Security+ Glossary
Every term here appears somewhere on this site. in an error message, a playbook, or a lesson. and is aligned to the CompTIA Security+ SY0-701 exam domains. Terms are grouped by domain so students can see which areas they are developing through competition preparation. Click any term to see the formal definition, its NCAE context, and the error patterns it's associated with.
1.0 General Security Concepts (6 terms)
CIA triad
Confidentiality, Integrity, Availability. the three core goals of information security. **Confidentiality** = only authorized entities can read the data. **Integrity** = data hasn…
Defense in depth
Layer multiple, independent security controls so that if one fails, others still protect the asset. Not a specific control. an architectural pattern.
Least privilege
Every user, process, and system component is granted only the permissions needed to do its job. nothing more. A web server runs as `www-data`, not root; `torch_bearer` has INSERT …
Non-repudiation
Cryptographic evidence that an actor performed an action, such that they cannot later credibly deny it. Typically provided by digital signatures + tamper-proof logs.
Risk assessment
The process of identifying assets, threats, vulnerabilities, and impact, then quantifying risk as (likelihood × impact). Output: a ranked list of what to protect first.
Zero trust
An architecture where no user, device, or request is trusted by default. every request is authenticated and authorized regardless of origin. Replaces the older 'castle-and-moat' m…
2.0 Threats (13 terms)
Command injection
A vulnerability where user-supplied input is passed to a shell interpreter, letting the attacker append arbitrary commands. Classic: `system("ping " + user_input)` with input `; r…
Cross-Site Scripting (XSS)
A vulnerability where user input is rendered in a web page without escaping, letting an attacker run JavaScript in someone else's browser. Types: stored (persisted in the DB), ref…
Denial of Service (DoS)
An attack that makes a service unavailable to legitimate users. Can be resource exhaustion (flooding), protocol abuse, or configuration tampering (e.g., changing a password the sc…
Kernel exploit
An exploit that abuses a bug in the kernel to escalate from userspace to root. Examples: Dirty Pipe (CVE-2022-0847), Dirty COW (CVE-2016-5195), CVE-2021-4034 (PwnKit).
Lateral movement
Moving from a compromised host to other hosts inside the network. Techniques: reused SSH keys, pass-the-hash (Windows), SMB shares, remote command execution via PsExec/WinRM.
Malware
Malicious software, broadly. Categories: virus (attaches to a host file), worm (self-propagates), trojan (disguised), rootkit (hides itself), ransomware (encrypts data), RAT (remo…
Persistence
Techniques an attacker uses to maintain access to a compromised system across reboots, credential changes, and system updates. Common mechanisms: cron jobs, systemd services/timer…
Privilege escalation
Moving from a low-privilege account (e.g., `www-data`) to a higher one (e.g., `root`). Vertical privesc = gaining more privileges on the same system. Horizontal privesc = accessin…
Reverse shell
A shell where the *victim* connects outbound to the attacker instead of the attacker connecting inbound. Defeats a typical inbound-only firewall. Classic bash idiom: `bash -i >& /…
SQL injection (SQLi)
A vulnerability where user input is concatenated into a SQL query, letting the attacker change query semantics. Classic: `' OR 1=1 --` as a password to log in without one.
SUID (Set-User-ID)
A Linux file permission bit that causes an executable to run with the permissions of its *owner* rather than the user invoking it. `chmod u+s file` sets it. Shown as `rws` (the `s…
Social engineering
Manipulating humans instead of machines: phishing (fake emails), pretexting (inventing a story), baiting (leaving a USB drive), tailgating (following someone through a door).
Web shell
A small script uploaded to a web server that lets an attacker run shell commands via HTTP requests. Classic form: a PHP file that does `system($_GET['cmd'])`.
3.0 Security Architecture (18 terms)
Asymmetric encryption
Encryption where a public key encrypts and a private key decrypts (or the reverse for signatures). Slower than symmetric but solves key-distribution. Examples: RSA, ECDSA, Ed25519.
Authentication vs Authorization (AuthN / AuthZ)
**Authentication (AuthN)** proves who students are (password, key, token). **Authorization (AuthZ)** decides what an authenticated identity is allowed to do. Distinct concerns. a …
DMZ (Demilitarized Zone)
A network segment that hosts externally-facing services (web, mail, DNS) in isolation from the internal network. Compromise of a DMZ host shouldn't directly reach internal.
Firewall
A network control that allows or denies packets based on rules (source/destination IP, port, protocol, state). Stateful firewalls also track connection state to allow return traff…
Hashing
A one-way function producing a fixed-size digest from input. Cryptographically secure hashes (SHA-256, BLAKE2) are collision-resistant. MD5 and SHA-1 are broken and should not be …
ICMP
Internet Control Message Protocol. Ping and traceroute use it. Also carries 'destination unreachable' and 'time exceeded' diagnostics. Not TCP or UDP. its own IP protocol (1).
NAT (Network Address Translation)
A router technique that rewrites packet addresses so multiple internal hosts can share one public IP (SNAT/masquerade) or so external traffic can reach internal services (DNAT/por…
OSI model
A 7-layer conceptual model for network communication: Physical, Data Link, Network, Transport, Session, Presentation, Application. Cable Ethernet IP TCP . HTTP.
Port forwarding
A DNAT rule that maps an external (public) port on the router to an internal (private) host+port, so external traffic can reach an internal service.
Principle of least functionality
A system should only run services, have open ports, and include software necessary for its role. Minimize attack surface by removing everything else.
Public Key Infrastructure (PKI)
The system of CAs (Certificate Authorities), certificates, CRLs (revocation lists), and trust stores that underpins TLS, code signing, and authenticated email (S/MIME).
Salt
A random value added to a password before hashing, so identical passwords hash to different values. Defeats rainbow-table attacks. Stored alongside the hash.
Segmentation
Dividing a network into smaller zones (VLANs, subnets, or software-defined) to limit lateral movement. Complementary to DMZ.
Symmetric encryption
Encryption where the same key is used to encrypt and decrypt. Fast, but requires secure key distribution. Examples: AES, ChaCha20.
TCP three-way handshake
How TCP connections establish: client sends SYN, server answers SYN+ACK, client acknowledges with ACK. Until the handshake completes, no data flows.
TLS (Transport Layer Security)
The successor to SSL. an encryption protocol that provides confidentiality, integrity, and authentication for network connections. HTTPS = HTTP over TLS. Uses X.509 certificates f…
VPN (Virtual Private Network)
Encrypted tunnel between two endpoints over an untrusted network, making the endpoint appear to be on the remote network. Types: IPsec, WireGuard, OpenVPN, SSL-VPN.
X.509 certificate
A public-key certificate standard. Contains the subject's public key, identity (Subject + CN + SANs), validity period, and a signature from a CA. Used by TLS, code signing, and em…
4.0 Security Operations (16 terms)
Baseline
A known-good snapshot of system state: running services, listening ports, user accounts, configuration files, file hashes. Later deviations from the baseline are candidate evidenc…
Brute force attack
Trying many passwords (or keys) until one works. Dictionary attacks use common-password lists (e.g., rockyou.txt). Mitigated by rate-limiting (fail2ban), account lockouts, and lon…
Chain of custody
The documented handling of evidence from collection through analysis to court admission. Every person who touched it, when, what they did. Required for forensic evidence to hold up.
EDR (Endpoint Detection and Response)
Host-based software that monitors for suspicious process behavior, file changes, and network connections, and allows remote response (isolate host, kill process, etc).
File integrity monitoring (FIM)
A system that detects unauthorized changes to files by hashing them at a known-good moment and comparing later. Examples: AIDE, Tripwire, Samhain, Falco's file-watch rules.
Hardening
Reducing the attack surface of a system by disabling unused services, changing default credentials, applying least-privilege, enabling logging, and patching. CIS Benchmarks and DI…
Incident response lifecycle
The standardized workflow for handling a security incident: **Preparation Identification Containment Eradication Recovery Lessons learned** (NIST SP 800-61 or the SANS PICERL…
Indicators of Compromise (IoC)
Observable artifacts that suggest a system has been compromised: unexpected files, unusual processes, outbound connections to known-bad IPs, modified configuration files.
Log aggregation / SIEM
A Security Information and Event Management system centralizes logs from many sources (syslog, authd, web access logs, firewall) and enables correlation and alerting. Examples: Sp…
MITRE ATT&CK
A free, open knowledge base of adversary tactics and techniques based on real-world observations. Think of it as a taxonomy: Initial Access Execution Persistence Privilege Esca…
Patch management
The process of testing, approving, and deploying software updates that fix security vulnerabilities. Balance: apply quickly (defense) vs. test first (stability).
Port knocking
A technique where SSH (or another service) only opens its port after a specific sequence of 'knocks' on other ports. Security-through-obscurity layer on top of normal auth.
SOAR (Security Orchestration, Automation, Response)
A class of tools that automates routine security-operation tasks and playbooks. Reduces mean-time-to-respond by machines doing what analysts used to do manually.
Service account
A user account used by an automated process (not a human). Distinguished by having no interactive shell, no expiration, and narrow privileges.
Syslog
The Unix tradition for system logging: priority, facility, message. over UDP or TCP, locally or to a remote collector. rsyslog and systemd-journald are the modern implementations.
Threat intelligence
Information about known attackers and their TTPs (tactics, techniques, procedures). Sources: MITRE ATT&CK, OSINT blogs, paid feeds (CrowdStrike, Mandiant), ISAC sharing.
5.0 Program Management (3 terms)
Change management
A documented process for proposing, reviewing, approving, and recording changes to production systems. so the student can answer 'what changed?' when things break.
GRC (Governance, Risk, Compliance)
The discipline of aligning security controls with business goals, laws, and standards. Governance = policies. Risk = identify + mitigate. Compliance = proving adherence (SOC 2, PC…
Separation of duties
No single person should have enough authority to execute a sensitive process end-to-end. Example: one person writes the deploy script, a different person approves the deploy.