All 30 Cards

CIA Triad
Confidentiality (only authorized access), Integrity (data is accurate/unmodified), Availability (systems are accessible when needed)
Authentication Factors
Something you know (password), Something you have (token/phone), Something you are (biometrics), Somewhere you are (location)
MFA (Multi-Factor Authentication)
Using two or more authentication factors; password + phone code; significantly reduces unauthorized access
Phishing
Social engineering via email; fake messages trick users into revealing credentials or clicking malicious links; most common attack vector
Spear Phishing
Targeted phishing aimed at a specific person or organization; uses personal details to appear legitimate
Social Engineering
Manipulating people into revealing information or performing actions; pretexting, baiting, tailgating, quid pro quo
Malware
Malicious software: viruses, worms, trojans, ransomware, spyware, rootkits, keyloggers, adware
Ransomware
Encrypts victim's files; demands payment for decryption key; prevent with backups, patching, and email filtering
Zero-Day Vulnerability
Unpatched security flaw unknown to the vendor; no fix available yet; highly valuable to attackers
Firewall
Controls incoming/outgoing network traffic based on rules; stateful (tracks connections) vs stateless; hardware or software
IDS vs IPS
IDS: Intrusion Detection System (monitors and alerts). IPS: Intrusion Prevention System (monitors AND blocks). Inline vs passive
VPN
Virtual Private Network; encrypts traffic between endpoints; creates secure tunnel over public internet; site-to-site or remote access
Symmetric Encryption
Same key encrypts and decrypts; fast; examples: AES (standard), DES (legacy), 3DES; key distribution is the challenge
Asymmetric Encryption
Public key encrypts, private key decrypts; slower; examples: RSA, ECC; used for key exchange, digital signatures
Hashing
One-way function producing fixed-length output; SHA-256, MD5 (insecure); used for password storage, file integrity
Digital Certificate
Binds a public key to an identity; issued by Certificate Authority (CA); enables HTTPS; contains subject, issuer, expiry, public key
PKI (Public Key Infrastructure)
Framework for managing digital certificates and encryption keys; includes CAs, registration authorities, certificate revocation
Least Privilege
Users should have only the minimum access needed for their job; reduces attack surface; review regularly
Defense in Depth
Multiple layers of security controls; if one layer fails, others protect; physical, technical, and administrative controls
Risk Assessment
Identifying threats, vulnerabilities, and their potential impact; Risk = Threat × Vulnerability × Impact; prioritize mitigation
Vulnerability Scanning
Automated tool that identifies known vulnerabilities in systems; Nessus, Qualys; run regularly; different from penetration testing
Penetration Testing
Authorized simulated attack to find exploitable vulnerabilities; black box (no info), white box (full info), gray box (partial)
SIEM
Security Information and Event Management; collects and analyzes logs from across the network; real-time alerting; Splunk, QRadar
Incident Response Steps
1) Preparation 2) Identification 3) Containment 4) Eradication 5) Recovery 6) Lessons Learned
DDoS Attack
Distributed Denial of Service; overwhelms target with traffic from many sources (botnet); disrupts availability
SQL Injection
Inserting malicious SQL into input fields to manipulate databases; prevented with parameterized queries and input validation
XSS (Cross-Site Scripting)
Injecting malicious scripts into web pages viewed by others; stored, reflected, or DOM-based; sanitize user input
Access Control Models
DAC (owner decides), MAC (labels/clearances), RBAC (role-based), ABAC (attribute-based)
Business Continuity Plan
Strategy to maintain operations during and after a disaster; includes BIA, recovery procedures, communication plan
Backup Strategy: 3-2-1
3 copies of data, on 2 different media types, with 1 offsite/cloud copy; protects against any single point of failure