Exam (worked solutions)

WGU D488 CYBERSECURITY ARCHITECTURE AND ENGINEERING STUDY GUIDE FOR END SEMESTER PAPER EXAM 2026

Rating: -
Sold: -
Pages: 53
Grade: A+
Uploaded on: 22-03-2026
Written in: 2025/2026

WGU D488 CYBERSECURITY ARCHITECTURE AND ENGINEERING STUDY GUIDE FOR END SEMESTER PAPER EXAM 2026

Impact: The severity of a threat if it is realized.
Single Loss Expectancy (SLE): The amount of loss from a single occurrence of the risk (asset value x exposure factor).
Annual Rate of Occurrence (ARO): The number of times the risk is expected to occur in a year.
Annual Loss Expectancy (ALE): Estimate of the loss expected over a year. ALE = SLE x ARO.
Quantitative risk: The challenge of quantitative risk analysis is that the cost of components or equipment is not always clear, and indirect costs such as reputation and lost business are harder still to price.
Mean Time To Recovery (MTTR): The average time a device takes to recover from a failure.
Mean Time Between Failures (MTBF): The average length of time between failures of a product or component.
NIST Cybersecurity Framework, 5 core functions:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
(CSF 2.0, published in 2024, adds Govern as a sixth function.)
Residual Risk: The risk that remains after management implements internal controls or some other response to risk.
Risk Appetite: The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be aligned with company strategy.
ISO 31000 Framework:
- used to integrate the risk management process into an organization's management and operational systems
- can be adapted to an organization's specific operations and objectives
- begins with an evaluation of the organization's risk context, including all major factors inside and outside the organization that affect its objectives and operations
COBIT Framework:
- the principles below are those of COBIT 5; COBIT 2019 is the current version and supersedes it
- meeting stakeholder needs
- covering the enterprise end-to-end
- applying a single, integrated framework
- enabling a holistic approach
- separating governance from management
COSO: Committee of Sponsoring Organizations of the Treadway Commission, an initiative of five private-sector organizations collaborating on the development of risk management and internal control frameworks.
Risk Management Life Cycle phases: Identify, Assess, Control, Review.
KPI (Key Performance Indicator): A formal mechanism designed to measure the performance of a program against desired goals.
Key Risk Indicators (KRIs): Metrics that provide an early warning of increasing levels of uncertainty in a particular business area.
Risk Register: A document in which the results of risk analysis and risk response planning are recorded.
Tradeoff analysis: Comparing potential benefits to potential risks and deciding on a course of action by adjusting the factors that contribute to each.
Managing people risks: separation of duties, job rotation, mandatory vacation, least privilege, employment and termination procedures.
Software as a Service (SaaS): The lowest amount of responsibility for the customer; facilities, utilities, physical security, platform and applications are the responsibility of the provider.
Platform as a Service (PaaS): Provides a selection of operating systems that can be loaded and configured by the customer; the underlying infrastructure, facilities, utilities and physical security are the responsibility of the provider.
Infrastructure as a Service (IaaS): Provides the hardware hosted at the provider's facility, using the provider's physical security controls and utilities such as power; the customer is responsible for the operating system and everything above it.
Vendor Lock-in: When a customer is completely dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and cost.
Vendor Lock-out: When a vendor's product is developed in a way that makes it inoperable with other products, so that integration with other vendors' products is not feasible or does not exist.
Vendor Viability: A vendor that has a viable, in-demand product and the financial means to remain in business on an ongoing basis.
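The formulas above, carried through for a small risk register, as an added example that is not part of the study guide: it computes SLE and ALE for several constructed risks, orders them as a risk register would, and applies the tradeoff analysis for a control (ALE before minus ALE after minus the control's annual cost). The risk names, asset values, exposure factors, rates of occurrence and control cost are all assumed figures.

```python
"""Quantitative risk: SLE = AV x EF, ALE = SLE x ARO, and the value of a safeguard.

Added example; all figures are constructed for illustration, not from a real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: value of the asset at risk
    exposure_factor: float   # EF: fraction of AV lost per occurrence (0..1)
    aro: float               # ARO: expected occurrences per year


def sle(risk: Risk) -> float:
    """Single Loss Expectancy: loss from one occurrence, AV x EF."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annual Loss Expectancy: SLE x ARO."""
    return sle(risk) * risk.aro


def safeguard_value(risk: Risk, ef_after: float, aro_after: float, annual_cost: float) -> float:
    """Tradeoff analysis for a control: ALE(before) - ALE(after) - annual cost of the control.

    Positive means the control saves more than it costs per year; negative means
    the organisation would spend more on the control than the loss it removes.
    """
    after = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return ale(risk) - ale(after) - annual_cost


def prioritize(risks: list[Risk]) -> list[tuple[str, float]]:
    """Risk-register view: (name, ALE) pairs, highest expected annual loss first."""
    return sorted(((r.name, ale(r)) for r in risks), key=lambda pair: pair[1], reverse=True)


# Constructed register entries (assumed values).
RANSOMWARE = Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5)
DISK_FAILURE = Risk("database disk failure", asset_value=200_000, exposure_factor=0.25, aro=2.0)
PHISHING = Risk("credential phishing", asset_value=50_000, exposure_factor=0.8, aro=4.0)

if __name__ == "__main__":
    for name, loss in prioritize([RANSOMWARE, DISK_FAILURE, PHISHING]):
        print(f"{name:30s} ALE = {loss:>12,.2f}")
    # Offline immutable backups (assumed): EF falls from 0.6 to 0.1, ARO unchanged, cost 40,000 per year.
    print("backup control value per year:", safeguard_value(RANSOMWARE, ef_after=0.1, aro_after=0.5, annual_cost=40_000))
```

Note that the control in the example lowers the exposure factor rather than the rate of occurrence: backups do not stop ransomware from arriving, they reduce what is lost when it does, which is why the two inputs are kept separate.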
Source Code Escrow: A copy of vendor-developed source code is deposited with a trusted third party and released to the customer if the vendor ceases to be in business or otherwise fails to support the product.
Support Availability: Defines the steps taken to verify the type and level of support the vendor will provide for their product or service. Often defined in an SLA.
Meeting client requirements: The formal measures taken to validate that the vendor's delivered service or product aligns with established requirements.
Incident reporting requirements: Legal contracts should clearly require vendors to provide timely notification of any security incident.
Supply Chain: All of the suppliers, vendors and partners needed to deliver a final product.
Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR): Program that demonstrates a cloud service provider's adherence to key principles of transparency, auditing and best-practice security operations.
System and Organization Controls (SOC): Uses standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate the policies, processes and procedures in place to protect technology and financial operations (SOC 1 covers controls over financial reporting; SOC 2 covers security, availability, processing integrity, confidentiality and privacy).
ISO 27000 Series: One of the most widely referenced security models. A framework for information security which states that an organizational security policy is needed to provide management direction and support, and which provides a common basis for developing organizational security.
CMMC (Cybersecurity Maturity Model Certification): A set of cybersecurity standards developed by the United States Department of Defense, designed to fortify the DoD supply chain by requiring suppliers to demonstrate that they have mature cybersecurity capabilities.
Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that can be linked to an individual.
This is interpreted rather broadly and includes any part of a patient's medical record or payment history.
Personally Identifiable Financial Information (PIFI): Personal information about a consumer provided to a financial institution, which can include account number, credit/debit card number, name, social security number and other information.
Intellectual Property (IP): A legal term for intangible property, "creations of the mind" such as inventions and designs, used in a commercial setting. Intellectual property is protected by law.
Data Classification Levels:
- Public: disclosure would not cause a negative impact to the organization.
- Sensitive: disclosure would cause harm to the organization. Data in this classification requires special consideration and well-crafted protections for its confidentiality, integrity and availability.
- Confidential: disclosure would cause considerable harm to the organization.
Data Retention: How long data must be kept and how it is to be secured. Defines the minimum and maximum time data is kept.
Data Destruction: The legally compliant means by which data is removed or made inaccessible.
Sanitization: A general term for the means by which information is removed from media; includes the methods clear, purge and damage (NIST SP 800-88 calls the third category "destroy").
Crypto Erase: Sanitization by destroying the key needed to decrypt the data, making recovery effectively impossible. Particularly important on cloud platforms, where the data sits on a device the owner cannot physically access. It only works if all of the data was encrypted before it was written and no copy of the key survives in backups or key escrow.
Clear: Sanitization by overwriting all user-addressable storage at the block level (one or more passes) to defeat simple, non-invasive recovery techniques.
Purge: Sanitization that provides effective protection against all recovery techniques, including laboratory (clean-room) methods; degaussing and cryptographic erase are examples.
Damage: Physically breaking a storage device to render it useless or inoperable.
Data sovereignty (geographic considerations): The laws of the country in which data is stored govern that data; describes the legal dynamics of data collection and use in a global economy.
Attestation of Compliance (AOC): A document in which an organization, or the assessor that evaluated it, formally attests that it has been assessed against a standard (for example PCI DSS) and states the result. It is the evidence one party gives another that the agreed policies, contractual terms and standards are being met.
NIST: A non-regulatory agency in the United States that establishes standards and best practices across science and technology.
International Organization for Standardization (ISO): Manages and publishes a cybersecurity framework referred to as ISO 27K, which includes over a dozen standards, among them 27001 (requirements for an information security management system) and 27002 (which defines security controls).
GDPR (General Data Protection Regulation): Provisions and requirements protecting the personal data of European Union (EU) residents. Transfers of personal data outside the EU Single Market are restricted unless protected by equivalent safeguards; the US Privacy Shield arrangement once used for this was invalidated by the Court of Justice of the EU in 2020 and has been replaced by the EU-US Data Privacy Framework.
Seven principles of GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
COPPA (Children's Online Privacy Protection Act): Requires websites to protect the information of children under 13 years of age.
PCI DSS (Payment Card Industry Data Security Standard): Identifies the controls required to protect cardholder data and prevent fraud and identity theft.
Capability Maturity Model Integration (CMMI): A process improvement approach that provides organizations with the essential elements of effective processes.
CMMI levels:
- Level 1, Initial: processes do not exist and work is reactive in nature.
- Level 2, Managed: many work activities are defined via processes, but work is still frequently reactive.
- Level 3, Defined: the majority of work is well defined via processes and proactive measures are in place.
- Level 4, Quantitatively Managed: processes are measured and controlled using quantitative data.
- Level 5, Optimizing: the focus is on continuous process improvement.
Cloud Security Alliance (CSA) STAR Certification: Independent third-party assessment of a cloud provider's security posture.
Assessment and Authorization (A&A), six distinct phases (the NIST Risk Management Framework, SP 800-37): Categorization, Selection, Implementation, Assessment, Authorization, Continuous Monitoring. (SP 800-37 Rev 2 adds a preparatory Prepare step before these.)
Categorization: Determining the security category of the information system, that is, the impact level (low, moderate or high) for each of confidentiality, integrity and availability per FIPS 199; this drives every later phase.
Selection: Security controls are selected based on the categorization, following the baselines in NIST Special Publication (SP) 800-53, so that the system is equipped with the necessary protections.
Common Criteria (CC): An international standard (ISO/IEC 15408) in which computer system users specify their security functional and assurance requirements for a given system, and vendors have products evaluated against them.
Due Care: Reasonable and expected protections put in place to protect an asset.
Due Diligence: The ongoing, documented effort to continuously evaluate and improve the mechanisms by which assets are protected.
Legal Hold: A court order that suspends the processing or destruction of paper or electronic records; also known as a preservation order, preservation notice, or litigation hold.
e-discovery: Identifying and retrieving relevant electronic information to support litigation efforts.
Wassenaar Arrangement: Established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies (including intrusion software and certain cryptographic items), thus preventing destabilizing accumulations.
Legally Enforceable Documents: Used to govern the relationship between parties, fortify the legal rights of an organization, and serve as an enforcement mechanism.
Master Service Agreement (MSA): A contract that establishes precedence and guidelines for any business documents executed between two parties.
Non-Disclosure Agreement (NDA): A legal contract between at least two parties that outlines confidential material, knowledge, or information the parties wish to share with one another for certain purposes but wish to restrict from third parties.
Memorandum of Understanding (MOU): An agreement between two or more parties to enable them to work together; more formal than an unwritten agreement but widely considered non-binding.
Interconnection Security Agreement (ISA): As defined by NIST (SP 800-47), "an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations."
Service Level Agreement (SLA): Part of a service contract in which the service expectations are formally defined.
Operational Level Agreement (OLA): An internal agreement covering the delivery of services that support the IT organization in its delivery of services.
Privacy Level Agreement (PLA): An agreement in which the cloud provider states the level and types of personal data protection in place.
NIST Special Publication (SP) 800-34 Rev 1, "Contingency Planning Guide for Federal Information Systems", steps:
1. Develop the continuity planning policy statement.
2. Conduct the business impact analysis.
3. Identify preventive measures.
4. Create contingency strategies.
5. Develop an information system contingency plan.
6. Ensure plan testing, training, and exercises.
7. Ensure plan maintenance.
Disaster Recovery Plan (DRP): A component of the overall Business Continuity Plan (BCP). The BCP is much broader in scope and covers a longer time period; the DRP is focused on the immediate needs of a disaster.
Business Impact Analysis (BIA): A process that helps an organization identify the critical systems and components essential to its success.
Recovery Point Objective (RPO): The maximum amount of data loss, measured as a period of time, that the organization is willing to re-enter or lose without irreparable harm; it dictates how frequently backups must be taken.
Recovery Time Objective (RTO): The maximum tolerable time to restore an organization's information system following a disaster; the length of time the organization is willing to attempt to function without its information system.
Alternate Operating Facilities: The decision to use an alternate operating facility is part of a continuity plan and must be a collaborative, risk-based decision.
Disaster Recovery Site Strategies: cold site, warm site, hot site, mobile site.
Cold Site: A separate facility that has no computer equipment but provides a place employees can move to after a disaster. Takes weeks to activate, because all equipment must be acquired and provisioned before it can be used.
Warm Site: A warm site lets a business pre-install hardware and pre-configure its bandwidth needs. In the event of a disaster, the business loads its software and restores its systems there. Costs more to operate and maintain than a cold site but can be activated in hours to days.
Hot Site: A separate, fully equipped facility to which the company can move immediately after a disaster and resume business. Can be activated and used within minutes, but is the most expensive to maintain.
Mobile Site: A versatile site that uses independent, portable units such as trailers or tents to deliver recovery capabilities. Falls between a cold and a warm site, with moderate costs and activation times spanning days to weeks.
NIST SP 800-61: National Institute of Standards and Technology, Computer Security Incident Handling Guide. Its incident response life cycle is preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.
After Action Report (AAR): The official internal report of an entire event, such as a disaster, which should contain the facts of the incident reflected in a chronological, accurate manner.
Parallel Test: Activate the recovery environment but do not switch operations to it. Its advantage is that it does not impact live production systems.
Full-Interruption Test: Regular operations are stopped and processing is moved to the alternate site. This test best demonstrates the effectiveness of the BC/DR plan, but is the riskiest because it impacts normal business operations.
Edge Services: Devices directly accessible from the internet that provide access to internal services.
Edge devices form the initial defensive layer of protection.
Traditional Firewall: Traditional (packet-filtering and stateful) firewalls operate at layers 3 and 4 and provide no visibility into higher-layer protocols such as HTTP. They do not inspect the content of the traffic, so malicious HTTP traffic is simply web traffic to them.
Routers: Forward traffic between subnets by inspecting IP addresses, and so operate at layer 3, the network layer of the OSI model.
Load Balancer: A special-purpose device or appliance containing software that allows the configuration of traffic management rules. A common implementation distributes traffic among many web servers to better handle high-volume workloads.
Network Address Translation (NAT): A technique that lets hosts with private IP addresses reach the public internet by translating their addresses to a public one at the gateway. In a cloud environment, a NAT gateway is required for instances in a private subnet to initiate connections to the internet without being reachable from it.
Internet Gateway (IGW): In a cloud environment, a Virtual Private Cloud (VPC) component that allows communication between the VPC and the internet.
Distributed Denial of Service (DDoS) Protection options: rate limiting, Web Application Firewall (WAF), blackhole routing, cloud service providers, DDoS mitigation software/appliance.
Rate Limiting: Used to reduce a certain type of traffic to a reasonable amount, for example by capping requests per second per source.
Web Application Firewall (WAF): A firewall that operates at the application layer, specifically designed to protect web applications by examining HTTP requests. Uses rules to prevent cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection (SQLi) and many other attacks from reaching the target.
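Rate limiting as described above, implemented as a per-client token bucket; this is an added example, not code from the study guide. The bucket size, refill rate and the two client addresses are assumptions. In practice the key would be a source IP, API key or authenticated user, and the limiter would run in the edge service (reverse proxy, API gateway or WAF) in front of the origin.

```python
"""Rate limiting as an abuse/DDoS control: a per-client token bucket.

Added example; traffic and limits are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    capacity: float                           # burst allowance (tokens the bucket can hold)
    refill_per_sec: float                     # sustained rate (tokens added per second)
    last: float = 0.0                         # timestamp of the last refill
    tokens: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity           # a new client may burst up to capacity

    def allow(self, now: float, cost: float = 1.0) -> bool:
        """Refill for the time elapsed since the last call, then spend `cost` tokens if available."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """One bucket per client key; buckets are created lazily the first time a client is seen."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_per_sec, last=now)
        return bucket.allow(now)


def simulate(requests: list[tuple[float, str]], capacity: float = 5, refill_per_sec: float = 1.0) -> dict[str, tuple[int, int]]:
    """Replay (timestamp, client) pairs in time order; return {client: (allowed, rejected)}."""
    limiter = RateLimiter(capacity, refill_per_sec)
    tally: dict[str, list[int]] = {}
    for ts, client in sorted(requests):
        counts = tally.setdefault(client, [0, 0])
        counts[0 if limiter.check(client, ts) else 1] += 1
    return {client: (allowed, rejected) for client, (allowed, rejected) in tally.items()}


# Constructed traffic within one second: a flooding source and a well-behaved one (assumed addresses).
FLOOD = [(0.01 * i, "198.51.100.7") for i in range(50)]
NORMAL = [(0.0, "203.0.113.5"), (0.5, "203.0.113.5"), (0.9, "203.0.113.5")]

if __name__ == "__main__":
    print(simulate(FLOOD + NORMAL))
```

With a capacity of 5 and a refill of 1 token per second, the flooding source gets its first five requests through and is then rejected for the rest of the second, while the normal client is never affected. The per-client key is what makes this a DDoS control rather than a global throttle: a global cap would let the flood starve legitimate users.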
Blackhole Routing: Routes all traffic destined for the targeted address to a null interface, dropping legitimate and malicious traffic alike. It protects the rest of the network at the cost of completing the denial of service for that one endpoint.
Cloud Service Providers: Provide DDoS protection as a service. Using this approach requires updating DNS to point traffic at the provider so that it is inspected before reaching the intended service; the origin must also be restricted to the provider's address ranges, otherwise attackers who learn the origin address can bypass the scrubbing.
DDoS Mitigation Software/Appliance: The methods used to reduce the impact of a distributed denial of service attack, implemented through special software or by deploying a virtual appliance designed to provide DDoS protection.
Next-Generation Firewall (NGFW): A firewall that includes advanced, built-in features such as application control, IDS and/or IPS functionality, user awareness and context awareness. Also performs protocol inspection of traffic such as HTTP to detect malicious content.
Unified Threat Management (UTM): A comprehensive security management tool that combines multiple security functions, including firewall, VPN, intrusion detection, web content filtering and anti-spam, in one appliance.
Forward Proxy: A security appliance or host positioned at the client network edge, such as in the screened subnet (DMZ), that forwards user traffic to the destination network if the contents of that traffic comply with policy.
Non-Transparent Proxy: A server that relays requests and responses for clients explicitly configured with the proxy's address and port (for example port 8080).
Transparent Proxy: A proxy implemented inline on a switch, router or other network appliance. It intercepts client traffic without the clients having to be reconfigured.
Reverse Proxy: A type of proxy server that protects servers from direct contact with client requests arriving from the outside.
WAF deployment options:
- Network-based: a separate host or VM configured to perform WAF functions. The most costly to acquire and maintain, but the best performance and flexibility.
- Host-based: software that runs on the same host as the web application server. Complicates the configuration and can require a lot of computational resources.
- Cloud-based: WAF functionality provided by a service provider and delivered via a cloud platform. Less expensive, with minimal installation effort and maintenance requirements.
API Gateway: Provides a mechanism for detaching software interfaces from the main application and can offload the inspection and protection of API traffic. API gateways are common on cloud platforms and provide high levels of extensibility.
XML Gateway: Transforms how services and sensitive data are exposed as APIs to developers, mobile users and the cloud. Can be hardware or software, and can implement security controls such as DLP, antivirus and anti-malware services.
DNS Poisoning: An attack that substitutes DNS records so that the computer is automatically redirected to an attacker's device. Traditional DNS has no inherent way to verify the data in its cache, so the data stays cached until the TTL expires or the cache is manually cleared.
DNSSEC (Domain Name System Security Extensions): A suite of extensions to DNS that protects the integrity of DNS records and prevents some DNS attacks. It provides origin authentication of DNS data and a validation process for DNS responses, which helps mitigate spoofing and poisoning. It does not encrypt queries; confidentiality is addressed separately (DNS over TLS or HTTPS).
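The validation process described above relies on a chain of trust: the parent zone publishes a DS record, which is a hash of the child's key-signing key, and a resolver accepts the child's DNSKEY records only if one of them hashes to that DS. The following added example (not from the study guide) builds the DS digest exactly as RFC 4034 and RFC 4509 define it, SHA-256 over the owner name in wire format followed by the DNSKEY RDATA, and checks a DNSKEY set against it. The zone name and the key bytes are constructed; real keys would be RSA or ECDSA public keys, and the DS record would be published in the parent (for example in .com for example.com).

```python
"""DNSSEC chain of trust: how a parent's DS record binds a child's KSK.

Added example; the zone and key material are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

FLAG_ZSK = 256   # ZONE bit set
FLAG_KSK = 257   # ZONE bit plus SEP (Secure Entry Point) bit


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone apex, e.g. "example.com."
    flags: int          # 256 (ZSK) or 257 (KSK)
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw key material (constructed here)
    protocol: int = 3   # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key


def wire_name(name: str) -> bytes:
    """Canonical wire format: lowercase labels, each length-prefixed, terminated by a zero byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(len(label).to_bytes(1, "big") + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1): a 16-bit checksum of the RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key: DNSKEY) -> str:
    """DS digest type 2 (SHA-256) = SHA-256(owner name in wire format || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(key.owner) + key.rdata()).hexdigest()


def validates_against_ds(parent_ds: dict, child_keys: list[DNSKEY]) -> bool:
    """Resolver-side check: some child DNSKEY with the SEP bit must hash to the parent's DS.

    Only the key matching the DS (the KSK) anchors the zone. The ZSK is then trusted
    because the KSK signs the DNSKEY RRset that contains it.
    """
    for key in child_keys:
        if (key.flags & 1                                 # SEP bit: offered as a KSK
                and key.algorithm == parent_ds["algorithm"]
                and key_tag(key) == parent_ds["key_tag"]
                and ds_digest(key) == parent_ds["digest"]):
            return True
    return False


# Constructed keys: 32 fixed bytes stand in for real public-key material.
KSK = DNSKEY("example.com.", FLAG_KSK, 13, bytes(range(32)))
ZSK = DNSKEY("example.com.", FLAG_ZSK, 13, bytes(range(32, 64)))
PARENT_DS = {"key_tag": key_tag(KSK), "algorithm": 13, "digest_type": 2, "digest": ds_digest(KSK)}
ROGUE_KSK = DNSKEY("example.com.", FLAG_KSK, 13, bytes(range(64, 96)))   # key an attacker substitutes

if __name__ == "__main__":
    print("DS record for example.com:", PARENT_DS)
    print("legitimate DNSKEY set validates:", validates_against_ds(PARENT_DS, [KSK, ZSK]))
    print("rogue DNSKEY set validates:", validates_against_ds(PARENT_DS, [ROGUE_KSK, ZSK]))
```

The rogue set fails because the attacker controls the child zone's records but not the parent's DS, which is what stops a poisoned DNSKEY RRset from being accepted. Signature verification of the RRSIG records (omitted here, since it needs the real public-key algorithms) is the second half of the check that a validating resolver performs.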
Resource Record Set (RRset): The set of all resource records of one type for one name. DNSSEC signs RRsets (producing RRSIG records), not individual records.
Zone Signing Key (ZSK): Used to sign the RRsets of a zone so they can be verified as trustworthy by receiving systems.
Key Signing Key (KSK): DNSSEC uses a series of keys to secure the server and the zones. The KSK is an authentication key that signs the DNSKEY RRset at the apex of the zone; a hash of it is published as a DS record in the parent zone, which is what forms the chain of trust up to the root trust anchor.
VPN (Virtual Private Network): A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
Network Access Control (NAC): A security technique in which devices are scanned to determine their current state before being allowed onto a network. Uses dynamic VLAN assignment to quarantine systems that do not meet security standards.
NIDS (Network-based Intrusion Detection System): A system that monitors traffic on a specific network segment and looks for signs of suspicious activity; it inspects traffic and analyzes it for potentially rogue activity.
NIDS Detection Techniques:
- Signature-based: comparing observed traffic to known attacks defined by a signature.
- Anomaly-based: comparing observed traffic to typical protocol activity, such as the volume or shape of a particular protocol.
- Behavior-based: comparing observed traffic to the baseline traffic patterns recorded during a learning period.
Switched Port Analyzer (SPAN): Copies ingress and/or egress traffic from one or more switch ports to another port, allowing traffic from a network segment to be captured. Under load the switch may drop mirrored packets, since mirroring is lower priority than forwarding.
Test Access Point (TAP): The preferred method of traffic capture. A dedicated hardware device inserted inline on the link that passively copies every packet to a monitoring port, so it does not depend on the switch and causes no performance impact on it.
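The three detection techniques listed above, applied to constructed flow records so the difference between them is visible; this is an added example, not material from the study guide. The records, the two signatures, the per-port size limits and the learning-period traffic are all assumptions chosen so that each technique catches something the other two miss. A real sensor carries thousands of rules and learns its baseline over days rather than from three records.

```python
"""Signature-, anomaly- and behavior-based NIDS detection over constructed flow records.

Added example; every record and threshold here is constructed for illustration.
"""
import re
from collections import defaultdict

# One observed connection: (src, dst, dst_port, bytes, decoded payload snippet)
Record = tuple[str, str, int, int, str]

# Signature-based: known-bad patterns (constructed; real rule sets are far larger).
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Anomaly-based: largest payload considered normal for the protocol on this port (assumed).
PROTOCOL_MAX_BYTES = {53: 512, 123: 128}


def signature_detect(records: list[Record]) -> list[tuple[str, str]]:
    """Compare each payload to the known attack signatures; returns (src, rule name) per hit."""
    hits = []
    for src, _dst, _port, _size, payload in records:
        hits.extend((src, name) for name, pattern in SIGNATURES.items() if pattern.search(payload))
    return hits


def anomaly_detect(records: list[Record]) -> list[tuple[str, int, int]]:
    """Compare traffic to typical protocol activity: oversized DNS or NTP suggests tunnelling or amplification."""
    return [(src, port, size) for src, _dst, port, size, _payload in records
            if port in PROTOCOL_MAX_BYTES and size > PROTOCOL_MAX_BYTES[port]]


def learn_baseline(training: list[Record]) -> dict[str, int]:
    """Learning period: how many distinct destinations each source normally contacts."""
    fanout: dict[str, set[str]] = defaultdict(set)
    for src, dst, *_ in training:
        fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()}


def behavior_detect(records: list[Record], baseline: dict[str, int], tolerance: int = 3) -> list[str]:
    """Compare observed fan-out to the learned baseline; a jump suggests scanning or lateral movement."""
    fanout: dict[str, set[str]] = defaultdict(set)
    for src, dst, *_ in records:
        fanout[src].add(dst)
    return sorted(src for src, dsts in fanout.items() if len(dsts) > tolerance * baseline.get(src, 1))


def analyze(training: list[Record], observed: list[Record]) -> dict:
    """Run all three techniques over the observed traffic and group the findings by technique."""
    return {
        "signature": signature_detect(observed),
        "anomaly": anomaly_detect(observed),
        "behavior": behavior_detect(observed, learn_baseline(training)),
    }


# Constructed learning-period traffic: a workstation that talks to two internal servers.
TRAINING: list[Record] = [
    ("10.0.1.10", "10.0.2.5", 445, 4000, ""),
    ("10.0.1.10", "10.0.2.6", 80, 900, "GET /intranet/ HTTP/1.1"),
    ("10.0.2.5", "10.0.2.6", 389, 300, ""),
]
# Constructed observed traffic: an injection attempt, a DNS tunnel, and an internal SSH sweep.
OBSERVED: list[Record] = [
    ("10.0.1.10", "10.0.2.6", 80, 1200, "GET /search?q=1 UNION SELECT password FROM users HTTP/1.1"),
    ("10.0.1.77", "203.0.113.9", 53, 4096, "TXT aGVsbG8gd29ybGQ..."),
    *[("10.0.1.10", f"10.0.2.{i}", 22, 60, "") for i in range(10, 20)],
]

if __name__ == "__main__":
    for technique, findings in analyze(TRAINING, OBSERVED).items():
        print(f"{technique:10s} {findings}")
```

Only the signature rule catches the injection string, only the protocol check catches the oversized DNS reply, and only the baseline comparison notices that a workstation which normally talks to two servers has started opening SSH to ten. That is why sensors run all three, and why the behavior-based rule must be trained on traffic known to be clean, or the attacker's activity becomes the baseline.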
VPC Traffic Mirroring: A feature available on cloud platforms (for example AWS VPC Traffic Mirroring) that copies traffic from an instance's network interface to a monitoring target so it can be inspected.
Wireless Intrusion Detection System (WIDS): A type of NIDS that scans the radio frequency spectrum for possible threats to the wireless network, primarily rogue access points.
Network Intrusion Prevention System (NIPS): Monitors network traffic and reacts immediately to block a malicious attack. It is placed inline with traffic, so if it is not tuned properly its false positives will block legitimate traffic.
Wireless Intrusion Prevention System (WIPS): Used to detect and restrict network access by unauthorized wireless devices; also capable of searching for and locating rogue access points.
File Integrity Monitoring (FIM): Validates the integrity of operating system and application files by comparing the current state of each file (typically its cryptographic hash) with a known-good baseline.
Simple Network Management Protocol (SNMP): A protocol used to monitor and manage network devices such as routers, switches and servers. SNMPv1 and v2c send their community strings in clear text; SNMPv3 adds authentication and encryption and should be used instead.
NetFlow: A network protocol created by Cisco that records IP traffic flowing in or out of an interface, including its source, destination, volume and path through the network.
Data Loss Prevention (DLP): A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users.
Antivirus: Software specifically designed to detect viruses and protect a computer and its files from harm. Now part of an endpoint detection and response (EDR) strategy.
Network Segmentation: Dividing a network into multiple smaller networks, each acting as its own network (subnet); this is called subnetting. The basic principle is that the failure or compromise of one segment does not impact the larger enterprise network.
Virtual LANs (VLANs): Logically segment a network so that endpoints in one VLAN are separated from endpoints in another, even on the same physical switch.
Screened Subnet: Also known as a DMZ. Commonly uses two firewalls, one between the public network and the DMZ and the other between the DMZ and the private network.
Staging Environment: A "production-like" environment used to test installation, configuration and migration scripts, and for performance testing, load testing and processes required by other teams or boundary partners.
Guest Environment: The hosts and networks made available to visitors such as the public or vendors; should be completely isolated from the internal network.
Access Control Lists (network ACLs, in a cloud VPC):
- act like a firewall for a subnet and can span multiple subnets
- are stateless, so return traffic (including ephemeral ports) needs its own rule in the opposite direction
- are evaluated before security groups, so a deny here overrules a security group allow
- rules are evaluated from the lowest number to the highest and the first match wins
- the default ACL rule denies all inbound and outbound traffic
Peer-to-Peer: A network model in which all computers on the network are equal and data may be shared from computer to computer.
Air Gap: A type of network isolation that physically separates a network from all other networks.
Jump Box: A server used to access devices placed in a secure network zone, such as a DMZ. The server spans the two networks to provide access from an administrative desktop to the managed device.
Microsegmentation: Part of a zero-trust strategy that breaks LANs into very small, highly localized zones using firewalls or similar technologies; at the limit this places a firewall at every connection point. Policies are established and enforced through software-defined networking (SDN) to limit traffic between workloads. This traffic is broadly called east-west traffic, as opposed to north-south traffic between a server and a client, which is controlled with conventional network segmentation.
Virtual Private Cloud (VPC): A subset of a public cloud with highly restricted, secure access; referred to as a Virtual Network (VNet) in Azure. Allows cloud resources to be created within a private network that parallels the functionality of the same resources in a private datacenter.
Network ACLs (NACLs): In a cloud environment, used to control inbound and outbound traffic between networks, more specifically at the subnet boundary within and between VPCs.
Security Groups: Act as a stateful firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level; they contain only allow rules.
Regions: The physical locations of data centers in a globally distributed cloud; subdivided into availability zones.
Availability Zones: Physically separate locations within a region. Each availability zone is made up of one or more datacenters with independent power, cooling and networking, offering high availability and low latency.
Data Zones: The state and location of data, used to isolate it and protect it from unauthorized access or inappropriate use. Provide clear boundaries between data types in a data lake so that quality can be assessed.
Data Zones commonly used:
- Raw Zone: contains data from multiple sources as ingested.
- Structured/Curated Zone: data quality is checked and the data is formatted for further use.
- Analytical Zone: data in this zone is used for practical purposes.
Zero Trust Architecture (ZTA): Everything is considered external; designs follow the adage "never trust, always verify" and assume breach.
NIST SP 800-207, Zero Trust Architecture: Defines zero trust as a cybersecurity paradigm that moves defenses from static, network-based perimeters to focus on users, assets and resources. Microsegmentation plays a critical role in zero trust.
Peering: Routing traffic between Virtual Private Clouds (VPCs) using a VPC peering connection.
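The network ACL evaluation rules listed above (numbered rules, lowest first, first match wins, stateless, implicit deny) as an added example that is not from the study guide or from any cloud provider's code. The rule set, addresses and ports are constructed; the semantics follow the AWS network ACL model, in which rules carry numbers and an unnumbered final rule denies whatever nothing else matched.

```python
"""Network ACL evaluation: ordered rules, first match wins, implicit default deny.

Added example; the rule set and addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int                # evaluated in ascending order
    protocol: str              # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str                  # source (inbound) or destination (outbound) range
    port_from: int
    port_to: int
    action: str                # "allow" or "deny"

    def matches(self, protocol: str, address: str, port: int) -> bool:
        proto_ok = self.protocol in ("-1", protocol)
        net_ok = ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr, strict=False)
        port_ok = self.port_from <= port <= self.port_to
        return proto_ok and net_ok and port_ok


def evaluate(rules: list[Rule], protocol: str, address: str, port: int) -> tuple[str, Optional[int]]:
    """Return (action, rule number); the number is None when the implicit '*' deny applied."""
    for rule in sorted(rules, key=lambda r: r.number):     # lowest number first, first match wins
        if rule.matches(protocol, address, port):
            return rule.action, rule.number
    return "deny", None


# Constructed inbound rule set for a public web subnet.
INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "0.0.0.0/0", 80, 80, "allow"),
    Rule(120, "tcp", "10.0.0.0/8", 22, 22, "allow"),           # SSH only from the corporate range
    Rule(90, "tcp", "198.51.100.0/24", 0, 65535, "deny"),      # numbered below the allows so it wins
    Rule(130, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),       # ephemeral ports: replies to our own outbound calls
]
# Outbound: the ACL is stateless, so replies to inbound clients need their own rule.
OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),       # replies to clients' ephemeral ports
    Rule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),          # our own HTTPS calls out
]

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", "203.0.113.7", 443))       # web client from the internet
    print(evaluate(INBOUND, "tcp", "198.51.100.9", 443))      # same port, but from the blocked range
    print(evaluate(INBOUND, "tcp", "203.0.113.7", 22))        # SSH from the internet: no rule, implicit deny
    print(evaluate(OUTBOUND, "tcp", "203.0.113.7", 51515))    # reply to a client
    print(evaluate(OUTBOUND, "udp", "203.0.113.7", 51515))    # nothing allows UDP out
```

The two things people get wrong with network ACLs are visible in the rule set: the deny for the abusive range only works because its number (90) sorts before the allows, and without rule 100 in the outbound direction every inbound web connection would be accepted and then its reply dropped. Security groups avoid the second problem because they are stateful.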
Cross Domain Solutions (CDS): Offer information assurance while providing the ability to manually or automatically access or transfer information between two or more differing security domains (for example Unclassified, Secret and Top Secret). A CDS performs content inspection and enforces a data-sharing policy; typically associated with military establishments.
Federation: A company trusts accounts created and managed by a different organization's identity provider. In business, a company may need to open parts of its network to partners, suppliers and customers.
Software Defined Networking (SDN): Uses a central control program, separate from the network devices, to manage the flow of data on a network; an SDN application defines policy decisions on the control plane.
Software Defined Networking (SDN) planes:
- Control plane: makes decisions on how traffic should be prioritized and secured, and where it should be switched.
- Data plane: handles the actual switching and routing of traffic and the imposition of access control lists (ACLs) for security.
- Management plane: monitors traffic conditions and network status.
Vertical Scaling: Adding resources to a single node, such as memory, processing power or redundant components. Also referred to as scaling up.
Horizontal Scaling: Employing multiple computers to share the workload. Also referred to as scaling out.
Content Delivery Network (CDN): A system of hardware and software that stores content in many geographical locations and serves it on demand to the local region.
Internet Exchange Point (IXP): A hub where the backbone intersects with local and regional networks, and where backbone owners connect with one another.
Virtual Desktop Infrastructure (VDI): A virtual desktop presented to a client computer by a server hosting a virtual machine. Applications run inside the VMs, which are hosted on servers in the virtualization infrastructure.
Three main types of VDI deployment:
- Hosted: generally provided by a third party that manages the entire virtualization infrastructure and provides desktop services on demand.
- Centralized: all VDI instances are hosted on a virtualization infrastructure within the enterprise. All VM images are stored centrally and delivered over the enterprise network.
- Synchronized: remote virtual desktops expand on centralized virtual desktops by adding the ability to continue working in a disconnected state without network connectivity. Requires more local computing resources than the other VDI deployments.
Bootstrapping: In a cloud setting, the set of automated tasks performed as part of the deployment of an instance. For example, a shift in utilization can trigger the deployment of additional instances to handle the increased demand, each of which bootstraps itself into a configured state.
Autoscaling: A method used in cloud computing whereby the amount of computational resources in a server farm, typically measured as the number of active servers, scales automatically based on the load on the farm. Dynamically adjusts capacity according to observed workloads.
Security Orchestration, Automation, and Response (SOAR): A system designed to automate some of the routine tasks ordinarily performed by security personnel in response to a security incident. Often a bolt-on or snap-in feature of an existing SIEM.
Virtual Machine Vulnerabilities: There is inherent risk in running multiple guest systems within a virtualization infrastructure, as each guest system increases the attack surface.
VM Escape: An attack that allows an attacker to access the host system or hypervisor from within a virtual machine, which would give the attacker access to all the VMs running on that host. The primary protection is to keep hosts and guests up to date with current patches; minimizing the virtual devices exposed to each guest reduces the attack surface further.
Privilege Escalation: The process of gaining elevated rights and permissions.
Malware typically uses a variety of techniques to gain elevated privileges.
Live VM migration
An attacker could access the VM as it is migrated from one host to another (MITM attack) and plant malicious code or exploits while the VM is in transit. Often the VM is migrated between hosts unencrypted. Mitigated by utilizing a separate VLAN.
Data Remnants in Virtualization
When VMs are migrated, replicated, or terminated, it is possible for data remnants to remain. Securely dispose of data no longer needed. Wipe data instead of deleting. Properly dispose of drives/arrays when decommissioning.
Container API
Creates and manages data containers using an application programming interface. Provides the ability to run applications outside of the traditional virtual machine/hypervisor approach.
API management and monitoring
A centralized and managed control level that provides monitoring, service level management, software development lifecycle process integration, and role-based access management across the three above layers.
Middleware
Several different types of software that sit between and provide connectivity for two or more software applications.
Interactive Application Security Testing (IAST)
Performs real-time analysis of runtime behavior, application performance, HTTP/HTTPS traffic, frameworks, components, and backend connections.
Customer Relationship Management (CRM)
Managing detailed information about individual customers and carefully managing customer touch points to maximize customer loyalty.
Enterprise Resource Planning (ERP)
Integrates all departments and functions throughout an organization into a single IT system so that employees can make decisions by viewing enterprise-wide information on all business operations.
Configuration Management Database (CMDB)
A repository that contains a collection of IT assets that are referred to as configuration items.
Content Management System (CMS)
Helps companies manage the creation, storage, editing, and publication of their website content by enabling non-technical users.
Directory Services
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
Domain Name System (DNS)
The system responsible for translating domain names into IP addresses.
Service-oriented architecture (SOA)
A method for designing and developing software applications in the form of interoperable services. These services can be reused for different purposes.
Enterprise Service Bus (ESB)
Middleware that serves as a central switchboard for communications between all enterprise services and applications.
Software Development Life Cycle
The process that a program goes through. It consists of the development, maintenance, and demise of a software system. The phases include analysis, design, coding, testing/verification, maintenance, and obsolescence.
Regression Test
The process of testing an application after changes are made to see if these changes have triggered problems in older areas of code.
Unit test
A test of each individual component (often a program) to ensure that it is as defect-free as possible.
Integration Testing
After unit testing, integration testing is done to see that the modules communicate the necessary data between and among themselves and that all modules work together smoothly.
Waterfall Model
Used during the system development life cycle (SDLC) to denote the fact that each step should be completed one at a time.
Spiral Method
Development teams combine several approaches to software development, such as incremental and waterfall, into a single hybrid method.
Agile Model
A development model that emphasizes continuous feedback and cross-functional teamwork.
SecDevOps
The process of integrating secure development best practices and methodologies into application software development and deployment processes using the agile model.
Security as Code (SaC)
Using automated methods to introduce static code analysis testing and dynamic application security testing (DAST) as applications are developed.
Infrastructure as Code (IaC)
Leveraging configuration management tools to control changes to infrastructure.
Continuous Integration (CI)
Software development method in which code updates are tested and committed to a development or build server/code repository rapidly. Developers commit and test updates often, every day or sometimes more frequently.
Continuous Delivery
A software development method where application and platform requirements are frequently tested and validated for immediate availability.
Continuous Deployment (CD)
The process that takes validated features in a staging environment and deploys them into the production environment, where they are readied for release, using configuration management platforms such as Ansible, Puppet, or Octopus Deploy.
Continuous monitoring
Continuous monitoring mechanisms designed to detect flaws, bugs, errors, and defects. Might require a locally installed agent and works with SOAR.
Continuous validation (CV)
Continuously testing and validating software to ensure that it meets the required standards and specifications. This involves automating the testing process and running tests continuously throughout the software development lifecycle to identify and address issues early in the process.
Open Web Application Security Project (OWASP)
A non-profit organization focused on improving software security that publishes secure application development resources, such as the top 10 list of the most critical application security risks.
Proper Hypertext Transfer Protocol (HTTP) headers
A number of security options can be set in the response header returned by a web server to a client. Enabling these settings is limited by compatibility and implementation considerations between the various client browsers and web application functionality.
OWASP Secure Headers Project
Describes the different HTTP response headers that your application can use. Increases the security of your application when placing calls.
Pharming
An online scam that attacks the browser's address bar. Users type in what they think is a valid website address and are unknowingly redirected to an illegitimate site that steals their personal information.
Privileged Access Management (PAM)
Policies, procedures, and support software for managing accounts and credentials with administrative permissions. Using people, processes, and technology to control, secure, monitor, and audit all identities used by people as well as services and applications.
OpenID
An open standard and decentralized protocol that is used to authenticate users in a federated identity management system. Uses the OAuth 2.0 version of the protocol.
Security Assertion Markup Language (SAML)
An XML-based standard used to exchange authentication and authorization information. AWS can function as a SAML service provider.
Shibboleth
A federated identity method based on SAML and often used by universities and public service organizations.
Transitive trust/authentication
A trusts B, B trusts C, so A trusts C. Trust models determine how organizations establish relationships between authentication services.
Discretionary Access Control (DAC)
The least restrictive access control model, in which the owner of the object has total control over it. Also the weakest model, as it makes centralized administration of security policies very difficult to enforce.
Mandatory Access Control (MAC)
Based on the idea of security clearance levels.
Rather than using ACLs on resources, each object and subject is granted a clearance level referred to as a label. Subjects are then only granted access to labeled resources at their level or below.
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.
Attribute-based access control (ABAC)
Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions. This is the most fine-grained type of access control.
Rule-Based Access Control
An access control model based on a list of predefined rules that determine what accesses should be granted. A firewall is a classic example of this model.
Single sign-on (SSO)
Using one authentication credential to access multiple accounts or applications. In Windows this is provided by the Kerberos framework.
Remote Authentication Dial-In User Service (RADIUS)
The RADIUS client is configured with the IP address of the RADIUS server and with a shared secret. Clients are switches, access points, or VPN gateways, not user laptops. This was developed in the time of dial-up networking.
Diameter
Improves upon RADIUS by addressing some of its weaknesses; for example, it has a failover mechanism because it is TCP-based, whereas RADIUS does not since it is UDP-based.
Terminal Access Controller Access-Control System Plus (TACACS+)
Cisco developed this authentication protocol. It is a reliable, connection-oriented protocol using port 49 that encrypts all data in its packets.
Lightweight Directory Access Protocol (LDAP)
A directory services protocol that runs over TCP/IP networks. The LDAP schema is extensible, meaning it can be added to or changed.
Secure LDAP (LDAPS)
A method of implementing LDAP using SSL/TLS encryption protocols to prevent eavesdropping and man-in-the-middle attacks.
Kerberos Authentication
An authentication protocol used in a Windows domain environment or on a Linux system; uses OS-generated keys, which makes this protocol more secure than having an administrator enter keys. Two services make up this system: the authentication service and the ticket granting service.
Open Authorization (OAuth)
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Extensible Authentication Protocol (EAP)
A framework for transporting authentication protocols that defines the format of the messages.
802.1X
A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2 Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.
Identity proofing
The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be, and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication.
Multifactor authentication (MFA)
Authentication scheme that requires the user to present at least two different factors as credentials; for example, something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.
Two-factor authentication
Requires the user to provide two means of authentication: what the user knows (password) and what the user has (security token).
2-step verification or out-of-band mechanisms
Generate a software token on a server and send it to a resource like a phone assumed to be safely controlled by the user. Can use SMS, push notification, email, etc.
HMAC-based one-time password (HOTP)
A password is computed from a shared secret and is synchronized between the client and the server.
Time-based one-time password (TOTP)
A one-time password that changes after a set period of time.
Hardware Root of Trust (ROT)
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.
JavaScript Object Notation (JSON) Web Token (JWT)
JSON is a subset of JavaScript that is used in the representational state transfer (REST) style of web application architecture. The web token is a method to transfer claims between two parties. Claims are encoded as JSON objects to enable them to be digitally signed.
Hypervisor Type 2
One added to an already full-featured operating system for the purpose of building labs or analysing software.
Hypervisor Type 1
Runs directly on the computer's hardware instead of on an underlying OS; used in enterprise settings to create virtual servers or appliances.
Provisioning
A term used to describe the creation of a virtual machine; would include a gold (base) image and scripts to complete further configuration.
Metadata
Assigned to resources through the use of tags and contains information such as configuration settings, purpose, owner, environment and permission levels. Each tag contains a key and value to categorize resources.
Public Cloud (or multi-tenant)
A service offered over the internet by cloud service providers such as AWS, Azure and GCP.
Multi Cloud
A cloud deployment model where the cloud consumer uses multiple public cloud services.
Private Cloud
Serves only one customer or organization and can be located on the customer's premises or off the customer's premises. Used a lot in banking.
Community Cloud
Several organizations share the same resources in a hosted private cloud or fully private cloud.
Enterprise Mobility Management (EMM)
An enterprise-wide security strategy to enforce corporate policies while enabling employee use of mobile devices such as smartphones and tablets.
Mobile Device Management (MDM)
A security strategy comprising products and services that offer remote support for mobile devices, such as smartphones, laptops, and tablets, to enforce an organization's security policy.
Trust certificates
Certificates used globally to identify trusted devices within an organization. A single certificate is used and is pushed to enrolled devices. Simple to use, but someone can easily copy the certificate to allow any device access, and any situation requiring the certificate to be revoked will impact all devices using the certificate.
Over-The-Air (OTA)
A firmware update delivered over a cellular data connection.
Near Field Communication (NFC)
A very short-range wireless connectivity technology designed for cell phones and credit cards. Used primarily for credit card transactions using a wallet such as Google Pay or Apple Pay. The information is not encrypted, so there is a possibility of eavesdropping or MITM if an attacker can find some way of intercepting the short-range communication.
Bluetooth
Wireless PAN (Personal Area Network) technology that transmits signals over short distances between cell phones, computers, and other devices.
BlueBorne Attack
Performed on Bluetooth connections to gain access and take full control of the target device.
International Mobile Subscriber Identity (IMSI)
A unique identifier that defines a subscriber in the wireless world, including the country and mobile network to which the subscriber belongs.
The IMSI is one of the pieces of information stored on a SIM card.
Evil base station
A well-resourced attacker can create an "evil base station" using a Stingray/International Mobile Subscriber Identity (IMSI) catcher. This will allow the attacker to identify the location of cell devices operating in the area. This is used by law enforcement to track criminals but can also be used by bad guys.
Wi-Fi Protected Access 3 (WPA3)
WPA3 is a new authentication standard launched in 2018. It is a more resilient version of WPA2. WPA3:
- Uses password-based authentication
- Provides better protection against password guessing attempts by using Simultaneous Authentication of Equals (SAE)
- Offers 192-bit cryptographic strength, giving additional protection for networks dealing with sensitive data
Tethering
Transforms a smartphone or Internet-capable tablet into a portable communications device that shares its Internet access with other computers and devices wirelessly; referred to as a hotspot. Can also connect over USB.
Custom DNS
DNS can protect clients by observing, tracking and customizing request/response activity. Custom DNS can block dangerous sites by refusing to resolve identified malicious hosts. Also, DNS blackholes can be set up.
DNS over HTTPS (DoH)
Encrypts DNS queries sent through HTTPS; blends DNS queries with HTTPS traffic for increased privacy and security.
Bring Your Own Device (BYOD)
Policy that allows employees to use their personal mobile devices and computers to access enterprise data and applications. This model is the most popular with employees but poses the most difficulties for security and network managers.
Corporate owned, personally enabled (COPE)
Similar to the traditional corporate-owned model, but the primary difference is that employees are free to use the device as if it was their personally owned device.
Corporate owned, business only (COBO)
Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.
Choose Your Own Device (CYOD)
Employees choose from a limited selection of approved devices, but the employee pays the upfront cost of the device while the business owns the contract.
VPN Settings
Have broad support and are implemented in three different ways.
Location services
A feature of computers and mobile devices that determines your location by using GPS or wireless networks. Can also triangulate using cell towers or Wi-Fi hotspots.
Geofencing
The use of GPS or RFID technology to create a virtual geographic boundary, enabling software to trigger a response when a mobile device enters or leaves a particular area.
Geotagging
The process of adding geographical information to various media in the form of metadata. The data usually consists of coordinates like latitude and longitude, but may even include bearing, altitude, distance and place names.
Jailbreaking
Unlocking Android and iOS mobile devices to allow users full access to the file system and full access to the kernel module.
Rooting
Term used for getting root access to the Android operating system.
Sideloading
Android allows downloading an app from an unofficial third-party website if this option is enabled.
F-Droid
Installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform.
Containerization
Allows the employer to manage and maintain the portion of the device that interfaces with the corporate network. This container isolates corporate apps from the rest of the device.
eFuses
Can be set at chip level to monitor firmware and prevent downgrades. When new firmware is installed, eFuses are burned to indicate the newly installed firmware, which prevents older versions from being installed.
Allows cryptographic keys to be permanently etched into the device so they can be trusted and used to validate the integrity of the software.
Hardening
The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services. The needs of hardening must be balanced against the needs of use.
US Department of Defense Security Technical Implementation Guide (STIG)
Popular source of guidance on hardening put out by the DoD.
SELinux (Security-Enhanced Linux)
A security mechanism that provides an additional layer of security for Linux distributions. Controls execution of software or scripts and is normally enforced using Mandatory Access Control (MAC).
SEAndroid (Security-Enhanced Android)
Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.
BIOS
Basic Input/Output System, firmware used to perform hardware initialization during the booting process. Uses a master boot record.
UEFI (Unified Extensible Firmware Interface)
An interface between firmware on the motherboard and the operating system that improves on legacy BIOS processes for booting, handing over the boot to the OS, and loading device drivers and applications before the OS loads. UEFI also manages motherboard settings and secures the boot to ensure that no rogue operating system hijacks the system. Uses a GUID partition table (GPT).
Trusted Platform Module (TPM)
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. Either part of the chipset or an embedded function of the CPU.
Secure Boot
A UEFI feature that prevents a system from booting up with drivers or an OS that are not digitally signed and trusted by the motherboard or computer manufacturer.
Measured Boot
Takes measurements of the secure boot process, signs those results with a TPM, and reports those measurements to a trusted third party such as a remote attestation service.
Attestation Services
Hardware-backed attestation is designed to protect against threats that originate prior to operating system load. Device OEMs store secure boot information in NVRAM during manufacture. This includes a Key Enrollment Key (KEK) database. The firmware is locked and will prevent changes unless updates are signed with the proper KEK.
HSM (Hardware Security Module)
An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
Self-Encrypting Drive (SED)
SEDs automatically encrypt all data on the drive, preventing attackers from accessing the data through the operating system. Eliminates the need for encryption keys to be stored in system RAM, which could be breached.
Application controls
Controls that apply to the processing of specific computer applications and can check for digital signatures. Refer to allow-lists and block-lists.
Host-based firewall
A software firewall that runs as a program on the local computer to block or filter traffic coming into and out of the computer.
Self-Healing Hardware
Has the capability to detect and react to component failures in a way that allows for continued operation, or can be preventive in nature by detecting and alerting to imminent component failure.
HIDS (host-based intrusion detection system)
A passive IDS used to monitor an individual server or workstation. Protects local resources on the host such as the operating system files.
Monitors system logs, processes, services, files and the Windows registry for changes.
HIPS (host-based intrusion prevention system)
A type of intrusion prevention that runs on a single computer, such as a client or server, to intercept and help prevent attacks against that one host. Similar to HIDS but can actually block an attack instead of just logging it.
Endpoint Detection and Response (EDR)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
UEBA (user and entity behavior analytics)
An AI-enabled system that can provide automated identification of suspicious activity by user accounts and computer hosts by comparing it to a baseline. Is heavily dependent on AI and machine learning.
Data Dispersion (Bit Splitting)
This process takes chunks of data, breaks them up, and then stores multiple copies on different physical storage to provide high durability. Data stored in this way is thus physically dispersed. A single file, for example, would not be located on a single hard drive.
Bit Splitting
Splitting up and storing encrypted information across different cloud storage services.
Serverless Computing
A modern design pattern for service delivery. Strongly associated with modern web applications like Netflix. All architecture is hosted in the cloud.
Software Defined Networking (SDN)
A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components.
Cloud Access Security Broker (CASB)
A software tool or service that enforces cloud-based security requirements. It is placed between the organization's resources and the cloud, monitors all network traffic, and can enforce security policies.
Internet of Things (IoT)
The network of products embedded with connectivity-enabled electronics.
Use Machine to Machine (M2M) communication to talk to other IoT systems.
IoT network general types of components
Hub/Control System - Uses the Zigbee or Z-Wave network. This is required as most components have no user interface.
Smart Devices - IoT components such as cameras and lightbulbs that can be taken over by bad actors.
Wearables - Such as Fitbit, smartwatches, Apple Watch, Samsung; each has its unique OS.
Sensors - IoT devices need to measure all kinds of things, including temperature, light levels, humidity, pressure, proximity, motion, gas/chemicals/smoke, heart/breathing rates, and so on.
ASIC (Application Specific Integrated Circuit)
An integrated circuit designed for a particular use instead of for general-purpose uses. This is used for Ethernet switching.
Field Programmable Gate Array (FPGA)
A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.
System on a Chip (SoC)
A modern microprocessor that contains the CPU, memory, and peripheral interfaces; a miniature computer; an example is the Raspberry Pi.
Industrial Control Systems (ICS)
Used to control industrial processes such as manufacturing, product handling, production, and distribution. Water systems, energy, etc.
Human Machine Interface (HMI)
Input and output controls on a PLC to allow a user to configure and monitor the system.
Data Historian
Software that aggregates and catalogs data from multiple sources within an industrial control system.
SCADA (supervisory control and data acquisition)
A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.
Programmable Logic Controller (PLC)
A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.
HVAC (Heating, Ventilation and Air Conditioning)
Systems that provide and regulate heating and cooling.
Controller Area Network (CAN)
A multi-master serial bus that allows connectivity between the various microcontrollers in an automobile.
Modbus
A communications protocol used in operational technology networks.
Operational Technology (OT)
A communications network designed to implement an industrial control system rather than data networking. Modbus is the communication protocol.
Data Distribution Service (DDS)
Provides network interoperability and facilitates the required scalability, performance, and QoS features.
Safety Instrumented System (SIS)
Returns an industrial process to a safe state after a predetermined condition is detected.
PKI (Public Key Infrastructure)
An encryption system that is composed of a CA, certificates, software, services, and other cryptographic components, for the purpose of verifying authenticity and enabling validation of data and entities. For confidential messages, the public key is used to encrypt the message. The message can then only be decrypted by the associated private key, which is protected and accessible to its owner only.
Code signing
The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.
Data at rest
Data that is stored in some sort of persistent storage media.
Data in Transit (motion)
Data that is moving between computing nodes over a data network such as the Internet.
Data in Use
Data that is currently being updated, processed, erased, accessed, or read by a system. The state when data is present in volatile memory such as system RAM or CPU registers and cache.
Trusted Execution Environment (TEE)
Provides a fully isolated execution environment that runs alongside the main OS and is able to encrypt data as it exists in memory so that an untrusted process cannot decode the information.
Digital Certificate
A public assertion of identity, validated by a certificate authority (CA).
Also, a notice that guarantees a user or a website is legitimate.
Secure authentication
A user name and password are required, and that information is encrypted before it is sent across the Internet, so that anyone who intercepts the data will not be able to read it. Clients can present a client certificate to a server to identify themselves as an authorized device.
Smart card authentication
A device similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.
Federated PKI
A set of independent PKI hierarchies (each supporting trust domains and each with its own root CA) that are defined by a common set of policies that shape the trust relationship between them.
Certificate Authority (CA)
A trusted third-party agency that is responsible for issuing digital certificates. For public or business-to-business communications, however, the CA must be trusted by each party.
Intermediate CA
Subordinate organizatio

Institution
WGU D488 Cybersecurity Architecture
Course
WGU D488 Cybersecurity Architecture

Content preview

Cybersecurity



WGU D488 CYBERSECURITY
ARCHITECTURE AND ENGINEERING
STUDY GUIDE FOR END SEMESTER
PAPER EXAM 2026

Impact
The severity of a threat if realized.
Single Loss Expectancy (SLE)
The amount of loss in a single occurrence of the risk factor.
Annual Rate of Occurrence (ARO)
The number of single occurrences that happen in a year.
Annual Loss Expectancy (ALE)
Estimate of the amount of loss that occurs over a year.


ALE = SLE x ARO
Quantitative risk
The challenge of quantitative risk is that the cost of components or equipment is not
always clear.
Mean Time To Recovery (MTTR)
The average time that a device will take to recover from any failure.
Mean Time Between Failures (MTBF)
The average length of time between failures of a product or component.
List Cybersecurity Framework 5 core functions
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
Residual Risk
The risk that remains after management implements internal controls or some other
response to risk.
Risk Appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To
avoid undue risk, risk appetite must be in alignment with company strategy.
ISO 31000 Framework
- used to integrate the risk management process into an organization's management and
operational systems
- can be adapted to an organization's specific operations and objectives
Begins with an evaluation of an organization's risk contexts, including all major factors
both inside and outside the organization that affect its objectives and operations.
COBIT Framework
- current framework version is COBIT5
- based on the following principles:
- meeting stakeholder needs
- covering the enterprise end-to-end
- applying a single, integrated framework
- enabling a holistic approach
- separating governance from management
COSO
Committee of Sponsoring Organizations of the Treadway Commission; an initiative of 5
private sector organizations collaborating on the development of risk management
frameworks.
Risk Management Life cycle phases
Identify
Assess
Control
Review
NIST Cybersecurity Framework core
Identify
Protect
Detect
Respond
Recover
KPI (Key Performance Indicator)
A formal mechanism designed to measure performance of a program against desired
goals.
Key risk indicators (KRIs)
Metrics that provide an early warning of increasing levels of uncertainty in a particular
business area.
Risk Register
A document in which the results of risk analysis and risk response planning are
recorded.
Tradeoff analysis
Comparing potential benefits to potential risks and determining a course of action based
on adjusting the factors that contribute to each area.
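Worked example for the ALE formula above and for tradeoff analysis, applied to a small risk register. This is added here and is not part of the study guide; the register entries and cost figures are constructed, not from any real assessment. Risks whose SLE is unknown are flagged rather than given an invented number (the quantitative-risk caveat above), and the control evaluation uses the standard net-benefit test, ALE before minus ALE after minus the control's annual cost, which the guide does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    """One row of a risk register (quantitative fields only)."""
    name: str
    sle: Optional[float]  # Single Loss Expectancy; None when the cost is not clear
    aro: float            # Annual Rate of Occurrence (expected events per year)

    def ale(self) -> Optional[float]:
        """Annual Loss Expectancy: ALE = SLE x ARO. None if the SLE is unknown."""
        if self.sle is None:
            return None
        return self.sle * self.aro


def rank_register(risks: List[Risk]) -> Tuple[List[Risk], List[Risk]]:
    """Split a register into risks ranked by ALE (highest first) and risks
    that cannot be quantified because no defensible SLE exists."""
    quantified = [r for r in risks if r.ale() is not None]
    unquantified = [r for r in risks if r.ale() is None]
    ranked = sorted(quantified, key=lambda r: r.ale(), reverse=True)
    return ranked, unquantified


def control_net_benefit(risk: Risk, residual_aro: float,
                        annual_control_cost: float,
                        residual_sle: Optional[float] = None) -> float:
    """Tradeoff analysis for one control:
    net benefit = ALE before - ALE after - annual cost of the control.
    A control may lower ARO (fewer incidents), SLE (smaller incidents), or both.
    A positive result means the control pays for itself on quantitative grounds."""
    if risk.sle is None:
        raise ValueError(f"{risk.name}: SLE unknown, quantitative tradeoff not possible")
    sle_after = risk.sle if residual_sle is None else residual_sle
    ale_before = risk.ale()
    ale_after = sle_after * residual_aro
    return ale_before - ale_after - annual_control_cost


def build_register() -> List[Risk]:
    # Constructed sample register; all figures are hypothetical.
    return [
        Risk("Ransomware on file server", sle=250_000, aro=0.2),
        Risk("Laptop theft", sle=4_000, aro=5),
        Risk("Data-center power outage", sle=30_000, aro=1.5),
        Risk("Web application data breach", sle=None, aro=0.1),  # cost unclear
    ]


if __name__ == "__main__":
    ranked, unquantified = rank_register(build_register())
    print("Risk register ranked by ALE:")
    for r in ranked:
        print(f"  {r.name:32s} SLE={r.sle:>10,.0f} ARO={r.aro:<5} ALE={r.ale():>10,.0f}")
    for r in unquantified:
        print(f"  {r.name:32s} SLE unknown: needs qualitative assessment")

    # Hypothetical control: EDR on the file server at 15,000/yr, ARO 0.2 -> 0.05
    top = ranked[0]
    net = control_net_benefit(top, residual_aro=0.05, annual_control_cost=15_000)
    print(f"\nNet annual benefit of EDR control against '{top.name}': {net:,.0f}")
```

Running the file prints the ranked register, lists the entry that cannot be quantified, and prints the net annual benefit of the hypothetical control; a negative net benefit means the control costs more per year than the loss it averts.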
Managing people risks
Separation of duties
Job rotation
Mandatory vacation
Least Privilege
Employment and Termination Procedures
Software as a Service (SaaS)
Represents the lowest amount of responsibility for the customer, as the facilities, utilities,
physical security, platform and applications are the responsibility of the provider.
Platform as a Service (PaaS)
Provides a selection of operating systems that can be loaded and configured by the
customer; the underlying infrastructure, facilities, utilities, and physical security are the
responsibility of the provider.
Infrastructure as a Service (IaaS)
Provides the hardware hosted at the provider's facility, using the provider's physical
security controls and utilities, such as power.
Vendor Lock-in
When a customer is completely dependent on a vendor for products or services
because switching is either impossible or would result in substantial complexity and
costs.
Vendor Lock-out
When a vendor's product is developed in a way that makes it unable to interoperate with
other products: integration with other vendors' products is not a feasible option or does
not exist.
Vendor Viability
A vendor that has a viable and in-demand product and the financial means to remain in
business on an ongoing basis.
Source Code Escrow
An arrangement in which a copy of vendor-developed source code is deposited with a
trusted third party and released to the customer if the vendor ceases to be in business.
Support Availability
Defines the steps taken to verify the type and level of support to be provided by the
vendor for their product or service. Often defined by an SLA.
Meeting client requirements
Describes the formal measures taken to validate that the vendor's delivered service or
product offering aligns to established requirements.
Incident Reporting Requirements
Legal contracts should clearly identify the requirement for vendors to provide timely
notification regarding any security incidents.
Supply Chain
Describes all of the suppliers, vendors, and partners needed to deliver a final product.
Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR)
Program that demonstrates a cloud service provider's adherence to key principles of
transparency, auditing, and best-practice security operations.
System and Organization Controls (SOC)