Domain 1: Attacks, Threats, Vulnerabilities
Domain 2: Architecture and Design
Domain 3: Implementation
Domain 4: Operations & Incident Response
Domain 5: GRC (Governance, Risk, and Compliance)
100

This type of malware pretends to be a legitimate program but secretly performs malicious actions once installed.

trojan

100

This network security device separates a trusted internal network from an untrusted external network.

firewall

100

This access control model grants permissions based on a user's assigned job functions within an organization.

role-based access control (RBAC or RoBAC)

100

This type of security control continuously monitors logs and alerts analysts when suspicious activity is detected.

SIEM (security information & event manager)

100

This type of security test checks whether employees follow policies such as password rules, visitor procedures, or clean desk requirements.

compliance audit

200

This social-engineering attack relies on creating a false sense of urgency—often by pretending to be a boss or authority figure—to trick someone into acting quickly.

pretexting

200

This security concept ensures that even if one control fails, other controls remain in place to provide protection.

defense in depth / layered defense

200

This wireless security protocol uses AES encryption and is the most secure option for modern Wi-Fi networks.

WPA3

200

This phase of the incident response process involves documenting lessons learned to improve future response efforts.

post-incident activity / lessons learned phase

200

This risk management strategy involves adding security controls to reduce the likelihood or impact of a threat.

risk mitigation

300

This attack occurs when an adversary manipulates a website’s input field to execute unauthorized SQL statements on a backend database.

SQL injection (SQLi)

300

This type of network architecture places public-facing services—such as web or email servers—on a separate segment isolated from the internal network.

DMZ (demilitarized zone)

300

This authentication method uses something you have—often a cryptographic token—to generate time-based, one-time passwords.

TOTP (time-based one-time password)

300

This process involves tracking and documenting the custody, control, and transfer of digital evidence.

chain of custody

300

This legal requirement forces organizations to notify customers and regulators after certain types of data breaches.

breach notification laws

400

This wireless attack involves a rogue device tricking clients into connecting by spoofing the SSID of a trusted access point.

evil twin attack

400

This cloud deployment model provides access to shared infrastructure but restricts it to a specific group of organizations with similar requirements.

community cloud

400

This endpoint security tool isolates applications in lightweight virtual containers to prevent malware from escaping into the host system.

sandboxing

400

This log type contains information about successful and failed logins, privilege escalations, and account lockouts—critical for detecting identity-based attacks.

authentication/security logs

400

This U.S. law governs the protection of health information and sets standards for confidentiality, integrity, and availability in medical systems.

HIPAA (Health Insurance Portability and Accountability Act)

500

This advanced attack technique involves compromising a target earlier in the supply chain—such as a software vendor or hardware manufacturer—to infiltrate downstream systems undetected.

supply chain attack/compromise

500

This security principle requires systems to run only the minimum features, applications, and services necessary to function to reduce the attack surface.

system hardening / principle of least functionality

500

This secure network protocol replaces insecure legacy protocols like Telnet by encrypting remote administrative sessions and supporting key-based authentication.

SSH (secure shell)

500

This threat-hunting technique begins with a hypothesis—such as “an attacker is using living-off-the-land binaries”—and then searches for indicators that support or disprove it.

hypothesis-driven hunting

500

This governance framework uses five functions—Identify, Protect, Detect, Respond, Recover—to help organizations manage and reduce cybersecurity risk.

NIST CSF (National Institute of Standards and Technology's Cybersecurity Framework)