploits and malware.
Related Topics: Cloud-Native Application Protection Platform (CNAPP)
Cloud Infrastructure Entitlements Management (CIEM)
What it is: A security solution that manages and right-sizes identities and permissions in cloud platforms.
How it's used: CIEM analyzes the "permissions gap," identifying which identities have excessive privileges and finding "toxic combinations" of permissions that could be exploited.
Examples and Context: A CIEM tool might show a graph of which identities have access to which resources, making it easier to enforce the Principle of Least Privilege.
Why it Matters: CIEM is crucial for managing the complex and often excessive permissions in cloud environments, helping to prevent privilege escalation and unauthorized access.
Related Topics: Cloud-Native Application Protection Platform (CNAPP), Least Privilege (PoLP)
Cloud-Native Application Protection Platform (CNAPP)
What it is: A unified security platform that combines the functions of CSPM, CWPP, CIEM, and application security testing into a single solution.
How it's used: CNAPP provides end-to-end cloud application protection, from development ("shift-left") to runtime.
Examples and Context: A CNAPP platform can scan an IaC template for vulnerabilities, monitor the running workload, and ensure the identity that deployed it has the correct permissions.
Why it Matters: CNAPP provides a holistic view of cloud risk and helps organizations manage security across the entire lifecycle of a cloud-native application.
Related Topics: Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Cloud Infrastructure Entitlements Management (CIEM)
Key Management Service (KMS)
What it is: A cloud service that manages the lifecycle of cryptographic keys for applications and data.
How it's used: KMS is used to encrypt and decrypt data, rotate keys, and audit their usage.
Examples and Context: Cloud providers offer their own KMS services, which are often backed by Hardware Security Modules (HSMs).
Why it Matters: A KMS provides a centralized, secure, and auditable way to manage cryptographic keys, which is essential for protecting sensitive data in the cloud.
Related Topics: Hardware Security Module (HSM), Bring Your Own Key (BYOK), Hold Your Own Key (HYOK)
Hardware Security Module (HSM)
What it is: A physical, tamper-resistant device for storing and performing cryptographic operations on keys.
How it's used: HSMs are used to protect root keys and other highly sensitive keys that must never leave a secure hardware boundary.
Examples and Context: Many cloud-provider KMS services are backed by FIPS 140-2 or FIPS 140-3 validated HSMs to meet high-security and compliance requirements.
Why it Matters: HSMs provide the highest level of security for cryptographic keys, ensuring that even if the host system is compromised, the keys remain protected.
Related Topics: Key Management Service (KMS)
Bring Your Own Key (BYOK)
What it is: A cloud security practice where a customer generates their own encryption keys on-premises and securely imports them into a cloud provider's Key Management Service (KMS).
How it's used: BYOK gives customers greater control over their key lifecycle and allows them to maintain a copy of the key outside the cloud environment.
Examples and Context: This is often a feature of a cloud provider's KMS.
Why it Matters: BYOK provides an additional layer of security and trust for customers with strict compliance or security requirements, as they can prove that the keys were never generated by the cloud provider.
Related Topics: Hold Your Own Key (HYOK), Key Management Service (KMS)
Hold Your Own Key (HYOK)
What it is: A cloud security model where the customer's encryption keys never leave a customer-controlled environment.
How it's used: The keys are stored on-premises (often in an HSM) and the cloud service is configured to make a real-time request to the on-premise system for every cryptographic operation.
Examples and Context: HYOK is typically implemented using a proxy KMS architecture.
Why it Matters: HYOK provides the maximum level of control and compliance, as the cloud provider never has access to the customer's encryption keys, which is a requirement for some highly regulated industries.
Related Topics: Bring Your Own Key (BYOK)
Data Security
This section covers the tools and policies used to protect sensitive data at rest, in transit, and in use.
Data Loss Prevention (DLP)
What it is: Policies and tools designed to prevent the unauthorized exfiltration of sensitive data from an organization.
How it's used: DLP solutions monitor endpoints, network traffic, email, and cloud services for the presence of sensitive data and can block its transfer or encrypt it.
Examples and Context: DLP uses techniques like regex matching and machine learning classifiers to identify sensitive data like credit card numbers or Social Security numbers.
Why it Matters: DLP is a crucial control for preventing accidental or malicious data breaches and for meeting regulatory compliance requirements.
Related Topics: Data Security Posture Management (DSPM), Data Classification
Data Security Posture Management (DSPM)
What it is: A security solution that discovers, classifies, and safeguards sensitive data across an organization's entire environment.
How it's used: DSPM continuously assesses data stores and other locations to identify sensitive data, determine who has access to it, and assess its exposure risk.
Examples and Context: A DSPM tool can find sensitive data in databases, SaaS applications, and data lakes, and then alert on overly permissive access policies.
Why it Matters: DSPM provides a critical, data-centric view of risk, helping organizations understand where their sensitive data resides and who has access to it, a prerequisite for effective data protection.
Related Topics: Data Loss Prevention (DLP), Data Classification
Database Activity Monitoring (DAM)
What it is: A security technology that monitors and audits all activity on a database.
How it's used: DAM tools can detect misuse and anomalies, such as an administrator account suddenly running queries on a sensitive table it doesn't normally access.
Examples and Context: DAM solutions can be agent-based (installed on the database server) or network-based (sniffing database traffic).
Why it Matters: DAM provides a critical layer of visibility and control for the most sensitive data in an organization, helping to detect insider threats and prevent data exfiltration.
Information Rights Management (IRM/DRM)
What it is: A technology that provides persistent protection for documents and files via encryption and policy.
How it's used: IRM controls are applied directly to a file, controlling who can view, print, edit, or forward it, even after it has left the organization's network perimeter.
Examples and Context: A document might be encrypted with an IRM policy that only allows certain users to view it for 24 hours.
Why it Matters: IRM provides a strong defense against data leakage by ensuring that data remains protected no matter where it is stored or who has it.
Data Classification
What it is: The process of categorizing data by its sensitivity and the required handling and security requirements.
How it's used: A data classification policy drives the selection of security controls, such as who can access it, how it should be stored, and how long it should be retained.
Examples and Context: Data is often classified into categories like "Public," "Internal," and "Confidential."
Why it Matters: Data classification is the foundation of a data security program, ensuring that the right level of security is applied to the right data.
Related Topics: Data Security Posture Management (DSPM)
Email & Messaging Security
This section covers the security protocols and threats specific to email and other messaging platforms.
Sender Policy Framework (SPF)
What it is: A DNS record that specifies which mail servers are authorized to send email on behalf of a domain.
How it's used: Receiving mail servers check the SPF record to verify that a message from a domain is coming from an approved server.
Examples and Context: An SPF record might look like v=spf1 include:mail.google.com ~all, which tells receivers that only Google's mail servers are authorized to send email for this domain.
Why it Matters: SPF is a foundational email authentication protocol that helps prevent sender spoofing, a common technique used in phishing and spam.
Related Topics: DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting & Conformance (DMARC)
DomainKeys Identified Mail (DKIM)
What it is: An email authentication protocol that uses a digital signature to verify the legitimacy of a message.
How it's used: The sending mail server signs the email with a private key, and the receiving mail server uses a public key (published in DNS) to validate the signature.
Examples and Context: DKIM protects the integrity of the email's headers and body, ensuring it hasn't been altered in transit.
Why it Matters: DKIM provides a strong, cryptographically secure way to verify that a message is from the sender it claims to be, protecting against spoofing and tampering.
Related Topics: Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting & Conformance (DMARC)
Domain-based Message Authentication, Reporting & Conformance (DMARC)
What it is: A policy that tells receiving mail servers how to handle email that fails SPF or DKIM authentication.
How it's used: A DMARC record, published in DNS, instructs receivers to "reject," "quarantine," or "p=none" (monitor) messages that fail authentication. It also provides reports on message authentication results.
Examples and Context: DMARC requires that the "From" address of a message "align" with either the SPF or DKIM domain.
Why it Matters: DMARC enforces email authentication standards and provides crucial visibility into how an organization's domain is being used, making it one of the most important tools for fighting phishing.
Related Topics: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM)
Business Email Compromise (BEC)
What it is: A social-engineering scam that uses impersonation to trick an employee into making a fraudulent payment or transferring sensitive data.
How it's used: An attacker might impersonate an executive, supplier, or colleague via email to convince a target to perform an unauthorized action.
Examples and Context: A BEC scam often uses a spoofed email address or a lookalike domain and typically does not use malware.
Why it Matters: BEC is a highly lucrative and damaging type of attack that can result in significant financial losses and is one of the most common cybercrimes.
Related Topics: Phishing
Vulnerability & Testing
This section covers the tools and processes used to identify and prioritize security weaknesses in systems and applications.
Common Vulnerabilities and Exposures (CVE)
What it is: A publicly disclosed catalog of security vulnerabilities and exposures.
How it's used: CVE provides a standardized reference ID for each vulnerability, which is used by security advisories, vulnerability scanners, and patch management systems.
Examples and Context: CVEs are maintained by MITRE and are a key component of the Known Exploited Vulnerabilities Catalog (KEV).
Why it Matters: CVEs provide a consistent way for security professionals to discuss and track vulnerabilities, ensuring that everyone is referring to the same issue.
Related Topics: Known Exploited Vulnerabilities Catalog (KEV), Common Vulnerability Scoring System (CVSS)
Known Exploited Vulnerabilities Catalog (KEV)
What it is: A list of vulnerabilities that are known to have been exploited in the wild.
How it's used: Published by the US Cybersecurity and Infrastructure Security Agency (CISA), the KEV catalog helps organizations prioritize patching efforts by focusing on vulnerabilities that are actively being used by attackers.
Examples and Context: KEVs are often assigned a CVE ID.
Why it Matters: The KEV catalog is a critical tool for prioritizing patching, as it helps organizations move beyond a simple CVSS score and focus on the vulnerabilities that pose an immediate and real-world threat.
Related Topics: Common Vulnerabilities and Exposures (CVE)
Common Vulnerability Scoring System (CVSS)
What it is: An open industry standard for rating the severity of a security vulnerability.
How it's used: CVSS scores vulnerabilities on a scale from 0 to 10 and can be used to help prioritize remediation efforts.
Examples and Context: A CVSS score is made up of a "base" score (inherent qualities), a "temporal" score (how a vulnerability changes over time), and an "environmental" score (how it applies to a specific environment).
Why it Matters: CVSS provides a consistent, transparent way to assess the risk of a vulnerability, allowing organizations to make informed decisions about where to focus their remediation efforts.
Related Topics: Common Vulnerabilities and Exposures (CVE)
Vulnerability Assessment (VA)
What it is: A process of scanning systems and networks to identify security weaknesses and misconfigurations.
How it's used: Vulnerability assessments are a routine and proactive activity for identifying potential weaknesses.
Examples and Context: Vulnerability scans can be unauthenticated (from the outside) or authenticated (with credentials, which is preferred as it provides a more comprehensive view).
Why it Matters: A vulnerability assessment is a fundamental security practice that provides a snapshot of an organization's security posture and a list of issues to be addressed.
Related Topics: Penetration Testing (PT)
Penetration Testing (PT | PEN Testing)
What it is: A simulated, authorized attack on a system or network to find exploitable vulnerabilities.
How it's used: A penetration test goes beyond a simple scan, as a human tester actively tries to exploit vulnerabilities to demonstrate the potential impact of an attack and validate existing controls.
Examples and Context: Penetration tests can be "black-box" (no prior knowledge of the system), "grey-box" (some knowledge), or "white-box" (full knowledge of the system).
Why it Matters: Penetration testing provides a real-world evaluation of an organization's defenses, helping to identify exploitable weaknesses and providing a crucial validation of security controls.
Related Topics: Vulnerability Assessment (VA), Red Team
Breach and Attack Simulation (BAS)
What it is: A technology that continuously tests an organization's security controls by automatically emulating attacks.
How it's used: BAS platforms run automated scenarios that mimic adversary behaviors and test the efficacy of detection and prevention controls.
Examples and Context: A BAS tool might test if an EDR can detect a specific type of malware or if a firewall can block a known command and control (C2) server.
Why it Matters: BAS provides a way to continuously validate security controls, helping to identify gaps in coverage and ensure that defenses remain effective as the environment changes.
Threats & Attack Techniques
This section defines common threats and the methodologies used by adversaries to carry out attacks.
Advanced Persistent Threat (APT)
What it is: A term used to describe a skilled, well-resourced adversary (often a nation-state or an organized crime group) with a long-term objective.
How it's used: APTs are known for their ability to gain and maintain persistent access to a target network, often using highly sophisticated techniques to evade detection.
Examples and Context: An APT group might be targeting intellectual property, financial gain, or political espionage.
Why it Matters: APTs pose a significant threat to an organization's most sensitive assets due to their advanced capabilities, persistence, and resources.
Tactics, Techniques, and Procedures (TTPs)
What it is: A term used to describe the behaviors and methods used by an adversary in an attack.
How it's used: TTPs are used to describe an adversary's actions, from their initial access to their final objective (impact).
Examples and Context: The MITRE ATT&CK framework provides a comprehensive taxonomy for TTPs.
Why it Matters: TTPs provide a more robust way to describe an adversary's actions than simply looking for an Indicator of Compromise (IOC), as adversaries are more likely to change their tools (IOCs) than their fundamental methods (TTPs).
Related Topics: MITRE ATT&CK
Command and Control (C2)
What it is: The communication channel used by malware to receive commands and exfiltrate data from a compromised system.
How it's used: Attackers use C2 to maintain control over a network of compromised devices, often using a variety of protocols to evade detection.
Examples and Context: C2 channels can use common protocols like DNS, HTTP, or even messaging services like Slack to blend in with normal network traffic.
Why it Matters: Detecting and blocking C2 traffic is a critical part of a security strategy, as it can prevent an attacker from continuing their operations inside a network.
Remote Access Trojan (RAT)
What it is: A type of malware that provides an attacker with remote, unauthorized control over a host system.
How it's used: A RAT allows an attacker to perform a wide range of actions, such as keylogging, taking screenshots, stealing data, or installing other malware.
Examples and Context: A RAT is often delivered to a victim via a phishing email or a malicious link.
Why it Matters: RATs are a powerful tool for attackers to maintain a persistent foothold in a network, making them a significant threat.
Distributed Denial of Service (DDoS)
What it is: An attack that attempts to overwhelm a service with a flood of traffic from many different sources, disrupting its availability.
How it's used: Attackers use a network of compromised devices (a botnet) to launch a coordinated attack against a target.
Examples and Context: A DDoS attack might target a website, a DNS server, or a network firewall. It can be mitigated by services that "scrub" malicious traffic, such as a CDN.
Why it Matters: DDoS attacks can cause significant financial and reputational damage by making an organization's services unavailable to customers.
Man-in-the-Middle (MitM)
What it is: An attack where an adversary secretly intercepts and alters communication between two parties who believe they are communicating directly with each other.
How it's used: An MitM attack can be used to steal credentials, inject malicious content, or eavesdrop on sensitive communications.
Examples and Context: An MitM attack can be prevented by using secure protocols like TLS and by validating certificates (e.g., with certificate pinning).
Why it Matters: MitM attacks are a serious threat to data confidentiality and integrity, as they can bypass traditional network defenses and compromise encrypted traffic.
Phishing
What it is: A social-engineering attack that uses fraudulent messages to trick users into revealing sensitive data or installing malware.
How it's used: Phishing attacks are typically delivered via email, but can also occur via SMS or social media.
Examples and Context: Variants include spear-phishing (a targeted attack against a specific individual), and whaling (a targeted attack against an executive).
Why it Matters: Phishing is one of the most common and effective ways for attackers to gain initial access to an organization's network, making Security Awareness Training (SAT) a critical defense.
Vishing
What it is: A form of phishing that uses voice communication (phone calls or VoIP) to trick a victim.
How it's used: An attacker might impersonate a tech support agent, a bank representative, or a government official to elicit sensitive information or convince the victim to take an action.
Examples and Context: Vishing attacks often use "spoofing" to make the caller ID appear legitimate.
Why it Matters: Vishing is often used in combination with other techniques and can be a highly effective way to gain trust and bypass an employee's normal security caution.
Smishing
What it is: A form of phishing that uses SMS or text messages to trick a victim.
How it's used: An attacker sends a text message with a malicious link to a fake website or a payload to install malware.
Examples and Context: A smishing message might claim to be from a bank or a delivery service and ask the user to click a link to "verify their information."
Why it Matters: Smishing is a popular attack vector because people are often less cautious about messages received on their mobile devices, and mobile devices have limited security controls.
Credential Stuffing
What it is: An automated attack that uses a list of stolen usernames and passwords from a data breach to attempt to log in to accounts on other websites.
How it's used: Attackers rely on the fact that many users reuse their passwords across multiple services.
Examples and Context: Credential stuffing can be mitigated by using Multi-Factor Authentication (MFA) and bot defense solutions.
Why it Matters: Credential stuffing is a highly scalable and effective way for attackers to gain access to accounts, making the use of unique passwords and MFA a critical defense.
Brute Force Attack
What it is: A systematic attack that attempts to gain access to an account or decrypt a password by trying every possible combination of passwords or keys.
How it's used: Attackers use automated tools to rapidly guess credentials until they find the correct one.
Examples and Context: Brute force attacks can be mitigated by using rate limits, account lockouts, and Multi-Factor Authentication (MFA).
Why it Matters: Brute force attacks are a persistent threat to any system with a login page, making strong password policies and other preventative controls essential.
SQL Injection (SQLi)
What it is: An application-level attack that injects malicious SQL code into an input field to manipulate a database.
How it's used: A successful SQLi attack can allow an attacker to exfiltrate or modify data, or even gain a full shell on the database server.
Examples and Context: SQLi can be prevented by using "parameterized queries," which separate the data from the SQL code.
Why it Matters: SQLi is a critical web application vulnerability that can lead to catastrophic data breaches, making it a key focus of web application firewalls and secure coding practices.
Related Topics: Web Application Firewall (WAF)
Cross-Site Scripting (XSS)
What it is: A web application attack that injects malicious scripts into web pages viewed by other users.
How it's used: A successful XSS attack can be used to steal a user's session cookies, deface a website, or redirect the user to a malicious page.
Examples and Context: XSS can be prevented by encoding all user-provided output before rendering it on a page and by using a Content Security Policy (CSP).
Why it Matters: XSS is a common and dangerous web application vulnerability that can be used to compromise user accounts and steal sensitive data.
Related Topics: Web Application Firewall (WAF)
Cross-Site Request Forgery (CSRF)
What it is: A web application attack that tricks a user's browser into sending an unwanted request to a web server where they are already authenticated.
How it's used: CSRF abuses the trust that a web server has in a user's browser session to perform an action on the user's behalf.
Examples and Context: CSRF can be prevented by using anti-CSRF tokens and setting the SameSite attribute on cookies.
Why it Matters: CSRF can be used to perform unauthorized actions, such as changing a user's password or making a fraudulent financial transaction, and can be difficult for a user to detect.
Server-Side Request Forgery (SSRF)
What it is: A web application attack that coerces a server to make a request to an internal or external resource on behalf of an attacker.
How it's used: A successful SSRF attack can be used to access internal metadata services, exfiltrate data from internal servers, or scan internal networks.
Examples and Context: SSRF can be prevented by implementing strict egress controls and by using updated metadata services like AWS IMDSv2.
Why it Matters: SSRF is a powerful attack vector that can be used to pivot from a public-facing application into a private network, making it a critical vulnerability to prevent.
Remote Code Execution (RCE)
What it is: The ability for an attacker to run arbitrary code on a target system.
How it's used: RCE is often the result of an "exploit chain," where a series of vulnerabilities are combined to achieve full control of a system.
Examples and Context: RCE is considered a "high-severity" class of vulnerability.
Why it Matters: RCE is the most dangerous type of vulnerability, as it gives an attacker complete control over a system, allowing them to steal data, install malware, or pivot to other systems.
Living off the Land (LotL)
What it is: An attack technique that uses legitimate, built-in tools and processes on a target system to evade detection.
How it's used: Instead of bringing their own malware, an attacker uses tools like PowerShell, WMI, or PsExec to move laterally and carry out their objectives.
Examples and Context: LotL attacks can be difficult to detect because the tools being used are a normal part of the operating system.
Why it Matters: LotL is a popular technique for sophisticated attackers because it is highly effective at evading detection by traditional, signature-based security tools.
Logging & Telemetry
This section covers the protocols and data types used to collect security-relevant information from systems and networks.
Syslog
What it is: A standard protocol for transporting log messages from devices and applications to a central server.
How it's used: Security devices, operating systems, and applications can be configured to forward their logs via Syslog to a SIEM for analysis.
Examples and Context: Syslog is defined in RFC 5424 and RFC 3164.
Why it Matters: Syslog is a foundational technology for security monitoring, providing a standardized way to collect logs from a wide range of devices.
NetFlow/IPFIX
What it is: A network protocol that exports metadata about network traffic flows from network devices.
How it's used: NetFlow data is used for traffic analysis, anomaly detection, and capacity planning.
Examples and Context: NetFlow data is lightweight and can be used to identify "top talkers" on a network or detect data exfiltration patterns without capturing the full packet contents.
Why it Matters: NetFlow provides a critical layer of visibility into network traffic, helping security teams understand network behavior and spot potential threats.
Packet Capture (PCAP)
What it is: A raw capture of network packets, including the full payload of the traffic.
How it's used: PCAP files are used for deep forensic analysis and network troubleshooting.
Examples and Context: PCAP files require a significant amount of storage space and are typically used to analyze specific incidents.
Why it Matters: Packet captures provide the most detailed view of network traffic and are an invaluable tool for understanding exactly what happened during a security incident.
eBPF
What it is: A technology that allows for in-kernel programmable hooks, providing a powerful way to collect telemetry and enforce policies at runtime.
How it's used: eBPF is used by modern security solutions to gain deep visibility into a system's kernel without having to load a kernel module.
Examples and Context: eBPF is a key component of modern CNAPP and EDR solutions.
Why it Matters: eBPF provides a highly performant and secure way to gain deep observability into a system's behavior, which is essential for detecting advanced threats.
Cryptography & PKI
This section covers the foundational principles and technologies used to secure data through encryption, hashing, and digital signatures.
Public Key Infrastructure (PKI)
What it is: A framework for issuing and managing digital certificates and cryptographic keys.
How it's used: PKI enables a wide range of security services, including TLS encryption, code signing, and email security.
Examples and Context: A PKI is made up of a Certificate Authority (CA), registration authorities, and a certificate revocation system.
Why it Matters: PKI provides the foundation of trust for secure digital communication, ensuring that we can verify the identity of a website or a user.
Certificate Authority (CA)
What it is: A trusted entity that issues and signs digital certificates.
How it's used: A CA establishes a "chain of trust" that allows users to verify the identity of a website or a user by checking the CA's digital signature.
Examples and Context: A CA can be a public service (like Let's Encrypt) or a private, internal service.
Why it Matters: CAs are the backbone of a PKI, providing the trust anchor that allows for secure communication on the internet.
Certificate Signing Request (CSR)
What it is: A file containing a public key and identity information that is submitted to a Certificate Authority to request a new certificate.
How it's used: The CSR is submitted to a CA, which then signs it with its private key and issues a new certificate.
Examples and Context: CSRs are typically in a PEM or PKCS#10 format.
Why it Matters: A CSR is a critical step in the process of obtaining a new certificate, as it proves that the certificate request is from the owner of the private key.
Online Certificate Status Protocol (OCSP)
What it is: A protocol for real-time checking of a certificate's revocation status.
How it's used: When a client connects to a server, it can query an OCSP responder to see if the server's certificate has been revoked.
Examples and Context: OCSP "stapling" improves performance by allowing the server to include the OCSP response in the TLS handshake, eliminating the need for the client to make a separate request.
Why it Matters: OCSP provides a timely way to check if a certificate is still valid, which is a critical part of preventing a Man-in-the-Middle attack.
Related Topics: Certificate Revocation List (CRL)
Certificate Revocation List (CRL)
What it is: A list of revoked certificates that have been issued by a Certificate Authority (CA).
How it's used: CRLs are published periodically by a CA and are downloaded by clients to check if a certificate is still valid.
Examples and Context: CRLs are an alternative to OCSP for checking a certificate's revocation status.
Why it Matters: A CRL is a critical component of a PKI, providing a way to invalidate a certificate if its private key is compromised.
Related Topics: Online Certificate Status Protocol (OCSP)
Perfect Forward Secrecy (PFS)
What it is: A property of a cryptographic system that ensures the compromise of a long-term key does not expose past encrypted sessions.
How it's used: PFS is achieved by using ephemeral (temporary) key exchange methods for each session.
Examples and Context: The Diffie-Hellman Key Exchange (DHE or ECDHE) is a popular key exchange method that provides PFS and is a preferred configuration for TLS.
Why it Matters: PFS is a critical security property for any encrypted communication, as it ensures that even if an attacker obtains the server's private key, they cannot decrypt past communications.
Transport Layer Security (TLS)
What it is: The protocol that provides confidentiality, integrity, and authenticity for data in transit over a network.
How it's used: TLS is used to secure a wide range of protocols, including HTTP (HTTPS), email, and VPNs.
Examples and Context: TLS 1.2 and TLS 1.3 are the widely used current versions of the protocol.
Why it Matters: TLS is the foundation of secure communication on the internet, protecting sensitive data from eavesdropping and tampering.
Related Topics: Public Key Infrastructure (PKI)
Advanced Encryption Standard (AES)
What it is: A symmetric encryption standard that is widely used to encrypt data.
How it's used: AES is used to encrypt data at rest (e.g., a hard drive) and in transit (e.g., a TLS session).
Examples and Context: AES is available in various modes, such as AES-GCM and AES-CBC.
Why it Matters: AES is considered the global standard for symmetric encryption, providing a highly secure and efficient way to protect data.
Rivest | Shamir | Adleman (RSA)
What it is: An asymmetric encryption and digital signature algorithm.
How it's used: RSA is used for key exchange in TLS and for digital signatures in a PKI.
Examples and Context: RSA uses a pair of keys: a public key for encryption and a private key for decryption.
Why it Matters: RSA is a foundational algorithm for asymmetric cryptography, but it is being increasingly complemented by more efficient algorithms like ECC.
Related Topics: Elliptic Curve Cryptography (ECC)
Elliptic Curve Cryptography (ECC)
What it is: A type of public-key cryptography that uses elliptic curves to generate cryptographic keys.
How it's used: ECC is used for key exchange and digital signatures and is a popular choice for modern protocols like TLS 1.3.
Examples and Context: ECC keys are smaller and require less computational power than RSA keys of the same security strength.
Why it Matters: ECC provides a more efficient and powerful alternative to RSA, making it a critical technology for securing resource-constrained devices and high-volume communication.
Related Topics: Rivest–Shamir–Adleman (RSA)
Secure Hash Algorithm 2 (SHA-256)
What it is: A cryptographic hash function that produces a 256-bit (32-byte) digest.
How it's used: SHA-256 is used for integrity verification (e.g., verifying a file download) and for creating digital signatures.
Examples and Context: SHA-256 is part of the SHA-2 family of hash functions.
Why it Matters: A cryptographic hash function provides a way to verify the integrity of data, ensuring that it has not been altered or tampered with.
Hash-Based Message Authentication Code (HMAC)
What it is: A mechanism for message authentication that uses a cryptographic hash function and a secret key.
How it's used: HMAC ensures both the integrity and authenticity of a message.
Examples and Context: HMAC is used in APIs and security tokens to verify that a message is from the sender it claims to be and that it hasn't been altered in transit.
Why it Matters: HMAC provides a simple and effective way to protect the integrity and authenticity of messages, which is a critical requirement for API security and other modern protocols.
OT | ICS | IoT
This section covers the specialized security concepts for industrial and physical systems, which are often different from traditional IT.
Industrial Control Systems (ICS)
What it is: Control systems used for industrial processes, such as manufacturing, water treatment, and power generation.
How it's used: ICS operates factories, utilities, and pipelines.
Examples and Context: ICS includes components like PLCs, DCS, and SCADA.
Why it Matters: The security of ICS is critical because a cyberattack on these systems can lead to physical damage, environmental harm, or disruption of essential services.
Related Topics: Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controller (PLC), Internet of Things (IoT)
Supervisory Control and Data Acquisition (SCADA)
What it is: A type of Industrial Control System (ICS) used for supervisory control and data collection from field devices.
How it's used: SCADA systems provide remote monitoring and control of industrial processes, often via a graphical interface (HMI).
Examples and Context: A SCADA system might be used to control a pipeline, a power grid, or a water treatment plant.
Why it Matters: The security of SCADA systems is critical because they provide a high-level view and control over physical processes, making them a prime target for attackers.
Related Topics: Industrial Control Systems (ICS)
Programmable Logic Controller (PLC)
What it is: An industrial digital computer used for the automation of electromechanical processes.
How it's used: A PLC is a ruggedized device that controls machinery and processes in a factory or an industrial setting.
Examples and Context: A PLC might be used to control an assembly line, a conveyor belt, or a chemical mixing process.
Why it Matters: The security of PLCs is critical because a cyberattack on a PLC can directly cause physical damage to machinery or disrupt an industrial process.
Related Topics: Industrial Control Systems (ICS)
Internet of Things (IoT)
What it is: A network of physical objects ("things") embedded with sensors, software, and other technologies to connect and exchange data with other devices and systems over the internet.
How it's used: IoT devices collect data and automate actions.
Examples and Context: IoT includes everything from smart speakers and thermostats to industrial sensors and medical devices.
Why it Matters: The security of IoT devices is often weak and varies widely, creating a massive attack surface that can be exploited by attackers to gain a foothold in a network.
Related Topics: IIoT
Industrial Internet of Things (IIoT)
What it is: A subset of the Internet of Things (IoT) that focuses on industrial applications for manufacturing and operations.
How it's used: IIoT integrates sensors with OT and IT systems to enable data collection and analytics.
Examples and Context: IIoT often uses edge gateways to provide a secure and manageable way to connect sensors and industrial devices to a central network.
Why it Matters: The security of IIoT devices is critical for industrial operations, as a compromised sensor or device can be used to disrupt a manufacturing process or cause physical damage.
Related Topics: Internet of Things (IoT)
Wireless & Access
This section covers security standards and concepts for wireless networks and other access controls.
Wi-Fi Protected Access 2 (WPA2)
What it is: A legacy Wi-Fi security standard that uses AES-CCMP encryption to authenticate clients and encrypt wireless traffic.
How it's used: WPA2 is used to secure wireless networks.
Examples and Context: WPA2 has been superseded by WPA3, as it is vulnerable to certain attacks.
Why it Matters: While still widely used, WPA2 is an older standard, and organizations should move to WPA3 to ensure a higher level of security for their wireless networks.
Related Topics: Wi-Fi Protected Access 3 (WPA3)
Wi-Fi Protected Access 3 (WPA3)
What it is: The current Wi-Fi security standard that provides stronger authentication and encryption.
How it's used: WPA3 uses Simultaneous Authentication of Equals (SAE) for stronger key exchange and provides forward secrecy.
Examples and Context: WPA3 includes a feature called OWE (Opportunistic Wireless Encryption) for securing open networks, such as public Wi-Fi.
Why it Matters: WPA3 provides a significant security boost over WPA2, protecting against key reinstallation attacks and providing a higher level of confidentiality and integrity.
Related Topics: Wi-Fi Protected Access 2 (WPA2)
Extensible Authentication Protocol-TLS (EAP-TLS)
What it is: A certificate-based authentication method used with 802.1X for wired and wireless networks.
How it's used: EAP-TLS performs a mutual authentication between the client and the network, using digital certificates to verify identity.
Examples and Context: EAP-TLS is a high-assurance method that does not rely on passwords, making it highly resistant to credential theft.
Why it Matters: EAP-TLS provides one of the strongest forms of network authentication, ensuring that only trusted, authenticated devices can connect to a network.
Related Topics: 802.1X Port-Based Network Access Control
Network Segmentation
What it is: The practice of dividing a network into zones with controlled pathways between them.
How it's used: Network segmentation limits the "blast radius" of an attack and enforces security policies between different parts of the network.
Examples and Context: Segmentation can be achieved using VLANs, firewalls, and Software-Defined Networking (SDN).
Why it Matters: Network segmentation is a core tenet of the Defense in Depth principle, making it a critical control for limiting an attacker's ability to move laterally within a network.
Related Topics: Micro-segmentation, Virtual LAN (VLAN)
Network Deception
What it is: The use of decoys, honeypots, and other fake assets to detect and confuse attackers.
How it's used: Deception technology creates a fake environment that looks real to an attacker, triggering an alert as soon as they interact with it.
Examples and Context: Network deception can use "breadcrumbs" and fake credentials to lure attackers into a controlled environment.
Why it Matters: Network deception provides an effective way to detect lateral movement and insider threats early in an attack, reducing the time an attacker can remain undetected.
Backups & Resilience
This section covers the strategies used to ensure data and systems can be recovered after a destructive event.
Immutable Backups
What it is: Backups that cannot be altered, modified, or deleted for a set period of time.
How it's used: Immutable backups protect against ransomware and other malware that attempt to encrypt or delete an organization's backups.
Examples and Context: Immutable backups can be achieved using WORM (Write Once, Read Many) storage or object lock features in cloud storage.
Why it Matters: Immutable backups are an essential last line of defense against ransomware, ensuring that even if an attacker gains full access to a network, they cannot destroy the data needed for recovery.
Related Topics: Air-Gapped Backup
Air-Gapped Backup
What it is: A backup that is physically or logically isolated from all networks.
How it's used: Air-gapped backups prevent remote compromise of the backup, as an attacker cannot reach it from the network.
Examples and Context: An air-gapped backup might be a tape drive that is physically removed from the system or a logical "vault" that is only connected to the network during the backup window.
Why it Matters: An air-gapped backup provides the highest level of protection against a cyberattack, ensuring that a clean copy of the data is available for recovery.
Related Topics: Immutable Backups
Core Principles & Teams
This section covers the foundational principles and the different teams that work to secure an organization.
Security Awareness Training (SAT)
What it is: Education and training programs designed to improve users' security behaviors and make them a more effective part of the defense.
How it's used: SAT uses a combination of training campaigns, phishing simulations, and other educational materials to reduce the risk of human-based errors.
Examples and Context: A SAT program might include a monthly phishing simulation to test employees' ability to spot a malicious email.
Why it Matters: People are often the weakest link in the security chain, and SAT is one of the most effective ways to reduce human-based risk and protect against social-engineering attacks like phishing.
Least Privilege (PoLP)
What it is: A core security principle that dictates a user, process, or system should be granted only the minimum level of access necessary to perform its function.
How it's used: The Principle of Least Privilege should be applied across all aspects of an organization's security, from user permissions to system configurations.
Examples and Context: This principle is implemented through solutions like Role-Based Access Control (RBAC), Just-in-Time Access (JIT), and Just Enough Administration (JEA).
Why it Matters: Least privilege limits the potential damage from a compromised account or system, as an attacker will only have access to a very limited set of resources.
Defense in Depth (DiD)
What it is: A security strategy that uses multiple, overlapping layers of controls to protect a system or asset.
How it's used: DiD assumes that no single security control is foolproof, so it uses a layered approach to provide a "compensating safeguard" if one layer fails.
Examples and Context: A defense-in-depth strategy includes controls at the network, host, application, and data layers, as well as a focus on people and processes.
Why it Matters: Defense in depth provides a resilient security posture that can withstand an attack even if a single control is bypassed, making it a cornerstone of modern cybersecurity.
Security by Design
What it is: The practice of building security into systems and applications from the outset, rather than adding it as an afterthought.
How it's used: Security by design is a proactive approach that uses concepts like Threat Modelling and secure coding practices to embed security into the architecture and code of a system.
Examples and Context: Security by design is a core tenet of the "shift-left" concept in modern application security.
Why it Matters: It is significantly more efficient and effective to build security into a system from the beginning than it is to try to fix it later.
Red Team
What it is: An offensive security team that simulates a real-world adversary to test an organization's defenses.
How it's used: A red team uses adversary emulation to test the efficacy of an organization's Blue Team's detection and response capabilities.
Examples and Context: A red team engagement is typically a comprehensive, multi-layered attack against a specific set of objectives.
Why it Matters: A red team provides a crucial, realistic test of an organization's security, helping to identify gaps in defense and response.
Related Topics: Blue Team, Purple Team, Penetration Testing (PT)
Blue Team
What it is: A defensive security team that monitors, detects, and responds to threats.
How it's used: The blue team operates the Security Operations Center (SOC) and is responsible for incident response.
Examples and Context: A blue team uses tools like SIEM and EDR to perform their functions.
Why it Matters: The blue team is the first line of defense against an active threat, and its effectiveness is measured by metrics like MTTD and MTTR.
Related Topics: Red Team, Purple Team
Purple Team
What it is: A collaborative function between the Red Team and Blue Team.
How it's used: A purple team engagement involves the red team performing an attack while the blue team actively works with them to improve their detections and controls in real-time.
Examples and Context: Purple team exercises are often conducted as a continuous improvement loop.
Why it Matters: The purple team concept breaks down the traditional silos between offense and defense, providing a highly effective way to improve an organization's overall security posture.