GRC & Cybersecurity Glossary
Plain-English definitions of the terms, acronyms, and frameworks you'll meet in GRC and security — free, no signup.
206 terms
- 72-Hour Breach Notification [Privacy & Data Protection]: Under GDPR, a controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware, unless it's unlikely to risk individuals' rights. High-risk breaches also require notifying affected individuals without undue delay.
- 802.1X [Networking]: A port-based access control standard that forces a device (supplicant) to authenticate to a switch or AP (authenticator) via a RADIUS server before any traffic is allowed. It is the mechanism behind enterprise Wi-Fi (WPA2/3-Enterprise) and wired NAC.
- AAA [Security Fundamentals]: Authentication (prove identity), Authorization (grant the right access), and Accounting (log what was done) — the backbone of access control.
- Advanced Persistent Threat (APT) [Threats & Attacks]: A well-resourced, stealthy adversary (often nation-state) that gains long-term access to a network and quietly maintains it to exfiltrate data over months or years. The defining trait is persistence and evasion rather than a smash-and-grab, so detection leans on behavioral analytics and threat hunting instead of signatures alone.
- AES (Advanced Encryption Standard) [Cryptography]: The dominant symmetric block cipher, standardized by NIST in FIPS 197, using 128-bit blocks with 128/192/256-bit keys. It is fast and considered secure, but needs a secure mode of operation (use authenticated modes like GCM; never ECB).
- Anonymization vs Pseudonymization [Privacy & Data Protection]: Anonymized data can no longer be linked to a person and falls outside GDPR; pseudonymized data swaps identifiers for tokens but can be re-linked with a key, so it remains personal data. Pseudonymization lowers risk but does not exempt you from the rules.
- ARP Spoofing [Threats & Attacks]: Sending forged ARP replies on a local network so traffic meant for another host (often the gateway) is sent to the attacker instead, enabling man-in-the-middle interception. It works because ARP has no authentication, and is mitigated with dynamic ARP inspection and switch port security.
- Asymmetric Encryption [Cryptography]: Uses a public/private key pair — encrypt with one, decrypt with the other (e.g. RSA, ECC). Enables secure key exchange and digital signatures.
- Attack Surface [Security Fundamentals]: The sum of all points where an attacker could try to enter or extract data — every exposed service, port, account, and interface.
- Attestation [GRC & Compliance]: A formal, usually signed statement by a responsible party affirming that controls are in place and operating as described (e.g., a SOC 2 report or a FedRAMP management attestation). The signer is asserting accuracy under accountability, so it carries real legal and audit weight.
- Attribute-Based Access Control (ABAC) [Security Fundamentals]: An access model that grants access by evaluating attributes of the user, resource, action, and environment against policy rules (e.g., 'allow if department=Finance AND time=business hours'). More granular and context-aware than role-based access alone.
- Audit [GRC & Compliance]: An independent examination of evidence to determine whether controls are designed and operating effectively against a defined standard.
- BCP vs DR [Risk Management]: A Business Continuity Plan (BCP) keeps the organization's critical functions running during a disruption (people, processes, facilities); Disaster Recovery (DR) is the IT-focused subset that restores systems, data, and infrastructure. DR is one component of the broader BCP.
- Block vs Stream Cipher [Cryptography]: A block cipher encrypts fixed-size chunks (e.g., AES on 128-bit blocks) and needs a mode of operation, while a stream cipher (e.g., ChaCha20) encrypts byte-by-byte using a keystream. Stream ciphers suit continuous/real-time data, but reusing the same key+nonce is catastrophic.
- Broken Access Control [Application & Software Security]: A flaw where users can act outside their intended permissions — reaching other users' data or admin functions by manipulating URLs, IDs, or tokens. It ranks #1 on the OWASP Top 10 and is best mitigated by enforcing authorization server-side and denying by default.
- Brute Force [Threats & Attacks]: Systematically trying many passwords or keys until the correct one is found. Mitigated by lockouts, rate limits, and strong/long secrets.
- Business Email Compromise (BEC) [Threats & Attacks]: A targeted social-engineering fraud where an attacker impersonates an executive, vendor, or partner over email to trick staff into wiring money or sending data. It usually involves no malware, relying on authority and urgency, so defenses are payment-verification processes plus DMARC/SPF/DKIM and impersonation detection.
- Business Impact Analysis (BIA) [Risk Management]: An analysis that identifies critical business functions and quantifies the operational and financial impact of their disruption over time. The BIA is the foundation of business continuity planning — it produces the RTO, RPO, and MTD values that recovery strategies must meet.
- CASB [Cloud & Identity]: Cloud Access Security Broker — a control point between users and cloud services that enforces visibility, compliance, and data security policies.
- CCPA / CPRA [Privacy & Data Protection]: California's privacy laws giving consumers rights to know, delete, correct, and opt out of the 'sale' or 'sharing' of personal information. CPRA expanded CCPA by adding sensitive-personal-information protections and creating a dedicated enforcement agency, the CPPA.
- Chain of Custody [Incident Response & Forensics]: The documented, unbroken record of who collected, handled, transferred, and stored each piece of evidence, with timestamps. Break it and the evidence can be challenged as tampered with and ruled inadmissible in court.
- CIA Triad [Security Fundamentals]: The three core security goals: Confidentiality (limit disclosure), Integrity (prevent unauthorized change), and Availability (keep it accessible).
- CIDR [Networking]: Classless Inter-Domain Routing — a notation (e.g. 10.0.0.0/24) that expresses an IP range and subnet size by the number of network bits.
- CIS Controls [Frameworks & Standards]: A prioritized, prescriptive set of 18 defensive controls (formerly the SANS Top 20) from the Center for Internet Security. They're grouped into Implementation Groups (IG1–IG3) so smaller organizations can start with the highest-impact basics first.
- Cloud Security Posture Management (CSPM) [Cloud & Identity]: Tools that continuously scan cloud configurations against best practices and compliance benchmarks to catch misconfigurations like public storage buckets or open ports. It targets the control-plane risk behind most cloud breaches.
- Cloud Workload Protection Platform (CWPP) [Cloud & Identity]: Security focused on the workloads themselves — VMs, containers, and serverless functions — covering vulnerability scanning, runtime threat detection, and integrity monitoring. Memory aid: CWPP protects what's running; CSPM protects how the cloud is configured.
- Cloud-Native Application Protection Platform (CNAPP) [Cloud & Identity]: A consolidated platform combining CSPM, CWPP, and related capabilities (like entitlement management and IaC scanning) to secure cloud apps from code to runtime. It unifies posture and workload security into one view instead of siloed tools.
- CMMC [Frameworks & Standards]: Cybersecurity Maturity Model Certification — the DoD program verifying defense contractors' protection of FCI and CUI. Level 1 covers basic FCI safeguarding, Level 2 maps to the 110 requirements of NIST 800-171 (with C3PAO assessment for most contracts), and Level 3 adds enhanced requirements.
- COBIT [Frameworks & Standards]: ISACA's governance and management framework for enterprise IT, focused on aligning IT with business goals and value delivery. Unlike control-detail standards, it operates at the governance layer, explicitly distinguishing 'governance' (the board's direction and oversight) from 'management'.
- Code Signing [Application & Software Security]: Applying a digital signature to software with a private key so users can verify the publisher's identity and confirm the code hasn't been altered since signing. It provides authenticity and integrity, but not confidentiality.
- Common Ports [Networking]: Memorize the well-knowns and their secure variants: HTTP 80 / HTTPS 443, SSH 22, RDP 3389, DNS 53, SMTP 25 (submission 587), FTP 20-21, SMB 445, RADIUS 1812, LDAP 389 / LDAPS 636. Exam tip: prefer the encrypted variant (HTTPS, SSH, LDAPS) and flag legacy cleartext services like Telnet 23 and plain FTP.
- Conditional Access [Cloud & Identity]: Policies that allow, block, or step up authentication based on signals like user, device health, location, and risk (e.g., require MFA from an unmanaged device). It enforces context-aware, risk-based access decisions at sign-in.
- Containment, Eradication & Recovery [Incident Response & Forensics]: The active response phase: limit the damage (containment), remove the threat such as malware and attacker accounts (eradication), then restore systems and validate they're clean (recovery). Containment is usually two-staged — short-term (isolate now) and long-term (rebuild and harden before going back live).
- Control Families [GRC & Compliance]: Logical groupings of related controls within a framework, such as the 20 families in NIST SP 800-53 Rev. 5 (Access Control [AC], Incident Response [IR], etc.). They let an organization assign ownership and assess controls by domain instead of as one flat list.
- Control Types (Preventive / Detective / Corrective) [GRC & Compliance]: Preventive controls stop an incident before it happens (firewalls, access control), detective controls flag it as or after it occurs (logs, IDS, audits), and corrective controls restore normal state afterward (backups, patching). Exams often add deterrent, compensating, and recovery as further functional types.
- Controller vs Processor [Privacy & Data Protection]: Under GDPR, the controller decides why and how personal data is processed; the processor only acts on the controller's documented instructions. The controller holds primary accountability, but processors now carry direct obligations too, bound by a written data processing agreement (DPA).
- Credential Stuffing [Threats & Attacks]: An automated attack that replays username/password pairs leaked from one breach against other sites, banking on password reuse. It succeeds through reuse rather than guessing, so MFA and breached-password screening are the primary defenses.
- CRL vs OCSP [Cryptography]: Two ways to check whether a certificate has been revoked: a CRL is a periodically published list of revoked certs (bulky and can be stale), while OCSP queries the CA in real time for a single cert's status. OCSP stapling improves performance and privacy by having the server attach a fresh signed status.
- Cross-Site Request Forgery (CSRF) [Threats & Attacks]: Tricking a logged-in user's browser into sending an unwanted authenticated request to a site that trusts them (e.g., silently changing their email). It abuses the browser automatically attaching session cookies, so the standard defenses are anti-CSRF tokens plus SameSite cookies.
- Cross-Site Scripting (XSS) [Threats & Attacks]: Injecting malicious scripts into a trusted website so they run in other users' browsers — stealing sessions, data, or defacing pages.
- CVE (Common Vulnerabilities and Exposures) [Security Fundamentals]: A standardized public identifier (e.g., CVE-2024-12345) assigned to a specific known vulnerability so everyone references the same flaw consistently. A CVE names the weakness — it does not by itself tell you how severe it is.
- CVSS (Common Vulnerability Scoring System) [Security Fundamentals]: A 0–10 framework for rating a vulnerability's severity, where higher is worse (e.g., 9.0+ is Critical). The Base score reflects inherent traits, while Temporal and Environmental metrics adjust it for real-world and organization-specific context.
- Cyber Kill Chain [Incident Response & Forensics]: Lockheed Martin's 7-stage intrusion model: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives. The takeaway is that breaking any single link disrupts the attack, so defenders aim to detect and stop adversaries as early as possible.
- Data Classification [Privacy & Data Protection]: Labeling data by sensitivity (e.g., Public, Internal, Confidential, Restricted) so controls match the risk. Classification drives handling, encryption, retention, and access decisions — without it you can't apply right-sized protection.
- Data Minimization & Purpose Limitation [Privacy & Data Protection]: Two linked GDPR principles: collect only the personal data you actually need (minimization), and use it only for the specific, stated purpose it was collected for (purpose limitation). Repurposing data generally needs a fresh lawful basis or a compatibility assessment.
- Data Subject Rights (DSR/DSAR) [Privacy & Data Protection]: GDPR rights individuals can exercise over their data: access, rectification, erasure, restriction, portability, objection, and protections around automated decision-making. Controllers generally must respond within one month, making request handling (DSARs) a core operational duty.
- DDoS [Threats & Attacks]: Distributed Denial-of-Service — overwhelms a target with traffic from many sources to exhaust resources and make it unavailable.
- Default Gateway [Networking]: The router a device sends traffic to when the destination is outside its own subnet — the 'door' to other networks and the internet.
- Defense in Depth [Security Fundamentals]: Layering multiple, independent controls so that if one fails, others still protect the asset. No single point of failure.
- DHCP [Networking]: Dynamic Host Configuration Protocol — automatically assigns IP addresses and network settings to devices when they join a network.
- Diffie-Hellman (DH) [Cryptography]: A key-exchange protocol that lets two parties derive a shared secret over an untrusted channel without ever transmitting the secret. It only establishes a key (it does not authenticate or encrypt), so it must be paired with authentication to resist man-in-the-middle attacks.
- Digital Certificate [Cryptography]: An electronic credential issued by a CA that binds a public key to an identity (e.g. a website), enabling trusted, encrypted connections.
- Digital Signature [Cryptography]: A value created with the signer's private key that proves authenticity, integrity, and non-repudiation; verified with their public key.
- Directory Traversal (Path Traversal) [Threats & Attacks]: Manipulating file-path input with sequences like ../ to read or write files outside the intended directory, such as /etc/passwd or app config. The root cause is unvalidated user-supplied paths, fixed by canonicalizing and allow-listing paths rather than blocking strings.
- Discretionary Access Control (DAC) [Security Fundamentals]: An access model where the resource owner decides who gets access and at what level (e.g., file permissions you set yourself). Flexible but riskier, because owners grant access at their discretion and rights can spread without central oversight.
- DLP [Security Fundamentals]: Data Loss Prevention — tools and policies that detect and stop sensitive data from leaving the organization improperly.
- DNS [Networking]: Domain Name System — translates human-readable names (example.com) into IP addresses. Often called the 'phonebook of the internet'.
- DNS Cache Poisoning (DNS Spoofing) [Threats & Attacks]: Injecting forged DNS records into a resolver's cache so victims are silently redirected to attacker-controlled servers. It undermines trust in name resolution itself, which is the problem DNSSEC (cryptographically signed DNS responses) is designed to solve.
- DNSSEC (DNS Security Extensions) [Networking]: Adds cryptographic signatures to DNS records so resolvers can verify a response is authentic and unmodified, defeating cache poisoning and spoofing. Key nuance: DNSSEC provides integrity and authenticity, NOT confidentiality — queries are still sent in cleartext.
- DoH / DoT (DNS over HTTPS / DNS over TLS) [Networking]: Protocols that encrypt DNS queries in transit — DoT uses a dedicated TLS port (853) while DoH tunnels queries inside ordinary HTTPS (443). They add confidentiality (which DNSSEC does not), but can blind on-network DNS-based security monitoring.
- DPIA (Data Protection Impact Assessment) [Privacy & Data Protection]: A documented assessment required when processing is likely to result in high risk to individuals (e.g., large-scale profiling or sensitive data). It surfaces risks and mitigations up front; if high risk remains, you must consult the supervisory authority before proceeding.
- DPO (Data Protection Officer) [Privacy & Data Protection]: An independent role required under GDPR for public authorities or organizations doing large-scale monitoring or processing of sensitive data. The DPO advises on compliance and is the contact point for regulators — they report to top management and can't be penalized for doing the job.
- Due Care vs Due Diligence [GRC & Compliance]: Due diligence is the ongoing investigation to understand risk ("doing your homework"); due care is acting on that knowledge with reasonable safeguards ("doing the right thing"). Memory aid: diligence = identify, care = act.
- ECC (Elliptic Curve Cryptography) [Cryptography]: Asymmetric crypto built on elliptic-curve math that gives the same security as RSA with far smaller keys (a 256-bit ECC key roughly equals 3072-bit RSA). Smaller keys mean faster operations and less overhead, making it ideal for mobile and IoT devices.
- EDR [Security Fundamentals]: Endpoint Detection and Response — continuously monitors endpoints for malicious behavior and enables investigation and response/containment.
- Evidence / Artifact [GRC & Compliance]: Documented proof that a control exists and operates effectively — screenshots, config exports, logs, tickets, policies, or signed approvals collected for an auditor. Good evidence is sufficient, relevant, reliable, and timestamped within the audit period.
- Fail-Safe vs Fail-Secure [Security Fundamentals]: Two default behaviors when a control fails: fail-safe defaults to OPEN to protect life/availability (e.g., doors unlock in a fire), while fail-secure defaults to CLOSED/denied to protect assets (e.g., a vault stays locked). The right choice depends on whether life-safety or asset protection is the priority.
- FedRAMP [Frameworks & Standards]: The U.S. government program standardizing security assessment and authorization for cloud services used by federal agencies. It's built on NIST 800-53 baselines, generally requires a third-party assessor (3PAO), and lets an authorization be reused across agencies ('do once, use many').
- Firewall [Networking]: A device or software that filters network traffic against a rule set, allowing or blocking packets to enforce a security boundary.
- FISMA [Frameworks & Standards]: The Federal Information Security Modernization Act — the U.S. law requiring federal agencies to run an information security program for their systems. In practice it's operationalized through the NIST RMF (800-37) and the 800-53 control catalog.
- Forward Proxy vs Reverse Proxy [Networking]: A forward proxy sits in front of internal clients to broker their outbound requests (content filtering, egress control); a reverse proxy sits in front of servers to handle inbound requests (load balancing, TLS termination, hiding backends). Remember which side of the connection each one fronts.
- Gap Assessment [GRC & Compliance]: A structured comparison of an organization's current state against a target framework or requirement to find where controls are missing or weak. Its output is a prioritized gap list that feeds the remediation roadmap; it informs but does not replace a formal audit.
- GRC [GRC & Compliance]: Governance, Risk, and Compliance — the discipline of aligning IT and security with business goals, managing risk, and meeting obligations.
- Hashing [Cryptography]: A one-way function that turns data into a fixed-length digest (e.g. SHA-256). Used for integrity and password storage — not reversible.
- HIPAA [Frameworks & Standards]: U.S. healthcare law whose Security Rule mandates administrative, physical, and technical safeguards for electronic Protected Health Information (ePHI), and whose Privacy Rule governs PHI use and disclosure. Covered entities and their business associates (bound by a BAA) must comply.
- HMAC (Hash-based Message Authentication Code) [Cryptography]: A keyed hash that combines a secret key with a hash function (e.g., HMAC-SHA256) to verify a message's integrity and authenticity. An attacker cannot forge a valid HMAC without the key, but because both parties share that key it provides no non-repudiation.
- IaaS / PaaS / SaaS [Cloud & Identity]: Cloud service models: Infrastructure (VMs, storage), Platform (managed runtime to build on), and Software (ready-to-use apps) — each shifts more management to the provider.
- IAM [Cloud & Identity]: Identity and Access Management — the policies and tools that manage who (or what) can access which resources, and how that access is governed.
- IAM Roles vs Policies [Cloud & Identity]: A policy is a document defining permissions (which actions on which resources are allowed or denied); a role is an identity with attached policies that users, services, or workloads can assume temporarily. Roles deliver short-lived credentials, avoiding long-lived hard-coded keys.
- Identity Federation [Cloud & Identity]: A trust arrangement that lets users authenticate with their home identity provider (IdP) and access resources in another domain or organization without a second account. It underpins cross-company SSO using standards like SAML and OIDC.
- IDS vs IPS [Security Fundamentals]: An Intrusion Detection System detects and alerts on suspicious activity; an Intrusion Prevention System sits inline and can block it in real time.
- Inherent vs Residual Risk [Risk Management]: Inherent risk is the risk level before any controls are applied; residual risk is what remains after controls are in place. You can rarely reach zero, so residual risk is what management must formally accept.
- Insider Threat [Threats & Attacks]: A risk originating from someone with legitimate access (employee, contractor) — whether malicious, negligent, or compromised.
- Internal vs External Audit [GRC & Compliance]: An internal audit is run by the organization's own staff to evaluate controls and inform management; an external audit is performed by an independent third party for objective assurance to outside stakeholders (e.g., a CPA firm issuing a SOC 2 report). The key difference is the independence external audits provide.
- IOC vs IOA [Incident Response & Forensics]: An Indicator of Compromise is forensic evidence that a breach already happened (a malicious hash, IP, or registry key); an Indicator of Attack is behavior showing an attack in progress (lateral movement, credential dumping) regardless of the specific tools used. IOCs are reactive and signature-like; IOAs are proactive and behavior-based.
- IP Address [Networking]: A unique numeric label assigned to a device on a network so data can be routed to and from it. IPv4 is 32-bit (e.g. 192.168.1.10); IPv6 is 128-bit.
- IR Lifecycle (NIST SP 800-61) [Incident Response & Forensics]: The incident response phases — Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity — run as a continuous loop, not a one-time line. It's a cycle because lessons feed back into preparation, where most of your real-world effectiveness is won (note: 800-61 Rev 3, 2025, reframes this around the NIST CSF functions, but these four phases are still what exams test).
- ISO 22301 [Frameworks & Standards]: The international standard for Business Continuity Management Systems (BCMS) — requirements to plan for, respond to, and recover from disruptive incidents. It's where management-system concepts like the Business Impact Analysis (BIA), RTO, and RPO formally live.
- ISO/IEC 27001 [GRC & Compliance]: An international standard for an Information Security Management System (ISMS) — a risk-based, certifiable framework of requirements and controls.
- ISO/IEC 27002 [Frameworks & Standards]: The companion guidance to ISO 27001 — it details how to implement the Annex A information security controls and provides best practices. You certify against 27001 and use 27002 as the how-to reference for the controls.
- ISO/IEC 27005 [Frameworks & Standards]: The ISO standard providing guidance on information security risk management to support an ISO 27001 ISMS. It describes the risk process (identification, analysis, evaluation, treatment) without mandating any single method.
- ISO/IEC 42001 [Frameworks & Standards]: The first international management-system standard for Artificial Intelligence (an AIMS — AI Management System), published in 2023. It helps organizations govern AI responsibly — addressing risk, transparency, and ethics — and is certifiable like ISO 27001.
- Jump Server / Bastion Host [Networking]: A hardened, heavily monitored intermediary host that admins must connect through to reach a sensitive zone, so no direct admin path exists. It shrinks the attack surface and centralizes logging of privileged access to critical assets.
- Just-in-Time (JIT) Access [Cloud & Identity]: Granting elevated or privileged access only for a limited window when it's actually needed, then automatically revoking it. It shrinks standing privileges and the attack surface of always-on admin accounts.
- Key Escrow [Cryptography]: An arrangement where a copy of encryption keys is held by a trusted third party so data can be recovered (for lawful access, business continuity, or lost-key recovery). It creates a high-value single point of compromise, so it demands strict access controls and separation of duties.
- Key Exchange [Cryptography]: A method (e.g. Diffie-Hellman) for two parties to securely agree on a shared secret over an insecure channel without sending the key itself.
- Key Management Service (KMS) [Cloud & Identity]: A managed service that creates, stores, and controls the cryptographic keys used to encrypt cloud data, with access governed by IAM and all use logged for audit. It enables envelope encryption and centralized key lifecycle control (rotation, disabling, revocation).
- KPI vs KRI [GRC & Compliance]: A Key Performance Indicator measures how well a process meets its goals (e.g., % of systems patched on time); a Key Risk Indicator is a forward-looking metric signaling rising risk (e.g., count of overdue critical vulnerabilities). KPIs track performance, KRIs warn of trouble ahead.
- Lawful Basis (GDPR) [Privacy & Data Protection]: GDPR requires one of six legal grounds to process personal data: consent, contract, legal obligation, vital interests, public task, or legitimate interests. You must identify and document the basis before processing — consent is just one option, not the default.
- Least Privilege [Security Fundamentals]: Give every user, process, or system only the minimum access required to do its job — and nothing more.
- Lessons Learned / Post-Incident Review [Incident Response & Forensics]: A blameless review held soon after an incident (ideally within days, while memory is fresh) to capture what happened, what worked, and what to improve. It closes the loop back into Preparation by updating playbooks, detections, and controls.
- Living-off-the-Land (LOTL) [Threats & Attacks]: An intrusion technique that abuses legitimate, built-in system tools (like PowerShell, WMI, or PsExec) instead of dropping custom malware, to blend in and evade detection. Because the binaries are trusted, defense shifts from signatures to behavioral and command-line monitoring of how those tools are used.
- Load Balancer [Networking]: A device or service that distributes incoming traffic across multiple backend servers for availability and scalability, often doing health checks and TLS termination. It directly supports the 'A' (availability) goal of the CIA triad and frequently doubles as a reverse proxy and DDoS buffer.
- MAC Address [Networking]: A hardware address burned into a network interface (e.g. 00:1A:2B:3C:4D:5E) used to deliver frames on the local link (Layer 2).
- Malware [Threats & Attacks]: Malicious software — an umbrella term for viruses, worms, trojans, ransomware, spyware, and more, designed to harm or exploit systems.
- Man-in-the-Middle (MITM) [Threats & Attacks]: An attacker secretly intercepts and possibly alters communication between two parties who believe they're talking directly.
- Mandatory Access Control (MAC) [Security Fundamentals]: An access model where the system enforces access by comparing classification labels (e.g., Secret, Top Secret) against user clearances, not owner discretion. Common in military/government environments because users cannot override the central policy.
- Maturity Model [GRC & Compliance]: A model that rates how defined, repeatable, and optimized a process is across ascending levels (e.g., CMMI: Initial → Managed → Defined → Quantitatively Managed → Optimizing). It benchmarks current capability and shows the path to improvement rather than a simple pass/fail.
- MDM [Cloud & Identity]: Mobile Device Management — centrally enforces security policy (encryption, lock, remote wipe) on phones, tablets, and laptops.
- MFA [Security Fundamentals]: Multi-Factor Authentication — requires two or more different factor types (know / have / are), so a stolen password alone isn't enough.
- MITRE ATT&CK [Incident Response & Forensics]: A free, globally-used knowledge base of real-world adversary tactics (the 'why', e.g. Persistence, Exfiltration) and techniques (the 'how'), organized as a matrix. Defenders use it to map detection coverage, find gaps, and describe threats in a common language.
- MTD (Maximum Tolerable Downtime) [Risk Management]: The longest a business function can be unavailable before the organization suffers unacceptable or irreversible harm. MTD is the ceiling: RTO + WRT must fit beneath it.
- MTTD vs MTTR [Incident Response & Forensics]: Mean Time to Detect is the average time from when an incident begins to when it's discovered; Mean Time to Respond (or Remediate) is the average time from detection to containment/resolution. They're core SOC metrics — lowering both directly reduces an attacker's dwell time and impact.
- NAC (Network Access Control) [Networking]: A system that authenticates and posture-checks devices before granting network access, quarantining or limiting those that fail policy (e.g., missing patches or no EDR). It commonly relies on 802.1X to enforce who and what is allowed onto the LAN.
- NAT [Networking]: Network Address Translation — lets many devices share one public IP by rewriting source/destination addresses at the router; also hides internal addresses.
- Need-to-Know [Security Fundamentals]: A principle that limits access to information to those whose job actually requires it, even if they already hold the right clearance. Clearance alone is not enough — you also need a job-justified reason to see the data.
- Network Segmentation [Networking]: Dividing a network into isolated zones (via VLANs, subnets, or firewalls) so traffic between zones must pass controls, limiting an attacker's lateral movement. Microsegmentation extends this to the individual workload and is a core enabler of Zero Trust.
- Network Tap vs SPAN Port [Networking]: Both copy traffic for monitoring (IDS/packet capture): a SPAN (mirror) port is a switch feature that duplicates traffic to a monitoring port, while a tap is dedicated inline hardware. Know that SPAN ports can drop packets under load, whereas a tap delivers a full-fidelity copy.
- NIST CSF [GRC & Compliance]: The NIST Cybersecurity Framework — a voluntary risk-based structure organized around functions: Govern, Identify, Protect, Detect, Respond, Recover.
- NIST CSF 2.0 [Frameworks & Standards]: A voluntary, outcome-based Cybersecurity Framework built around six core Functions: Govern, Identify, Protect, Detect, Respond, Recover. Version 2.0 (2024) added the Govern function and broadened its scope from critical infrastructure to organizations of all types.
- NIST SP 800-171 [Frameworks & Standards]: Requirements for protecting Controlled Unclassified Information (CUI) in non-federal (contractor) systems. It underpins CMMC Level 2 and appears in DoD contracts via the DFARS clause, with a self-assessment scored against its 110 requirements.
- NIST SP 800-37 (RMF) [Frameworks & Standards]: The Risk Management Framework — a 7-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) for managing system security risk and granting an Authorization to Operate (ATO). It ties the NIST docs together: categorize with FIPS 199, select controls from 800-53, assess with 800-53A.
- NIST SP 800-53 [Frameworks & Standards]: The U.S. catalog of security and privacy controls, organized into families (e.g., AC, AU, IR), used to protect federal information systems. It's the control set FedRAMP and FISMA baselines draw from — you tailor controls based on the system's impact level (Low/Moderate/High).
- Non-Repudiation [Cryptography]: Assurance that someone cannot deny an action — e.g. a valid digital signature proves a specific party sent a message.
- OAuth [Cloud & Identity]: An authorization framework that lets an app access resources on a user's behalf via tokens, without sharing the user's password.
- OpenID Connect (OIDC) [Cloud & Identity]: An identity layer built on OAuth 2.0 that adds authentication, returning a signed ID token (a JWT) that proves who the user is. Key distinction: OAuth handles authorization (access), OIDC adds authentication (identity).
- Order of VolatilityIncident Response & Forensics
- The rule for sequencing evidence collection from most-perishable to most-durable: CPU registers/cache, then RAM and running processes, network state, disk, and finally logs/backups/archives (per RFC 3227). You capture volatile data first because powering off or rebooting destroys it permanently.
- OSI ModelNetworking
- A 7-layer reference model for how data moves across a network: Physical, Data Link, Network, Transport, Session, Presentation, Application.
- Output EncodingApplication & Software Security
- Converting untrusted data into a safe form for the context where it's rendered (HTML, JavaScript, URL) so the browser displays it as text rather than executing it. It is the core defense against Cross-Site Scripting (XSS).
- OWASP Top 10Application & Software Security
- A community-driven list, updated roughly every few years, of the ten most critical web application security risks (e.g., Broken Access Control, Injection, Cryptographic Failures). It's an awareness and prioritization standard, not an exhaustive checklist or a compliance certification.
- Parameterized QueriesApplication & Software Security
- A database access technique that sends SQL commands and user-supplied values separately so input is always treated as data, never executable code. It is the primary, most reliable defense against SQL injection.
- Pass-the-Hash (PtH)Threats & Attacks
- A lateral-movement technique where an attacker authenticates with a stolen password hash directly, without ever cracking it to plaintext. It exploits how Windows/NTLM accepts the hash itself as proof of identity, so countermeasures include disabling NTLM, credential isolation, and limiting local-admin reuse.
- Password SprayingThreats & Attacks
- Trying one or a few common passwords (like 'Winter2025!') across many different accounts to stay under per-account lockout thresholds. Because attempts are spread thinly, it slips past classic lockout policies and is best caught by monitoring failed logins across the whole tenant.
- Patch ManagementSecurity Fundamentals
- The process of acquiring, testing, and deploying software updates to fix vulnerabilities and bugs in a controlled, timely way.
- PCI DSSFrameworks & Standards
- The Payment Card Industry Data Security Standard — mandatory controls for any organization that stores, processes, or transmits cardholder data. It's enforced contractually by the card brands (not a law), and reducing PCI scope (e.g., via tokenization and network segmentation) is a core strategy.
- Perfect Forward Secrecy (PFS)Cryptography
- A property where each session uses a unique ephemeral key, so compromising the server's long-term private key cannot decrypt past recorded sessions. It is achieved with ephemeral Diffie-Hellman (DHE/ECDHE) and is mandatory in TLS 1.3.
- PhishingThreats & Attacks
- A social-engineering attack that uses deceptive emails/messages to trick people into revealing credentials or running malware. Spear phishing targets a specific person.
- PII vs PHI vs PCIPrivacy & Data Protection
- PII is any data that identifies a person (name, SSN); PHI is individually identifiable health data regulated by HIPAA; PCI (cardholder data) is governed by PCI DSS. One record can fall under several categories at once, so know which regulation each triggers.
- PKICryptography
- Public Key Infrastructure — the framework of certificate authorities, certificates, and keys that binds identities to public keys and enables trust.
- POA&MGRC & Compliance
- Plan of Action and Milestones — a tracked list of known weaknesses with owners, remediation steps, and target completion dates.
- Policy vs Standard vs Procedure vs GuidelineGRC & Compliance
- A policy is the high-level mandatory intent ("we encrypt sensitive data"), a standard is the mandatory specific requirement (e.g., AES-256), and a procedure is the step-by-step how-to. Policies, standards, and procedures are mandatory; a guideline is only a recommended best practice.
- PortNetworking
- A numbered endpoint (0–65535) that identifies a specific service on a host, e.g. 443 = HTTPS, 22 = SSH, 53 = DNS.
- Privacy by Design (and by Default)Privacy & Data Protection
- A principle (codified in GDPR as data protection by design and by default) that builds privacy controls into systems from the start instead of bolting them on later. 'By default' means the most privacy-protective settings apply unless the user actively chooses otherwise.
- Privilege EscalationThreats & Attacks
- Gaining higher access than granted — vertical (user → admin) or horizontal (one user → another's data) — usually after an initial foothold.
- Privileged Access Management (PAM)Cloud & Identity
- Controls and tooling for securing accounts with elevated rights — vaulting credentials, brokering and recording sessions, and rotating secrets. The core idea is to protect and monitor the 'keys to the kingdom': admin, root, and service accounts.
- Qualitative vs Quantitative Risk AnalysisRisk Management
- Qualitative analysis rates risk on relative scales (High/Medium/Low, heat maps) — fast but subjective; quantitative analysis assigns dollar values (SLE, ALE) — data-driven but harder to source. Most programs blend both, starting qualitative and quantifying the top risks.
- RansomwareThreats & Attacks
- Malware that encrypts a victim's data (or locks systems) and demands payment for the decryption key. Often paired with data-theft extortion.
- RBACCloud & Identity
- Role-Based Access Control — permissions are assigned to roles, and users get access by being placed in roles. Simplifies least privilege at scale.
- RemediationGRC & Compliance
- Correcting an identified weakness, finding, or non-compliance to bring a control back to an acceptable state — e.g., applying a patch, tightening a permission, or updating a policy. Remediation steps, owners, and due dates are typically tracked in a POA&M until closed and validated.
- Risk Acceptance AuthorityRisk Management
- The principle that only a designated senior official with budget and accountability — not the analyst or engineer — can formally accept a risk on the organization's behalf. In NIST RMF this is the Authorizing Official (AO), who signs the Authorization to Operate (ATO) accepting residual risk.
- Risk Appetite vs Risk ToleranceRisk Management
- Risk appetite is the broad, strategic amount of risk an organization will pursue to meet objectives; risk tolerance is the specific, measurable deviation acceptable for an individual risk or objective. Appetite is set by leadership/the board, and tolerance operationalizes it with thresholds.
- Risk AssessmentGRC & Compliance
- The process of identifying assets, threats, and vulnerabilities, then analyzing likelihood and impact to prioritize how risk is treated.
- Risk RegisterRisk Management
- A living document that records identified risks with their likelihood, impact, owner, treatment decision, and status. It is the central artifact auditors and leadership use to confirm risks are tracked rather than forgotten.
- Risk Treatment OptionsRisk Management
- The four ways to handle a risk: mitigate (reduce via controls), transfer (shift to a third party, e.g. insurance), avoid (stop the activity), or accept (acknowledge and retain it). You can transfer the financial impact but never the ultimate accountability.
- RSACryptography
- An asymmetric algorithm whose security rests on the difficulty of factoring large numbers; it can both encrypt and create digital signatures with a public/private key pair. Keys must be large (2048-bit minimum, 3072-bit increasingly preferred) because short keys and future quantum computers threaten it.
- RTO vs RPOGRC & Compliance
- Recovery Time Objective = how fast you must restore a process after disruption; Recovery Point Objective = how much data loss (in time) is tolerable.
- SaltingCryptography
- Adding random data to a password before hashing so identical passwords produce different hashes — defeats precomputed (rainbow table) attacks.
- SAMLCloud & Identity
- Security Assertion Markup Language — an XML standard for exchanging authentication/authorization between an identity provider and a service (common for enterprise SSO).
- SAST vs DAST vs IASTApplication & Software Security
- SAST (Static) analyzes source code or binaries without running the app to catch flaws early; DAST (Dynamic) tests the running application from the outside like an attacker; IAST (Interactive) instruments the running app to correlate runtime behavior with the underlying code, combining strengths of both.
- SBOM (Software Bill of Materials)Application & Software Security
- A machine-readable inventory of all components, libraries, and dependencies in a piece of software, with versions and relationships. It enables rapid impact assessment when a new vulnerability (like Log4Shell) is disclosed and is increasingly a procurement and regulatory requirement.
- SCA (Software Composition Analysis)Application & Software Security
- Tooling that inventories open-source and third-party components in an application and flags ones with known vulnerabilities (CVEs) or risky licenses. It addresses the reality that most modern code is dependencies you didn't write.
- Secrets ManagementApplication & Software Security
- Securely storing, rotating, and controlling access to credentials like API keys, passwords, and tokens via a dedicated vault rather than hardcoding them in source code or config. Hardcoded secrets in repositories are a leading cause of breaches.
- Secrets ManagerCloud & Identity
- A service that securely stores, encrypts, retrieves, and automatically rotates sensitive credentials like API keys, database passwords, and tokens. It eliminates hard-coded secrets in source code and config files.
- Secure SDLC (SSDLC)Application & Software Security
- Embedding security activities into every phase of the software development lifecycle — requirements, design, coding, testing, and maintenance — instead of bolting it on at the end. The goal is to find and fix flaws early, when they are cheapest to remediate.
- Security Awareness TrainingSecurity Fundamentals
- Ongoing education that teaches employees to recognize and resist threats like phishing and social engineering, since people are a primary attack vector. It's a required administrative control under most frameworks and works best when reinforced regularly, not just once a year.
- Security BaselineSecurity Fundamentals
- A documented, approved minimum set of security configurations a system must meet, often drawn from CIS Benchmarks or DISA STIGs. It gives a measurable standard so you can detect and correct configuration drift over time.
- Security ControlGRC & Compliance
- A safeguard or countermeasure (technical, administrative, or physical) that reduces risk; classified as preventive, detective, corrective, etc.
- Security Groups vs NACLsCloud & Identity
- In a cloud VPC, security groups are stateful firewalls attached to instances (return traffic is auto-allowed and they support allow rules only), while Network ACLs are stateless filters at the subnet boundary that evaluate inbound and outbound separately and support both allow and deny.
- Segregation of Duties (SoD)GRC & Compliance
- Splitting a sensitive task across two or more people so no single person can complete it alone, reducing fraud and error (one requests a payment, another approves it). When full separation isn't feasible, compensating controls like job rotation or mandatory vacations apply.
- Separation of Duties (SoD)Security Fundamentals
- A control that splits a sensitive task across two or more people so no single person can complete it alone (e.g., one requests a payment, another approves it). It reduces fraud and error by removing unchecked single-person power.
- Server-Side Request Forgery (SSRF)Threats & Attacks
- Coercing a vulnerable server into making requests to targets the attacker can't reach directly, often the internal network or a cloud metadata endpoint. In the cloud it's especially dangerous because it can steal instance credentials, which is why metadata services moved to session-token protections (IMDSv2-style).
- SHA-256Cryptography
- A 256-bit cryptographic hash from the SHA-2 family producing a fixed-length, one-way, collision-resistant digest used for integrity checks and digital signatures; it is the secure replacement for broken MD5 and SHA-1. Note: a fast hash like SHA-256 is not suitable for password storage on its own — use a slow, salted KDF such as bcrypt, scrypt, or Argon2.
- Shared Responsibility ModelCloud & Identity
- In cloud, security duties are split: the provider secures the cloud (infrastructure); the customer secures what they put in it (data, config, access).
- Shift LeftApplication & Software Security
- Moving security testing and review earlier in the development process (design and coding) rather than only before release. Catching defects sooner cuts cost and rework and reduces the chance of vulnerabilities reaching production.
- SIEMSecurity Fundamentals
- Security Information and Event Management — aggregates and correlates logs from across the environment to detect, alert, and investigate threats.
- SLE, ARO, and ALERisk Management
- Single Loss Expectancy (SLE) = Asset Value × Exposure Factor; Annualized Rate of Occurrence (ARO) is how many times per year the loss is expected; Annualized Loss Expectancy (ALE) = SLE × ARO. ALE is the figure you compare against the annual cost of a control to justify spending.
- Smishing & VishingThreats & Attacks
- Phishing delivered over SMS/text (smishing) or voice calls (vishing) instead of email, often spoofing a bank, IT help desk, or delivery service. They exploit channels people scrutinize less, and modern variants increasingly use AI-cloned voices, making out-of-band call-back verification essential.
- SOARIncident Response & Forensics
- Security Orchestration, Automation & Response — a platform that connects security tools and runs automated playbooks to triage and respond to incidents at machine speed. It cuts analyst toil and shrinks response time; contrast with SIEM, which mainly detects and alerts.
- SOC 1Frameworks & Standards
- An AICPA audit report on a service organization's controls relevant to its clients' financial reporting (ICFR) — not general security. It exists because outsourced processing can affect a customer's financial statements; compare to SOC 2, which covers security/availability/confidentiality.
- SOC 2GRC & Compliance
- An AICPA attestation report on a service organization's controls over the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).
- Social EngineeringThreats & Attacks
- Manipulating people (not systems) into breaking security — through deception, urgency, authority, or trust. The human attack surface.
- Software Supply-Chain RiskApplication & Software Security
- The threat that an attacker compromises you indirectly through a trusted dependency, build tool, or update mechanism rather than attacking you head-on. SolarWinds and malicious npm/PyPI packages are classic examples; defenses include SCA, SBOMs, and securing the CI/CD pipeline.
- SQL InjectionThreats & Attacks
- An attack that inserts malicious SQL into an input field to read, modify, or destroy database data when input isn't properly validated.
- SSOCloud & Identity
- Single Sign-On — authenticate once and gain access to multiple applications without logging in again to each.
- SSPGRC & Compliance
- System Security Plan — the document describing a system, its categorization, and how each security control is implemented.
- Subnet MaskNetworking
- A value that splits an IP address into its network portion and host portion, defining which addresses are on the same local network (e.g. 255.255.255.0).
- Supply-Chain AttackThreats & Attacks
- Compromising a trusted third-party software, hardware, or service provider to reach its downstream customers — for example, poisoning a vendor's software update (SolarWinds-style). One breach can fan out to thousands of victims, which is why vendor risk management and software bills of materials (SBOMs) matter so much.
- Symmetric EncryptionCryptography
- Uses one shared secret key to both encrypt and decrypt (e.g. AES). Fast, but the key must be shared securely.
- System HardeningSecurity Fundamentals
- Reducing a system's attack surface by disabling unnecessary services, closing unused ports, removing default accounts, and applying secure settings. The goal is to leave only what's needed for the job, configured securely.
- Tabletop ExerciseIncident Response & Forensics
- A discussion-based drill where the IR team talks through a simulated incident to test the plan, roles, and decisions without touching production systems. It's low-cost and surfaces gaps in communication and process before a real incident does.
- TCP vs UDPNetworking
- TCP is connection-oriented and reliable (acknowledgements, ordering); UDP is connectionless and fast with no delivery guarantee (used for streaming, DNS, VoIP).
- Third-Party / Supply-Chain RiskRisk Management
- The risk that a vendor, supplier, or software dependency introduces a vulnerability, outage, or breach into your environment (e.g. the SolarWinds compromise). The durable lesson: you can outsource a function but not the risk — due diligence and continuous monitoring stay with you.
- Threat HuntingIncident Response & Forensics
- Proactively searching networks and endpoints for hidden threats that evaded automated defenses, driven by a hypothesis rather than an alert. It assumes a breach may already exist, which sets it apart from passive alert monitoring.
- Threat ModelingRisk Management
- A structured process for identifying potential threats, attack vectors, and weaknesses in a system early in design so they can be addressed before deployment. STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) is a common framework to drive the analysis.
- TLS / SSLCryptography
- Transport Layer Security (the modern successor to SSL) — encrypts data in transit (the 'S' in HTTPS) using certificates and key exchange.
- Vendor Risk Management (VRM)Risk Management
- The lifecycle process of assessing and monitoring the security and compliance posture of third parties before and throughout an engagement, using questionnaires, evidence like SOC 2 reports, and contractual security clauses. It typically tiers vendors by criticality and data access so high-risk vendors get deeper scrutiny.
- VLANNetworking
- Virtual LAN — logically segments one physical switch into separate broadcast domains, isolating traffic for security and performance.
- VPNNetworking
- Virtual Private Network — creates an encrypted tunnel over a public network so remote users/sites can communicate securely and privately.
- Vulnerability Scanning vs Penetration TestingSecurity Fundamentals
- A vulnerability scan is an automated, broad check that finds known weaknesses without exploiting them; a penetration test is a manual, goal-driven effort that actually exploits weaknesses to prove real impact. Scanning answers 'what might be wrong'; pen testing answers 'what an attacker could actually do'.
- Vulnerability vs Threat vs RiskSecurity Fundamentals
- A vulnerability is a weakness; a threat is something that could exploit it; risk is the likelihood and impact of that happening.
- WAF (Web Application Firewall)Networking
- A filter that inspects HTTP/HTTPS traffic at Layer 7 to block application-layer attacks like SQL injection and XSS, rather than filtering on ports and IPs. Key distinction: a network firewall filters packets/ports, while a WAF understands web requests and payloads.
- Watering Hole AttackThreats & Attacks
- Compromising a legitimate website that a specific target group is known to visit, then infecting those visitors. Instead of attacking the target directly, the adversary poisons a trusted destination — effective against well-defended organizations whose staff browse predictable industry sites.
- WPA2 vs WPA3Networking
- Wi-Fi security standards: WPA2 uses a 4-way handshake with AES-CCMP, while WPA3 adds SAE (Simultaneous Authentication of Equals) for forward secrecy and resistance to offline password guessing. Exam point: WPA3's SAE replaces the WPA2 pre-shared-key handshake that was exposed to KRACK and offline dictionary attacks.
- WRT (Work Recovery Time)Risk Management
- The time after systems are restored that is needed to validate data, re-enter transactions, and return the function to normal operation. The key relationship: RTO + WRT must fit within the MTD.
- Zero TrustSecurity Fundamentals
- A model that never assumes trust based on network location — every request is continuously verified ('never trust, always verify').
- Zero-DayThreats & Attacks
- A vulnerability unknown to the vendor (no patch yet) — and the attacks that exploit it before a fix exists.
