jypi · © 2026 jypi. All rights reserved.

CompTIA Security+ (SY0-701)

Security Foundations and Core Principles


Establish essential terminology, frameworks, and principles that underpin all security decisions.


Security terminology and concepts

Security Terms, But Make It Spicy
Tags: beginner, humorous, narrative-driven, science, gpt-5


Security Terminology and Concepts

If the exam blueprint was your map, this is the legend. Without the legend, you’re just staring at symbols like “uh… dragon?” when it’s actually “firewall.”

We already scoped the SY0-701 journey in the orientation. Now we’re loading the language pack. These terms are the verbs and nouns you’ll use on every question, in every job ticket, and during that one family dinner when someone asks, “So… what is a cyber?”


The Big Three: CIA (No, Not That One)

The bedrock of security goals is the CIA triad:

  • Confidentiality: Only the right people see the data.
    • Examples: encryption, access controls, screen privacy filters
    • Villains: eavesdropping, data leakage, shoulder surfing
  • Integrity: Data stays accurate and unaltered (unless authorized).
    • Examples: hashing, digital signatures, checksums
    • Villains: tampering, on-path (man-in-the-middle) attacks, data corruption
  • Availability: The system works when needed.
    • Examples: redundancy, backups, DDoS protection, UPS
    • Villains: outages, ransomware, hardware failure

Pro tip: Almost every scenario question pokes at which CIA element is at risk. Name the element, pick the control, profit (academically).

Bonus squad: AAA (+ Non-Repudiation)

  • Authentication: Prove you’re you (passwords, MFA, certificates).
  • Authorization: What you get to do (roles, permissions, policies).
  • Accounting/Audit: Record what happened (logs, trails, SIEM).
  • Non-repudiation: You can’t deny it later (digital signatures + logs).

Risk Language: Stop Using “Threat” and “Vulnerability” Like Synonyms

Let’s break the toxic relationship between these words:

  • Asset: Anything valuable (data, systems, reputation, your sanity).
  • Threat: Something with the potential to cause harm (attacker, storm, bug, insider oopsie).
  • Vulnerability: A weakness that could be exploited (unpatched OS, weak config, default creds).
  • Exploit: The technique that takes advantage of a vulnerability.
  • Likelihood: Probability it happens.
  • Impact: How bad it is when it happens.
  • Risk: The potential loss if a threat exploits a vulnerability against an asset.

In faux-math:

Risk ≈ Likelihood × Impact
  • Inherent risk: Risk before controls.
  • Residual risk: Risk after controls.
  • Risk appetite: How much risk the org tolerates without crying.

Example: Coffee shop Wi‑Fi

  • Asset: your login session (the cookie that proves you already authenticated)
  • Threat: nearby attacker sniffing traffic on the open network
  • Vulnerability: the site talks to you over plain HTTP, or sends the session cookie without the Secure flag so it leaks even where HTTPS exists. (Password reuse is a vulnerability too, but it pairs with a different threat: credential stuffing, not sniffing.)
  • Exploit: session hijacking (replay the stolen cookie and the site thinks you’re you)
  • Likelihood: high; on an open network everyone in range can read the unencrypted frames
  • Impact: they become you online; chaos ensues

Control Zoo: Categories vs Types (Two Orthogonal Axes)

Controls come in two flavors simultaneously: what they are and what they do.

  • By category (what they are):

    • Administrative (policies, training, hiring practices). SY0-701 splits this bucket in two: managerial (policies, risk assessments, oversight) and operational (day-to-day execution: awareness training, change management, guard schedules). So the exam lists four categories: technical, managerial, operational, physical.
    • Technical (firewalls, EDR, encryption)
    • Physical (locks, guards, cameras)
  • By function (what they do):

    • Preventive (stop it): MFA, input validation
    • Detective (spot it): IDS, logs, CCTV
    • Corrective (fix it): restoring from backup, patching after the incident
    • Deterrent (discourage it): warning signs, banners
    • Directive (tell you what to do): policies, SOPs
    • Compensating (plan B): temp controls when the ideal one isn’t possible

Exam trap: A security camera is physical + detective. A policy is managerial (administrative) + directive. MFA is technical + preventive. A login banner is technical + deterrent. Two axes, one love.


Governance Stack: Policy Isn’t Just Vibes

  • Policy: High-level “what we believe and require.” Mandatory.
  • Standard: Specific requirements to meet policy (e.g., “AES-256 for data at rest”).
  • Baseline: Minimum acceptable configuration (hardened image).
  • Procedure: Step-by-step how-to (SOP). Repeatable.
  • Guideline: Recommended but flexible.
  • Due care: Being reasonably careful (policy, training, locks).
  • Due diligence: Proving you followed through (audits, patching reports).

Translation: Policy says “wear helmets.” Standard says “helmet must meet XYZ.” Procedure says “how to put it on.” Due care is buying helmets; due diligence is checking people actually wear them.


People Problems: Threat Actors and Attack Surface

  • Script kiddies (SY0-701 says “unskilled attackers”): Use others’ tools; loud but real.

  • Hacktivists: Political/social motive.

  • Insiders: Accidental or malicious; hardest to catch.

  • Organized crime: Profit-driven, polished ops.

  • Nation-states/APTs: Patient, resourced, unsettlingly good.

  • Attack surface: All the ways in—open ports, exposed APIs, weak creds, human inboxes.

  • Threat vectors: Phishing, USB drops, watering holes, RDP brute force, supply chain.

Shrink the surface, reduce the vectors, sleep slightly better.


Access Control Models and Sacred Principles

  • Least privilege: Only what’s needed to do the job. No admin “just in case.”
  • Need-to-know: Limit access to specific data, even if you have the role.
  • Separation of duties: Split critical tasks among people (request vs approve).
  • Job rotation: Rotate roles to reduce fraud and share knowledge.
  • Implicit deny: Default to no, then allow explicitly.
  • Zero trust: Never trust, always verify; continuous validation.

Models:

  • DAC (Discretionary): Owner decides (think shared folders). Flexible, risky.
  • MAC (Mandatory): Labels and clearances (Top Secret, etc.). Strict.
  • RBAC (Role-based): Permissions by job role. Scales well.
  • ABAC (Attribute-based): Context-aware (user + device + time + location). Powerful.
  • Rule-based: Allow/deny via rules (firewalls, NAC policies).
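A policy decision point that applies those principles together, as an added example (this is not code from the course page): RBAC for the role check, a MAC-style classification label and clearance for need-to-know, separation of duties so the person who created a ticket cannot approve it, and implicit deny for anything not explicitly granted. The users, roles, labels and the Ticket type are constructed for this example.

```go
package main

import "fmt"

// Ticket is the protected resource. Label is its data-classification label.
type Ticket struct {
	ID        string
	CreatedBy string
	Label     string
}

// Decision carries the verdict and the rule that produced it (useful for audit logs).
type Decision struct {
	Allowed bool
	Reason  string
}

// RBAC: each role maps to "action:resource" permissions. Anything not listed is denied.
// (Constructed sample policy.)
var rolePermissions = map[string]map[string]bool{
	"analyst":  {"read:ticket": true, "create:ticket": true},
	"approver": {"read:ticket": true, "approve:ticket": true},
}

// Least privilege: users hold only the roles their job needs; nobody is admin "just in case".
var userRoles = map[string][]string{
	"alice": {"analyst"},
	"bob":   {"approver"},
	"carol": {"analyst", "approver"},
}

// MAC-style labels: an ordering over classification levels, plus each user's clearance.
var levelRank = map[string]int{"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
var userClearance = map[string]string{"alice": "internal", "bob": "confidential", "carol": "confidential"}

// hasPermission answers the RBAC question: does any of the user's roles grant perm?
func hasPermission(user, perm string) bool {
	for _, role := range userRoles[user] {
		if rolePermissions[role][perm] {
			return true
		}
	}
	return false
}

// authorize runs the checks in order. Every path that does not reach the final
// explicit allow is a denial: that is implicit deny in practice.
func authorize(user, action string, t Ticket) Decision {
	if _, known := userRoles[user]; !known {
		return Decision{false, "unknown principal (implicit deny)"}
	}
	perm := action + ":ticket"
	if !hasPermission(user, perm) {
		return Decision{false, "no role grants " + perm + " (implicit deny)"}
	}
	labelRank, labelled := levelRank[t.Label]
	if !labelled {
		return Decision{false, "unlabelled resource (implicit deny)"}
	}
	// Having the role is not enough: need-to-know means your clearance must cover the label.
	if levelRank[userClearance[user]] < labelRank {
		return Decision{false, "clearance below label " + t.Label + " (need-to-know)"}
	}
	// Separation of duties: requesting and approving must be different people.
	if action == "approve" && t.CreatedBy == user {
		return Decision{false, "creator cannot approve own ticket (separation of duties)"}
	}
	return Decision{true, "explicitly allowed: " + perm}
}

func main() {
	byBob := Ticket{ID: "T-1", CreatedBy: "bob", Label: "internal"}
	secret := Ticket{ID: "T-2", CreatedBy: "bob", Label: "restricted"}
	cases := []struct {
		user, action string
		t            Ticket
	}{
		{"alice", "read", byBob},
		{"alice", "approve", byBob},
		{"bob", "approve", byBob},
		{"carol", "approve", byBob},
		{"alice", "read", secret},
		{"mallory", "read", byBob},
	}
	for _, c := range cases {
		d := authorize(c.user, c.action, c.t)
		fmt.Printf("%-8s %-8s %s -> allowed=%-5v %s\n", c.user, c.action, c.t.ID, d.Allowed, d.Reason)
	}
}
```

Run it with go run. The order of checks is deliberate: identity first, then role, then label, then duty separation, so a denial reason never leaks more than the caller already knows (an unknown principal learns nothing about which labels exist).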

Data Protection (Because Privacy Is Not Optional)

  • PII/PHI: Personal/health data. Handle gently.
  • Data lifecycle: Create → Store → Use → Share → Archive → Destroy.
  • Classification: Public, Internal, Confidential, Restricted (names vary).
  • Labeling and handling: The label dictates controls (encryption, DRM, DLP policies).

If you can’t classify it, you can’t protect it. If you can’t label it, no one else will either.


Crypto Nouns at 60 MPH

  • Encryption: Reversible scrambling with a key (confidentiality). Symmetric (fast, same key) vs asymmetric (public/private pair).
  • Hashing: One-way fingerprint (integrity). For stored passwords, salt every hash so precomputed (rainbow) tables are useless, and use a deliberately slow password hash such as bcrypt, scrypt, or Argon2 rather than a bare SHA-256.
  • Digital signatures: Integrity + authentication + non-repudiation (hash the message, sign the hash with the private key; anyone holding the public key can verify, and only the private-key holder could have produced it).
  • Certificates/PKI: Trust scaffolding. A certificate is a CA’s signed statement that this public key belongs to this name; your browser trusts the CA, so it trusts the site. Know which CAs you trust, and document why.

Exam pattern: If it needs to be secret, encrypt. If it needs to be unchanged, hash. If it needs to be provably from you, sign.
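The three verbs of that exam pattern in working code, as an added example that is not part of the course page: encrypt with AES-256-GCM (secret, and GCM’s authentication tag also catches tampering), fingerprint with SHA-256 (unchanged), and sign with Ed25519 (provably from the private-key holder). The function names, the sample message and the in-memory key handling are assumptions of this example; it uses only Go’s standard library, and real key management (where keys live, how they rotate) is out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// --- Encrypt: keeps it SECRET (confidentiality). Symmetric: one key, both directions. ---

// newAESKey returns a random 256-bit key (assumption: key storage/rotation handled elsewhere).
func newAESKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// encrypt uses AES-256-GCM. The output is nonce || ciphertext || tag; the tag means
// any bit flipped in transit makes decrypt fail instead of returning garbage.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // Seal appends to the nonce slice
}

func decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil) // errors if nonce, data or tag were altered
}

// --- Hash: keeps it UNCHANGED (integrity). One-way and keyless, so anyone can recompute it. ---

func fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// --- Sign: proves it came FROM YOU (integrity + authentication + non-repudiation). ---
// Ed25519 hashes the message internally and signs with the private key; the public key verifies.

func newSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

func verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

func main() {
	msg := []byte("Transfer 500 to account 1234") // constructed sample message
	altered := []byte("Transfer 5000 to account 1234")

	key := newAESKey()
	sealed, _ := encrypt(key, msg)
	plain, _ := decrypt(key, sealed)
	fmt.Println("encrypt/decrypt round trip ok:", string(plain) == string(msg))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err := decrypt(key, sealed)
	fmt.Println("tampered ciphertext rejected:  ", err != nil)

	fmt.Println("hash matches original:         ", fingerprint(msg) == fingerprint([]byte("Transfer 500 to account 1234")))
	fmt.Println("hash matches altered:          ", fingerprint(msg) == fingerprint(altered))

	pub, priv := newSigningKey()
	sig := sign(priv, msg)
	otherPub, _ := newSigningKey()
	fmt.Println("signature verifies:            ", verify(pub, msg, sig))
	fmt.Println("verifies on altered message:   ", verify(pub, altered, sig))
	fmt.Println("verifies with someone else's key:", verify(otherPub, msg, sig))
}
```

The last two prints are the non-repudiation point: the signature binds both the exact bytes and the signer’s key, so neither a changed message nor a different key verifies. A SHA-256 fingerprint alone would catch the edit but could not tell you who wrote the original.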


Availability and Failure Philosophy

  • Redundancy: Multiple of a thing (RAID, HA pairs).
  • Resilience: Ability to take a hit and keep moving (autoscaling, DR sites).
  • RTO/RPO: Time to restore / how much data loss is acceptable.
  • Fail-safe vs fail-secure (the exam also phrases this as fail-open vs fail-closed):
    • Fail-safe / fail-open: Prioritize safety or continuity (doors unlock in a fire; an inline filter that dies lets traffic through).
    • Fail-secure / fail-closed: Prioritize security (doors stay locked on power loss; a firewall that dies passes nothing).

Choose based on context. Hospitals and datacenters may make opposite choices.


Risk Treatment: Pick Your Adventure

  • Avoid: Don’t do the risky thing (no BYOD, no crypto-mining in prod). Powerful, unpopular.
  • Mitigate: Add controls to reduce likelihood/impact (patches, MFA, segmentation).
  • Transfer: Insurance, outsourcing, cloud contracts (remember: shared responsibility ≠ no responsibility).
  • Accept: Document it, sign it, monitor it. Use sparingly, not lazily.

Remember the math-ish:

Residual Risk = Inherent Risk − Risk Reduced by Controls
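The faux-math from the risk-language section and the residual-risk formula just above, carried through a small risk register as an added example (not from the course page): a 1–5 qualitative scale, controls modelled as cuts to likelihood or impact, and an organisational appetite that decides whether a residual score can be accepted or still needs treatment. The scale, the rating bands, the control effectiveness numbers and the appetite are all assumptions, including the coffee-shop Wi‑Fi row borrowed from the earlier example.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one row of a risk register, scored on a 1-5 qualitative scale (assumed scale).
type Risk struct {
	Asset, Threat, Vulnerability string
	Likelihood, Impact           int
	Controls                     []Control
}

// Control removes scale points from likelihood and/or impact. The numbers are assumed
// effectiveness estimates; a real register would justify them with evidence.
type Control struct {
	Name                     string
	LikelihoodCut, ImpactCut int
}

func clamp(v int) int {
	if v < 1 {
		return 1 // no control takes a risk to zero
	}
	if v > 5 {
		return 5
	}
	return v
}

// Risk ≈ Likelihood × Impact
func score(likelihood, impact int) int { return clamp(likelihood) * clamp(impact) }

// Inherent risk: before controls.
func inherent(r Risk) int { return score(r.Likelihood, r.Impact) }

// Residual risk: after controls. Likelihood and impact are reduced separately, then re-scored.
func residual(r Risk) int {
	l, i := r.Likelihood, r.Impact
	for _, c := range r.Controls {
		l -= c.LikelihoodCut
		i -= c.ImpactCut
	}
	return score(l, i)
}

// reductionByControls is the "Risk Reduced by Controls" term, defined so that
// Residual = Inherent − reductionByControls holds for every row.
func reductionByControls(r Risk) int { return inherent(r) - residual(r) }

// rating maps a score to the words a register usually shows (assumed bands).
func rating(s int) string {
	switch {
	case s >= 15:
		return "critical"
	case s >= 10:
		return "high"
	case s >= 5:
		return "medium"
	default:
		return "low"
	}
}

// treatment compares residual risk with appetite: within appetite it can be accepted
// (documented, signed off, monitored); above it, more mitigation, transfer, or avoidance is needed.
func treatment(r Risk, appetite int) string {
	if residual(r) <= appetite {
		return "accept (document, sign off, monitor)"
	}
	return "above appetite: mitigate further, transfer, or avoid"
}

// prioritize returns a copy of the register ordered by residual risk, highest first.
func prioritize(register []Risk) []Risk {
	ranked := append([]Risk(nil), register...)
	sort.Slice(ranked, func(a, b int) bool { return residual(ranked[a]) > residual(ranked[b]) })
	return ranked
}

func main() {
	// Constructed sample register.
	register := []Risk{
		{"login cookies", "attacker sniffing coffee-shop Wi-Fi", "no HTTPS", 4, 4,
			[]Control{{"enforce HTTPS + Secure cookies", 3, 0}}},
		{"file server", "ransomware crew", "no offline backups", 4, 5,
			[]Control{{"offline, tested backups", 0, 2}}},
		{"VPN appliance", "opportunistic scanner", "unpatched firmware", 5, 4,
			[]Control{{"patch within 72h", 2, 0}, {"MFA on VPN", 1, 1}}},
	}
	const appetite = 6 // assumption: the org accepts residual scores of 6 or below
	for _, r := range prioritize(register) {
		fmt.Printf("%-14s inherent=%2d (%-8s) residual=%2d (%-8s) reduced=%2d -> %s\n",
			r.Asset, inherent(r), rating(inherent(r)), residual(r), rating(residual(r)),
			reductionByControls(r), treatment(r, appetite))
	}
}
```

Run it with go run. Two things worth noticing in the output: the ransomware row keeps a high residual even with backups, because backups cut impact but do nothing for likelihood, which is why that row still says it needs treatment; and the clamp at 1 encodes the practitioner’s reminder that controls reduce risk, they never erase it.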

Frameworks That Make You Sound Employed

  • Defense-in-depth: Multiple layers so one miss doesn’t mean game over.
  • Kill chain/ATT&CK: Ways to map attacker behavior. Helps you choose controls by stage.
  • Secure by design / least functionality: Ship fewer features; ship fewer bugs; ship less regret.

Rapid-Fire Exam Traps (a.k.a. Words That Love Chaos)

  • Vulnerability vs exploit: weakness vs how it’s used.
  • Authentication vs authorization: who you are vs what you can do.
  • Policy vs procedure: "what/why" vs "how/when/who."
  • Deterrent vs preventive: discourage vs stop.
  • Encryption vs hashing: reversible secret vs one-way integrity.
  • Insider threat ≠ administrator only; anyone with access can be one.

Mini Scenarios: Name That Term

  1. An employee uploads client data to a personal drive for “backup.” What principles got violated?
  • Acceptable-use and data-handling policy, classification/labeling and handling controls (exactly what DLP exists to catch), and need-to-know if the job didn’t require that data. The CIA element at stake is confidentiality.
  2. The firewall blocks unknown traffic by default. What is that?
  • Implicit deny (a technical, preventive control).
  3. A law firm uses a third-party eDiscovery platform. What risk treatment is in play?
  • Transfer (but the firm also mitigates with vendor due diligence and contract terms; the accountability for client data stays with the firm).
  4. A company encrypts laptops and keeps logs of admin actions. Which goals are served?
  • Confidentiality (encryption) and accountability/non-repudiation (logging).

Wrap-Up: Speak Fluent Security

You now have the dictionary. The rest of the course is grammar and storytelling—stringing these terms into architectures, policies, and incident responses that actually work.

Key takeaways:

  • CIA tells you what to protect; AAA tells you how to control and prove it.
  • Risk = threat + vulnerability + asset in a complicated love triangle; manage with avoid/mitigate/transfer/accept.
  • Controls have both category (admin/technical/physical) and purpose (prevent/detect/correct/etc.).
  • Governance is not paperwork cosplay; it’s how strategy becomes safe reality.
  • Least privilege, separation of duties, and zero trust are not trends—they’re survival tactics.

Final thought: Security isn’t about saying “no.” It’s about saying “yes, safely,” in a world that keeps inventing new ways to say “oops.”
