Glossary Flashcards
heat map risk matrix
A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.
lessons learned report (LLR)
An analysis of events that can provide insight into how to improve response and support processes in the future.
network log
A target for system and access events generated by a network appliance, such as a switch, wireless access point, or router.
File Transfer Protocol (FTP)
Application protocol used to transfer files between network hosts. Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES), and T(rivial)FTP. FTP utilizes ports 20 and 21.
quantitative risk analysis
A numerical method that is used to assess the probability and impact of risk and measure the impact.
provenance
In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.
Internet header
A record of the email servers involved in transferring an email message from a sender to a recipient.
clean desk policy
An organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.
capacity planning
A practice which involves estimating the personnel, storage, computer hardware, software, and connection infrastructure resources required over some future period of time.
port mirroring (SPAN)
Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch.
Internet Protocol Security (IPSec)
Network protocol suite used to secure data through authentication and encryption as the data travels across the network or the Internet.
geographic dispersion
A resiliency mechanism where processing and data storage resources are replicated between physically distant sites.
mean time to repair/replace/recover (MTTR)
A metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
logic bomb
A malicious program or script that is set to run under particular circumstances or in response to a defined event.
password best practices
Rules to govern secure selection and maintenance of knowledge factor authentication secrets, such as length, complexity, age, and reuse.
environmental attack
A physical threat directed against power, cooling, or fire suppression systems.
representational state transfer (REST)
A standardized, stateless architectural style used by web applications for communication and integration.
listener/collector
A network appliance that gathers or receives log and/or state data from other network systems.
pretexting
Social engineering tactic where a team will communicate, whether directly or indirectly, a lie or half-truth in order to get someone to believe a falsehood.
Remote Authentication Dial-in User Service (RADIUS)
AAA protocol used to manage remote and wireless authentication infrastructures.
network functions virtualization (NFV)
Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.
behavior-based detection
A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.
onboarding
The process of bringing in a new employee, contractor, or supplier.
information security policies
A document or series of documents that are backed by senior management and that detail requirements for protecting technology and information assets from threats and misuse.
cloud deployment model
Classifying the ownership and management of a cloud as public, private, community, or hybrid.
regulated data
Information that has storage and handling compliance requirements defined by national and state legislation and/or industry regulations.
proprietary information
Information created by an organization, typically about the products or services that it makes or provides.
cloning
The process of quickly duplicating a virtual machine’s configuration when several identical machines are needed immediately.
key length
Size of a cryptographic key in bits. Longer keys generally offer better security, but key lengths for different ciphers are not directly comparable.
data breach
When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.
backup power generator
A standby power supply fueled by diesel or propane. In the event of a power outage, a UPS must provide transitionary power, as a backup generator cannot be cut in fast enough.
DNS sinkhole
A temporary DNS record that redirects malicious traffic to a controlled IP address.
availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
hybrid password attack
An attack that uses multiple attack methods, including dictionary, rainbow table, and brute force attacks, when trying to crack a password.
forgery attack
An attack that exploits weak authentication to perform a request via a hijacked session.
baseline configuration
A collection of security and configuration settings that are to be applied to a particular system or network in the organization.
non-transparent proxy
A server that redirects requests and responses for clients configured with the proxy address and port.
missing logs
A potential indicator of malicious activity where events or log files are deleted or tampered with.
address resolution protocol (ARP)
Broadcast mechanism by which the hardware MAC address of an interface is matched to an IP address on a local network segment.
brute force attack
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.
active reconnaissance
Penetration testing techniques that interact with target systems directly.
data controller
In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.
playbook
A checklist of actions to perform to detect and respond to a specific type of incident.
e-discovery
Procedures and tools to collect, preserve, and analyze digital evidence.
Information Sharing and Analysis Center (ISAC)
A not-for-profit group set up to share sector-specific threat intelligence and security best practices among its members.
certificate signing request (CSR)
A Base64 ASCII file that a subject sends to a CA to get a certificate.
Kerberos
A single sign-on authentication and authorization service that is based on a time-sensitive, ticket-granting system.
advanced persistent threat (APT)
Threat actors with the ability to craft novel exploits and techniques to obtain, maintain, and diversify unauthorized access to network systems over a long period.
recovery time objective (RTO)
The maximum time allowed to restore a system after a failure event.
Extensible Authentication Protocol over LAN (EAPoL)
A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.
access badge
An authentication mechanism that allows a user to present a smart card to operate an entry system.
layer 4 firewall
A stateful inspection firewall that can monitor TCP sessions and UDP traffic.
cable lock
Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.
NetFlow
Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.
chain of custody
Record of handling evidence from collection to presentation in court to disposal.
organized crime
A type of threat actor that uses hacking and computer fraud for commercial gain.
fencing
A security barrier designed to prevent unauthorized access to a site perimeter.
fraud
Falsifying records, such as an internal fraud that involves tampering with accounts.
access control vestibule
A secure entry system with two gateways, only one of which is open at any one time.
false rejection rate (FRR)
A biometric assessment metric that measures the number of valid subjects who are denied access.
Post Office Protocol (POP)
Application protocol that enables a client to download email messages from a server mailbox to a client over port TCP/110 or secure port TCP/995.
Memorandum of Agreement (MoA)
A legal document forming the basis for two parties to cooperate without a formal contract (a cooperative agreement). MOAs are often used by public bodies.
passive reconnaissance
Penetration testing techniques that do not interact with target systems directly.
malicious update
A vulnerability in a software repository or supply chain that a threat actor can exploit to add malicious code to a package.
financial data
Data held about bank and investment accounts, plus information such as payroll and tax returns.
key exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
cross-site scripting (XSS)
A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.
cookie
A text file used to store information about a user when they visit a website. Some sites use cookies to support user sessions.
Diffie-Hellman (DH)
A cryptographic technique that provides secure key exchange.
internet of things (IoT)
Devices that can report state and configuration data and be remotely managed over IP networks.
inline
Placement and configuration of a network security control so that it becomes part of the cable path.
data exfiltration
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
canonicalization attack
An attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.
journaling
A method used by file systems to record changes not yet made to the file system in an object called a journal.
due diligence
A legal principle that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.
physical penetration testing
Assessment techniques that extend to site and other physical security systems.
business continuity (BC)
A collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.
dependencies
Resources and other services that must be available and running for a service to start.
bluejacking
Sending an unsolicited message or picture message using a Bluetooth connection.
FTPS
A type of FTP using TLS for confidentiality.
control plane
In zero trust architecture, functions that define policy and determine access decisions.
incident response lifecycle
Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents, divided into preparation, detection, analysis, containment, eradication/recovery, and lessons learned stages.
cyber threat intelligence (CTI)
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.
command and control (C2)
Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.
cryptography
The science and practice of altering data to make it unintelligible to unauthorized parties.
hardening
A process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.
logical segmentation
Network topology enforced by switch, router, and firewall configuration where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments.
detectability
A risk evaluation parameter that defines the likelihood of a company detecting a risk occurrence before it impacts the project, process, or end user.
IEEE 802.1X
A standard for encapsulating EAP communications over a LAN (EAPoL) or WLAN (EAPoW) to implement port-based authentication.
fake telemetry
Deception strategy that returns spoofed data in response to network probes.
reputational threat intelligence
Blocklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains.
ARP poisoning
A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and on-path (previously known as man-in-the-middle).
mobile device management (MDM)
Process and supporting technologies for tracking, controlling, and securing the organization’s mobile infrastructure.
integrated penetration testing
A holistic approach that combines different types of penetration testing methodologies and techniques to evaluate an organization’s security operations.
maximum tolerable downtime (MTD)
The longest period that a process can be inoperable without causing irrevocable business failure.
access control list (ACL)
The collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read-only, read/write, and so on).
internal threat
A type of threat actor who is assigned privileges on the system and causes an intentional or unintentional incident.
incident
An event that interrupts standard operations or compromises security policy.
eXtensible Markup Language (XML)
A system for structuring documents so that they are human and machine readable. Information within the document is placed within tags, which describe how information within the document is structured.
data subject
An individual that is identified by privacy data.
chief technology officer (CTO)
Company officer with the primary role of making effective use of new and emerging computing platforms and innovations.
offensive penetration testing
The “hostile” or attacking team in a penetration test or incident response exercise.
hot site
A fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.
caching engine
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
internal/external
The degree of access that a threat actor possesses before initiating an attack. An external threat actor has no standing privileges, while an internal actor has been granted some access permissions.
guidelines
Best practice recommendations and advice for configuration items where detailed, strictly enforceable policies and standards are impractical.
hashing
A function that converts an arbitrary-length string input to a fixed-length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.
Message Digest Algorithm v5 (MD5)
A cryptographic hash function producing a 128-bit output.
network attack
An attack directed against cabled and/or wireless network infrastructure, including reconnaissance, denial of service, credential harvesting, on-path, privilege escalation, and data exfiltration.
enterprise authentication
A wireless network authentication mode where the access point acts as pass-through for credentials that are verified by an AAA server.
machine learning (ML)
A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions.
endpoint log
A target for security-related events generated by host-based malware and intrusion detection agents.
community cloud
A cloud that is deployed for shared use by cooperating tenants.
annualized loss expectancy (ALE)
The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
fault tolerance
Protection against system failure by providing extra (redundant) capacity. Generally, fault-tolerant systems identify and eliminate single points of failure.
discretionary access control (DAC)
An access control model where each resource is protected by an access control list (ACL) managed by the resource’s owner (or owners).
file integrity monitoring (FIM)
A type of software that reviews system files to ensure that they have not been tampered with.
forensics
The process of gathering and submitting computer evidence for trial. Digital evidence is latent, meaning that it must be interpreted. This means that great care must be taken to prove that the evidence has not been tampered with or falsified.
blockchain
A concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.
identity and access management (IAM)
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
fail-open
A security control configuration that ensures continued access to the resource in the event of failure.
decentralized computing architecture
A model in which data processing and storage are distributed across multiple locations or devices.
continuity of operations plan (COOP)
Identifies how business processes should deal with both minor and disaster-level disruption by ensuring that there is processing redundancy supporting the workflow.
directive control
A type of control that enforces a rule of behavior through a policy or contract.
reaction time
The elapsed time between an incident occurring and a response being implemented.
environmental variables
In vulnerability assessment, factors or metrics due to local network or host configuration that increase or decrease the base likelihood and impact risk level.
host-based intrusion prevention system (HIPS)
Endpoint protection that can detect and prevent malicious activity via signature and heuristic pattern matching.
Point-to-Point Tunneling Protocol (PPTP)
Developed by Cisco and Microsoft to support VPNs over PPP and TCP/IP. PPTP is highly vulnerable to password cracking attacks and considered obsolete.
cloud computing
Computing architecture where on-demand resources provisioned with the attributes of high availability, scalability, and elasticity are billed to customers on the basis of metered utilization.
jump server
A hardened server that provides access to other hosts.
full disk encryption (FDE)
Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.
phishing
An email-based social engineering attack in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.
data owner
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
legal data
Documents and records that relate to matters of law, such as contracts, property, court cases, and regulatory filings.
authentication, authorization, and accounting (AAA)
A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.
level of sophistication/capability
A formal classification of the resources and expertise available to a threat actor.
distributed denial-of-service (DDoS)
An attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
bollards
Sturdy vertical posts installed to control road traffic or designed to prevent ram-raiding and vehicle-ramming attacks.
near-field communication (NFC)
A standard for two-way radio communications over very short (around four inches) distances, facilitating contactless payment and similar technologies. NFC is based on RFID.
out of band management (OOB)
Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.
impersonation
Social engineering attack where an attacker pretends to be someone they are not.
preventive control
A type of security control that acts before an incident to eliminate or reduce the likelihood that an attack can succeed.
closed/proprietary
Software code or security research that remains in the ownership of the developer and may only be used under permitted license conditions.
digital certificate
Identification and authentication information presented in the X.509 format and issued by a certificate authority (CA) as a guarantee that a key pair (as identified by the public key embedded in the certificate) is valid for a particular subject (user or host).
likelihood
In qualitative risk analysis, the chance of an event that is expressed as a subjectively determined scale, such as high or low.
compensating control
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
data exposure
A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.
non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
credential replay
An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.
disinformation
A type of attack that falsifies an information resource that is normally trusted by others.
centralized computing architecture
A model where all data processing and storage is performed in a single location.
reporting
A forensics process that summarizes significant contents of digital data using open, repeatable, and unbiased methods and tools.
data retention
The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.
Common Vulnerabilities and Exposures (CVE)
A scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.
asset
A thing of economic value. For accounting purposes, assets are classified in different ways, such as tangible and intangible or short term and long term. Asset management means identifying each asset and recording its location, attributes, and value in a database.
acceptable use policy (AUP)
A policy that governs employees’ use of company equipment and Internet services. ISPs may also apply AUPs to their customers.
credentialed scan
A scan that uses credentials, such as usernames and passwords, to take a deep dive during the vulnerability scan, which will produce more information while auditing the network.
computer-based training (CBT)
Training and education programs delivered using computer devices and e-learning instructional models and design.
air-gapped
A type of network isolation that physically separates a host from other hosts or a network from all other networks.
account lockout
Policy that prevents access to an account under certain conditions, such as an excessive number of failed authentication attempts.
authorization
The process of determining what rights and privileges a particular entity has.
recovery point objective (RPO)
The longest period that an organization can tolerate lost data being unrecoverable.
exception handling
An application vulnerability that is defined by how an application responds to unexpected errors that can lead to holes in the security of an app.
encryption level
Target for data-at-rest encryption, ranging from more granular (file or row/record) to less granular (volume/partition/disk or database).
concurrent session usage
A potential indicator of malicious activity where an account has started multiple sessions on one or more hosts.
Document Object Model (DOM)
When attackers send malicious scripts to a web app’s client-side implementation of JavaScript to execute their attack solely on the client.
open-source intelligence (OSINT)
Publicly available information plus the tools used to aggregate and search it.
provisioning
The process of deploying an account, host, or application to a target production environment. This involves proving the identity or integrity of the resource, and issuing it with credentials and access permissions.
information-sharing organization
Collaborative groups that exchange data about emerging cybersecurity threats and vulnerabilities.
physical attack
An attack directed against cabling infrastructure, hardware devices, or the environment of the site facilities hosting a network.
passwordless
Multifactor authentication scheme that uses ownership and biometric factors, but not knowledge factors.
escalation
In the context of support procedures, incident response, and breach-reporting, escalation is the process of involving expert and senior staff to assist in problem management.
network monitoring
Auditing software that collects status and configuration information from network devices. Many products are based on the Simple Network Management Protocol (SNMP).
password spraying
A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
device placement
Considerations for positioning security controls to protect network zones and individual hosts to implement a defense in depth strategy and to meet overall security goals.
horizontal privilege escalation
When a user accesses or modifies specific resources that they are not entitled to.
remote access Trojan (RAT)
Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.
DevSecOps
A combination of software development, security operations, and systems operations that refers to the practice of integrating each discipline with the others.
metadata
Information stored or recorded as a property of an object, state of a system, or transaction.
AES Galois Counter Mode Protocol (GCMP)
A high performance mode of operation for symmetric encryption. Provides a special characteristic called authenticated encryption with associated data, or AEAD.
non-credentialed scan
A scan that uses fewer permissions and many times can only find missing patches or updates.
account policies
A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.
procedure
Detailed instructions for completing a task in a way that complies with policies and standards.
attack surface
The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
indicator of compromise (IoC)
A sign that an asset or network has been attacked or is currently under attack.
heat map
In a Wi-Fi site survey, a diagram showing signal strength and channel utilization at different locations.
data plane
Functions that enforce policy decisions configured in the control plane and facilitate data transfers.
project stakeholder
A person who has a business interest in the outcome of a project or is actively involved in its work.
Encapsulating Security Payload (ESP)
IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet.
data loss prevention (DLP)
A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
disassociation attack
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
credential harvesting
Social engineering techniques for gathering valid credentials to use to gain unauthorized access.
endpoint detection and response (EDR)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
Internet Key Exchange (IKE)
Framework for creating a security association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree on secure protocols and cipher suites to use to exchange data.
factors
In authentication design, different technologies for implementing authentication, such as knowledge, ownership/token, and biometric/inherence. These are characterized as something you know/have/are.
Extensible Authentication Protocol (EAP)
Framework for negotiating authentication methods that enable systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication and to establish secure tunnels through which to submit credentials.
password attack
Any attack where the attacker tries to gain unauthorized access to and use of passwords.
distinguished name (DN)
A collection of attributes that define a unique identifier for any given resource within an X.500-like directory.
IP Flow Information Export (IPFIX)
Standards-based version of the NetFlow framework.
penetration testing
A test that uses active tools and security utilities to evaluate security by simulating an attack on a system. A pen test will verify that a threat exists, then will actively test and bypass security controls, and will finally exploit vulnerabilities on the system.
attribute-based access control
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
digital signature
A message digest encrypted using the sender’s private key that is appended to a message to authenticate the sender and prove message integrity.
biometric authentication
An authentication mechanism that allows a user to perform a biometric scan to operate an entry or access system. Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, fingerprint pattern, and signature recognition.
enterprise risk management (ERM)
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
persistence (load balancing)
In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.
log aggregation
Parsing information from multiple log and security event data sources so that it can be presented in a consistent and searchable format.
least privilege
A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
power distribution unit (PDU)
An advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.
cross-site request forgery (CSRF)
A malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.
deception and disruption
Cybersecurity resilience tools and techniques to increase the cost of attack planning for the threat actor.
backup
A security copy of production data made to removable media, typically according to a regular schedule. Different backup types (full, incremental, or differential) balance media capacity, time required to backup, and time required to restore.
defense in depth
Security strategy that positions layers of diverse security control categories and functions throughout the environment, as opposed to relying on perimeter controls alone.
IT Infrastructure Library (ITIL)
An IT best practice framework, emphasizing the alignment of IT Service Management (ITSM) with business needs. ITIL was first developed in 1989 by the UK government. ITIL 4 was released in 2019 and is now marketed by AXELOS.
first responder
The first experienced person or team to arrive at the scene of an incident.
intrusion detection system (IDS)
A security appliance or software that analyzes data from a packet sniffer to identify traffic that violates policies or rules.
Common Vulnerability Scoring System (CVSS)
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
anything as a service
The concept that most types of IT requirements can be deployed as a cloud service model.
downgrade attack
A cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.
DNS poisoning
An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker’s choosing.
group account
A collection of user accounts that is useful when establishing file permissions and user rights: when many individuals need the same level of access, a group can be established containing all the relevant users.
radio-frequency ID (RFID)
A means of encoding information into passive tags which can be energized and read by radio waves from a reader device.
buffer overflow
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
false negative
In security scanning, a case that is not reported when it should be.
perfect forward secrecy (PFS)
A characteristic of transport encryption that ensures if a key is compromised, the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions.
dd command
Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.
asymmetric algorithm
Cipher that uses public and private keys. The keys are mathematically linked, using either Rivest, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) algorithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example.
privileged access management (PAM)
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
preparation
An incident response process that hardens systems, defines policies and procedures, establishes lines of communication, and puts resources in place.
potentially unwanted program (PUP)
Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.
Internet Protocol (IP)
Network (Internet) layer protocol in the TCP/IP suite providing packet addressing and routing for all higher-level protocols in the suite.
cloud service model
Classifying the provision of cloud services and the limit of the cloud service provider’s responsibility as software, platform, infrastructure, and so on.
botnet
A group of hosts or devices that has been infected by a control program called a bot, which enables attackers to exploit the hosts to mount attacks.
gap analysis
An analysis that measures the difference between the current and desired states in order to help assess the scope of work included in a project.
configuration baseline
Settings for services and policy configuration for a network appliance or for a server operating in a particular application role (web server, mail server, file/print server, and so on).
destruction
An asset disposal technique that ensures that data remnants are rendered physically inaccessible and irrevocable, through degaussing, shredding, or incineration.
patch management
Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.
real-time operating system (RTOS)
A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.
jailbreaking
Removes the protective seal and any OS-specific restrictions to give users greater control over the device.
algorithm
Operations that transform a plaintext into a ciphertext with cryptographic properties, also called a cipher. There are symmetric, asymmetric, and hash cipher types.
public key cryptography standards (PKCS)
A series of standards defining the use of certificate authorities and digital certificates.
business partnership agreement (BPA)
Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.
authenticator
A PNAC switch or router that activates EAPoL and passes a supplicant’s authentication data to an authenticating server, such as a RADIUS server.
proxy server
A server that mediates the communications between a client and another server. It can filter and often modify communications as well as provide caching services to improve performance.
blocked content
A potential indicator of malicious activity where audit logs show unauthorized attempts to read or copy a file or other data.
on-site backup
Backup that writes job data to media that is stored in the same physical location as the production system.
hard authentication token
An authentication token generated by a cryptoprocessor on a dedicated hardware device. As the token is never transmitted directly, this implements an ownership factor within a multifactor authentication scheme.
authentication
A method of validating a particular entity’s or individual’s unique credentials.
appliance firewall
A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance’s firmware.
collision
In cryptography, the act of two different plaintext inputs producing the same exact ciphertext output.
key encryption key (KEK)
In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.
crossover error rate
A biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.
NT LAN Manager authentication (NTLM authentication)
A challenge-response authentication protocol created by Microsoft for use in its products.
residual risk
Risk that remains even after controls are put into place.
mean time between failures (MTBF)
A metric for a device or component that predicts the expected time between failures.
governance committee
Leaders and subject matter experts with responsibility for defining policies, procedures, and standards within a particular domain or scope.
private cloud
A cloud that is deployed for use by a single entity.
internet relay chat (IRC)
A group communications protocol that enables users to chat, send private messages, and share files.
out-of-cycle logging
A potential indicator of malicious activity where event dates or timestamps are not consistent.
federation
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
data custodian
An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.
data processor
In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.
command injection
Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
mission essential function (MEF)
Business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.
intrusion prevention system (IPS)
A security appliance or software that combines detection capabilities with functions that can actively block attacks.
HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).
data historian
Software that aggregates and catalogs data from multiple sources within an industrial control system.
memorandum of understanding (MoU)
Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.
private key
In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with whom the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.
application virtualization
A software delivery model where the code runs on a server and is streamed to a client.
conflict of interest
When an individual or organization has investments or obligations that could compromise their ability to act objectively, impartially, or in the best interest of another party.
hacker
Often used to refer to someone who breaks into computer systems or spreads viruses; ethical hackers prefer to think of themselves as experts on and explorers of computer security systems.
malware
Software that serves a malicious purpose, typically installed without the user’s consent (or knowledge).
qualitative risk analysis
The process of determining the probability of occurrence and the impact of identified risks by using logical reasoning when numeric data is not readily available.
hash-based message authentication code (HMAC)
A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.
active security control
Detective and preventive security controls that use an agent or network configuration to monitor hosts. This allows for more accurate credentialed scanning, but consumes some host resources and is detectable by threat actors.
cloud service provider (CSP)
Organization providing infrastructure, application, and/or storage services via an “as a service” subscription-based, cloud-centric offering.
honeypot
A host (honeypot), network (honeynet), file (honeyfile), or credential/token (honeytoken) set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.
cold site
A predetermined alternate location where a network can be rebuilt after a disaster.
dump file
A file containing data captured from system memory.
nation state actor
A type of threat actor that is supported by the resources of its host country’s military and security services.
data masking
A de-identification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.
antivirus
Inspecting traffic to locate and block viruses.
containerization
An operating system virtualization deployment containing everything required to run a service, application, or microservice.
disposal/decommissioning
In asset management, the policies and procedures that govern the removal of devices and software from production networks, and their subsequent disposal through sale, donation, or as waste.
extortion
Demanding payment to prevent or halt some type of attack.
pivoting
When an attacker uses a compromised host (the pivot) as a platform from which to spread an attack to other points in the network.
pluggable authentication module (PAM)
A framework for implementing authentication providers in Linux.
defensive penetration testing
The defensive team in a penetration test or incident response exercise.
bug bounty
Reward scheme operated by software and web services vendors for reporting vulnerabilities.
identity provider
In a federated network, the service that holds the user account and performs authentication.
Media Access Control filtering (MAC filtering)
Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
malicious process
A process executed without proper authorization from the system owner for the purpose of damaging or compromising the system.
permissions
Security settings that control access to objects including file system items and network resources.
choose your own device (CYOD)
An enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.
open public ledger
Distributed public record of transactions that underpins the integrity of blockchains.
lighting
Physical security mechanisms that ensure a site is sufficiently illuminated for employees and guests to feel safe and for camera-based surveillance systems to work well.
replay attack
An attack where the attacker intercepts some authentication data and reuses it to try to reestablish a session.
Payment Card Industry Data Security Standard (PCI DSS)
The information security standard for organizations that process credit or bank card payments.
cryptanalysis
The science, art, and practice of breaking codes and ciphers.
off-site backup
Backup that writes job data to media that is stored in a separate physical location to the production system.
cryptographic primitive
A single hash function, symmetric cipher, or asymmetric cipher.
platform as a service (PaaS)
A cloud service model that provisions application and database services as a platform for development of apps.
incident response plan (IRP)
Specific procedures that must be performed if a certain type of event is detected or reported.
key risk indicator (KRI)
The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occurring.
next-generation firewall (NGFW)
Advances in firewall technology, from app awareness, user-based filtering, and intrusion prevention to cloud inspection.
network access control (NAC)
A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.
packet analysis
Analysis of the headers and payload data of one or more frames in captured network traffic.
one-time password (OTP)
A password that is generated for use in one specific session and becomes invalid after the session ends.
percent encoding
A mechanism for encoding characters as hexadecimal values delimited by the percent sign.
inherent risk
Risk that an event will pose if no controls are put in place to mitigate it.
master service agreement (MSA)
A contract that establishes precedence and guidelines for any business documents that are executed between two parties.
configuration management
A process through which an organization’s information systems components are kept in a controlled state that meets the organization’s requirements, including those for security and compliance.
acquisition/procurement
Policies and processes that ensure asset and service purchases and contracts are fully managed, secure, use authorized suppliers/vendors, and meet business goals.
parallel processing tests
Running primary and backup systems simultaneously to validate the functionality and performance of backup systems without disrupting normal operations.
replication
Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).
password manager
Software that can suggest and store site and app passwords to reduce risks from poor user choices and behavior. Most browsers have a built-in password manager.
escrow
In key management, the storage of a backup key with a third party.
keylogger
Malicious software or hardware that can record user keystrokes.
analysis
An incident response process in which indicators are assessed to determine validity, impact, and category.
intentional threat
A threat actor with a malicious purpose.
reconnaissance
The actions taken to gather information about an individual’s or organization’s computer systems and software. This typically involves collecting information such as the types of systems and software used, user account information, data types, and network configuration.
ephemeral
In cryptography, a key that is used within the context of a single session only.
database encryption
Applying encryption at the table, field, or record level via a database management system rather than via the file system.
Remote Desktop Protocol (RDP)
Application protocol for operating remote connections to a host using a graphical interface. The protocol sends screen data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host. It uses TCP port 3389.
public key infrastructure (PKI)
A framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
injection attack
An attack that exploits weak request handling or input validation to run arbitrary code in a client browser or on a server.
offboarding
The process of ensuring that all HR and other requirements are covered when an employee leaves an organization.
key distribution center (KDC)
A component of Kerberos that authenticates users and issues tickets (tokens).
human-machine interface (HMI)
Input and output controls on a PLC to allow a user to configure and monitor the system.
nondisclosure agreement (NDA)
An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.
industrial camouflage
Methods of disguising the nature and purpose of buildings or parts of buildings.
legal hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
call list
A document listing authorized contacts for notification and collaboration during a security incident.
group policy object (GPO)
On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.
dictionary attack
A type of password attack that compares encrypted passwords against a predetermined list of possible password values.
industrial control system (ICS)
Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).
bring your own device (BYOD)
Security framework and tools to facilitate use of personally owned devices to access corporate networks and data.
objective probability
The mathematical measure of the possibility of a risk occurring.
data in transit
Information that is being transmitted between two hosts, such as over a private network or the Internet.
data classification
The process of applying confidentiality and privacy labels to information.
card cloning
Making a copy of a contactless access card.
host-based intrusion detection system (HIDS)
A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state.
accounting
Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
infrastructure as code (IaC)
Provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.
Global Positioning System (GPS)
A means of determining a receiver’s position on Earth based on information received from orbital satellites.
data in use
Information that is present in the volatile memory of a host, such as system memory or cache.
firewall log
A target for event data related to access rules that have been configured for logging.
indoor positioning system (IPS)
Technology that can derive a device’s location when indoors by triangulating its proximity to radio sources such as Bluetooth beacons or Wi-Fi access points.
corporate owned, business only (COBO)
An enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.
false positive
In security scanning, a case that is reported when it should not be.
impact
The severity of the risk if realized by factors such as the scope, value of the asset, or the financial impacts of the event.
correlation
A function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.
questionnaires
In vendor management, structured means of obtaining consistent information, enabling more effective risk analysis and comparison.
exposure factor (EF)
In risk calculation, the percentage of an asset’s value that would be lost during a security incident or disaster scenario.
governance
Creating and monitoring effective policies and procedures to manage assets, such as data, and ensure compliance with industry regulations and local, national, and global legislation.
data inventory
List of classified data or information stored or processed by a system.
allow listing
A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on an allow list.
passive security control
An enumeration, vulnerability, or incident detection scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.
key management system
In PKI, procedures and tools that centralize generation and storage of cryptographic keys.
on-path attack
An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.
data at rest
Information that is primarily stored on specific media, rather than moving from one medium to another.
change control
The process by which the need for change is recorded and approved.
artificial intelligence
The science of creating machines with the ability to develop problem-solving and analysis strategies without significant human direction or intervention.
authorized
A hacker engaged in authorized penetration testing or other security consultancy.
cipher suite
Lists of cryptographic algorithms that a server and client can use to negotiate a secure connection.
corporate owned, personally enabled (COPE)
An enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.
annualized rate of occurrence (ARO)
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
probability
In quantitative risk analysis, the chance of an event that is expressed as a percentage.
chief information officer (CIO)
Company officer with the primary responsibility for management of information technology assets and procedures.
cybersecurity framework (CSF)
Standards, best practices, and guidelines for effective security risk management. Some frameworks are general in nature, while others are specific to industry or technology types.
hybrid cloud
A cloud deployment that uses both private and public elements.
anomalous behavior recognition
Systems that automatically detect users, hosts, and services that deviate from what is expected, or systems and training that encourage reporting of this by employees.
integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
encryption
Scrambling the characters used in a message so that the message can be seen but not understood or modified unless it can be deciphered. Encryption provides for a secure means of transmitting data and authenticating users. It is also used to store data securely. Encryption uses different types of cipher and one or more keys. The size of the key is one factor in determining the strength of the encryption product.
cryptominer
Malware that hijacks computer resources to create cryptocurrency.
on-premises network
A private network facility that is owned and operated by an organization for use by its employees only.
maneuver
In threat hunting, the concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.
ransomware
Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment.
attack vector
A specific path by which a threat actor gains unauthorized access to a system.
personal area network (PAN)
A network scope that uses close-range wireless technologies (usually based on Bluetooth or NFC) to establish communications between personal devices, such as smartphones, laptops, and printers/peripheral devices.
corrective control
A type of security control that acts after an incident to eliminate or minimize its impact.
Internet Message Access Protocol (IMAP)
Application protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server. IMAP4 utilizes TCP port number 143, while the secure version IMAPS uses TCP/993.
open authorization (OAuth)
A standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.
birthday attack
A type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.
eradication
An incident response process in which malicious tools and configurations on hosts and networks are removed.
business impact analysis (BIA)
Systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.
high availability (HA)
A metric that defines how closely systems approach the goal of providing data availability 100% of the time while maintaining a high level of system performance.
hacktivist
A threat actor that is motivated by a social issue or political cause.
application programming interface
Methods exposed by a script or program that allow other scripts or programs to use it. For example, an API enables software developers to access functions of the TCP/IP network stack under a particular operating system.
implicit deny
The basic principle of security stating that unless something has explicitly been granted access, it should be denied access.
infrastructure as a service (IaaS)
A cloud service model that provisions virtual machines and network infrastructure.
Opal
Standards for implementing device encryption on storage devices.
chief security officer (CSO)
Typically the job title of the person with overall responsibility for information assurance and systems security. This may also be referred to as chief information security officer (CISO).
kill chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses to a network intrusion.
host-based firewall
A software application running on a single host and designed to protect only that host.
key stretching
A technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against brute force attacks.
arbitrary code execution
A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability.
multifactor authentication (MFA)
An authentication scheme that requires the user to present at least two different factors as credentials; for example, something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as “2FA.”
personal identification number (PIN)
A number used in conjunction with authentication devices such as smart cards; as the PIN should be known only to the user, loss of the smart card should not represent a security risk.
remote access
Infrastructure, protocols, and software that allow a host to join a local network from a physically remote location, or that allow a session on a host to be established over a network.
proximity reader
A scanner that reads data from an RFID or NFC tag when in range.
remote code execution (RCE)
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.
load balancer
A type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly configured servers. This provides fault tolerance and improves throughput.
Lightweight Directory Access Protocol Secure (LDAP Secure)
A method of implementing LDAP using SSL/TLS encryption.
fail-closed
A security control configuration that blocks access to a resource in the event of failure.
input validation
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.
clustering
A load balancing technique where a group of servers are configured as a unit and work together to provide network services.
attestation
Capability of an authenticator or other cryptographic module to prove that it is a root of trust and can provide reliable reporting to prove that a device or computer is a trustworthy platform.
Domain Name System Security Extensions (DNSSEC)
Security protocol that provides authentication of DNS data and upholds DNS data integrity.
bluesnarfing
A wireless attack where an attacker gains access to unauthorized information on a device using a Bluetooth connection.
public cloud
A cloud that is deployed for shared use by multiple independent tenants.
false acceptance rate (FAR)
A biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.
disaster recovery (DR)
A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.
race condition
A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
denial of service attack (DoS)
Any type of physical, application, or network attack that affects the availability of a managed resource.
CIA triad
Three principles of security control and management. Also known as the information security triad. Also referred to in reverse order as the AIC triad.
common name (CN)
An X.500 attribute expressing a host or username; also used as the subject identifier for a digital certificate.
directory service
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
impossible travel
A potential indicator of malicious activity where authentication attempts are made from different geographical locations within a short timeframe.
JavaScript Object Notation (JSON)
A file format that uses attribute-value pairs to define configurations in a structure that is easy for both humans and machines to read and consume.
embedded system
An electronic system that is designed to perform a specific, dedicated function, such as a microcontroller in a medical drip or components in a control system managing a water treatment plant.
non-human-readable data
Information stored in a file that human beings cannot read without a specialized processor to decode the binary or complex structure.
multi-cloud
A cloud deployment model where the cloud consumer uses multiple public cloud services.
online certificate status protocol (OCSP)
Allows clients to request the status of a digital certificate to check whether it is revoked.
governance board
Senior executives and external stakeholders with responsibility for setting strategy and ensuring compliance.
policy
A strictly enforceable ruleset that determines how a task should be completed.
log data
OS and applications software can be configured to log events automatically. This provides valuable troubleshooting information. Security logs provide an audit trail of actions performed on the system as well as warning of suspicious activity. It is important that log configuration and files be made tamperproof.
evil twin
A wireless access point that deceives users into believing that it is a legitimate network access point.
detective control
A type of security control that acts during an incident to identify or record that it is happening.
National Institute of Standards and Technology (NIST)
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
memory injection
A vulnerability that a threat actor can exploit to run malicious code with the same privilege level as the vulnerable process.
certification
An asset disposal technique that relies on a third party to use sanitization or destruction methods for data remnant removal, and provides documentary evidence that the process is complete and successful.
chmod command
Linux command for managing file permissions.
authentication header
IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.
block list
A security configuration where access is generally permitted to a software process, IP/domain, or other subject unless it is listed as explicitly prohibited.
antivirus scan (A-V)
Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on.
confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
covert channel
A type of attack that subverts network security systems and policies to transfer data without authorization or detection.
privilege escalation
The practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.
ciphertext
Data that has been enciphered and cannot be read without the cipher key.
dynamic analysis
Software testing that examines code behavior during runtime. It helps identify potential security issues, potential performance issues, and other problems.
packet filtering firewall
A layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
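As an added example (not from the original glossary), here is a minimal stateless packet filter: an ordered ACL is evaluated top to bottom against the packet's layer 3/4 header fields, the first match decides, and a packet that matches nothing is dropped by the implicit deny at the end. The rule set and the sample packets are constructed and use the RFC 5737 documentation address ranges.

```python
# Added example: stateless packet filtering against an ordered ACL.
# The ACL and the packets are constructed for illustration only.
import ipaddress

# Ordered rules. First match wins; a packet matching no rule is implicitly denied.
# Intent: anyone may reach the web server on 443; only the admin subnet may SSH to it.
ACL = [
    {"action": "permit", "proto": "tcp", "src": "0.0.0.0/0",    "dst": "203.0.113.10/32", "dport": 443},
    {"action": "permit", "proto": "tcp", "src": "192.0.2.0/24", "dst": "203.0.113.10/32", "dport": 22},
    {"action": "deny",   "proto": "any", "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",       "dport": None},
]

# Constructed packets: only the header fields a layer 3/4 filter looks at.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},  # public HTTPS
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22},   # SSH from outside
    {"proto": "tcp", "src": "192.0.2.5",    "dst": "203.0.113.10", "dport": 22},   # SSH from admin net
    {"proto": "udp", "src": "192.0.2.5",    "dst": "203.0.113.10", "dport": 53},   # DNS, no rule
]


def matches(rule, pkt):
    """True if the packet's header fields fall inside the rule's protocol, networks and port."""
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True


def filter_packet(acl, pkt):
    """Return (action, index of the matching rule); (deny, None) means the implicit deny fired."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule["action"], i
    return "deny", None


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["proto"], pkt["src"], "->", pkt["dst"], pkt["dport"], filter_packet(ACL, pkt))
```

Two properties of this filter matter for its security. Rule order is the policy: swapping the permit on port 22 below the catch-all deny silently disables admin SSH. And because each packet is judged on its own headers, the filter cannot tell a reply from an unsolicited packet; permitting return traffic needs either a broad rule on ephemeral ports or the connection tracking that a stateful firewall adds.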
blackmail
Demanding payment to prevent the release of information.
geolocation
The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.
lure
An attack type that will entice a victim into using or opening a removable device, document, image, or program that conceals malware.
isolation
Removing or severely restricting communications paths to a particular device or system.
IDS/IPS log
A target for event data related to detection/prevention rules that have been configured for logging.
network behavior anomaly detection (NBAD)
A security monitoring tool that analyzes network traffic for deviations from an established baseline of normal behavior, rather than matching packets against known signatures.
patch
A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.
detection
An incident response process that correlates event data to determine whether they are indicators of an incident.
access point (AP)
A device that provides a connection between wireless devices and can connect to wired networks, implementing an infrastructure mode WLAN.
geofencing
Security control that can enforce a virtual boundary based on real-world geography.
microservice
An independent, single-function module with well-defined and lightweight interfaces and operations. Typically this style of architecture allows for rapid, frequent, and reliable delivery of complex applications.
layer 7 firewall
A stateful inspection firewall that can filter traffic based on specific application protocol headers and data, such as web or email data.
on-premises
Software or services installed and managed on a customer’s computing infrastructure rather than in the cloud or hosted by a third-party provider.
DomainKeys Identified Mail (DKIM)
A cryptographic authentication mechanism for mail utilizing a public key published as a DNS record.
public key
During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.
certificate chaining
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
cellular
Standards for implementing data access over cellular networks are implemented as successive generations. For 2G (up to about 48 Kb/s) and 3G (up to about 42 Mb/s), there are competing GSM and CDMA provider networks. Standards for 4G (up to about 90 Mb/s) and 5G (up to about 300 Mb/s) are developed under converged LTE standards.
distributed reflected DoS (DRDoS)
A DoS attack in which the attacker sends requests to many legitimate third-party servers (reflectors) with the source address spoofed to the victim's IP address, so that the servers' replies are directed at the victim rather than the attacker. Reflection is usually paired with amplification by choosing services whose responses are much larger than the requests.
dark web
Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.
redundancy
Overprovisioning resources at the component, host, and/or site level so that there is failover to a working instance in the event of a problem.
alert tuning
The process of adjusting detection and correlation rules to reduce incidence of false positives and low-priority alerts.
containment
An incident response process in which scope of affected systems is constrained using isolation, segmentation, and quarantine techniques and tools.
code of conduct
Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice.
Mandatory Access Control (MAC)
An access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
computer incident response team (CIRT)
Team with responsibility for incident response. The CIRT must have expertise across a number of business domains (IT, HR, legal, and marketing, for instance).
certificate revocation list (CRL)
A list of certificates that were revoked before their expiration date.
pre-shared key (PSK)
A wireless network authentication mode where a passphrase-based mechanism is used to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.
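To show what "the passphrase is used to derive an encryption key" means in practice, the following added example (not part of the original glossary) derives a WPA2-Personal PSK exactly as the standard specifies, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and then shows why a captured handshake lets an attacker test passphrase guesses offline. The wordlist is constructed; the "password"/"IEEE" pair is the published IEEE 802.11 test vector.

```python
# Added example: WPA2-Personal PSK derivation and an offline dictionary attack
# against it. The wordlist is constructed; the "password"/"IEEE" vector is
# the one published in IEEE 802.11 for implementers.
import hashlib


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    The SSID acts as the salt, so the same passphrase on two networks yields
    two different keys and precomputed tables must be built per SSID. The
    256-bit result is used as the pairwise master key (PMK) from which the
    4-way handshake derives the session keys.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(ssid: str, target_psk: bytes, wordlist):
    """Re-derive the PSK for each candidate passphrase and compare; return the match or None.

    A real attacker compares against the MIC in a captured 4-way handshake
    rather than the PSK itself, but the work per guess is the same: one
    4096-iteration PBKDF2 run. Nothing in the protocol rate-limits this, so
    passphrase length and randomness are the only defence.
    """
    for candidate in wordlist:
        if derive_psk(candidate, ssid) == target_psk:
            return candidate
    return None


if __name__ == "__main__":
    psk = derive_psk("password", "IEEE")
    print(psk.hex())  # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(dictionary_attack("IEEE", psk, ["letmein", "qwerty", "password"]))  # password
```

Two consequences follow from the derivation. Every station on the network holds the same PSK, so any member can decrypt any other member's traffic if it captures their handshake, which is the reason the glossary calls this group authentication. And the cost of PBKDF2 is fixed by the standard, so the only knob the network owner controls is passphrase entropy; enterprise mode (per-user credentials via 802.1X) removes the shared secret altogether.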
identification
The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.
recovery
An incident response process in which hosts, networks, and systems are brought back to a secure baseline configuration.
due process
A term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.
intelligence fusion
In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.
Health Insurance Portability and Accountability Act (HIPAA)
US federal law that protects the storage, reading, modification, and transmission of personal healthcare data.
lateral movement
The process by which an attacker is able to move from one part of a computing environment to another.
ad hoc network
A type of wireless network where connected devices communicate directly with each other instead of over an established medium.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Framework for ensuring proper application of SPF and DKIM, utilizing a policy published as a DNS record.
power failure
Complete loss of building power.
pharming
An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.
dashboard
A console presenting selected information in an easily digestible format, such as a visualization.
Lightweight Directory Access Protocol (LDAP)
Protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
data acquisition
In digital forensics, the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.
adware
Software that records information about a PC and its user. Adware is used to describe software that the user has acknowledged can record information about their habits.
code signing
The method of using a digital signature to ensure the source and integrity of programming code.
compute
Processing, memory, storage, and networking resources that allow a host or network appliance to handle a given workload.
failover
A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.
change management
The process through which changes to the configuration of information systems are implemented as part of the organization’s overall configuration management efforts.
human-readable data
Information stored in a file type that human beings can access and understand using basic viewer software, such as documents, images, video, and audio.
amplification attack
A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor.
deprovisioning
The process of removing an account, host, or application from the production environment. This requires revoking any privileged access that had been assigned to the object.
obfuscation
A technique that essentially “hides” or “camouflages” code or other information so that it is harder to read by unauthorized users.
monitoring/asset tracking
Enumeration and inventory processes and software that ensure physical and data assets comply with configuration and performance baselines, and have not been tampered with or suffered other unauthorized access.
heuristic
A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.
directory traversal
An application attack in which a file path supplied to a web application (typically containing ../ sequences, often URL-encoded) is used to read or execute files and directories outside the web document root.
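The following added example (not from the original glossary) shows the vulnerable path handling beside a hardened version. The document root /srv/www and the request paths are assumptions constructed for illustration. The check resolves the candidate path and verifies that the resolved root is a path prefix of it, rather than doing a string prefix comparison, which would wrongly accept a sibling directory such as /srv/www2.

```python
# Added example: directory traversal, the vulnerable join beside a hardened
# check. The document root and request paths are constructed assumptions.
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # hypothetical document root


def resolve_unsafe(root, requested):
    """Vulnerable: joins the user-supplied path straight onto the root.

    os.path.join discards `root` entirely when `requested` is absolute, and
    normpath collapses '..' segments, so '../../etc/passwd' escapes the root.
    """
    return os.path.normpath(os.path.join(root, requested))


def is_within_root(root, requested):
    """True only if the fully resolved target lies inside the resolved root.

    realpath resolves symlinks and '..' segments; commonpath compares whole
    path components, so '/srv/www2/x' is correctly rejected for root
    '/srv/www' where a str.startswith check would accept it.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, requested))
    return os.path.commonpath([root, candidate]) == root


def check_request_path(root, raw_request_path):
    """Decode once, then check: the containment test must see the decoded path."""
    return is_within_root(root, unquote(raw_request_path))


def resolve_safe(root, requested):
    """Hardened: refuse anything that resolves outside the document root."""
    if not is_within_root(root, requested):
        raise ValueError(f"path escapes document root: {requested!r}")
    return os.path.realpath(os.path.join(os.path.realpath(root), requested))


if __name__ == "__main__":
    print(resolve_unsafe(WEB_ROOT, "../../etc/passwd"))        # /etc/passwd
    print(is_within_root(WEB_ROOT, "images/logo.png"))          # True
    print(is_within_root(WEB_ROOT, "../../etc/passwd"))         # False
    print(is_within_root(WEB_ROOT, "../www2/secret"))           # False
    print(check_request_path(WEB_ROOT, "..%2F..%2Fetc%2Fpasswd"))  # False
```

The decode-then-check order matters: a check run on the still-encoded string sees no "../" and passes, and the file system layer later receives the decoded traversal. Serving from a dedicated unprivileged user with read access only to the document root is the complementary control for the case where the check is bypassed.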
deduplication
A technique for removing duplicate copies of repeated data. In SIEM, the removal of redundant information provided by several monitored systems.
Event Viewer
A Windows console related to viewing and exporting events in the Windows logging file format.
backdoor
A mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication.
package monitoring
Techniques and tools designed to mitigate risks from application vulnerabilities in third-party code, such as libraries and dependencies.
order of volatility
The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.
business email compromise (BEC)
An impersonation attack in which the attacker gains control of an employee’s account and uses it to convince other employees to perform fraudulent actions.