Studying for a certification exam like the CISSP or Security+ is stressful enough; what’s even more stressful is getting a question wrong on a practice exam when, in your mind, your answer should have been correct. The problem is usually word pairs that are similar in meaning, yet different. Below is a short list of some of the more commonly confused word pairs.
Need to Know: Users have access only to the information needed to perform their duties. For example, having a Top-Secret clearance does not mean you get access to all Top-Secret material. You only have access to the information needed for your job.
Least Privilege: A principle whereby a subject has the most restrictive set of privileges needed to perform its task. For example, a user account created for querying databases should not have administrative privileges. This also applies to read, write, and execute privileges.
Due Care: Simply put, doing what is right and needed. The opposite is negligence.
Due Diligence: Ensuring sufficient information has been gathered to make informed decisions.
Categorization: Assigning a system a threat level of High, Medium, or Low based on confidentiality, integrity, and availability (CIA).
Classification: Assigning security labels to objects, for example applying Secret, Top Secret, or Confidential to objects.
Scoping: When creating a baseline, you remove controls that do not apply to your environment. For example, your system does not have a public web presence, therefore, you remove the controls that apply to securing a public website.
Tailoring: Modifying security controls to make them fit your environment or technology. For example, a control says that your screen should lock after 15 minutes of inactivity; however, the system is in a secure area and is required to stay unlocked at all times. Therefore, a waiver will be needed.
Deterrent: Makes someone choose not to commit a crime. For example, a person wants to hop a fence, but they see a “beware of dog” sign. The beware-of-dog sign acts as a deterrent.
Preventive: If a person chooses to do a crime, he/she is blocked (prevented) from doing so.
Boundary: Your boundary is within your trusted network and has a different security level. It can also mean an accreditation boundary, which contains all the devices that an accredited system includes.
Perimeter: Goes around your entire company or network. Can be physical or logical.
Whitelist: A list of what is allowed. Example: an application whitelist (only these apps are permitted).
Blacklist: A list of what is not allowed. Example: an IP blacklist (these IP addresses are not permitted).
Piggybacking: Following someone into a secure zone with their knowledge.
Tailgating: Following someone into a secure zone without their knowledge.
Bug: Typically, a coding (syntax) error made by the programmer.
Flaw: A logical error in the design.
Risk appetite: The amount of risk and the type of risk that an organization is willing to pursue or retain.
Risk Tolerance: Reflects the acceptable variation in risk, over or under the risk bar.
Breach: An unauthorized person made it beyond perimeter defenses, into a security zone.
Disclosure: Sensitive information was obtained by an unauthorized person.
Loss: Related to availability. For example, data was destroyed (thus lost and not available).
Leakage: Sensitive information was disclosed. Typically related to confidentiality.
Certification: Verifying the system or application performs as intended.
Accreditation: Approval to deploy the system or application.
Critical: Something that is required for operation to continue.
Sensitive: Data or information that should be kept confidential.