Computer Security Terminology#
Lecture 3: Essential Security Vocabulary#
Press Space for next page
layout: default#
Why Security Terminology Matters#
๐ฏ Learning Objectives#
- Define key security terms accurately
- Understand relationships between concepts
- Apply terminology in practical scenarios
- Communicate effectively with security professionals
๐ Today’s Key Terms#
- Adversary (Threat Agent)
- Attack and Attack Vectors
- Countermeasure and Controls
- Risk and Risk Management
- Security Policy
- System Resource (Asset)
- Threat and Threat Modeling
- Vulnerability Assessment
๐ Term Relationships#
graph TB
A[Adversary] --> B[Exploits]
B --> C[Vulnerability]
C --> D[In System Resource]
A --> E[Uses Attack]
E --> F[Creates Risk]
F --> G[Mitigated by]
G --> H[Countermeasure]
H --> I[Guided by]
I --> J[Security Policy]
style A fill:#ffebee
style C fill:#e8f5e8
style D fill:#e3f2fd
style F fill:#fff3e0
style H fill:#f3e5f5
layout: default#
Adversary (Threat Agent)#
๐ญ Definition#
An adversary (or threat agent) is any individual, group, or entity that poses a potential threat to an information system by attempting unauthorized access, disruption, or destruction.
๐ท๏ธ Classification by Motivation#
- Financial gain - Cybercriminals
- Political agenda - Hacktivists
- National interests - Nation-state actors
- Personal reasons - Disgruntled employees
- Fame/recognition - Script kiddies
- Espionage - Corporate spies
๐ฏ Classification by Skills#
- Novice - Limited technical skills
- Advanced - Sophisticated techniques
- Expert - Nation-state level capabilities
๐ฅ Types of Adversaries#
๐ดโโ ๏ธ External Threat Actors#
- Cybercriminals - Organized crime groups
- Nation-states - Government-sponsored
- Hacktivists - Politically motivated
- Competitors - Industrial espionage
- Script kiddies - Amateur hackers
๐ข Internal Threat Actors#
- Malicious insiders - Intentional harm
- Careless employees - Accidental exposure
- Compromised accounts - Hijacked credentials
- Third-party vendors - Supply chain risks
๐ Adversary Capabilities Matrix#
| Type | Resources | Skills | Persistence | Examples |
|---|---|---|---|---|
| Script Kiddie | Low | Low | Low | Individual hackers |
| Cybercriminal | Medium | High | Medium | Ransomware groups |
| Nation-State | High | Expert | High | APT groups |
layout: default#
Attack: Methods and Vectors#
โ๏ธ Definition#
An attack is a deliberate action taken by an adversary to compromise the security of a system by exploiting vulnerabilities to gain unauthorized access, disrupt operations, or steal information.
๐ฏ Attack Classifications#
By Target#
- Network attacks - Infrastructure focused
- Application attacks - Software focused
- Physical attacks - Hardware/facility focused
- Social engineering - Human focused
By Method#
- Active attacks - Modify system/data
- Passive attacks - Monitor/eavesdrop
- Direct attacks - Target specific system
- Indirect attacks - Use intermediate systems
๐ Common Attack Vectors#
๐ง Email-based Attacks#
- Phishing - Deceptive emails
- Spear phishing - Targeted attacks
- Malware attachments
- Business Email Compromise (BEC)
๐ Network-based Attacks#
- DDoS - Service disruption
- Man-in-the-Middle - Traffic interception
- DNS poisoning - Traffic redirection
- Port scanning - Reconnaissance
๐ป Application Attacks#
- SQL injection - Database manipulation
- Cross-site scripting (XSS) - Web exploitation
- Buffer overflow - Memory corruption
- Zero-day exploits - Unknown vulnerabilities
๐ค Social Engineering#
- Pretexting - False scenarios
- Baiting - Malicious media/downloads
- Tailgating - Physical access following
layout: default#
Attack Lifecycle & Kill Chain#
๐ Cyber Kill Chain#
7-Stage Attack Process#
- Reconnaissance - Target research
- Weaponization - Malware creation
- Delivery - Attack transmission
- Exploitation - Vulnerability execution
- Installation - Malware deployment
- Command & Control - Remote access
- Actions on Objectives - Goal achievement
graph LR
A[Recon] --> B[Weaponize]
B --> C[Deliver]
C --> D[Exploit]
D --> E[Install]
E --> F[C2]
F --> G[Actions]
style A fill:#ffebee
style B fill:#fff3e0
style C fill:#e8f5e8
style D fill:#e3f2fd
style E fill:#f3e5f5
style F fill:#fce4ec
style G fill:#e0f2f1
โฑ๏ธ Attack Timeline Analysis#
Stage 1-3: Pre-Exploitation#
- Duration: Days to months
- Detection: Often missed
- Prevention: Most effective
- Cost: Lowest to defend
Stage 4-5: Initial Compromise#
- Duration: Minutes to hours
- Detection: Possible with good tools
- Prevention: Some options available
- Cost: Moderate to defend
Stage 6-7: Post-Exploitation#
- Duration: Weeks to years
- Detection: Most visible activity
- Prevention: Limited options
- Cost: Highest to remediate
๐ก๏ธ Defense Strategies#
- Early detection is most cost-effective
- Multiple layers increase difficulty
- Threat intelligence improves reconnaissance detection
- User training disrupts social engineering
layout: default#
Countermeasure: Security Controls#
๐ก๏ธ Definition#
A countermeasure (or security control) is any action, device, procedure, or technique that reduces or eliminates a security threat or vulnerability.
๐ Control Classifications#
By Function#
- Preventive - Stop incidents before they occur
- Detective - Identify ongoing/completed incidents
- Corrective - Respond to and recover from incidents
- Deterrent - Discourage potential attackers
- Compensating - Alternative when primary fails
By Implementation#
- Administrative - Policies, procedures, training
- Technical - Hardware, software, technology
- Physical - Locks, cameras, barriers
๐ง Control Examples by Type#
๐ Preventive Controls#
- Firewalls - Block unauthorized traffic
- Access controls - Limit system access
- Encryption - Protect data confidentiality
- Input validation - Prevent malicious data
- Security awareness training
๐ Detective Controls#
- Intrusion Detection Systems (IDS)
- Security Information Event Management (SIEM)
- Audit logs and monitoring
- Vulnerability scanning
- Security cameras
๐ง Corrective Controls#
- Incident response procedures
- Backup and recovery systems
- Antivirus and anti-malware
- Patch management
- Business continuity plans
layout: default#
Risk: Understanding and Managing Uncertainty#
โก Definition#
Risk is the potential for loss or damage when a threat exploits a vulnerability. It represents the likelihood and impact of adverse events.
๐งฎ Risk Formula#
Risk = Threat ร Vulnerability ร Impact
Risk Components#
- Threat - Source of potential harm
- Vulnerability - Weakness that can be exploited
- Impact - Potential consequences
- Likelihood - Probability of occurrence
๐ Risk Assessment Process#
- Asset identification - What needs protection?
- Threat identification - What can cause harm?
- Vulnerability assessment - Where are weaknesses?
- Impact analysis - What are consequences?
- Risk calculation - Quantify the risk
- Risk treatment - How to respond?
๐ฏ Risk Management Strategies#
1. Risk Avoidance#
- Eliminate the risk entirely
- Don’t engage in risky activities
- Example: Not connecting critical systems to internet
2. Risk Mitigation#
- Reduce likelihood or impact
- Implement security controls
- Example: Install firewalls and antivirus
3. Risk Transfer#
- Shift risk to another party
- Insurance or outsourcing
- Example: Cyber insurance policies
4. Risk Acceptance#
- Accept the risk as-is
- Cost of control > value protected
- Example: Legacy system with low value
๐ Risk Appetite vs Risk Tolerance#
- Risk Appetite - Desired risk level
- Risk Tolerance - Maximum acceptable risk
- Risk Capacity - Ability to absorb risk
layout: default#
Security Policy: The Foundation of Security#
๐ Definition#
A security policy is a formal set of rules, guidelines, and procedures that define how an organization manages, protects, and distributes sensitive information and resources.
๐ฏ Policy Purposes#
- Establish security requirements
- Define acceptable behavior
- Assign responsibilities and roles
- Provide legal protection
- Guide security decisions
- Ensure compliance with regulations
๐ Types of Security Policies#
- Organizational - High-level strategy
- Functional - Specific areas (email, internet)
- Technical - Implementation details
- Regulatory - Compliance requirements
๐ Policy Components#
1. Policy Statement#
- Purpose and scope
- Applicability (who, what, when)
- Authority and responsibilities
2. Standards#
- Specific requirements to meet policy
- Measurable criteria
- Technical specifications
3. Procedures#
- Step-by-step instructions
- Implementation guidelines
- Operational details
4. Guidelines#
- Best practices and recommendations
- Flexible suggestions
- Context-specific advice
๐ Policy Lifecycle#
graph LR
A[Develop] --> B[Approve]
B --> C[Implement]
C --> D[Monitor]
D --> E[Review]
E --> F[Update]
F --> A
layout: default#
System Resource (Asset): What We Protect#
๐ Definition#
A system resource (or asset) is any hardware, software, data, facility, person, or service that has value to an organization and requires protection from threats.
๐ Asset Classification#
๐ท๏ธ By Type#
- Information assets - Data, databases, files
- Software assets - Applications, systems, code
- Physical assets - Hardware, facilities, equipment
- Human assets - Personnel, contractors, partners
- Service assets - Utilities, communications, cloud
๐ฐ By Value#
- Critical - Mission essential
- Important - Business impact
- Useful - Convenience/efficiency
- Non-essential - Minimal impact
๐ Asset Inventory Process#
1. Asset Discovery#
- Network scanning for IT assets
- Interviews for information assets
- Physical surveys for equipment
- Documentation review
2. Asset Classification#
- Categorize by type and criticality
- Assign ownership and custodianship
- Determine protection requirements
- Document dependencies
3. Asset Valuation#
- Replacement cost - Cost to replace
- Revenue impact - Lost business
- Competitive advantage - Strategic value
- Legal/regulatory - Compliance costs
๐ Asset Management#
- Maintain accurate inventory
- Track asset lifecycle
- Monitor asset usage
- Update valuations regularly
- Retire obsolete assets
layout: default#
Threat: Sources of Potential Harm#
โก Definition#
A threat is any potential event, action, or circumstance that could cause harm to an information system, its users, or the organization by exploiting vulnerabilities.
๐ท๏ธ Threat Categories#
๐ Natural Threats#
- Weather - Floods, hurricanes, earthquakes
- Fire - Electrical, human-caused
- Environmental - Temperature, humidity
๐ค Human Threats#
- Intentional - Malicious actors
- Unintentional - Human error, accidents
- Negligence - Failure to follow procedures
๐ง Technical Threats#
- Hardware failures - Equipment breakdown
- Software bugs - Programming errors
- System crashes - Overload, corruption
๐ฏ Threat Modeling Process#
1. System Understanding#
- Identify system components
- Map data flows
- Document trust boundaries
- List assumptions
2. Threat Identification#
- Brainstorm potential threats
- Use threat libraries (STRIDE)
- Consider attack trees
- Research current threats
3. Threat Analysis#
- Assess likelihood and impact
- Prioritize by risk level
- Consider existing controls
- Identify gaps
4. Mitigation Planning#
- Select appropriate countermeasures
- Balance cost vs. benefit
- Plan implementation
- Document decisions
๐ STRIDE Threat Model#
- Spoofing - Identity theft
- Tampering - Data modification
- Repudiation - Denying actions
- Information Disclosure - Data leakage
- Denial of Service - Availability loss
- Elevation of Privilege - Unauthorized access
layout: default#
Vulnerability: System Weaknesses#
๐ Definition#
A vulnerability is a weakness or flaw in a system that can be exploited by a threat to gain unauthorized access, cause harm, or compromise security.
๐ Vulnerability Types#
๐ฅ๏ธ Technical Vulnerabilities#
- Software bugs - Programming errors
- Misconfigurations - Improper settings
- Unpatched systems - Missing updates
- Weak cryptography - Poor algorithms/keys
- Design flaws - Architectural issues
๐ฅ Human Vulnerabilities#
- Lack of training - Security unawareness
- Social engineering susceptibility
- Poor password practices
- Insider threats
- Process violations
๐ข Physical Vulnerabilities#
- Unsecured facilities
- Environmental hazards
- Hardware tampering
- Inadequate access controls
๐ Vulnerability Assessment#
1. Discovery Methods#
- Automated scanning - Network/web/database
- Manual testing - Penetration testing
- Code review - Source code analysis
- Configuration review - Settings audit
- Documentation review - Policy gaps
2. Scoring Systems#
CVSS (Common Vulnerability Scoring System):
Base Score: 0.0 - 10.0
- None: 0.0
- Low: 0.1 - 3.9
- Medium: 4.0 - 6.9
- High: 7.0 - 8.9
- Critical: 9.0 - 10.0
3. Vulnerability Lifecycle#
graph LR
A[Discovery] --> B[Analysis]
B --> C[Disclosure]
C --> D[Patching]
D --> E[Verification]
E --> F[Closure]
layout: default#
Putting It All Together: The Security Ecosystem#
๐ Security Relationship Model#
graph TB
subgraph "Organization"
A[System Resources<br/>Assets]
B[Security Policy<br/>Governance]
end
subgraph "Threat Environment"
C[Adversary<br/>Threat Agent]
D[Threat<br/>Potential Harm]
end
subgraph "System State"
E[Vulnerability<br/>Weakness]
F[Attack<br/>Exploitation]
end
subgraph "Defense"
G[Countermeasure<br/>Security Control]
H[Risk Management<br/>Decision Process]
end
C --> D
D --> F
F --> E
E --> A
A --> H
H --> G
G --> E
B --> G
B --> H
style A fill:#e3f2fd
style B fill:#f3e5f5
style C fill:#ffebee
style D fill:#fff3e0
style E fill:#e8f5e8
style F fill:#fce4ec
style G fill:#e0f2f1
style H fill:#f1f8e9
layout: default#
Real-World Terminology Application#
๐ฆ Banking Scenario#
๐ Situation#
Online banking platform experiencing unusual login attempts
๐ Terminology Application#
- Asset: Customer account database
- Adversary: Cybercriminal organization
- Threat: Credential stuffing attack
- Vulnerability: Weak account lockout policy
- Attack: Automated login attempts using stolen credentials
- Risk: High - potential financial theft and reputation damage
- Countermeasures:
- Multi-factor authentication
- Account lockout after failed attempts
- Real-time monitoring and alerting
- Policy: Authentication and access control standards
๐ฅ Healthcare Scenario#
๐ Situation#
Hospital staff received phishing emails requesting login credentials
๐ Terminology Application#
- Asset: Electronic health records system
- Adversary: Potentially nation-state actor
- Threat: Spear-phishing campaign
- Vulnerability: Insufficient security awareness training
- Attack: Email with malicious links targeting healthcare workers
- Risk: Critical - patient safety and HIPAA violations
- Countermeasures:
- Email security filtering
- Security awareness training
- Incident response procedures
- Network segmentation
- Policy: Email security and user awareness policy
layout: default#
Practical Exercise: Terminology Mapping#
๐ฏ Individual Activity (15 minutes)#
Scenario: E-Learning Platform#
Your organization operates an online learning platform with:
- 50,000 student accounts
- Course content and video lectures
- Payment processing system
- Student grade databases
- Mobile applications
Your Task: Complete the Security Analysis#
- Identify Assets (at least 5)
- List Potential Adversaries (3 types)
- Describe Threats (5 different threats)
- Find Vulnerabilities (common weaknesses)
- Suggest Attacks (how threats exploit vulnerabilities)
- Calculate Risk (likelihood ร impact for top 3)
- Recommend Countermeasures (preventive, detective, corrective)
- Policy Requirements (what policies are needed)
layout: default#
Common Terminology Mistakes#
โ Frequent Errors#
Threat vs Risk Confusion#
- Wrong: “The risk is hackers”
- Right: “The threat is hackers, the risk is data breach”
Vulnerability vs Attack Mix-up#
- Wrong: “SQL injection is a vulnerability”
- Right: “SQL injection is an attack that exploits input validation vulnerabilities”
Asset vs Data Confusion#
- Wrong: “Our asset is customer information”
- Right: “Our information asset includes customer data stored in the CRM database”
Countermeasure Overuse#
- Wrong: “Firewalls are the countermeasure”
- Right: “Firewalls are one countermeasure in a layered security approach”
โ Best Practices#
Precise Language#
- Use specific terms rather than generic ones
- Define context when terms could be ambiguous
- Distinguish between related concepts
- Verify understanding in communications
Documentation Standards#
- Maintain glossaries for organizational terms
- Update terminology as industry evolves
- Train staff on proper usage
- Review communications for accuracy
Communication Tips#
- Tailor vocabulary to audience knowledge level
- Explain technical terms to non-technical stakeholders
- Use examples to illustrate abstract concepts
- Confirm comprehension before proceeding
layout: default#
Industry Terminology Standards#
๐ Standard Vocabularies#
NIST SP 800-39#
Risk Management Terminology
- Comprehensive risk definitions
- Federal government standard
- Widely adopted framework
ISO/IEC 27000#
Information Security Vocabulary
- International standard
- Detailed security terminology
- Management system focus
NIST Cybersecurity Framework#
Framework-specific Terms
- Identify, Protect, Detect, Respond, Recover
- Industry-neutral language
- Practical implementation focus
๐ญ Industry-Specific Terms#
Financial Services#
- PCI DSS - Payment card terminology
- Basel III - Risk management terms
- SOX - Financial reporting security
Healthcare#
- HIPAA - Privacy and security terms
- HITECH - Health information technology
- FDA - Medical device security
Government#
- FISMA - Federal information systems
- Common Criteria - Security evaluation
- CNSSI - National security systems
Key Benefits#
- Consistency across organizations
- Regulatory compliance
- Professional communication
- Knowledge transfer
layout: default#
Building Your Security Vocabulary#
๐ Continuous Learning#
Daily Practice#
- Read security news and reports
- Join professional forums and groups
- Attend webinars and conferences
- Take online courses and certifications
Professional Development#
- Security certifications (Security+, CISSP)
- Industry publications (CSO, Dark Reading)
- Research papers and white papers
- Vendor documentation and guides
Practical Application#
- Use terms correctly in documentation
- Explain concepts to colleagues
- Participate in security discussions
- Mentor others learning security
๐ฏ Mastery Indicators#
You Know You’re Proficient When:#
- Explain security concepts to non-technical audiences
- Distinguish between similar terms accurately
- Use terminology consistently in documentation
- Understand context-specific meanings
- Recognize when terms are misused
Career Benefits#
- Clear communication with stakeholders
- Professional credibility
- Effective documentation
- Better problem-solving
- Leadership readiness
Assessment Tools#
- Self-evaluation checklists
- Peer review of communications
- Certification exams
- Professional feedback
layout: default#
Next Lecture Preview#
๐ Lecture 4: Advanced Security Concepts#
๐ฏ Topics Coming Up:#
- Security policies in depth
- System resources management
- Threat modeling methodologies
- Vulnerability management lifecycle
๐ Preparation Tasks:#
- Review today’s terminology definitions
- Research a recent security incident
- Identify the terminology elements in the incident
- Think about your organization’s assets
๐ Key Takeaways#
Master the Fundamentals#
- Terminology is the foundation of security knowledge
- Precise language improves communication
- Relationships between terms matter
- Context determines appropriate usage
Practice Application#
- Use terms correctly in daily work
- Build comprehensive security vocabulary
- Stay current with evolving terminology
- Teach others to reinforce learning
layout: center class: text-center#
Questions & Discussion#
๐ค Discussion Questions:#
- Which terminology concept was most challenging?
- How do you see these terms applying in your field?
- What terminology gaps exist in your organization?
๐ก Exercise Review#
Share findings from your e-learning platform analysis
layout: center class: text-center#
Thank You!#
Next Lecture: Advanced Security Concepts#
Deep Dive into Policies, Resources, and Threat Modeling#
Cyber Security (4353204) - Lecture 3 Complete
Words matter in security! ๐๐