Security Fundamentals
Core cybersecurity terms that explain the basic security model: threats, vulnerabilities, risk, controls, and defensive principles.
This section covers the terms readers usually need first: threat, vulnerability, risk, exploit, mitigation, defense in depth, least privilege, and security controls.
Start here when you need the foundation before moving into IAM, encryption, network defense, cloud security, or incident response.
Core Articles
Continue Into Identity and Access
Once the basics are clear, the next terms to learn are usually Authentication, Authorization, Multi-Factor Authentication, and Role-Based Access Control.
In this section
- Attack Paths and Chained Weaknesses
The sequence of weaknesses or trust relationships an attacker could chain together to reach a target.
- Attack Surface and Exposure
The set of exposed interfaces, identities, services, and workflows an attacker could potentially reach.
- Attack Vectors and Entry Methods
The path or method a threat uses to reach a target system, user, application, or workload.
- Blast Radius and Impact Scope
The scope of systems, data, users, or operations affected when one component is compromised or fails.
- Confidentiality, Integrity, and Availability (CIA Triad)
The CIA triad is a core security model that frames how systems protect secrecy, correctness, and dependable access.
- Crown Jewels in Security
Crown jewels are the systems, identities, data sets, or processes whose compromise would cause outsized harm to the organization.
- Defense in Depth Strategy
Defense in depth is the practice of using multiple security layers so one control failure does not expose the whole system.
- Least Functionality for Reduced Exposure
Practice of enabling only the features and services a system needs to perform its intended job.
- Least Privilege Access Principle
Practice of giving users, services, and systems only the access they need to reduce blast radius.
- Privilege Escalation Risks
Privilege escalation is the gain of more access or authority than a user, process, or workload was originally meant to have.
- Risk Mitigation in Security
Action taken to reduce the likelihood or impact of a security problem when risk cannot be ignored.
- Secure by Default Configuration
Systems, products, and services start in the safer configuration unless an administrator changes them.
- Security by Design Practices
Practice of considering security requirements and risks during planning and architecture instead of treating them as afterthoughts.
- Security Control Types and Roles
A safeguard or measure used to prevent, detect, correct, or otherwise reduce security risk.
- Security Exploits in Practice
A method or piece of code used to take advantage of a vulnerability and cause unauthorized behavior.
- Security Misconfigurations and Exposure
Condition where systems, applications, identities, or resources are configured in ways that weaken protections.
- Security Risk and Impact
The possibility that a threat causes meaningful harm once likelihood, impact, and existing controls are considered.
- Security Threats and Sources
A potential source of harm that could exploit weaknesses or otherwise affect a system or organization.
- Security Vulnerabilities and Weaknesses
A weakness in software, configuration, process, or design that could be used to compromise security.
- Zero Trust Security Model
Zero trust is a security model that avoids broad implicit trust and continuously evaluates access based on identity, context, and policy.
- Zero-Day Vulnerability
A zero-day vulnerability is a security flaw that is newly discovered or not yet remediated, leaving defenders little or no patch window.