Last Updated June 3rd, 2023

At best this page is a living collection of terms agreed by groups of authors or individuals. As with all such definitions, don’t go seeking the truth. Even if you were to find it, it would still be played against what you already know. 25 years’ involvement in standards and terminology has taught me that the study of linguistics and meaning is an art, not a science.

Marketing or Technical?

When seeking a single agreed definition of a term, one is confronted with competing marketing terms disguised as fact. This can make understanding even more complex. An example is Gartner’s SASE/SSE. It contains some clear thinking on ensuring that networking and security are aligned, but it is not in itself easily implementable as a defined system, or even an agreed set of elements. You are likely aware that many organizations’ acceptance of these terms is clouded by their need to be at the top right of their particular Gartner “Magic Quadrant” or Forrester “Wave.” We all turn to Google, Wikipedia or the Gartner Magic Quadrant as the best starting point, but many links are sponsored, biased, may not fit your organization or, most relevant, recommend solutions that don’t fit your budget.

The best approach is to understand what is being protected and what is being enabled, irrespective of what the product or service is called.

Definitions Vary

Industry standards themselves are subject to agreement by the parties creating them. This may be obvious, but as much as we would love to provide guidance on what services or products to choose with a “Top Ten list of …” for each approach, it is clearly an unwise and impossible task: it would require years of analysis and expertise and would be outdated before it was written. Even within a standards body it is common to find multiple definitions of the same term that are subjective and context dependent. (This author once found 10 different definitions of one term in one standards body.) Enter Open Source and all bets are off. A list of references is on the References Page; only some are given here, since these definitions are distilled from multiple sources.

Purpose of Acronyms

Acronyms are used to save time within knowledgeable technical groups; unfortunately, they are sometimes used to deliberately create an impression that the user is smarter than you. As a tip, only use an acronym if a term is used more than once in a document. I dislike the use of acronyms, but they are provided here for completeness.

The list is categorized by threat types, Zero Trust, SSE elements, general information and marketing terms. This last category typically consists of product types that are named to imply unique or innovative capabilities.

Term Acronym Definition Type
Access Control MAC, DAC, RBAC Defines which Subject Actors can perform which operations on a set of Targets Actors according to a set of identity management, authentication, policy, privilege, time and duration etc. It also describes the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., critical infrastructure facilities, federal buildings, military establishments). NIST has defined several Access Control policies including Mandatory Access Control (MAC), Discretionary Access Control (DAC) covering some areas and Role-Based Access Control (RBAC) based on the role of the actor.  ZT
Accountable Digital Identity Creates trusted digital addresses from existing trusted identity sources such as employers, financial services, governments, etc., allowing people to manage their identity information. info
Actor Used by various sources, especially the MEF, to represent a user, application or systems software or device. It also defines Actors as either Subject (initiating a request) or Target (the recipient of the request). Application-Application exchanges dominate computer dialogs. In line with the Zero Trust principle “Never Trust, Always Verify,” Actors are always assumed to be untrusted (with possible malicious intent) unless (and only while) verified to be legitimate. An Actor in the past has been commonly used to mean  Threat Actor – a person or organization deemed to have malicious intent. Zero Trust has superseded that meaning. info ZT
Advanced Persistent Threat APT As opposed to malware, which is typically immediate, an Advanced Persistent Threat is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a period of time. It may involve Lateral Movement. Threat
Adware Bombarding users with endless ads and pop-up windows causes a nuisance to the user experience. However, it can also pose a danger by diverting users to dangerous sites and clicking on malicious links etc. Also known as Malvertising. Threat
Air Gap The physical separation of networks and systems. Typical use is in sensitive operational networks being kept separate from external networks (e.g., Internet or internal business networks) to avoid attacks. This physical separation likely includes both wired and Wi-Fi separation. info
Anti-Virus, Anti-Malware Generically, a variety of software systems defined to detect users from malware/viruses/phishing/spyware attacks etc. Marketing
Argon2 Argon2 is a memory-hard function for password hashing and proof-of-work applications. See also informative RFC9106 by the IETF. It is being used increasingly to strengthen the protection of stored passwords. An example of its adoption in 2023 by password manager BitWarden following recent industry incidents of attacks on another password manager. info
Artificial Intelligence AI Many definitions relate to generative AI. In the Cloud Network Ecosystem, it refers to intelligence applied to the automation of Identity management, access control, policy enforcement, network discovery, monitoring and auditing of access, etc. See also Automation and Artificial Intelligence  below. ZT
Ascon A cryptography standard for lightweight IoT device protection. Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight (i.e., suitable for devices with low computation power and resources such as IoT devices) and easy to implement, even with added countermeasures against side-channel attacks. Chosen by NIST in February 2023, as the new standard for Lightweight Cryptography (LWC) , its security characteristics are such the it could supersede other encryption technologies such as AES used in IETF’s TLS. info
Asset Curation is a critical part of an organization’s security strategy. It’s the act of discovery and automated ongoing monitoring of all electronic assets that could be vulnerable to attack. Without it, it’s not possible to know what assets need protection and which undefendable assets need to be replaced, etc.  It is also an essential part of evaluating the value of data requiring protection. A Configuration Management Database (CMDB) is a database that contains all relevant information about the hardware and software components used in an organization’s IT/OT services and the relationships between those components. CDMB is a useful tool in this curation process. Also in the area of curation is deployment of data backup strategies. Where practical this should also include adjacent systems (web sites, third party systems that access corporate data, policy databases for unauthorized changes, etc.) plus off-site disaster recovery, auditing and validation of backups with restoring of data and using Content Disarm and Recovery software (CDR) to scrub data.  This in turn is also part of a Business Continuity Strategy Finally, this is an important tool for automated software, firmware and hardware updates. info
Attack Surface The place and time where attacks take place. The shift from data center to Network Cloud Ecosystem has created a multitude of attack surfaces. An Attack Vector is a method of gaining unauthorized access to a network or computer system. An attack surface is the total number of attack vectors an attacker can use to manipulate a network or computer system or extract data. info
Attack Surface Reduction ASR The logic is making it harder for attacks to happen if there is less visibility and access to assets. I.e., the targets for attacks, to use the Attack Surface term, are minimized. This is somewhat addressed by a policy of only making the target actor visible to subject actors who are compliant to their specified privilege. However, this term could apply to almost any set of defenses. So, it’s only included because it’s come to mean almost any collection of software and services that reduce threats. Having said that, any set of tools from a highly reliable source is likely a good thing. Marketing
Auditing In a cybersecurity context, auditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities. This is an element of monitoring in a Zero Trust enabled service to ensure that any access changes detected are verified as remaining within policy. ZT
Authentication The process of verifying the Identity of an Actor (software, device, or user). If Identity Management is about establishing the identity of an actor then Authentication is the process of discovering if they are who they say they are.  There are many ways to do this. Passwords, passkeys, multifactor authentication with or without Biometrics, TLS, mTLS, certification, etc. ZT
Authorization The decision given to authorize access to a network, Cloud, etc., by an authorizing person or strategy. This is executed by the process that results in Allowing or Blocking a Subject Actor from accessing a Target Actor. ZT
Automation and Artificial Intelligence AI The scale of modern systems makes cybersecurity without automated intelligent systems virtually impossible. Firstly, human error is inevitable given complexity and constant change. Not patching ever-changing software, services, firmware and hardware and updating data manually is an opportunity for exploits to occur. Secondly, increased scalability present in larger organizations is the had automation be the only viable approach. Thirdly, the Artificial Intelligence element comes together with Automation to discover changes and notified irregularities detection and automated deployment of remedies. Finally, Automation and AI are also part of the DevSecOps process for the creation of both products and services. Several automated approaches may be required in addition to those overseeing organizational system and network functions  (e.g., web site plug ins, platform updates, malware prevention systems and provider networks). Such approaches must be distributed to span the Network Cloud Ecosystem. info ZT
Back Door The often careless habit of leaving security bypasses in code inserted to speed development or “just in case” access can’t be achieved. This is especially found in open source code where the practice has caused vulnerabilities.  Threat
Biometric Security Often used by multifunction authentication using facial, fingerprint, eye, voice etc., such biometric methodologies like other MFA defenses are a great help but are definitely not infallible and each can be cracked.  info
Blocked List, Quarantined List, Allow/White List Lists of flows, IP addresses, that are either approved for passage (Allow or White Lists), flows prevented from access (Blocked Lists) or suspicious traffic pending approval or blocking (Quarantined Lists.), Several variants to this. info ZT
Botnet A network of computers infected with a Bot virus program. Less common now in its original form but occurring more in terms of malware being transmitted around and ecosystem. See CAPTCHA below for an example of Anti-Botnet software designed to insert human interactions to prevent Bot attacks. malicious tasks of one sort or another under remote direction. A Zombie is an Internet-connected computing device that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a Botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to Zombies. Threat
Bring Your Own Device BYOD Potentially disastrous policy allowing users to connect to the organization’s network using their own device that may be infected or vulnerable to attack. This applies to staff contractors, and any outside third party. Threat
Bring Your Own Vulnerable Driver BYOVD This falls into the category of hidden vulnerabilities that are little known to the average user.  These are device drivers that should be updated automatically but often are not. They are often the  location where attackers insert a specific kernel driver with a valid signature thwarting the driver signature enforcement policy and also may include code that gives the attacker kernel write primitive. The best fix is to ensure that all device drivers are updated from the source or via an OS automatic update. This is not a simple task since it is dependent on the diligence of Microsoft, Apple, Google and others. Threat
Browser Isolation Browser Isolation (also known as Web Isolation) is a technology that contains web browsing activity inside an isolated environment in order to protect computers from any malware the user may encounter. This isolation may occur locally on the computer or remotely on a server. info
Brute Force Attacks Simply put, this is an important sounding name for guesswork or trial and error attempts to crack credentials by repeatedly using variants on a name, lazy use of keystrokes, etc., and why weak passwords are the cause of so many problems today. A report published by Hive systems in April 2023 showed how Brute Force attacks on passwords have dramatically reduced their time to crack passwords over the last 3 years – as 1-250 times faster – rendering anything less than 11 characters with numbers and symbols effectively becoming vulnerable. See https://www.hivesystems.io/ for their detailed analysis. Threat
Buffer Overflow Attack A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information – which has to go somewhere – can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. This why it’s important to write code using Memory-safe Languages. Threat
Business Email Compromise BEC BEC is a type of phishing scam where the attacker impersonates or compromises an employee or user’s email account to manipulate the target into initiating a to give away sensitive information or connect to a malicious remote Internet connected system. Threat
Cache Cramming Cache Cramming is malicious code that tricks a browser to run cached Java code held locally, rather than from a web page that has enforced restrictions. Threat
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart. More recently automated by Google but many sites frustratingly still require you to identify crosswalks or bicycles, etc., often unsuccessfully!! At least it helps keep the Bots at bay. info
CASB and SWG Note: what is the difference between CASB and SWG?. Both CASB and SWG offer data & threat protection, and they are cloud-based. Cloud-based SWGs have more capabilities, which made them a suitable replacement for the limited firewall. They fulfil the same use case of network/perimeter protection by delivering network security services via the Cloud. SSE
Certificate Authority CA and ACME A Certificate is an electronic document that uses a digital signature to bind a public key and an identity. A Certificate Authority is an organization that is responsible for the creation, issuance, revocation, and management of Digital Certificates. Length of time that a certificate is valid is becoming under pressure in 2023 by Google with length of time reduced from unlimited t a few months. The point of including this is to make sure that your web hosting provider automatically updates your SSL certificates via the Automatic Certificate Management Environment (ACME). It is defined in IETF RFC 8555, to automate issuance of authentication certificate request, issuance, installation, and ongoing renewal across for web servers. info
Chief Security Officer CSO, CISO, BISO This is an evolving title and role. The only important point is to ensure a single board-level executive is responsible for security across the entire organization. This means Security Policy, implementation of the Security Strategy across the organization and beyond and reporting its progress.  In the past it was definitely a role inside the IT department with the CSO reporting to the Chief Information Officer. With the growth and impact of cybersecurity, the title has either split (CSO and CIO) or grown to be Chief Information and Security Officer (CISO) or recently to Business Information Security Officer (BISO). The view of this author is that it must be a holistic function taken on by a single individual responsible across the entire organization. info
Clickjacking Clickjacking, also known as a UI redress attack, is when a threat actor uses multiple layers to trick a user into clicking on a website graphic or link to redirect the user to a malicious site or even an infected page on a site without them realizing it. Hence, the user’s clicks are hijacked. Threat
Cloud Access Security Broker CASB A Cloud access security broker is Cloud-hosted software or on-premises software or hardware that act as an intermediary or gateway between users and Cloud service providers. This is curious because as with other SASE elements this sounds a similar description that Gartner provided for ZTNA (see below). SSE
Cloud Security Alliance CSA With around 450 member companies, the Cloud Security Alliance (cloudsecurityalliance.org) is the organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. assn.
Code Injection  Used to alter execution of software initiate malware, instigate Lateral Movement attacks, elevate privilege to spread malicious software by embedding/infecting legitimate websites or systems software or applications with malicious code. info
Common Attack Pattern Enumeration and Classification  CAPEC CAPEC™  is a MITRE initiative that provides a publicly available catalog of common “attack patterns” to helps users understand how adversaries exploit weaknesses in applications. Established in 2007 by the U.S. Department of Homeland Security CAPEC‘s “Attack Patterns” currently described include HTTP Response Splitting , Session Fixation , Cross Site Request Forgery , SQL Injection , Cross-Site Scripting , Buffer Overflow , Clickjacking , Relative Path Traversal and XML Attribute Blowup, etc. info
Common Vulnerabilities and Exposures CVE & CVSS CVE is a glossary that classifies vulnerabilities. CVSS is the scoring system for CVE. Vulnerabilities that meet the criteria (acknowledged by vendor for a particular code base) are listed by CISA government agency. They are given an ID (e.g., CEV-2022-654321), a severity score (CVSS): 9-10 is a critical issue 7-9 high etc. The list can be quite esoteric reference and do not typically indicate a resolution, so this is purely an informational reference. Around 10 CVEs are added to the CISA list each month.  info
Compliance There are many requirements covering Governance. From a security perspective failure to comply with such governance may either break governmental rulings on cybersecurity or cause actual security vulnerabilities. In either case it’s important not only to understand such requirements abut to audit such compliance at the onset of a new project, e.g., with DevSecOps, or during operation with ongoing automated monitoring. info
Content Disarm and Reconstruction CDR CDR is a technique for removing embedded malware from files, usually as they are received. Used increasingly with Remote Browser Isolation, CDR (1) flattens and converts files to a PDF, 2) strips active content while keeping the original file type, and 3) eliminates file-borne risks. Some loss of useful content may be encountered dependent on software functionality.  info
Credential Re-use Also, commonly (and strangely) known as Credential Stuffing, this attack steals a login username and password (e.g., used in Facebook, Twitter or Google) and reuses these credentials on other sites where the user has naively used the same password. See the Breaking News page in March 2023 for more on this. The answer is do not log in using this method as a breach on one site gives access to all sites! Threat
Critical Infrastructure Utility, military, government, health, transport and city network operational infrastructures. This is not a cybersecurity term but is frequently referred to because of the importance of protecting them from cyber-attacks. https://www.cisa.org/ info
Cryptojacking XSS First seen 20+ years ago. A type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls Threat
Cryptography The application of mathematical methodologies to encrypt/encipher and decrypt data. Asymmetric Public Key Cryptography uses a public key and private key to enable encryption of data. In Symmetric Cryptography, the same private key is shared. info
Cross-site Scripting XSS First seen 20+ years ago. A type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls Threat
Cybersecurity and Infrastructure Security Agency CISA The US government’s Cybersecurity and Infrastructure Security Agency(CISA) works with partners to defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future. https://www.cisa.org/ info
Cybersecurity Audit The oversight required to actively monitor the enforcement of cybersecurity policies and strategy. In a Zero Trust enabled product or service such audits are continuous and generate security event notifications when a data transaction is out of policy. They may also take the form or regular reports that span the holistic cybersecurity health across the organization. info
Cybersecurity Insurance  The insurance provided in the event of a cybersecurity incident such as data breaches, ransomware etc. The audit described above is becoming a prerequisite for such insurance to be given. info
CyberStart America CSA U.S. funded student Cybersecurity education program. ”CyberStart America is the most enjoyable way to discover your talent, advance your skills and win scholarships in Cybersecurity.” https://www.Cyberstartamerica.org/ assn
Dark Web The Dark Web is encrypted parts of the internet that are not indexed by search engines, used by all types of cyber criminals, to communicate and share information without being detected or identified by law enforcement. Malware of all types can be purchased on the dark web. It can be accessed by anyone with the correct URL,  special software with the correct decryption key and access rights. Users remain almost completely anonymous. Threat
Data Breach The hackers’ end-game. Exfiltration or corruption of critical user, corporate or customer/client data, intellectual property or corruption of software, etc. Threat
Data Loss Prevention DLP An approach that seeks to improve information security and protect business information from data breaches. It prevents end-users from moving key information outside the network. DLP also refers to tools that enable a network administrator to monitor data accessed and shared by end users. info
Deep Fake Video, audio clip or picture that has been altered to trick people to believe a corruption of the truth because they believe in the person who they are seeing or hearing and that they actually said those words. etc. A deeply disturbing trend often used in conjunction with other tricks. Threat
Deflection Deflection has a special meaning in cybersecurity. The theory being that the more vulnerabilities that are protected the more attackers are deflected to easier, more vulnerable targets. It follows the simple concept of the thief walking down a line of cars looking for an unlocked door or the phone left on a seat. My book, when first published in 2022, identified more than 100 vulnerabilities or weak links. Many more have been unearthed since then. info
Delegation This term has a special meaning in cybersecurity. This is the requirement to Delegate and not Abdicate responsibility for cybersecurity when using third parties, software companies or their applications. This is a potentially recursive problem because the external company may be faced with the same problem with its suppliers. It’s critical because of the need to verify not just trust. There is a relatively simple answer to this problem and is covered in a new piece of work in mid-2023. When published, the link will be inserted here. Examples of abdicating responsibility probably account for 99% of all successful cybersecurity attacks. Solving this problem is likely to reverse the situation. info
Development, Security & Operations DevSecOps A methodology to include security as an element of the development of all services and products (not just software products and services) as they are designed, developed, tested, introduced ,monitored and iteratively revised. In addition, this work adds the responsibility into the Product Marketing responsibilities to investigate and include security in the requirements and product definitions. This is definitely the author’s personal definition. Security as Code (SaC) is the methodology of integrating security into DevOps tools and processes by identifying vulnerabilities in code, ensuring or migrating to memory safe languages, verifying the validity of open source code yet without delaying process or increasing the cost of the process. info
Digital Forensics and Incident Response DFIR The Digital Forensics and Incident Response Report is published annually. The 2022 was published in March 2023 and provides a fascinating set of insights of the most potent threats in play.  info
Digital Signature Cryptographic transformation of data providing origin authentication, data integrity, and signer non-repudiation. See also Certification Authority
Distributed Denial of Service Dos/DDoS Denial of Service (DoS) attacks are used to overwhelm a target device, software element, including websites, cloud containers or applications. The traffic itself is likely legitimate and not necessarily malware. A Distributed Denial of Service  (DDoS) attack involves multiple connected online devices, collectively known as a botnet, may be delivered from a myriad of resources and typically targeting a particular victim. This makes it more complicated to defend. DDoS attacks in the past were more prevalent when Threat Actors were content with disruption rather than financial gain. Any of the targets mentioned above (web sites, etc., can be targets. However, more recently an insidiously, it’s attacks on infrastructure and security element management/control capabilities that can not only cause network devices or service (e.g., a Firewall) be overwhelmed and fail but then allow malicious traffic to penetrate and cause havoc. I.e., DDoS attacks can be the first element of a two pronged attack. Threat
DLL Side-Loading DLL side-loading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload. Threat actors commonly use this technique for persistence, privilege escalation, and defense evasion. Threat
DNS Security & Protocol Filtering The Internet functions by matching website domain names to IP addresses using the Domain Name System (DNS). DNS Protocol Filtering checks whether a subset of a session contains messages that are to be allowed or blocked. DNS messages are specified in RFC 1035 and RFC 1996. DNS Security Functions are important threat detection and prevention tools that include filtering responses from known bad domains (DNS blackholing), Distributed Denial of Service (DDoS) attacks, attacks tricking users into using malicious domains (DNS Hijacking and man-in-the-middle attacks), using the DNS response to carry malicious payloads usually related to command-and-control connections (DNS tunneling) and attacks that create many random domain names to avoid detection. Threat
Domain Controller A Domain Controller is a server that responds to authentication requests and verifies users on computer networks. Marketing
Domain Name Filtering DNF Domain Name Filtering is defined as the action taken by the SASE Service Provider to check whether a session contains domain names that are to be permitted or denied. Domain Name Filtering provides a level of protection for a Subject inadvertently attempting to access a malicious Target. info
Drive-by Attacks Drive-by attacks is a shorthand for unintentionally downloading of various malware to your devices – PC’s, phones etc., typically without the users involvement or knowledge. Threat
Elevation of Privilege This is an attack when a bad actor gaining illicit access of elevated rights via an insider threat or via gaining access to data files containing user privileged data and modifying the data. As dangerous as giving unnecessary levels of privilege to these who should not have it – e.g., executives, contractors, etc. Threat
Encryption Encryption has many specific definitions and methodologies: symmetric and asymmetric cryptography, public and private keys, encryption types: Advanced Encryption Standard (AES), Data Encryption Standard (DES), RSA, MACsec, Ascon, etc. are used for secure communications. Encryption of all sensitive data on every type of compute device is supported and recommended to prevent data breaches and ransomware. Middle Box functions are used typically to decrypt and inspect IP flows. Decryption is the process of transforming an encrypted message into its original plaintext. A Cipher is a cryptographic algorithm for encryption and decryption. info
End-to-End Encryption Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible. info
Endpoint Detection and Response EDR Endpoint detection and response tools are the newest members of the endpoint security family. They combine elements of both endpoint antivirus and endpoint management Marketing
Exfiltration Typically, unauthorized transfer of information from an information system. A key principal of Zero Trust is the avoidance of exfiltration (stealing) of data. Threat
Exploit A methodology/software to take advantage of vulnerabilities by breaching the security of a system or network ecosystem. Threat
Extended Detection & Response XDR An emerging technology that can/may offer improved threat prevention, detection and response capabilities for security operations teams. XDR describes a unified security monitoring and unified reporting incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. Marketing
Fast IDentity Online Fido An authentication standard defining a fast and secure authentication mechanism for users to access websites and applications. FIDO-2 uses WebAuthn authentication. info
Federal Risk and Authorization Management Program FedRAMP A US government-wide program to assess, authorize and continuously monitor cloud service providers and protect the sensitive data of federal agencies that they host. info
Firewall A Firewall secures a network by deciding which data packets are allowed to pass through it, primarily by intercepting Layer 3 IP traffic (and Layer 4 ports). Firewall management software can itself be susceptible to Layer 2 DDoS attacks. A Distributed Firewall is a newer term for a layered approach that embeds firewall code in the fabric of a network system’s architecture rather than running it as a separate device or process. The security functions bundled into today’s firewalls have become blurred, so the key is to examine the actual detection and prevention functions rather than the marketing hype. Marketing
Firewall as a Service FWaaS Firewall as a service, also known as a Cloud firewall, provides Cloud-based network traffic inspection to customers migrating to a hybrid or multi-cloud model. It reduces the load on on-premises data center equipment and the management burden on internal cybersecurity teams. Marketing
Fragment Overlap Attack A TCP/IP fragmentation attack is possible because IP allows a packet to be fragmented for transport across networks, and the TCP header (with its port numbers) travels in the first fragment. In this attack a later fragment carries a deliberately wrong offset so that, when the receiver reassembles the packet, the port number (or the TCP flags) set in the first fragment is overwritten; a filter that inspected only the first fragment has already let the packet through. Reassemblers that drop datagrams containing overlapping fragments defeat it. Threat
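The overwrite described above, as an added example in Python (not code from the original page): a toy reassembler that lets later fragments win, next to a hardened one that discards any datagram whose fragments overlap, which is what RFC 5722 requires for IPv6 and what defeats the attack. The TCP segment and fragments are constructed here for illustration; real IP offsets count 8-byte units, which the helper respects.

```python
import struct

TCP_HEADER_LEN = 20  # minimal TCP header, no options


def tcp_header(src_port: int, dst_port: int, flags: int = 0x02) -> bytes:
    """Build a minimal 20-byte TCP header (checksum left at zero for the demo)."""
    data_offset = (TCP_HEADER_LEN // 4) << 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags, 65535, 0, 0)


def fragment(datagram: bytes, sizes: list) -> list:
    """Split a datagram into (fragment_offset, data) pairs.
    IP offsets count 8-byte units, so every fragment but the last must be a multiple of 8 bytes."""
    frags, pos = [], 0
    for size in sizes:
        if pos % 8 != 0:
            raise ValueError("fragment boundary must be 8-byte aligned")
        frags.append((pos // 8, datagram[pos:pos + size]))
        pos += size
    return frags


def reassemble_last_wins(frags: list, total_len: int) -> bytes:
    """Naive reassembly: a later fragment simply overwrites earlier bytes (what the attack relies on)."""
    buf = bytearray(total_len)
    for fo, data in frags:
        start = fo * 8
        buf[start:start + len(data)] = data
    return bytes(buf)


def reassemble_reject_overlap(frags: list, total_len: int) -> bytes:
    """Hardened reassembly: any byte covered twice, or a fragment running past the datagram,
    discards the whole datagram (RFC 5722 behaviour)."""
    buf = bytearray(total_len)
    covered = bytearray(total_len)
    for fo, data in frags:
        start, end = fo * 8, fo * 8 + len(data)
        if end > total_len or any(covered[start:end]):
            raise ValueError(f"overlapping or out-of-range fragment at offset {fo}")
        buf[start:end] = data
        covered[start:end] = b"\x01" * len(data)
    if not all(covered):
        raise ValueError("datagram incomplete")
    return bytes(buf)


def dst_port(segment: bytes) -> int:
    """Destination port lives in bytes 2-3 of the TCP header."""
    return struct.unpack("!H", segment[2:4])[0]


# Constructed sample: a 24-byte TCP segment to port 80 (20-byte header + 4 bytes of payload).
LEGIT_SEGMENT = tcp_header(40000, 80) + b"GET "
TOTAL_LEN = len(LEGIT_SEGMENT)


def legit_fragments() -> list:
    """Two well-formed fragments: bytes 0-15 at offset 0 and bytes 16-23 at offset 2."""
    return fragment(LEGIT_SEGMENT, [16, 8])


def attack_fragments() -> list:
    """The same two fragments followed by a third that re-uses offset 0 and rewrites the
    port fields, so a last-wins reassembler ends up with destination port 23 (telnet)."""
    overwrite = (0, tcp_header(40000, 23)[:8])
    return legit_fragments() + [overwrite]


if __name__ == "__main__":
    print("legit, naive  : port", dst_port(reassemble_last_wins(legit_fragments(), TOTAL_LEN)))
    print("attack, naive : port", dst_port(reassemble_last_wins(attack_fragments(), TOTAL_LEN)))
    try:
        reassemble_reject_overlap(attack_fragments(), TOTAL_LEN)
    except ValueError as exc:
        print("attack, strict: datagram dropped,", exc)
```

A stateless filter that allow-listed port 80 after looking at the first fragment would pass all three fragments; only the reassembler’s overlap policy decides whether the host sees port 80 or port 23.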
Fork Bomb This is effectively a Denial of Service attack in that it can consume all of the memory and compute resources on a system. A Fork Bomb works by using the fork() UNIX/Linux call to create a new process that is a copy of the original; by doing this repeatedly, every available process slot on the machine is taken up. It can be contained by limiting the number of processes a user or service may run simultaneously (e.g., ulimit -u / RLIMIT_NPROC, or a cgroup pids limit for services and containers). Threat
Hacker A Hacker is the well-known term for those who insert malware into systems with malicious intent. More correctly these are known as Black Hat Hackers, whereas a White Hat Hacker is one who looks for vulnerabilities in order to report them and have those weaknesses removed, whether in a software company or an end user organization. Threat
Hacking as a Service HaaS Joining and expanding on the recent Phishing and Ransomware as a Service toolkits are Hacking as a Service tools. A grim warning in the UK National Cyber Security Centre’s report of April 2023 is that not only have over 80 countries purchased these toolkits but unscrupulous private groups are expected to join them. They are not only a superset of RaaS and PhaaS but have the ability to generate variants usable as Zero Day attacks. Threat
Holistic Cybersecurity Holistic Cybersecurity covers all aspects of an organization, large & small – not just IT. It begins with the Exec team, expands to  all departments, encompasses third parties, suppliers, contractors, in fact every area where you must take responsibility for the security of your organization.  The principles of Zero Trust apply everywhere, from the people you hire, the cameras in the lobby, the cleaners, your security firms, your web sites, sales software and accountants you hire, etc. This is all detailed in my book, of course, and should be incorporated into your security policy.
Honeypot A network-attached device that lures attackers and diverts them from real assets. It might impersonate an Internet-connected database, web server, PC, etc. Since there is no legitimate reason to touch such a device, any access to it is reported as an alert. Reports on the effectiveness of individual products are harder to find; canary.tools is one commercial example. info
Hypervisor-protected Code Integrity HVCI Hypervisor-protected Code Integrity (also called Memory Integrity) uses Microsoft’s Hyper-V hypervisor to isolate the code-integrity checks for Windows kernel-mode code, protecting the kernel against the injection of malicious or unsigned code. info
HyperText Transfer Protocol Secure HTTPS & HTTP HyperText Transfer Protocol Secure (HTTPS) is the protocol that secures communication and data transfer between a web browser and a website. HTTPS uses TLS (formerly SSL) to encrypt HTTP requests and responses; it is the secure version of HTTP. Most anti-malware software and browsers protect users by warning about or blocking access to plain HTTP sites. Some browsers also flag sites as unsafe when they (sometimes spuriously) decide that the site’s graphics contain malware. ZT
Identity The unique identity of a user, device or software involved in a transaction or exchange of information. See also IAM below and Authentication. ZT
Identity Theft The theft of a user’s (or a device’s or software’s!) unique identity for the purpose of impersonating them. This includes their password, tokens and/or biometrics. Threat
Identity and Access Management IAM IAM is a set of processes, policies and tools for controlling user access to critical information. It’s the discipline that enables the right individuals to access the right resources at the appropriate times. It’s important not to collapse Identity and Access into one thing: both are elements of Zero Trust, but Identity Management and Access Management are often independently sourced software functions or services. ZT
In the Wild Usually refers to incidents or attacks seen in actual live situations rather than in a simulation or in a test lab. Not really a technical definition but worth including.  info
Information Systems Security INFOSEC The protection of information systems against unauthorized access or attempts to compromise and modify data, whether it’s stored data, processed data or data that’s being transmitted.  Marketing
Insider Threats This is when a trusted insider (usually but not necessarily staff) gains access to confidential data, accidentally or deliberately inserts malware, exfiltrates data, etc. Coercing or deceiving insiders is also referred to as Social Engineering. This is where the principle of Least Privilege and monitoring of all network access are key. HR has a key role to play in vetting and monitoring staff and trusted third parties. Threat
Internet Protocol Security IPsec A group of IP protocols used to create encrypted connections, exchange keys (IKE), etc. The IPsec document roadmap is IETF RFC 6071. info
Intrusion Detection System IDS An IDS gathers and analyzes information from a compute resource locally, in a cloud, or network to identify possible security breaches, including intrusions from outside and within the organization.  Marketing
Intrusion Prevention System IPS IDPS An Intrusion Prevention System (IPS) applies IP reputation and content matching rules inline to block known bad sessions. These systems, also known as IDPS, may include anti-virus engines for inspecting file content across many protocols, for example HTTP, IMAP and SMB. Intrusion Detection Systems have a similar role but use detection technologies that preclude inline blocking: behavioral analysis of file content and network anomaly detection often have detection delays and resource requirements that prevent inline deployment. Such systems respond to detections by issuing SENs (alerts). Marketing
IP, Port and Protocol Filtering IPPF In the MEF SASE service definition, the action taken by the SASE Service Provider to check whether a session matches a list of source or destination IP addresses, source or destination port numbers, transport protocols and/or application protocols that are to be allowed or blocked. info
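A minimal implementation of that check, as an added example in Python rather than anything from MEF or a vendor: rules are matched first-hit in order against the session’s 5-tuple plus identified application protocol, with default deny when nothing matches. The policy and sessions are constructed for illustration (RFC 5737 documentation addresses).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    transport: str              # "tcp" or "udp"
    app: Optional[str] = None   # application protocol if identified, e.g. "https"


@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "block"
    src: Optional[str] = None                    # CIDR; None matches any address
    dst: Optional[str] = None
    src_ports: Optional[Tuple[int, int]] = None  # inclusive range; None matches any port
    dst_ports: Optional[Tuple[int, int]] = None
    transport: Optional[str] = None
    app: Optional[str] = None

    def matches(self, s: Session) -> bool:
        """Every populated field must match; an unidentified app never matches an app-specific rule."""
        if self.src and ipaddress.ip_address(s.src_ip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(s.dst_ip) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.src_ports and not (self.src_ports[0] <= s.src_port <= self.src_ports[1]):
            return False
        if self.dst_ports and not (self.dst_ports[0] <= s.dst_port <= self.dst_ports[1]):
            return False
        if self.transport and self.transport != s.transport:
            return False
        if self.app and self.app != s.app:
            return False
        return True


def evaluate(rules: list, session: Session, default: str = "block") -> str:
    """First matching rule wins; nothing matching falls through to the default (deny)."""
    for rule in rules:
        if rule.matches(session):
            return rule.action
    return default


# Constructed sample policy: the explicit telnet block comes first so no later allow can shadow it.
POLICY = [
    Rule("block", dst_ports=(23, 23)),
    Rule("allow", src="10.0.0.0/8", dst_ports=(443, 443), transport="tcp", app="https"),
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.0/24", dst_ports=(53, 53), transport="udp"),
]


def check(session: Session) -> str:
    return evaluate(POLICY, session)


if __name__ == "__main__":
    for s in (
        Session("10.1.2.3", "203.0.113.10", 51000, 443, "tcp", "https"),
        Session("10.1.2.3", "203.0.113.10", 51001, 23, "tcp", "telnet"),
        Session("10.1.2.3", "192.0.2.53", 40000, 53, "udp"),
        Session("10.1.2.3", "203.0.113.10", 51002, 8080, "tcp", "http"),
        Session("172.16.0.5", "203.0.113.10", 51003, 443, "tcp", "https"),
    ):
        print(s.src_ip, "->", s.dst_ip, s.dst_port, s.transport, s.app, "=>", check(s))
```

Two design points worth copying: rule order is part of the policy (put blocks before broad allows), and a session whose application protocol could not be identified does not satisfy an app-specific allow, so it lands on the default deny rather than slipping through on port number alone.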
IP Spoofing Sending Internet Protocol (IP) packets with a forged source address so that they appear to come from a legitimate host, in order to disguise the real sender, impersonate a trusted system, or reflect traffic onto a victim in DDoS attacks. Threat
Key Logging Keylogging software is spyware that records everything you type (for instance credit card details and MFA codes!). The defenses are the usual ones against malware: avoiding installation of untrusted or infected applications, endpoint protection, and MFA methods that do not involve typing a code. Threat
Lateral Movement Attacks Lateral movement is an attacker’s progression from an initially compromised device, account or process to other systems, including cloud resources and other parts of the network, typically using stolen credentials and legitimate remote-access services. Malware planted this way may lie dormant for days or even months before becoming active. Threat
Least Privilege PoLP The Principle of Least Privilege is that users, devices & programs should only have the privileges necessary to complete their tasks.  ZT
Living off the Land Attacks LotL Living off the Land describes Cyberattacks which use legitimate software and functions available in the system to perform malicious actions on it. These are often inserted via email/phishing and can be very difficult to detect. Threat
Macro Virus Malware written in Visual Basic for Applications (VBA) macros embedded in Word and Excel documents. Microsoft now blocks VBA macros by default in Office files obtained from the Internet unless the user explicitly unblocks them. Especially in Excel, VBA is a powerful programming language that can easily hide malware. It can also be delivered as an XLA add-in or in a binary format where the code cannot be inspected. info
Malware Malware is defined as any software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. Note: viruses, which infect code, and Trojans, which pretend to be legitimate code, are both forms of malware. Marketing
Malware Detection and Removal MD+R Malware Detection and Removal is defined as the action taken by a software provider to check whether a session contains malware, and to remove the malware or block the session containing it. Marketing
Man-in-the-Middle Attack MITM In a Man in the Middle Attack a system intercepts traffic from a subject actor while appearing to be the target system. At the same time, it masquerades as the subject to the actual target system. Its objective is to relay and manipulate a real dialog for a number of malicious purposes without arousing the suspicion of either party. This is where many attacks begin and is the prime way in which 2 Factor Authentication based on one-time codes is defeated: the proxy simply relays the code. FIDO/passkey authenticators resist this because the credential is bound to the genuine site’s origin. Threat
Memory-Safe Languages Many vulnerabilities occur because languages without memory safety (C and C++) allow buffer overflows, use-after-free and similar bugs that let an attacker corrupt application memory and hijack program control. This whole class of bugs can be limited or even removed by the choice of language, so the language an application is written in becomes a factor in choosing an application. Examples of memory-safe languages are Rust, C#, Go, Java, Ruby and Swift, as opposed to C and C++, which are not. Judicious use of compiler options and hardening flags helps here too. Thanks for this gem go to Steve Gibson of Security Now and SpinRite fame. info
Microsegmentation There are several interpretations of this term with a common principle: the ability to compartmentalize Cloud and data center functions and applications into secure segments. This works well with implementing Least Privilege, Zero Trust enforcement points, and Identity and Access Policies where they are most relevant. For this author microsegmentation is a natural instance of a Zero Trust policy enforcement point. Either way, secure segmentation at the workload or secure container level certainly helps deter lateral movement attacks. info ZT
MiddleBox Function A function used to decrypt, inspect and re-encrypt secured communications. This process should live in a single device, which may include other functions/processes. To be part of a trusted connection it must present a certificate that the clients trust, which in practice means the organization’s own CA is installed on managed endpoints. info
Mitigation One or more steps taken to minimize or eliminate cybersecurity threats, risks and consequences.  info
MITRE MITRE ATT&CK® is an important source and globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. assn
Monitoring and Auditing Automated continuous Monitoring is a key element of any Zero Trust implementation. The continuous aspect is to make sure that any time-based access privileges remain in compliance (either time-of-day or duration), and that events that arise, such as blocked access attempts or elevation of access, are logged and reported via the Security Event Notification system. Control via an automated system is required. Auditing may also be required to ensure that both integrity and compliance with policies are maintained. ZT
Multi-factor Authentication MFA 2FA Everyone will be familiar with this irritating phenomenon. It means that you are required to prove who you are by two (Two Factor Authentication or 2FA) or more ways of identifying yourself (MFA). For example, after you enter a password, you must also enter a code sent to your mobile device or email. Sometimes multiple proofs are needed, e.g., face recognition or providing your dog’s birthday. See also Passkeys. Now the bad news: Roger Grimes of KnowBe4 has identified at least 20 ways to hack two factor authentication, based on analysis of 25+ MFA systems. info
Multi-Layer Security MLS This concept goes back over 40 years but is often dismissed or forgotten. Most cybersecurity actions focus on users, software and devices (subject actors) accessing target actors. This revolves around IP (Layer 3) data flows and to some extent application data flows. However, it overlooks attacks on the security software itself, for example denial of service attacks at the data link layer (2) or TCP layer (4). Attacks on the management of all software and devices are also weak links that are not carefully protected. Recent examples of security software being disabled are prime examples of a lack of multi-layer security. Device drivers and video application file protection are other areas that are vulnerable. The main point is that a multi-layer security approach is critical and that what is secure at one layer should not be trusted to be secure at the layer above or below. info
Mutual Transport Layer Security mTLS Mutual Transport Layer Security (mTLS) is a process that establishes an encrypted TLS connection in which both parties use X.509 digital certificates to authenticate each other. mTLS can help mitigate the risk of moving services to the cloud and can help prevent malicious third parties from imitating genuine apps. info
OAuth Authorization OAuth 2 An authorization framework that enables applications (such as Facebook, GitHub and Digital Ocean) to obtain limited access to user accounts on an HTTP service. See warnings on password and Identity Re-use: if the identity provider account is compromised, or its password is re-used on a site that is hacked, then every website where the user logs in with that Google or Facebook account becomes accessible to the attacker! info
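The hardening that OAuth 2 clients should use with the authorization-code grant, as an added example in Python and not code from any of the providers named above: PKCE (RFC 7636) binds the authorization code to the client that started the flow, and the state value blocks login CSRF on the callback. The authorization server here is a toy holding codes in memory; the client id and redirect URI are made-up values.

```python
import base64
import hashlib
import hmac
import secrets

CLIENT_ID = "demo-app"                          # hypothetical client registration
REDIRECT_URI = "https://app.example/callback"   # hypothetical registered redirect


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes base64url-encoded gives 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(verifier)); the 'plain' method adds nothing and is refused below."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server: remembers the challenge with each one-time code it issues."""

    def __init__(self):
        self._pending = {}

    def authorize(self, client_id, redirect_uri, challenge, state, method="S256"):
        """User consents; the server issues a single-use code and echoes state back to the client."""
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, redirect_uri, challenge)
        return code, state

    def token(self, client_id, redirect_uri, code, verifier):
        """Code exchange: the code is consumed whether or not the checks pass, so replay fails too."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_uri, challenge = entry
        if stored_client != client_id or stored_uri != redirect_uri:
            return None
        if not hmac.compare_digest(code_challenge(verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def legitimate_flow(server: AuthorizationServer):
    """The client keeps the verifier secret and only sends its hash to the authorization endpoint."""
    verifier = new_code_verifier()
    state = b64url(secrets.token_bytes(16))
    code, returned_state = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge(verifier), state)
    if not hmac.compare_digest(returned_state, state):   # callback did not come from our own request
        return None
    return server.token(CLIENT_ID, REDIRECT_URI, code, verifier)


def intercepted_code_flow(server: AuthorizationServer):
    """An attacker who captured the code from the redirect still lacks the verifier and gets no token."""
    verifier = new_code_verifier()
    state = b64url(secrets.token_bytes(16))
    code, _ = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge(verifier), state)
    return server.token(CLIENT_ID, REDIRECT_URI, code, new_code_verifier())


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate client :", legitimate_flow(srv))
    print("intercepted code  :", intercepted_code_flow(srv))
```

The RFC 7636 appendix test vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick check that an implementation’s encoding is right.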
Open Worldwide Application Security Project OWASP OWASP is a nonprofit foundation working to improve the security of software and the source for developers and technologists to secure the web. It delivers Tools and Resources, Community and Networking, Education & Training info
Operational Technology OT This refers to the operational areas of a network (plant, process and physical control) as a complement to the IT functional areas. A subset of OT is also referred to as IIoT, which can be confusing. OT was previously sheltered from attack and has become a focus for mitigating cybersecurity weaknesses in manufacturing, utilities, smart cities, defense and many real-time networks. That focus is on the defense of devices never intended to have IP connectivity or IT-grade computational power. info
Passkey A digital credential that adheres to the FIDO and W3C Web Authentication standards. Similar to a password, websites and applications can request that a user create a passkey to access their account. Passkeys rely on unlocking a device to verify a user’s identity, and the credential is bound to the site that created it, so it cannot be phished onto a look-alike site. A website launched in October 2022, passkeys.dev, gives the latest information. info
Password Based Key Derivation Function version 2 PBKDF2 This is a defense against brute force attacks on passwords: it makes automated password guessing impractical by applying a large number of hash iterations, so that every guess costs the attacker the same large amount of compute as it costs the legitimate login. This is generally known as key stretching. info
Passwords: Managers, Iteration Count Passwords and their length, management and security are tiresome topics. Password length is the most important factor (25 characters or more, randomly generated). Password vaults such as Bitwarden expose the password iteration count (the number of times the master password is hashed with PBKDF2); it should be at least 100,100, and current OWASP guidance for PBKDF2-HMAC-SHA256 is 600,000. The previous password manager market leader (LastPass) is not recommended (see Breaking News). See Credential Re-use warnings on reusing passwords. info
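What the iteration count does in practice, as an added example in Python (not code from any password manager): PBKDF2-HMAC-SHA256 from the standard library, a self-describing stored record so the count can be raised later, constant-time verification, and a small timer that shows the per-guess cost the attacker inherits. Constants and the record format are this example’s own choices.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ALGORITHM = "sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP (2023) guidance for PBKDF2-HMAC-SHA256
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = salt or os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(algo.split("_", 1)[1], password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=KEY_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, minimum: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than policy now requires;
    the fix is to re-hash at the user's next successful login, when the plaintext is available."""
    return int(record.split("$")[1]) < minimum


def guess_cost(iterations: int, guesses: int = 1) -> float:
    """Seconds this machine spends on `guesses` PBKDF2 computations at the given iteration count."""
    salt = b"\x00" * SALT_LEN
    start = time.perf_counter()
    for _ in range(guesses):
        hashlib.pbkdf2_hmac(ALGORITHM, b"guess", salt, iterations, dklen=KEY_LEN)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct :", verify_password("correct horse battery staple", record))
    print("verify wrong   :", verify_password("Tr0ub4dor&3", record))
    for n in (1_000, 100_100, 600_000):
        print(f"{n:>8} iterations: {guess_cost(n):.3f} s per guess")
```

The multiplier is linear: moving a vault from 100,100 to 600,000 iterations makes every offline guess six times more expensive for an attacker with a stolen vault, at the cost of a fraction of a second on each unlock.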
Payment Card Industry Data Security Standard PCI-DSS The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council info
Penetration Testing Pen Testing Authorized testing of systems for vulnerabilities using the tools and techniques an attacker would use, with findings reported for remediation.
Phishing and PhaaS Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email, text (Smishing) or voice mail (Vishing), or targets senior individuals (Whaling) or specific individuals (Spear Phishing). 2023 variants include cloning, which copies legitimate emails, and innocent-looking QR-code phishing (usually pretending to be from DocuSign). Phishing is the source of the majority of cybercrimes: malware triggered by clicking, zero-click exploits, embedded code, Living off the Land attacks, etc., begin here. Phishing as a Service was a 2022 phenomenon and continues to grow. It is essentially a tool kit run as a service for use by less skilled hackers, and the kit can also be used to generate Zero Day attacks. Threat
Pharming Attack This is the name for the DNS-based technique used in a Man-in-the-Middle attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server (or the victim’s resolver or hosts file) so that a domain name points to the masquerading website’s IP address. With the pointers changed, traffic for the genuine URL is sent to the IP of the masquerading website, where transactions can be mimicked and information such as login credentials gathered. With these the attacker can access the real site and conduct transactions using the credentials of a valid user. Threat
Ping of Death Attack Another form of Denial of Service attack: a Ping of Death sends an improperly large ICMP echo request packet (a “ping”) with the intent of overflowing the input buffers of the destination machine and causing it to crash. Threat
Policy This is the central controlling element of a Zero Trust enabled secure service. It’s the software or service element that manages and controls requested access based on Identity, Authentication, Access Control and Policy. This management may be at a common point in a network or may also include the Policy Enforcement that protects against data exfiltration or software replacement. It can be integrated as part of a service. It also initiates the monitoring of the flow between actors for the duration of a connection. Depending on the access requested, it may manage at any layer of the network from physical to application layer, and also the control or management plane software, the operation of secure containers, etc. info
Policy as Code Policy as Code expresses access and security policy in machine-readable, version-controlled form so that it can be tested, reviewed and enforced automatically; it has become necessary in order to scale, automate and reduce development time. It’s included here because it’s an important element of DevSecOps, where it is termed Security as Code. info
Policy Management and Enforcement Policy Management is the process in a Zero Trust enabled service that verifies whether the Actor requesting access is identified and authenticated and is in conformance with its role and policy, that the target Actor is similarly identified, and that monitoring of the access is initiated. Policy Enforcement is the point at which the Policy is enforced. ZT
Polymorphic Malware This is Malware designed to constantly change its identifiable profile in order to evade detection. Types of malware including bots, trojans, keyloggers, viruses and worms, can be polymorphic. Threat
Port Scan A Port Scan is a series of packets sent to learn which network services, each associated with one of the 65,535 TCP (or UDP) port numbers on an IP-connected device, are reachable and potentially vulnerable. The response indicates whether each port is open, closed or filtered. For example, management ports left open to the Internet are candidates for Denial of Service and brute-force attacks. Threat
Protective DNS PDNS Protective Domain Name System (PDNS) adds a threat-intelligence check against all DNS queries and answers in order to block or sinkhole malicious or suspicious domain resolutions. PDNS integrates easily with existing security architectures, since it only requires pointing existing clients or resolvers at the PDNS recursive resolver; it leverages the existing DNS protocol and architecture. Protecting DNS resolution is a key cyber defense because threat actors use domain names across the exploitation lifecycle. Users frequently mistype domain names while attempting to navigate to websites and may unknowingly be redirected to a malicious site, from which threat actors may install malware onto the user’s system, conduct command and control operations, and exfiltrate data. info
Proxy Server Unlike a VPN which transfers data via an encrypted tunnel, an IP Proxy Server acts as a gateway between users and the internet. It’s an intermediary server with its own IP address separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on use case, needs, or the organization’s policy. info
Ransomware and RaaS Ransomware is malware that results in user data or systems being encrypted or locked until a ransom is paid. The threat is loss or exposure of private data, or cessation of business-critical operations. Paying the ransom does not reliably prevent the threat from being executed (or repeated). Ransomware as a Service (RaaS) was the model for PhaaS (above): a tool kit run as a complete packaged service for use by less skilled hackers. Threat
Red Team, Blue Team, White Team Where resources permit, a Red Team is a group of security experts who simulate attackers attempting to defeat the Blue Team, who use their existing threat detection and prevention defenses to detect and thwart the Red Team’s attacks on an organization. The result is (in theory) a list of new defenses that can be deployed. This can be very challenging and rewarding when viewed from a holistic perspective. The White Team are the referees/scorers in this competition. info
Remote Browser Isolation RBI RBI is a security measure that separates users’ devices from the act of internet browsing by hosting and running all browsing sessions in a remote, cloud-based and hopefully secure container. It also means that data can be screened to avoid exfiltration of sensitive data, and it serves as a phishing defense. This, therefore, is an efficient way and place to implement a Zero Trust Enforcement Point. It also helps prevent malware being inadvertently loaded onto end user systems. info
Risk Management In the same family as Threat Management, and Asset Curation, Risk Management adds the measurement and finance component. Overall, It’s the decision making process that governs the priority of what should be protected. Put another way it’s an equation that combines the aspects of applying the security elements into a score that governs what should be enforced and in what order. Marketing
Rootkit A Rootkit is a collection of malware giving actors covert control of a computer, network device or application. Rootkits typically create back doors for further attacks and, because they hide at or below the operating system level, are very difficult for anti-malware software to detect once installed. This is why Rootkits are considered extremely dangerous. Threat
Secure Access Service Edge SASE SASE was conceived as a collaboration between networking and cybersecurity. Its intention is to be a fully-integrated WAN networking and security framework that connects remote users and branch offices to cloud and corporate applications and the Internet. However, great caution should be exercised since almost every term is a marketing one rather than a technical definition. Also, every vendor and service provider has (legitimately) added functions to deliver more practical “SASE” or “SSE” solutions. As first outlined by Gartner in December 2019, in a blog describing it as a “new package of technologies”, SASE is a conceptual framework, largely consisting of marketing terms, not a product. It encompasses features “such as” (1) SD-WAN, a network overlay technology, (2) Cloud Access Security Broker (CASB), (3) Secure Web Gateway (SWG), (4) Firewall as a Service (FWaaS) and (5) Zero Trust Network Access (ZTNA). All these terms are covered in this Terminology page; their definitions are up for interpretation. Late in 2022 the MEF expanded on the original idea, introducing a SASE service and service attributes definition (MEF 117) that defines a standard ‘SASE service’ combining security functions and network connectivity. Marketing
Security Service Edge SSE Follow-on to the above. Later Gartner defined SSE, a more IT-focused and implementable subset of SASE without SD-WAN and FWaaS, consisting of CASB, SWG and ZTNA. Gartner defines SSE as securing access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components. In March 2022 Gartner created a new Magic Quadrant summarizing 11 players in this space. Marketing
Note: If after reading this, Googling SASE or SSE and looking at product definitions in this space, you are still unclear, then we would not be surprised, since vendors and providers match their capabilities to their market. If you are looking for guidance then it comes down to understanding what a product does and seeing if it matches your requirements, rather than matching the function to a marketing definition of SASE or SSE.
Secure APIs Application Programming Interfaces (APIs) are increasingly important and their security is critical, since they regulate access to code and data. There are many potential vulnerabilities that are well documented (see the OWASP API Security Top 10) together with best practices for defense: strong authentication and authorization of every call, input validation, rate limiting and logging. Digital signing of requests is among the strongest of these defenses. info
Secure Containers Given the popularity of Kubernetes as the favored container platform and the home of Cloud workflows, it’s no surprise that protection methodologies are required, hence the term Secure Containers. See Reference 36 on the reference page for much more information. info
Secure DNS Proxy SDNSP Smart DNS Proxy is a commercial DNS proxy service marketed for unblocking geo-restricted websites and global video and music streaming services (Netflix, Hulu, ABC, Pandora, Spotify, etc.). There is no connection or disconnection as with a VPN; it claims to be faster than a VPN and to work with any device (PC, Mac, Smart TV, Xbox, PlayStation, router, iPad, iPhone or Android). Note that, unlike a VPN, it only redirects DNS answers and does not encrypt your traffic, so it is a convenience service rather than a security control. info
Secure Internet Gateway SIG A SIG is a cloud-delivered internet gateway that provides safe and secure access to the users wherever they go, even when the users are off the VPN/network Marketing
Secure Network as a Service SNaaS Secure Network as a Service is a Zero-Trust enabled service. While Zero Trust is neither a system nor a product, and the Gartner concepts of SASE and SSE are important steps forward, SNaaS is a framework service that incorporates (1) the principles of Zero Trust, (2) the network and security elements of SASE, (3) around 30 defensive elements associated with SSE and (4) the elements of holistic security across an extended organization. ZT
Secure Production Identity Framework for Everyone SPIFFE SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running. SPIRE is a production-ready implementation of the SPIFFE APIs.  assn
Secure Socket Layer SSL The original security technology for establishing an encrypted link between a web server and a browser. All SSL versions are deprecated and have been superseded by TLS; the name survives in “SSL certificate” and similar usage. info
Secure Web Gateway SWG A secure web gateway acts as a barrier that keeps users from reaching malicious websites, malware, or web traffic that is part of a cyberattack. It filters malware out of user-initiated Internet traffic and enforces corporate and regulatory policy compliance. All the traffic it governs passes through it inline; the gateway stands between the users and the Internet for both outgoing requests and incoming responses. Marketing
Security and Risk Management SRM The ongoing process of identifying security risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they would have on valuable assets. Marketing
Security as a Service SECaaS The delivery of security capabilities (for example SWG, email filtering, SIEM, MFA or managed detection and response) as a cloud-hosted subscription service rather than as products installed and operated on premises. Marketing
Security Assertion Markup Language SAML An XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider, so that a user who has authenticated in one context can be granted access to applications in another. It’s a single sign-on (SSO) login method offering more secure authentication (with a better user experience) than per-application usernames and passwords. info
Security Event Notification SEN This is a broad definition of what, how and where events are notified. In a Zero Trust implementation this could include access requests being blocked or quarantined due to improper access privilege, identification, authentication or policy failures, target actors being out of scope for the subject actor’s access, or monitoring noting that timed access is being violated. It could also notify management issues such as Denial of Service attacks or failures in secure services such as unexpected termination. These notifications are in addition to service notifications of IP failures, QoS violations from network services, secure container or other data related notifications. There is no industry standard that encompasses all network, IT and security notifications via common secure APIs. ZT
Security Functions In the MEF 117 definition, a SASE Service delivers and manages cloud-native security functions as specified by the SASE Subscriber Policy for a specific session. These security functions must be deployable anywhere within the SASE Service in order to optimize the performance and security provided for that session. The security functions available in a SASE service are listed in MEF 117. The security functions are ‘atomic’ in the sense that they are frequently combined into packages recognized in the market under different terminology, for example ATP, CASB and SWG. info
Security Information and Event Management SIEM A SIEM  collects and analyzes data from various sources (such as event logs), then filters and applies rules for data analysis. It may include analysis of threats etc. Marketing
Security Operations Center SOC Location of services and systems responsible for cybersecurity.  info
Security Orchestration Automation and Response SOAR Clearly an important function, though Gartner’s marketing engine referring to it as “The SOAR market continues to build toward becoming the control plane for the modern SOC environment” may be a little over the top. Marketing
Security Policy An organization’s Security Policy is the fundamental and necessary element of cybersecurity defense. It’s a high-level view of what should be done with regard to information and physical security – the baseline that executives use to define what is secure enough for their organization. Typical elements are (1) assessing critical assets, (2) assessing risks v. value, (3) assigning and delegating responsibilities, (4) continuous progress measurement, (5) permanent reports to executive meetings, and (6) the role of the CSO – not limited to IT, reporting to the board. The Security Strategy is the execution of the Security Policy. info
Security Posture Describes the current state of an organization’s overall ability to predict, prevent and respond to Cyber threats. The book provides focus on all the areas that need to be taken into account. The term may seem non-intuitive but has become widely adopted. info
Session Hijacking Also known as cookie hijacking, it’s the exploitation of a user-Internet/web server session to gain unauthorized access to information or services. In particular, it is used to refer to the theft or “hijacking” of cookie information used to authenticate a user to a remote server. Threat
Side Channel Attack This is an attempt to deduce information, keys, passwords etc., by measuring CPU usage, visual or acoustic evidence, or electromagnetic emissions from adjacent software or devices. It could involve use of tracking devices, chips, keys, or known hardware weaknesses. Threat
Skimming This term is used when a threat actor uses a tag reader to read an encoded strip (e.g., using RFID to read a credit card magnetic strip, Bluetooth and more). Such devices (e.g., Flipper), although banned, are seemingly available on the grounds that they are used for Penetration Testing! Threat
Social Engineering The use of psychological manipulation to influence people to divulge sensitive information or to perform actions that may not be in their best interest. It often involves exploiting people’s trust, fear, or desire for gain, and can be used to gain access to confidential information, networks, or systems. Threat
Software Defined Wide Area Networks SD-WAN An overlay to transport Layer communications. Originally defined by the Open Networking Group (ONUG.net) and later defined for service providers by the MEF (MEF.net) [15] SD-WAN is also an element of SASE as introduced by Gartner. info
SQL Injections Most IT people are aware that SQL (Structured Query Language) is a commonly used methodology for accessing databases in data centers or in clouds. SQL Injection malware exploits weaknesses in accessing data. Best defense practices are the use of secure containers, input validation and parameterized queries to prevent deleting and overwriting data, and of course the use of Zero Trust principles to avoid exfiltration of data. Threat
Spyware A type of malware, such as keylogging, that spies on user or software actions, gathering data from a user’s device and sending it to third parties without their consent. Threat
Structured Threat Information Expression STIX This covers all manner of attacks originating from a third party that could be manufacturing a deliverable product or software element or even a security software product. Marketing
Supply Chain Attack This covers all manner of attacks from a compromised third party that could be manufacturing a deliverable, product or software element, a service company or even a security software product. Specifically, Software Supply Chain Attacks are malware code embedded “somewhere” in the system of software suppliers. They are the cause of many/most large-scale, high-profile ransomware and malicious attacks. The supplying company may not be the culprit. Like the Log4Shell malware, it could be buried in some open source code that was never verified. The important point is to delegate to such companies by having them self-certify their products or services. (This is covered in detail elsewhere on the site in mid-2023.) info
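To show what “parameterized queries” and “input validation” buy you in the SQL Injections entry above, here is an added example (not code from this page) using Python’s built-in sqlite3 driver: a login lookup built by string concatenation beside the same lookup with placeholders, plus a validation layer in front of it. The table, user and inputs are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory users table for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'admin')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # The defect: user-controlled text is pasted into the SQL statement,
    # so a quote in the input changes the query's grammar.
    query = ("SELECT role FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, name, password):
    # The fix: '?' placeholders make the driver send values separately
    # from the statement, so quotes in the input stay data, never SQL.
    query = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(query, (name, password)).fetchone()
    return row[0] if row else None

# Assumed username format for this example: letters, digits, underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def login_validated(conn, name, password):
    # Input validation as a second layer: reject implausible usernames
    # before they reach the database at all.
    if not USERNAME_RE.fullmatch(name):
        return None
    return login_parameterized(conn, name, password)
```
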
Tabletop Exercise Discussion-based exercise to validate the content of plans, procedures, policies, etc., to manage incidents, plan recovery etc. Threat
TCP Split Handshake Attack First encountered more than a decade ago, this attack is caught by most firewalls. However, this form of attack is seemingly still quite prevalent. Briefly, when the user’s system (e.g., a browser) makes a connection with a remote host, the Transport Control Protocol (TCP) is invoked, beginning with a three-way synchronization “handshake.” The connection by the user is initiated with (1) what’s known as a SYN packet, (2) the host replies with a SYN-ACK acknowledgement packet and (3) its receipt is acknowledged by the user with an ACK packet. Then the flow of data starts. This can be interrupted by a malicious host sending back confusing packets during the initial handshake. Probably more than you need to know, but for a detailed discussion, please see this link from 2010. Threat
Threat Detection Threat Detection (a.k.a. Threat Assessment or Threat Analysis) is the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network. Be aware that while they are much better than having no detection, most of these Threat Detection systems are limited to the IT department’s domain and are not set up to investigate external systems such as provider or cloud networks, supply chain networks, web content management systems, external CRM systems, OT networks, etc. They also likely do not help directly with social engineering, and often do not validate least privilege or other Zero Trust attributes. They may also be vulnerable to management plane attacks on the Threat Detection software itself. Marketing
Threat Intelligence This is a marketing term, that seems to have no standardized definition but is frequently used to make the seller of such products or services look, well, intelligent! Marketing
Threat Modelling Threat modelling is the process by which threats, whether vulnerabilities or the absence of appropriate controls, can be described and mitigations or remediations planned. The purpose is to provide an understanding of what controls and vulnerabilities exist. Microsoft’s Threat Modelling Tool is freely available here. It’s based on its STRIDE model for identifying threats, categorized as Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of Privilege. What luck that these 6 categories made up the word STRIDE. I haven’t repeated what Repudiation and Tampering are defined as. info
Threat Protection Like Threat Detection above, Threat Protection is typically an umbrella for a collection of software tools or services that defend against detected threats. Many companies combine detection and protection into an upmarket offering termed Threat Intelligence. Marketing
Threat Types There are many threats called out on this page and elsewhere. This entry collects the top threat types that require detection and protection. The several “… as a Service” tool kits often deploy several such threats, three of these being Phishing as a Service (PhaaS), Ransomware as a Service (RaaS), and, most recently and most dangerous, Hacking as a Service (HaaS). The number of threat types, each requiring detection and protection, reveals the scope of the challenges faced: Advanced Persistent Threat | Adware | API attacks | Botnet | Bring Your Own Device | Bring Your Own Vulnerable Driver | Brute Force Attacks | Business Email Compromise | Credential Re-use | Cross-site Scripting | Data Breach | Deep Fake | Denial of Service | Distributed Denial of Service | DLL Side-Loading | DNS Security & Protocol Filtering | Drive-by Attacks | Elevation of Privilege | Exfiltration | Insider Threats | Key Logging | Lateral Movement Attacks | Living off the Land Attacks | Man-in-the-Middle Attacks | Phishing | Polymorphic Malware | Ransomware | Rootkits | Session Hijacking | Side Channel Attack | Social Engineering | Software Supply Chain Attacks | Spyware | SQL Injections | TCP Split Handshake Attack | Trojans | Viruses | Watering Hole Attacks | Zero-Click Attack | Zero-Day | Zombie attacks. Threat
Transport Layer Security TLS Transport Layer Security (TLS) encrypts data as specified by the Internet Engineering Task Force (IETF). This is currently a controversial issue because of the pending requirement to upgrade from TLS 1.2 (IETF RFC 5246) to TLS 1.3 (RFC 8446). The differences are the deprecation of various supported encryption methods and simpler but more secure handshakes. The overwhelming resistance to upgrading is based on disruption and concern about breaking vast numbers of applications. This resistance is going to be overcome by NIST mandates that force change in government and financial networks, likely to arrive in January 2024. Read Cisco’s report on this issue. info
Trojan A form of malware where a malicious payload is embedded inside of a benign host file or program. Log4Shell is a prime example of infected open source code that was used extensively before it was detected. When embedded in a file, the victim is tricked into believing that the only file being retrieved is the viewable benign host. However, when the victim uses the host file, the malicious payload is automatically deposited onto their computer system. Threat
URL Filtering URLF URL Filtering is defined as the action taken by the SASE Service Provider to check whether a session contains a URL that is to be Allowed or Blocked. URL is specified in IETF RFC 3986. URL Filtering applies to cases where the domain name is on the “Domain Name Filtering Allow List,” but one or more URLs associated with that domain have a security issue and need to be blocked.  info
Video File Attacks The difficulty of discovering malware lurking deep inside H.264 encoded video files (the most commonly used video format) has been revealed. Beyond identifying vulnerabilities, the complexity of H.264 encoding makes it very challenging for any tool to discover pervasive malware inside such videos. Graphics hardware vendors need to take the corrective actions listed in the revealing paper published in April 2023 by the University of Texas at Austin. Software suppliers, threat detection providers and users will need to implement any updates. Threat
Virtual Private Network VPN A service that protects Internet connections and privacy online. It creates an encrypted tunnel for data, protects your online identity by hiding IP addresses, and allows the use of public Wi-Fi hotspots safely.  info
Virus A virus is a specific type of Malware that self-replicates by inserting its code into other programs and is then spread to other systems and executed. See also Lateral Movement Attacks. A common source has been open-source software that is included and distributed without proper testing, the infamous Log4Shell being an example. Threat
Vulnerability Assessment The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Marketing
Vulnerability Management Cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Vulnerability management is integral to computer and network security and should not be confused with vulnerability assessment. Marketing
W3C Web Authentication WebAuthn A Standard for web authentication: An API for accessing Public Key Credentials.  assn
Watering Hole Attack Just as the name implies, malware lies in wait for users that are known to visit a specific web site. Threat
Zero-Click Attack An attack initiated without the user taking any action or clicking on anything. These can be inserted by just opening an email and unwittingly enabling a Living off the Land or Microsoft Office exploit. Threat
Zero-Day A.k.a. “Zero-day” Attack. A new exploitation of a vulnerability by an attacker. By definition, it is discovered after it causes damage and is successful because no remedy – e.g., software or a remedial process – had yet been implemented. Threat
Zero Trust A set of principles and strategies intended to prevent the exfiltration of data in many areas, layers and apps operating in a hybrid cloud, perimeter-less network. See this site’s page on Zero Trust and Section 7 of the Book for an in-depth examination. Two of these principles are “Assume Breach,” where the enemy has already penetrated your perimeter, and “Never Trust, Always Verify.” The word “Always” is important and doesn’t just mean verify once. It means continually verify, since access may have a time limit or other restrictions and the user, app or device may suddenly attempt actions that are not aligned with the access policy, etc. Perhaps the term should have been “Never Trust, Continuously Verify.” Implementing Zero Trust involves (a) Identity and Authentication, (b) Access Control, (c) Policy Management, (d) Policy Enforcement at appropriate locations or between designated points, (e) continual automated monitoring and auditing, plus (f) Event Notification. In a world where the network perimeter no longer exists, a Zero Trust approach is the best and perhaps the only approach to protecting your assets. Remember it’s not a system but an approach whose deployment is context and location dependent. NIST has defined a Zero Trust Architecture – 800-207. ZT
Zero Trust Network Access ZTNA Perhaps the most bizarre term on this page is the last one. Zero Trust Network Access is an element of Gartner’s original SASE concept. Note: there is no official industry standard definition for this term or its specific functions (this includes NIST 800-215). In the market, ZTNA solutions provide secure remote access to an organization’s applications, data, and services based on clearly defined access control policies. It could be said that ZTNA is the Zero Trust replacement for virtual private networks (VPNs) in that ZTNA grants access only to specific services or applications, whereas VPNs grant access to an entire network. ZTNA is an obvious solution to distributed workforce security. This use case is the only one that could be seen as part of a Zero Trust strategy. Marketing
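An added example (not from this page or from NIST 800-207) tying the Zero Trust entry’s “continuously verify” principle to the Security Event Notification entry: a small policy decision point that re-evaluates every request against a time-limited grant and records a notification with the cause of each denial. The grant fields, subjects and resources are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Grant:
    # Constructed grant shape: what a subject may do, to what, and until when.
    subject: str
    targets: frozenset   # resources in scope for this subject
    actions: frozenset   # actions the access policy permits
    expires_at: int      # timed access, as a simple clock value

@dataclass
class PolicyEngine:
    grants: dict                      # subject name -> Grant
    notifications: list = field(default_factory=list)

    def _deny_reason(self, subject, target, action, now):
        # The reasons mirror the SEN entry: identification, timed access,
        # target scope and policy failures.
        grant = self.grants.get(subject)
        if grant is None:
            return "unidentified subject"
        if now >= grant.expires_at:
            return "timed access expired"
        if target not in grant.targets:
            return "target out of scope"
        if action not in grant.actions:
            return "action not in policy"
        return None

    def check(self, subject, target, action, now):
        # Called on every request, never once per session: a grant that
        # was valid a moment ago is re-verified against the current clock.
        reason = self._deny_reason(subject, target, action, now)
        if reason is None:
            return True
        # Security Event Notification: each denial is recorded with its cause.
        self.notifications.append({"subject": subject, "target": target,
                                   "action": action, "reason": reason})
        return False
```
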

Something missing here? Something you disagree with? Contact us to let us know.