Geofencing
An automated security control that defines a virtual geographic boundary and takes action β granting or restricting access β based on whether a device or user is inside or outside that boundary. Geofencing works at multiple scales: building-level (inside the corporate office vs. outside), city-level, or country-level. Technologies used to detect location and enforce the boundary include GPS (satellite-based, high accuracy, requires device GPS hardware), 802.11 Wi-Fi positioning (maps to known access points, works indoors), cell tower triangulation (wide coverage for mobile devices), and IP address geolocation (maps IP to geographic region via ISP registration, less accurate for mobile). Common security applications: automatically allowing full application access from within the building, restricting or blocking access from foreign countries where the organization has no operations, triggering additional authentication challenges when a user is outside the expected region.
Encryption (Data Protection Context)
A reversible mathematical transformation that converts plaintext (readable original data) into ciphertext (unreadable scrambled data) using an algorithm and a key. The transformation requires the key to reverse β decrypt the ciphertext back to the original plaintext. Unlike hashing, encryption is two-way: data can be recovered. The confusion property describes how good encryption works: the output ciphertext should be dramatically different from the input plaintext β changing one character of input should produce a completely different ciphertext, with no visible relationship between original and encrypted forms. Encryption protects data at rest (disk and database encryption), data in transit (TLS, IPsec), and data in specific files. Primary security goal: confidentiality β unauthorized parties who intercept or access the encrypted data cannot read it without the key.
Hashing (Cryptographic Hash Function)
A one-way mathematical function that transforms input data of any length into a fixed-length output called a hash, message digest, or fingerprint. Critically: the process is irreversible β the hash cannot be mathematically reversed to recover the original input. Any input, however long, produces a fixed-size output (e.g., SHA-256 always produces 256 bits / 64 hexadecimal characters). Two key properties: (1) determinism β the same input always produces the same hash; (2) avalanche effect β a tiny change to the input (one character, one bit) produces a completely different hash. Primary uses: password storage (store the hash, not the password), file integrity verification (hash of a legitimate file compared to hash of received file), and digital signatures (hash the message, then sign the hash). A hash collision β two different inputs producing the same hash β breaks hash security and is why MD5 and SHA-1 are deprecated.
Hash Collision
A cryptographic weakness that occurs when two different inputs produce the same hash output from the same hash function. In theory, any hash function with finite output will eventually have collisions (pigeonhole principle), but a cryptographically secure hash function makes it computationally infeasible to find two inputs that collide. When an attacker can deliberately engineer a collision β find a malicious file that produces the same hash as a legitimate file β they can substitute the malicious file while the hash check still passes, defeating integrity verification. MD5 is fully broken: practical collision attacks exist and MD5 should not be used for any security purpose. SHA-1 is deprecated and considered insecure for collision resistance. SHA-256 and SHA-3 are current standard minimum recommendations. The exam specifically notes MD5 and SHA-1 as deprecated due to collision vulnerability.
Digital Signature
A cryptographic mechanism that uses asymmetric key cryptography and hashing together to provide authentication, integrity, and non-repudiation for a message or document. Process: the sender hashes the message to produce a digest, then encrypts the digest with their private key β the result is the digital signature. The recipient decrypts the signature with the sender's public key to recover the digest, independently hashes the received message, and compares the two digests. A match proves: (1) authentication β only the private key holder could have created this signature; (2) integrity β the message has not been altered since signing, because any change would produce a different hash; (3) non-repudiation β the sender cannot deny sending it, because only they hold the private key. Digital signatures underpin code signing, document signing (PDFs, contracts), email (S/MIME, PGP), and certificate validation in TLS.
Obfuscation
A technique that deliberately makes data, code, or information harder to understand while preserving its functionality or meaning. Obfuscation is not encryption β it does not use a key and is not mathematically secured. A determined analyst with enough time and effort can reverse obfuscation; it provides security through obscurity rather than cryptographic strength. Legitimate uses: software companies obfuscate source code (variable renaming, control flow scrambling) to make reverse engineering of proprietary algorithms harder; obfuscated JavaScript is common in web applications to protect intellectual property and reduce file size. Malicious uses: malware authors obfuscate code to evade signature-based antivirus detection, making it harder for security tools to recognize known malicious patterns. Key exam distinction: obfuscated code runs identically to the original β the behavior is the same, only the readability is degraded.
Data Masking
A specific type of obfuscation that hides portions of sensitive data while displaying enough information for a legitimate purpose. The most common example: displaying only the last four digits of a credit card number (**** **** **** 4532) to allow a customer to identify which card is on file without exposing the full number. Key distinction: data masking affects what is displayed or provided to a particular user β the underlying data may still be stored fully intact in the database. A call center agent sees a masked card number; the payment processing system retrieves the full number from the database when needed. Types of masking: substitution (replacing characters with alternatives), shuffling (rearranging characters or fields), masking out (replacing with asterisks or X's), and encrypting specific fields. Static masking creates a permanent masked copy; dynamic masking applies masking at query time to specific roles.
Tokenization
A data protection technique that replaces a sensitive value with a non-sensitive substitute called a token. Unlike encryption, there is no mathematical relationship between the token and the original value β the mapping is stored in a separate token service (a secure lookup table). The original sensitive value lives only in the token service; the token itself has no useful meaning outside that system. Classic example: a credit card number 4111-1111-1111-1111 is replaced with a token 8937-2841-7734-0092 in all merchant systems. Mobile payment systems (Apple Pay, Google Pay) use tokenization: a device-specific token replaces the actual card number for each NFC transaction. Advantages over encryption: (1) no cryptographic overhead in day-to-day operations β systems just pass around tokens; (2) tokens are useless if stolen β cannot be reversed mathematically; (3) one-time-use tokens (used in mobile payments) work for exactly one transaction.
Data Segmentation
A protection strategy that distributes data across multiple separate databases, systems, or storage locations rather than consolidating everything in one place. The security rationale: a single database containing all sensitive data is a single point of failure β a breach exposes everything. By distributing data, each breach is limited in scope to the data held in that specific segment. The most sensitive data receives the highest security investment β top-tier controls on the database holding critical identifiers, lighter controls on less sensitive segments. Practical implementation: customer PII in one database (highest security tier), order history in another (medium tier), product catalog data in a third (lower tier). An attacker who compromises the product catalog database cannot access PII. The tradeoff is operational complexity: queries that need data from multiple segments require joins across systems or additional application logic.
Permission Restrictions (Authentication and Authorization)
A layered data protection approach combining authentication controls (verifying who the user is before granting access) with post-login authorization controls (determining what the authenticated user is allowed to do). Authentication controls include password policies (minimum length, complexity requirements, expiration, history), multi-factor authentication (MFA β requiring a second factor such as an authenticator app, hardware token, or biometric), and lockout policies. Post-login authorization controls include group-based permissions (assign users to groups with predefined access levels, not individual permissions), file and folder permissions (ACLs specifying read/write/execute per user or group), principle of least privilege (users receive only the minimum permissions necessary for their job function), and separation of duties (critical operations require more than one person, preventing single-person fraud or error).
Confusion Property (in Encryption)
A property of a good encryption algorithm describing that the relationship between the ciphertext and the encryption key should be as complex and non-obvious as possible. In practical terms: a small change to the plaintext input (changing one character, one bit) should produce a dramatically different ciphertext output, with no visible pattern or relationship to the original. The name "confusion" describes making it maximally difficult for an analyst studying ciphertext to work backward to either the key or the plaintext β even with access to many pairs of plaintext and corresponding ciphertext. Confusion is paired with diffusion (spreading the influence of each plaintext character across many ciphertext characters) as the two properties Claude Shannon identified as essential for secure ciphers. When the exam says "the encrypted version looks completely different from the original" or "the output is unrecognizable as derived from the input" β that describes confusion.