Security-Fundamentals

Confidentiality, Integrity, and Availability (CIA Triad)
The CIA triad is a core security model that frames how systems protect secrecy, correctness, and dependable access.
Defense in Depth Strategy
Defense in depth is the practice of using multiple security layers so one control failure does not expose the whole system.
Least Privilege Access Principle
Practice of giving users, services, and systems only the access they need to reduce blast radius.
Attack Surface and Exposure
The set of exposed interfaces, identities, services, and workflows an attacker could potentially reach.
Security Threats and Sources
A potential source of harm that could exploit weaknesses or otherwise affect a system or organization.
Security Vulnerabilities and Weaknesses
A weakness in software, configuration, process, or design that could be used to compromise security.
Security Risk and Impact
The possibility that a threat causes meaningful harm once likelihood, impact, and existing controls are considered.
Security Exploits in Practice
A method or piece of code used to take advantage of a vulnerability and cause unauthorized behavior.
Risk Mitigation in Security
Action taken to reduce the likelihood or impact of a security problem when risk cannot be ignored.
Security Control Types and Roles
A safeguard or measure used to prevent, detect, correct, or otherwise reduce security risk.
Security Misconfigurations and Exposure
Condition where systems, applications, identities, or resources are configured in ways that weaken protections.
Attack Vectors and Entry Methods
The path or method a threat uses to reach a target system, user, application, or workload.
Blast Radius and Impact Scope
The scope of systems, data, users, or operations affected when one component is compromised or fails.
Secure by Default Configuration
Systems, products, and services start in the safer configuration unless an administrator changes them.
Zero-Day Vulnerability
A zero-day vulnerability is a security flaw that is newly discovered or not yet remediated, leaving defenders little or no patch window.
Attack Paths and Chained Weaknesses
The sequence of weaknesses or trust relationships an attacker could chain together to reach a target.
Crown Jewels in Security
Crown jewels are the systems, identities, data sets, or processes whose compromise would cause outsized harm to the organization.
Least Functionality for Reduced Exposure
Practice of enabling only the features and services a system needs to perform its intended job.
Zero Trust Security Model
Zero trust is a security model that avoids broad implicit trust and continuously evaluates access based on identity, context, and policy.
Security by Design Practices
Practice of considering security requirements and risks during planning and architecture instead of treating them as afterthoughts.
Privilege Escalation Risks
Privilege escalation is the gain of more access or authority than a user, process, or workload was originally meant to have.