Standards - Career & Technical Education

Examples: baiting, scareware, pretexting, phishing, spear-phishing, watering hole, whaling

Examples: adversarial artificial intelligence, automated learning, ransomware, remote access Trojan (RAT)

Examples: race conditions, error handling, buffer overflow, distributed denial of service (DDoS), domain name system (DNS), OSI Model Layer 2 Attacks

Examples: network vulnerabilities, operating systems vulnerabilities, human vulnerabilities

Examples: configuration management (diagrams, baseline configuration, standard naming conventions, IP schema), data protection and redundancy, secure sockets layer (SSL) and transport layer security (TLS) inspection, hashing, API considerations, site resiliency, honeypots, fake telemetry

Examples: application approved/denied list, quarantine, firewall rules, mobile device management (MDM), data loss prevention (DLP), update or revoke certificates

Examples: documentation and evidence, acquisition, on-premises versus cloud, integrity, data recovery, non-repudiation

Examples: communicating only with trusted parties, disclosing information based on requirements, preventing inadvertent release of information, following requirements for reporting incidents

Examples: unusual outbound network traffic or geographical irregularities, which indicate a possible breach or compromise

Examples: cyber incident planning and response (CIPR) action checklist

Examples: network traffic analyzers, endpoint disk and memory, mobile, cloud, virtualization, legal hold, hashing, data carving, data acquisition

Examples: managerial, operational, technical, control type (preventive, detective, corrective, deterrent, compensating, physical)

Examples: General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Center for Internet Security framework (CIS); the National Institute of Standards and Technology (NIST), Risk Management Framework (RMF) and Cybersecurity Framework (CSF); benchmarks and security configuration guides

Examples: acceptable use policy, job rotation, mandatory vacation, least privilege, non-disclosure agreement, third-party vendors and risk management, service level agreement, memorandum of understanding, measurement systems analysis, end of life, credentialing policies, change management, asset management

Examples: external, internal, legacy systems, acceptance, avoidance, transference, mitigation, risk matrix, heat map, risk control assessment, asset value, single-loss expectancy, annualized loss expectancy, annualized rate of occurrence

Examples: avoiding reputation damage, identity theft, IP theft, and fines; preventing privilege escalation, public disclosures, and data breaches

Examples: Gather and report on current information from the Department of Homeland Security, the FBI, or SANS Internet Storm Center and explain how applying the information benefits an organization.

Examples: MITRE ATT&CK, Diamond Model, kill chain, indicator of compromise, Common Vulnerability Scoring System, total attack surface, attack vector, adversary capability

Examples: active versus passive scanning, mapping, enumeration, criticality of assets, validation outcomes (true positive, false positive, true negative, false negative), baseline configuration, patching, hardening, scanning parameters, web application scanners, wireless and infrastructure vulnerability scanners

Examples: mobile, Internet of Things, embedded, real-time operating system, System-on-Chip, field programmable gate array, physical access controls, building automation systems, drones and vehicles, supervisory control and data acquisition systems (SCADA), cloud deployment models; insecure application programming interfaces, improper key management, unprotected storage, insufficient logging and monitoring

Examples: malware, unpatched security vulnerabilities, hidden backdoor programs, superuser or Admin Account privileges

Examples: cloud versus on-premises, asset management, segmentation, network architecture, change management, virtualization, containerization, identity and access management, honeypot, certificate management, monitoring and logging, active best practices defense, encryption

Examples: code of conduct, acceptable use policy, password policy, data ownership and retention, account management, continuous monitoring, work product retention, control types

Examples: business impact analysis, risk identification process, risk calculation, communication of risk factors, risk prioritization, systems assessment, documented compensating controls, training and exercises, supply chain assessment

Examples: software development life cycle, DevSecOps, software assessment methods (user acceptance testing, stress test application, security regression testing, code review), secure coding best practices, static and dynamic analysis tools, hardware root of trust, trusted firmware updates