Security Fundamentals

Core cybersecurity terms that explain the basic security model: threats, vulnerabilities, risk, controls, and defensive principles.

This section covers the terms readers usually need first: threat, vulnerability, risk, exploit, mitigation, defense in depth, least privilege, and security controls.

Start here when you need the foundation before moving into IAM, encryption, network defense, cloud security, or incident response.

Continue Into Identity and Access

Once the basics are clear, the next terms to learn are usually Authentication, Authorization, Multi-Factor Authentication, and Role-Based Access Control.

In this section

  • Attack Path
    An attack path is the sequence of weaknesses, opportunities, or trust relationships an attacker could combine to reach a target.
  • Attack Surface
    Attack surface describes the set of exposed systems, interfaces, identities, and pathways an attacker could potentially target.
  • Attack Vector
    An attack vector is the path or method a threat uses to reach a target system, user, or workload.
  • Blast Radius
    Blast radius is the scope of systems, data, users, or operations that could be affected when one component is compromised or fails.
  • Confidentiality, Integrity, and Availability (CIA Triad)
    The CIA triad is a core security model that frames how systems protect secrecy, correctness, and dependable access.
  • Crown Jewels
    Crown jewels are the systems, identities, data sets, or processes whose compromise would cause outsized harm to the organization.
  • Defense in Depth
    Defense in depth is the practice of using multiple security layers so one control failure does not expose the whole system.
  • Exploit
    An exploit is a method or piece of code used to take advantage of a vulnerability and cause unauthorized behavior.
  • Least Functionality
    Least functionality is the practice of enabling only the features, services, ports, components, and capabilities a system actually needs to perform its intended job.
  • Least Privilege
    Least privilege limits users, services, and systems to the minimum access needed for their legitimate work.
  • Mitigation
    Mitigation is the action taken to reduce the likelihood or impact of a security problem when risk cannot simply be ignored.
  • Privilege Escalation
    Privilege escalation is the gain of more access or authority than a user, process, or workload was originally meant to have.
  • Risk
    Risk is the possibility that a threat will cause meaningful harm in a specific context, taking impact and likelihood into account.
  • Secure by Default
    Secure by default means systems and products start in the safer configuration unless an administrator deliberately changes them.
  • Security by Design
    Security by design is the practice of considering security requirements and risks during planning and architecture instead of treating them as afterthoughts.
  • Security Control
    A security control is a safeguard or measure used to prevent, detect, correct, or otherwise reduce security risk.
  • Security Misconfiguration
    Security misconfiguration is a condition where systems, applications, or cloud resources are set up in ways that weaken intended protections.
  • Threat
    A threat is a potential source of harm that could exploit weaknesses or otherwise affect a system, user, or organization.
  • Vulnerability
    A vulnerability is a weakness in software, configuration, process, or design that could be used to compromise security.
  • Zero Trust
    Zero trust is a security model that avoids granting broad implicit trust based only on network location or prior access.
  • Zero-Day Vulnerability
    A zero-day vulnerability is a security flaw that is newly discovered or not yet remediated, leaving defenders little or no patch window.