MORE THAN JUST A GLOSSARY

Updated February 29th, 2024

Marketing or Technical?

When trying to find a single agreed definition of a term, one is confronted with competing marketing terms disguised as fact. This can make understanding even more complex. An example is Gartner’s SASE/SSE: some clear thinking in terms of ensuring networking and security are aligned, but not in itself easily implementable as a defined system, or even as an agreed set of elements. This is understandable as it is part of an organization’s need to uniquely position itself.

You are likely aware that many organizations’ acceptance of these terms is clouded by their need to be at the top right of their particular Gartner “Magic Quadrant” or Forrester “Wave.” We all turn to Google, Wikipedia or the Gartner Magic Quadrant as the best starting point, but many links are sponsored, biased, may not fit your organization or, most relevantly, recommend solutions that don’t fit your budget.

On this page we also distinguish Defence Tools, the better-defined “atomic” security functions, from Solutions that combine several such functions into a security product, a service, or a combination of networking, security automation and AI.

The best approach is to understand what is being protected and what is being enabled, irrespective of what the product or service is called.

Definitions Vary

Industry Standards themselves are subject to agreement by the parties creating them. This may be obvious, but as much as we would love to provide guidance on which services or products to choose with our “Top Ten lists of …” for each approach, it is clearly an unwise and impossible task because it would require years of analysis and expertise and would be outdated before it was written. Even in a standards body it is common to find multiple definitions of the same term that are subjective and context dependent. (This author once found 10 different definitions of one term in one standards body.) Enter Open Source and all bets are off. Since these definitions are distilled from multiple sources, the full list of references is on the References Page and only some are given here.

Purpose of Acronyms

Acronyms are used to save time within knowledgeable technical groups; sometimes they are used to deliberately create an impression that the user is smarter than you. As a tip, only use an acronym if a term is used more than once in a document. I dislike the use of acronyms but they are provided here for completeness.

The list is categorized by Threat Types, Zero Trust, Defensive Terms, general Information and Marketing terms. This last category is typically product types that are named to imply unique or innovative capabilities. Those labelled “Defense, Marketing” are those that provide defense but whose definition is subjective.

Term Acronym Definition Type
Access Control MAC, DAC, RBAC Defines which Subject Actors can perform which operations on a set of Target Actors according to identity management, authentication, policy, privilege, time, duration, etc. It also describes the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., critical infrastructure facilities, federal buildings, military establishments). NIST has defined several Access Control policies, including Attribute-Based Access Control (ABAC), Mandatory Access Control (MAC) and Discretionary Access Control (DAC) covering some areas, and Role-Based Access Control (RBAC) based on the role of the actor. An Access Control List is defined as the list of rules that make up the policy for accessing a target actor (a compute or network resource such as a device, network service or application). ZT
Accountable Digital Identity Creates trusted digital addresses from existing trusted identity sources such as employers, financial services, governments, etc., allowing people to manage their identity information. Info
Actor Used by various sources, especially the MEF, to represent a user, application or systems software or device. It also defines Actors as either Subject (initiating a request) or Target (the recipient of the request). Application-to-Application exchanges dominate computer dialogs. In line with the Zero Trust principle “Never Trust, Always Verify,” Actors are always assumed to be untrusted (with possible malicious intent) unless (and only while) verified to be legitimate. In the past, Actor has commonly been used to mean Threat Actor, a person or organization deemed to have malicious intent. Zero Trust has superseded that meaning. ZT
Advanced Persistent Threat APT As opposed to malware, which typically acts immediately, an Advanced Persistent Threat is a sophisticated, often complex and sustained cyberattack in which an intruder penetrates a system, establishes an undetected presence in a network and invokes one or more Lateral Movement attacks to infiltrate connected systems, provider or cloud networks. The resulting malware can lie undetected in systems for a long time. The various “… as a Service” attacks are increasingly of this nature. The result can be anything from disruption, identity or data theft, ransomware, etc. The best defense is avoidance or detection of the initial penetration via Phishing, etc., in the first place. Threat
Adware Software that bombards users with endless ads and pop-up windows, a nuisance to the user experience. However, it can also pose a danger by diverting users to dangerous sites and tricking them into clicking on malicious links, etc. Also known as Malvertising. Threat
Air Gap 1. The physical separation of networks and systems. Typical use is in sensitive operational networks being kept separate from external networks (e.g., the Internet or internal business networks) to avoid attacks. This physical separation likely includes both wired and Wi-Fi separation. Offline backups for disaster recovery are another instance. 2. The logical separation of networks via encryption and Zero Trust managed access (via least privilege, identity management, policy, etc.). Defense
Alarms and Alerts These terms are used to determine how a security event is reported (see also Security Event Notification). The distinction is typically that something “Alarming” has happened, rather than “Alerting” the user or system that something has happened and should be noted or watched. However, which category an event falls into is usually a matter of severity, is subjective and is a matter of policy. A Threshold Crossing Alert (TCA) is another related term, meaning that some measured value has crossed a limit; for example, the amount of data transferred has exceeded a limit, causing suspicion of exfiltration. Info
Anti-Malware Software Generically, a variety of software systems designed to detect malware, viruses, phishing, spyware attacks, etc., and protect users from them. Used somewhat interchangeably with Anti-Virus Software and typically installed on user devices. Anti-Phishing and Anti-Spyware software is usually separately packaged, but not always. Built-in protection is part of the Windows and Apple PC platforms. It is not clear (seemingly deliberately so) how much value the commercial “Anti …” software add-ons provide compared with the platform’s built-in protection. Defense
Application Security AppSec Application Security encompasses the many aspects of securing applications, which has become dominated by the hosting of workloads in multiple clouds over multiple containers. Like other topics covered here, it has its own world of challenges, threats and solutions. These are addressed under Cloud Security below. Info
Argon2 Argon2 is a memory-hard function for password hashing and proof-of-work applications. See also the informative IETF RFC 9106. It is being used increasingly to strengthen the protection of stored passwords. One example is its adoption in 2023 by the password manager Bitwarden following recent industry incidents of attacks on another password manager. Info
Artificial Intelligence AI Many definitions relate to generative AI. In the Cloud Network Ecosystem, it refers to intelligence applied to the automation of Identity management, access control, policy enforcement, network discovery, monitoring and auditing of access, etc. See also Automation and Artificial Intelligence below. ZT
Ascon A cryptography standard for lightweight IoT device protection. Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight (i.e., suitable for devices with low computational power and resources, such as IoT devices) and easy to implement, even with added countermeasures against side-channel attacks. Chosen by NIST in February 2023 as the new standard for Lightweight Cryptography (LWC), its security characteristics are such that it could supersede other encryption technologies such as AES used in the IETF’s TLS. Info
Asset Curation is a critical part of an organization’s security strategy. It is the act of discovery and automated ongoing monitoring of all electronic assets that could be vulnerable to attack. Without it, it is not possible to know what assets need protection and which undefendable assets need to be replaced, etc. It is also an essential part of evaluating the value of data requiring protection. A Configuration Management Database (CMDB) is a database that contains all relevant information about the hardware and software components used in an organization’s IT/OT services and the relationships between those components. A CMDB is a useful tool in this curation process. Also in the area of curation is the deployment of data backup strategies. Where practical this should also include adjacent systems (web sites, third party systems that access corporate data, policy databases for unauthorized changes, etc.) plus off-site Disaster Recovery, Auditing and validation of backups by restoring data, and using Content Disarm and Reconstruction software (CDR) to scrub data. Also, Disaster Recovery is often a part of a Business Continuity Plan (a.k.a. BCDR) covering the recovery plan and how to operate during the process with minimal interruption. The elements here are all considerations for an Incident Response Plan (see below). Finally, this is an important tool for automated software, firmware and hardware updates. Info
Atomic Security Functions Selecting security software is challenging due to the lack of agreed definitions of specific security functions. This page is a good example. What begins with a simple product scope gets expanded; SSE, SASE and Firewalls are good examples. Therefore, this page distinguishes products/tools that address specific threats from wider-ranging marketing solutions. A January 2024 survey found that more than half of all enterprises were dissatisfied with the security offerings they had purchased. The recommendation is to make sure what you subscribe to addresses the specific atomic security functions needed. Info
Attack Surface The place and time where attacks take place. The shift from data center to Network Cloud Ecosystem has created a multitude of attack surfaces. An Attack Vector is the path taken by a Threat Actor to obtain unauthorized access to a system or network. An attack surface is the total number of attack vectors an attacker can use to manipulate a network or computer system or extract data. Info
Attack Surface Reduction ASR The logic is that attacks are harder to carry out if there is less visibility of and access to assets; i.e., the targets for attacks, to use the Attack Surface term, are minimized. This is somewhat addressed by a policy of only making the target actor visible to subject actors who are compliant with their specified privilege. However, this term could apply to almost any set of defenses, so it is only included because it has come to mean almost any collection of software and services that reduce threats. Having said that, any set of tools from a highly reliable source is likely a good thing. Defense
Authentication The process of verifying the Identity of an Actor (software, device, or user). If Identity Management is about establishing the identity of an actor, then Authentication is the process of discovering if they are who they say they are. There are many ways to do this: passwords, passkeys, multifactor authentication with or without Biometrics, TLS, mTLS, certificates, etc. ZT
Authorization The decision given to authorize access to a network, Cloud, etc., by an authorizing person or strategy. This is executed by the process that results in Allowing or Blocking a Subject Actor from accessing a Target Actor. ZT
Automation The scale of modern systems makes cybersecurity without automated intelligent systems virtually impossible. Firstly, human error is inevitable given complexity and constant change; failing to patch ever-changing software, services, firmware and hardware, and updating data manually, are opportunities for exploits to occur. Secondly, the increased scale of larger organizations has made automation the only viable approach. Thirdly, the Artificial Intelligence element comes together with Automation to discover changes, detect and notify irregularities, and automatically deploy remedies. Finally, Automation and AI are also part of the DevSecOps process for the creation of both products and services. Several automated approaches may be required in addition to those overseeing organizational system and network functions (e.g., web site plug-ins, platform updates, malware prevention systems and provider networks). Such approaches must be distributed to span the Network Cloud Ecosystem. ZT
Automotive Threats A separate topic in itself, but specific threats apply to millions of vehicles as they become increasingly software-driven. ISO has a standard, ISO 21434, for automotive cybersecurity. Electric and self-driving vehicles are prone to specific system and battery management system attacks, but keyless car theft, disruption to autonomous vehicle communications via phishing attacks, and attacks on all system functions apply to all modern vehicles too. It is mind-boggling to imagine what would happen if a vast fleet of trucks were halted via a distributed denial of service attack. Maybe that 2007 Mercedes is worth keeping after all. Threat
Back Door The often careless habit of leaving security bypasses in code inserted to speed development or “just in case” access can’t be achieved. This is especially found in open source code where the practice has caused vulnerabilities. Threat
Beaconing A technique used by malware to signal to its host that it is still in place, active and lying dormant until activated. An element of an Advanced Persistent Threat attack. Threat
Biometric Security Often used in multifactor authentication using facial, fingerprint, eye, voice, etc. Like other MFA defenses, such biometric methods are a great help but are definitely not infallible, and each can be cracked. Defense
Blockchain It is well-known that the inherent security of its distributed systems has enabled Ethereum and cryptocurrency transactions. What is also clear is that it is not immune from a variety of attacks based on reuse of keys, identity theft, attacks on adjacent systems, etc. It remains to be seen if last year’s tally of a reported $1.8bn of cryptocurrency losses will be an upward trend. Info
Blocked List Lists of flows or IP addresses that are either approved for passage (Allow or White Lists), prevented from access (Blocked Lists), or suspicious traffic pending approval or blocking (Quarantined Lists). There are several variants of this. ZT
Border Gateway Protocol Vulnerability BGP This is a vulnerability in the popular Internet protocol that could be exploited to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. BGP is a gateway protocol designed to exchange routing information. Threat
Botnet A network of computers infected with a Bot virus program. Less common now in its original form but occurring more in terms of malware being transmitted around an ecosystem. See CAPTCHA below for an example of Anti-Botnet software designed to insert human interactions to prevent Bot attacks. A Zombie is an Internet-connected computing device that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a Botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to Zombies. In October 2023 Cloudflare discovered a new HTTP/2 attack from 20,000 bots. Botnets have been seen in the millions! Very simple attacks can cause crippling Distributed Denial of Service attacks. Threat
Bring Your Own Device BYOD A potentially disastrous policy allowing users to connect to the organization’s network using their own device, which may be infected or vulnerable to attack. This applies to staff, contractors, and any outside third party. Threat
Bring Your Own Vulnerable Driver BYOVD This falls into the category of hidden vulnerabilities that are little known to the average user. These are device drivers that should be updated automatically but often are not. They are often the location where attackers insert a specific kernel driver with a valid signature, thwarting the driver signature enforcement policy, and which may also include code that gives the attacker a kernel write primitive. The best fix is to ensure that all device drivers are updated from the source or via an OS automatic update. This is not a simple task since it is dependent on the diligence of Microsoft, Apple, Google and others. Threat
Browser Isolation Browser Isolation (also known as Web Isolation) is a technology that contains web browsing activity inside an isolated environment in order to protect computers from any malware the user may encounter. This isolation may occur locally on the computer or remotely on a server. Defense
Brute Force Attacks Simply put, this is an important-sounding name for guesswork or trial-and-error attempts to crack credentials by repeatedly trying variants on a name, lazy keystroke patterns, etc., and it is why weak passwords are the cause of so many problems today. A report published by Hive Systems in April 2023 showed how Brute Force attacks on passwords have dramatically reduced their time to crack passwords over the last 3 years, becoming 1-250 times faster, rendering anything less than 11 characters with numbers and symbols effectively vulnerable. See https://www.hivesystems.io/ for their detailed analysis. Threat
Buffer Overflow Attack A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. This is why it is important to write code using Memory-safe Languages. Threat
Business Email Compromise BEC BEC is a type of phishing scam where the attacker impersonates or compromises an employee’s or user’s email account to manipulate the target into giving away sensitive information or connecting to a malicious remote Internet-connected system. Threat
Cache Cramming Cache Cramming is malicious code that tricks a browser to run cached Java code held locally, rather than from a web page that has enforced restrictions. Threat
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart. More recently automated by Google but many sites frustratingly still require you to identify crosswalks or bicycles, etc., often unsuccessfully!! At least it helps keep the Bots at bay. Defense
Camera Hacking Malware that can spy on or listen to video calls without the user being aware. This is best defended by use of anti-virus or antimalware software set for frequent scans. Threat
CASB and SWG Note: what is the difference between CASB and SWG? Both CASB and SWG offer data and threat protection, and both are cloud-based. Cloud-based SWGs have more capabilities, which made them a suitable replacement for the limited firewall. They fulfil the same use case of network/perimeter protection by delivering network security services via the Cloud. Marketing
Cell Phone Cybersecurity With most of the world’s population living on smart phones, access to personal information, if not corporate applications, is particularly vulnerable. Booking, ordering, social media, mail, texting and WhatsApp all need special protection. Apple has had the stronger reputation for security over Android phones, but they are all attacked either directly or via apps that were not verified. Touchless and skimming attacks especially are difficult to defend against. Info
Certificate Authority CA and ACME A Certificate is an electronic document that uses a digital signature to bind a public key to an identity. A Certificate Authority is an organization that is responsible for the creation, issuance, revocation, and management of Digital Certificates. The length of time that a certificate is valid came under pressure in 2023 from Google, with validity reduced from unlimited to a few months. The point of including this is to make sure that your web hosting provider automatically updates your SSL certificates via the Automatic Certificate Management Environment (ACME). It is defined in IETF RFC 8555 to automate certificate request, issuance, installation, and ongoing renewal for web servers. Info
Chief Security Officer CSO, CISO, BISO This is an evolving title and role. The only important point is to ensure a single board-level executive is responsible for security across the entire organization. This means Security Policy, implementation of the Security Strategy across the organization and beyond, and reporting its progress. In the past it was definitely a role inside the IT department with the CSO reporting to the Chief Information Officer. With the growth and impact of cybersecurity, the title has either split (CSO and CIO) or grown to be Chief Information and Security Officer (CISO) or recently to Business Information Security Officer (BISO). The view of this author is that it must be a holistic function taken on by a single individual responsible across the entire organization. Info
Clickjacking Clickjacking, also known as a UI redress attack, is when a threat actor uses multiple layers to trick a user into clicking on a website graphic or link to redirect the user to a malicious site or even an infected page on a site without them realizing it. Hence, the user’s clicks are hijacked. Threat
Clientless Operation This is a methodology where no software is run on an end-user system. The effect is to severely limit, if not eliminate, the attack surface; i.e., a threat actor cannot infiltrate a system if there is no system to infiltrate. This is not quite the complete story, of course, but if the user can only access the Internet via a remote browser (Remote Browser Isolation) and then only access mail via that browser, then the attack surface shifts to remote systems that are easier to control and manage. Even attacks on device drivers are moved to remote or Cloud-based systems. If this is accompanied by a ZTNA connection then the user’s compute device becomes an expensive dumb terminal, to use the vocabulary from 50 years ago, 10-15 years before PCs existed. This is an important approach for those working at home under the supervision of the IT department. Info
Cloud Native Application Protection Platform CNAPP Like SASE, CNAPP was coined by Gartner. It’s a bundle of cloud-based software: a platform usually including CSPM, CWPP and CIEM, code and container scanning. Marketing
Cloud Access Security Broker CASB A Cloud access security broker is Cloud-hosted software, or on-premises software or hardware, that acts as an intermediary or gateway between users and Cloud service providers. This is curious because, as with other SASE elements, this sounds similar to the description that Gartner provided for ZTNA (see below). Marketing
Cloud Security Becoming Cloud-centric in terms of applications, for your organization, partners and customers, does not mean the end of cybersecurity responsibilities. In fact, everything you were responsible for before is still present, except now you cannot directly control or manage it and you are at the mercy of your integrators, providers and their chain of software vendors. Many new acronyms and terms are in use, such as CWP: Cloud Workload Protection (keeping workloads secure and correctly configured), CSPM: Cloud Security Posture Management (monitoring of Cloud-based infrastructures), CIEM: Cloud Infrastructure Entitlement Management (the Cloud equivalent of Identity and Access Management), CDR: Cloud Detection and Response, etc. In addition, microsegmentation and the use of secure containers, plus Zero Trust approaches to the curation and updating of Cloud-based application assets, are in play. As we said earlier, Clientless Operation does not mean you can forget about cybersecurity. Info
Cloud Security Alliance CSA With around 450 member companies, the Cloud Security Alliance (cloudsecurityalliance.org) is the organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Assn.
Cloud Security Notification Framework CSNF Cloud providers generate notifications that are semantically equivalent but require work to make them usable by security applications. The Cloud Security Notification Framework, developed by the ONUG Automated Cloud Governance Working Group, standardizes terminology and provides a common set of elements to ensure consistency across cloud providers. Info
Cloudjacking Cloud jacking involves an attacker gaining access to a cloud account in order to gain access to data. The cause is typically phishing attacks, and it is best defended with the usual protections: MFA, and encryption/decryption keys held separately from user credentials. Cloud security alone may be insufficient. Threat
Code Injection Used to alter the execution of software, initiate malware, instigate Lateral Movement attacks and elevate privilege to spread malicious software by embedding/infecting legitimate websites, systems software or applications with malicious code. Threat
Common Attack Pattern Enumeration and Classification CAPEC CAPEC™ is a MITRE initiative that provides a publicly available catalog of common “attack patterns” to help users understand how adversaries exploit weaknesses in applications. Established in 2007 by the U.S. Department of Homeland Security, CAPEC’s “Attack Patterns” currently described include HTTP Response Splitting, Session Fixation, Cross Site Request Forgery, SQL Injection, Cross-Site Scripting, Buffer Overflow, Clickjacking, Relative Path Traversal and XML Attribute Blowup, etc. Info
Coalition for Content Provenance and Authenticity C2PA An open technical standard providing publishers, creators, and consumers the ability to trace the origin of different types of media. C2PA addresses the prevalence of misleading information online through the development of technical standards for certifying the provenance of media content.
Common Vulnerabilities and Exposures CVE & CVSS CVE is a glossary that classifies vulnerabilities. CVSS is the scoring system for CVE. Vulnerabilities that meet the criteria (acknowledged by the vendor for a particular code base) are listed by the CISA government agency. They are given an ID (e.g., CVE-2022-654321) and a severity score (CVSS): 9-10 is a critical issue, 7-9 high, etc. The list can be quite esoteric and does not typically indicate a resolution, so this is purely an informational reference. Around 10 CVEs are added to the CISA list each month. Info
Compliance There are many requirements covering Governance. From a security perspective, failure to comply with such governance may either break governmental rulings on cybersecurity or cause actual security vulnerabilities. In either case it is important not only to understand such requirements but to audit such compliance at the onset of a new project, e.g., with DevSecOps, or during operation with ongoing automated monitoring. Info
Content Disarm and Reconstruction CDR CDR is a technique for removing embedded malware from files, usually as they are received. Used increasingly with Remote Browser Isolation, CDR (1) flattens and converts files to a PDF, (2) strips active content while keeping the original file type, and (3) eliminates file-borne risks. Some loss of useful content may be encountered, dependent on software functionality. Defense
This is the exploitation of a user-Internet/web server session to gain unauthorized access to information or services. In particular, it is used to refer to the theft or “hijacking” of cookie information used to authenticate a user to a remote server. Threat
Credential Re-use Also commonly (and strangely) known as Credential Stuffing, this attack steals a login username and password (e.g., used for Facebook, Twitter or Google) and reuses these credentials on other sites where the user has naively used the same password. See the Breaking News page in March 2023 for more on this. The answer is not to reuse the same credentials across sites, as a breach on one site gives access to all sites! Threat
Critical Infrastructure Utility, military, government, health, transport and city network operational infrastructures and much more. This is not a cybersecurity term but is frequently referred to because of the importance of protecting them from cyber-attacks. The US Government publishes its description of the 16 sectors and many subsectors that it comprises (See the CISA description). What distinguishes Critical Infrastructure is that their “incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Info
Cross-site Request Forgery XSRF A type of attack exploiting a website’s trust in a user’s identity to perform unauthorized actions. Threat
Cross-site Scripting XSS First seen 20+ years ago. A type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls. Threat
Cryptojacking Cryptojacking (a.k.a. crypto-mining) is malware that infects and embeds itself in systems to steal information such as keys and access credentials to cryptocurrency systems (Ethereum, etc.). This has resulted in billions of dollars stolen from electronic funds, etc. Threat
Cryptography The application of mathematical methods to encrypt/encipher and decrypt data. Asymmetric Public Key Cryptography uses a public key and a private key to enable encryption of data. In Symmetric Cryptography, the same (secret) key is shared by both parties. Info
Cybersecurity Audit A security audit is a systematic evaluation of an organization’s information security policies, procedures, and practices. In Zero Trust systems it is integrated with monitoring, reporting and event notification to verify continuous security integrity, not just at a single point in time. Thus weaknesses and vulnerabilities in the organization’s security posture are identified, actions for improvement may be recommended, and ongoing holistic measurement can take place. A separate audit might be conducted internally by the organization’s own staff, or by an external auditor or consultant. Info
Cybersecurity Compliance Just as privacy regulations have aligned with GDPR, CCPA, etc., Cybersecurity is following the same path. SEC and CISA guidelines and rules will dictate the public and private policies that organizations comply with internally, for their customers and clients, and for their suppliers. What this looks like is a set of rules covering the way you develop services, manage your staff, provide access and protect sensitive information and customer data. Info
Cybersecurity Evaluation Tool CSET Developed by CISA to improve the security of government agencies, their supplying contractors, and their products and services, CSET is a comprehensive set of tools that assess the Security Posture. CSET is delivered as free desktop software and can be downloaded here. An excellent series of explanatory videos is also available, with more here. Info
Cybersecurity Framework 2.0 This is the latest iteration of the NIST Cybersecurity Framework. While it is advertised as having 5 categories (“Identify, Protect, Detect, Respond, and Recover”), like many others it covers many more areas (22 main categories and a total of subcategories). Topics such as Zero Trust, microsegmentation, IoT security, lateral movement and APTs are not addressed. Info
Cybersecurity and Infrastructure Security Agency CISA The US government’s Cybersecurity and Infrastructure Security Agency (CISA) works with partners to defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future. https://www.cisa.gov/ Info
Cybersecurity Insurance The insurance provided in the event of a cybersecurity incident such as data breaches, ransomware etc. The audit described above is becoming a prerequisite for such insurance to be given. Info
Cybersecurity Maturity Model Certification CMMC 2.0 The US Department of Defense’s comprehensive framework to protect the defense industrial base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. (November 2021) Info
Cybersecurity Mesh Architecture CSMA Like SASE and SSE this is a Gartner marketing invention, that possibly had the goal of simplifying the challenges of Zero Trust deployment throughout the network? It seems like more marketing packaging of what enterprises are already doing. It was published in October 2021. It defined itself as follows: “Cybersecurity mesh, or cybersecurity mesh architecture (CSMA), is a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise. It builds on a strategy of integrating composable, distributed security tools by centralizing the data and control plane to achieve more effective collaboration between tools. Outcomes include enhanced capabilities for detection, more efficient responses, consistent policy, posture and playbook management, and more adaptive and granular access control — all of which lead to better security.” As what this means remains a mystery, I will add no comment other than to say that some companies will likely attribute CSMA to what they were already selling anyway and claim to be first to market. In late 2023, the analyst companies are publishing reports on the “Cybermesh” market. Marketing
CyberStart America CSA U.S.-funded student cybersecurity education program. “CyberStart America is the most enjoyable way to discover your talent, advance your skills and win scholarships in Cybersecurity.” https://www.Cyberstartamerica.org/ Assn
CybyrScore CybyrScore is our Security Posture measurement tool that evaluates the whole organization and well beyond. It provides prioritized advice on the most important cybersecurity actions to conduct next. Info
Dark Web The Clear Web is how we refer to the publicly accessible parts of the web, like this site. However, it represents only a very small part of the Internet. The Deep Web refers to all those parts that are private, behind login-only access to data and information (customer data, etc.), covering about 95% of the Internet. The Dark Web is a tiny part of the Internet consisting of encrypted sites that are not indexed by search engines, used by all types of cyber criminals to communicate and share information without being detected or identified by law enforcement. Malware of all types can be purchased on the dark web. It can be accessed by anyone, but only via the Tor browser with the correct URL, or via special software with the correct decryption key and access rights. Users remain almost completely anonymous. Info
Data Breach The hackers’ end-game. Exfiltration or corruption of critical user, corporate or customer/client data, intellectual property or corruption of software, etc. Threat
Data Loss Prevention DLP There is some disagreement about this term. Some have a narrow focus that it only deals with prevention of data removal or replacement. Others hold that it encompasses several prevention tools as an approach that seeks to improve information security and protect business information from data breaches. It prevents end-users from moving key information outside the network. DLP also refers to tools that enable a network administrator to monitor data accessed and shared by end users. It’s also a set of tools that both detect and prevent threat actors from either stealing or encrypting data. It’s labelled here as “Marketing” because it can contain a variety of tools to prevent unauthorized access to and exfiltration of data. Marketing
Deep Fake Video, audio clip or picture that has been altered to trick people into believing a corruption of the truth, because they trust the person they are seeing or hearing and believe that person actually said those words. A deeply disturbing trend, often used in conjunction with other tricks. Threat
Deep Packet Inspection DPI This is a methodology for inspection of traffic, typically in a network but also between processes in a system. In a cybersecurity context, it is used by threat prevention functions and tools to detect and filter potentially exploitative traffic and to block, quarantine or allow its passage. It also allows examination of traffic to ensure that it does not exceed the access level of the subject actor. This can be a complex process requiring significant compute resources that might involve comparing many tens of thousands of traffic patterns. It is called “Deep” Packet Inspection as opposed to conventional packet inspection, which only looks at header info for routing purposes. Defense
Deflection Deflection has a special meaning in cybersecurity. The theory being that the more vulnerabilities that are protected the more attackers are deflected to easier, more vulnerable targets. It follows the simple concept of the thief walking down a line of cars looking for an unlocked door or the phone left on a seat. My book, when first published in 2022, identified more than 100 vulnerabilities or weak links. Many more have been unearthed since then. Defense
Delegation Delegation is perhaps the most important and least understood aspect of cybersecurity. “Delegate Don’t Abdicate” is about verifying, not trusting, those who provide software services, and in fact any kind of third-party action in your supply chain. Once you apply “Never Trust, Always Verify” you run into a Catch-22 when you can’t control your suppliers. See more on what I believe are the six most important aspects of Delegation. CISA has begun a journey of self-attestation but is only just scratching the surface in their 2024 work. I’ve categorized it as “defense” because it falls into the “Threat Avoidance” category. In Feb 2024, NIST Special Publication 800-192 on Verification and Test Methods for Access Control Policies/Models is extending this work. Defense
Development, Security & Operations DevSecOps A methodology to include security as an element of the development of all services and products (not just software products and services) as they are designed, developed, tested, introduced, monitored and iteratively revised. In addition, this work adds to the Product Marketing responsibilities the duty to investigate and include security in the requirements and product definitions. This is definitely the author’s personal definition. Security as Code (SaC) is the methodology of integrating security into DevOps tools and processes by identifying vulnerabilities in code, ensuring or migrating to memory-safe languages, and verifying the validity of open source code, yet without delaying the process or increasing its cost. Info
Digital Forensics and Incident Response DFIR The Digital Forensics and Incident Response Report is published annually. The 2022 edition was published in March 2023 and provides a fascinating set of insights into the most potent threats in play. Info
Digital Signature Cryptographic transformation of data providing origin authentication, data integrity, and signer non-repudiation. See also Certification Authority Info
Distributed Denial of Service DoS/DDoS Denial of Service (DoS) attacks are used to overwhelm a target device or software element, including websites, cloud containers or applications. The traffic itself is likely legitimate and not necessarily malware. A Distributed Denial of Service (DDoS) attack involves multiple connected online devices, collectively known as a botnet; it may be delivered from a myriad of sources and typically targets a particular victim. This makes it more complicated to defend. DDoS attacks were more prevalent in the past, when Threat Actors were content with disruption rather than financial gain. Any of the targets mentioned above (websites, etc.) can be attacked. However, more recently and insidiously, it is attacks on infrastructure and on security element management/control capabilities that can not only cause network devices or services (e.g., a Firewall) to be overwhelmed and fail, but then allow malicious traffic to penetrate and cause havoc. I.e., DDoS attacks can be the first element of a two-pronged attack. Threat
DLL Side-Loading DLL side-loading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload. Threat actors commonly use this technique for persistence, privilege escalation, and defense evasion. Threat
DNS Security and Protocol Filtering DNS, DoH, DoT The Internet functions by matching website domain names to IP addresses using the Domain Name System (DNS). DNS Protocol Filtering checks whether a subset of a session contains messages that are to be allowed or blocked. DNS messages are specified in RFC 1035 and RFC 1996. DNS Security Functions are a set of important threat detection and prevention tools that are described in the DNS Attacks item below. Two other functions, DNS over TLS and DNS over HTTPS (DoT and DoH), encrypt queries to provide additional protection. For example, DoT allows network admins to monitor and block DNS queries. Another DNS security protocol is DNSSEC, which covers the DNS data itself: responses are cryptographically signed by the owner of the data, rather than the queries being encrypted. Defense
DNS Attacks The Internet functions by matching website domain names to IP addresses using the Domain Name System (DNS). DNS Security Functions are important threat detection and prevention tools that include filtering responses from known bad domains (DNS Blackholing). DNS attacks include Distributed Denial of Service (DDoS) attacks, attacks tricking users into using malicious domains (DNS Hijacking and man-in-the-middle attacks), attacks that use the DNS response to carry malicious payloads, usually related to command-and-control connections (DNS tunneling), and attacks that create many random domain names to avoid detection. DNS Exfiltration is a lower-level attack on DNS servers to gain unauthorized access. Such attacks are difficult to detect and can lead to loss of data. Threat
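The DNS Protocol Filtering and DNS Blackholing functions described in the two entries above come down to one decision: decode the question section of a query (RFC 1035 wire format, including compressed names) and allow or block it by name. The following is an added example, not code from the original glossary; the blocklist, the sample query bytes and the helper names (`build_query`, `filter_query`) are constructed for this illustration.

```python
"""DNS query parsing and domain filtering on RFC 1035 wire format.

Added example, not code from the original glossary. It shows the decision a
DNS filtering function makes: decode the question section of a query and
allow or block it by name. The blocklist, the sample query and the helper
names (build_query, filter_query) are constructed for this illustration.
"""
import struct

# Constructed blocklist: zones a filtering resolver refuses to resolve.
BLOCKED_ZONES = {"malware.example", "bad.example"}


def _read_name(msg: bytes, offset: int) -> tuple:
    """Decode a domain name at offset, following RFC 1035 compression
    pointers (0xC0 prefix). Returns (name, offset just past the name as it
    appears in the original byte stream)."""
    labels = []
    end = offset
    jumped = False
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            if not jumped:
                end = offset + 2                # pointer occupies two bytes
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            hops += 1
            if hops > 16:                       # malformed: pointer loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                         # root label ends the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def parse_questions(msg: bytes) -> list:
    """Return [(qname, qtype, qclass), ...] from a DNS query message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:                          # QR bit set: a response
        raise ValueError("not a query")
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions


def is_blocked(name: str) -> bool:
    """True if name equals a blocked zone or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in BLOCKED_ZONES)


def filter_query(msg: bytes) -> str:
    """Return 'allow' or 'block' for one DNS query message. Malformed
    messages are blocked rather than forwarded to the upstream resolver."""
    try:
        questions = parse_questions(msg)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return "block"
    return "block" if any(is_blocked(q[0]) for q in questions) else "allow"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard IN query for name (constructs sample traffic)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for n in ("www.example.com", "cdn.malware.example"):
        print(n, "->", filter_query(build_query(n)))
```

Note that the suffix match blocks subdomains of a listed zone but not look-alike names such as `notmalware.example`, which is why such filters are usually paired with threat-intelligence feeds rather than a hand-maintained list.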
Domain Controller A Domain Controller is a server that responds to authentication requests and verifies users on computer networks. Info
Domain Name Filtering DNF Domain Name Filtering is defined as the action taken by a Service Provider to check whether a session contains domain names that are to be permitted or denied. Domain Name Filtering provides a level of protection for a Subject inadvertently attempting to access a malicious Target. Defense
Drive-by Attacks Drive-by Attacks or Drive-by Downloads is shorthand for unintentionally downloading various malware from insecure websites onto your devices (PCs, phones, etc.), typically without the user’s involvement. They require no action by the user, who has no knowledge of the infiltration. Threat
Dwell Time The amount of time an attacker spends within the systems under attack, especially the amount of time the attacker spends undetected. Info
Elevation of Privilege This is an attack in which a bad actor gains illicit elevated rights, either via an insider threat or by gaining access to data files containing user privilege data and modifying that data. It is as dangerous as giving unnecessary levels of privilege to those who should not have it, e.g., executives, contractors, etc. Note: Escalation of Privilege and Elevation of Privilege are used interchangeably. Threat
Encryption Encryption has many specific definitions and methodologies: symmetric and asymmetric cryptography, public and private keys, and encryption types such as the Advanced Encryption Standard (AES) developed by NIST, Data Encryption Standard (DES), RSA, MACsec (IEEE), Ascon, etc., which are used for secure communications. Encryption of all sensitive data on every type of compute device is supported and recommended to prevent data breaches and ransomware. For example, Elliptic Curve Cryptography (ECC) is used for digital signatures in cryptocurrencies such as Bitcoin and Ethereum. Middle Box functions are typically used to decrypt and inspect IP flows. Decryption is the process of transforming an encrypted message into its original plaintext. A Cipher is a cryptographic algorithm for encryption and decryption. Defense
End-to-End Encryption Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible. Defense
Endpoint Detection and Response EDR Endpoint detection and response tools are the newest members of the endpoint security family. Endpoint Protection products combine elements of both endpoint antivirus and endpoint management. Marketing
Evil Twin We all use airport or coffee shop Wi-Fi but what if there was a rogue Wi-Fi Access Point that shared the same public credentials and intercepted your connection to the legitimate Wi-Fi and eavesdropped or stole your data? These devices are called Evil Twins. Threat
Exfiltration Typically, unauthorized transfer of information from an information system. A key principle of Zero Trust is the avoidance of exfiltration (stealing) of data. Threat
Exploit A methodology/software to take advantage of vulnerabilities by breaching the security of a system or network ecosystem. Threat
Extended Detection & Response XDR An emerging technology that can/may offer improved threat prevention, detection and response capabilities for security operations teams. XDR describes a unified security monitoring and unified reporting incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. Marketing
Fast IDentity Online FIDO An authentication standard defining a fast and secure authentication mechanism for users to access websites and applications. FIDO2 uses WebAuthn authentication. Info
Federal Risk and Authorization Management Program FedRAMP A government-wide initiative to assess, authorize, and monitor cloud software providers and protect the sensitive data housed in federal agencies. Info
Firewall A Firewall secures a network by deciding which data packets are allowed to pass through it, primarily by intercepting Layer 3 IP traffic. Traditionally Firewalls were dedicated devices, but they are now more commonly delivered as a software process. Firewall management software can be susceptible to layer 2 DDoS attacks and also port scanning. Software detecting threats to web-based applications (via HTTPS protocols) is known as a Web Application Firewall (see below). There are certainly issues related to legacy implementations, so care is required. A Distributed Firewall is a recent term for a layered approach that embeds firewall code in the fabric of a network system’s architecture rather than as a separate process. The security functions enabled in today’s firewalls have become blurred, so the key is to examine the detection and prevention functions, not the marketing hype. Marketing
Firewall as a Service FWaaS Firewall as a service, also known as a Cloud firewall, provides Cloud-based network traffic inspection capabilities to customers seeking to migrate to a hybrid or multi-cloud model. It reduces the burden on on-premises data center equipment and the management burden for internal Cybersecurity teams. Marketing
Form Jacking JavaScript code insertion to intercept payment card details directly from the payment forms on the checkout web pages of eCommerce sites. Threat
Fragment Overlap Attack A TCP/IP Fragmentation Attack is possible because IP allows packets to be fragmented for transport across networks. The TCP packet (and its header) is carried in the IP packet. In this attack the second fragment contains an incorrect offset, so that when the packet is reconstructed the port number is overwritten. Threat
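The defense against the overlap attack above is a reassembler that never lets a later fragment overwrite bytes it has already accepted. Added example, not code from the original glossary: the `Fragment`/`Datagram` classes, the status strings and the sample fragments are constructed for this illustration, and the offset-one rule is taken from RFC 1858.

```python
"""Overlap check for IP fragment reassembly.

Added example, not code from the original glossary. A fragment overlap
attack relies on a reassembler letting a later fragment overwrite bytes it
has already accepted (for example, the TCP port fields in the first
fragment). The check below refuses any fragment whose byte range intersects
one already accepted for the same datagram. The Fragment/Datagram classes
and the sample fragments are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Fragment:
    offset: int        # first payload byte (IP Fragment Offset field * 8)
    length: int        # number of payload bytes in this fragment
    more: bool         # More Fragments (MF) flag


@dataclass
class Datagram:
    """Reassembly state for one (src, dst, id, proto) tuple."""
    accepted: List[Tuple[int, int]] = field(default_factory=list)
    total: Optional[int] = None          # datagram length once MF=0 is seen


def check_fragment(dg: Datagram, frag: Fragment) -> str:
    """Accept frag into dg ('ok') or return the reason it is rejected."""
    if frag.length <= 0 or frag.offset < 0 or frag.offset % 8:
        return "malformed"               # offsets must be multiples of 8
    start, end = frag.offset, frag.offset + frag.length
    # Any byte already accepted must never be written again: no overwrite.
    for s, e in dg.accepted:
        if start < e and s < end:
            return "overlap"
    # RFC 1858: a fragment at offset 1 (8 bytes) would only exist to patch
    # the transport header carried in the first fragment, so drop it.
    if frag.offset == 8:
        return "offset-one"
    if not frag.more:
        if dg.total is not None and dg.total != end:
            return "conflict"            # two different final fragments
        dg.total = end
    if dg.total is not None and end > dg.total:
        return "beyond-end"              # data past the declared last byte
    dg.accepted.append((start, end))
    return "ok"


def inspect(frags: List[Fragment]) -> List[str]:
    """Run the check over the fragments of one datagram in arrival order."""
    dg = Datagram()
    return [check_fragment(dg, f) for f in frags]


if __name__ == "__main__":
    # Constructed: a 24-byte first fragment holding the TCP header, then a
    # second fragment claiming offset 8 that would overwrite header bytes.
    print(inspect([Fragment(0, 24, True), Fragment(8, 16, False)]))
```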
Fork Bomb This is effectively a Denial of Service attack in that it can consume all of the memory and compute resources on a system. A Fork Bomb works by using the fork() UNIX/Linux call to create a new process which is a copy of the original. By doing this repeatedly, all available processes on the machine can be taken up. It can be countered by limiting the number of processes that a software actor can run simultaneously. Threat
Hacker A Hacker is the well-known term for those with malicious intent on inserting malware in systems. More correctly these are known as Black Hat Hackers, whereas a White Hat Hacker is one who looks for vulnerabilities in order to report them and have those weaknesses removed – whether in a software company or an end user organization. Info
Hacking as a Service HaaS Joining and expanding on the recent Phishing and Ransomware as a Service toolkits are Hacking as a Service tools. A grim warning in the UK government’s report from the National Cyber Security Centre in April 2023 is that not only have 80 nation states purchased these toolkits, but unscrupulous private groups are expected to join them. They are not only a superset of RaaS and PhaaS but they have the ability to generate variants as Zero Day attacks. Threat
Holistic Cybersecurity Cybersecurity has been the term given to the protection of data, networks, software from digital attacks and the unauthorized access to systems. Holistic Cybersecurity covers all aspects of an organization, large & small – not just IT. It begins with the Exec team, expands to all departments, encompasses third parties, suppliers, contractors, in fact every area where you must take responsibility for the security of your organization. The principles of Zero Trust apply everywhere, from the people you hire, the cameras in the lobby, the cleaners, your security firms, your web sites, sales software and accountants you hire, etc. This is all detailed on this site, of course, and should be incorporated into your security policy. Info
Honeypot A Network Attached Device that lures and deflects attacks and attackers. It might represent an Internet-connected Database, Web Server, PC, etc. The concept is that these devices are designed to report on any access, since there is no legitimate reason for such access. It is less easy to find reports on the effectiveness of individual solutions, one of which is canary.tools. Info
Hypervisor-protected Code Integrity HVCI Hypervisor-protected Code Integrity (also called Memory Integrity) uses Microsoft’s Hyper-V hypervisor to virtualize the hardware running some Windows kernel-mode processes, protecting them against the injection of malicious code. Defense
HyperText Transfer Protocol Secure HTTPS & HTTP HyperText Transfer Protocol Secure (HTTPS) is a protocol that secures communication and data transfer between a web browser and a website. HTTPS uses TLS (SSL) to encrypt HTTP requests and responses; HTTPS is the secure version of HTTP. Most Anti-Malware software protects users by warning about or disallowing access to HTTP sites. Some browsers also flag sites as unsafe when spuriously deciding that site graphics contain malware. Getting into details: HTTP/2 (2021) was reported by CISA (in October 2023) as having a DDoS vulnerability known as Rapid Reset (CVE-2023-44487), with patching recommended. HTTP/3, in use by Google Chrome and Facebook, is a faster protocol that is carried over the UDP protocol. Defense
Incident Response Plan Incident response is a planned approach to rapidly address and manage the reaction and recovery as soon as a cyber-attack or network security breach is detected. The procedures defined and documented in an Incident Response Plan must be tested, not just planned, using Content Disarm and Reconstruction or similar software approaches to avoid saving malware-infected data that would survive and negate recovery. Recovery of data from air-gapped servers must include decryption/encryption of all sensitive information. See also Asset Curation above. The plan need not be an all-or-nothing plan but can be part of operational activities. I.e., it could include how to respond to detected intrusions, notification of blocked threats, attacks on elements such as policy and asset control lists, or unauthorized privileged changes, etc. Defense
Identity The unique identity of a user, device or software involved in a transaction or exchange of information. See also IAM below and Authentication. Personal identifying information (PID) is information that allows the identity of an actor to be directly or indirectly inferred. ZT
Identity Theft The theft of a user’s (or software or device’s!) unique identity for the purpose of impersonating them. This includes their password and/or biometrics. Threat
Identity and Access Management IAM IAM is a set of processes, policies and tools for controlling user access to critical information. It’s the discipline that enables individuals to access resources at the appropriate times. It’s important not to collapse Identity and Access since both are elements of Zero Trust but Identity Management and Access Management software/services are possibly independently sourced software functions or services. ZT
In the Wild Usually refers to incidents or attacks seen in actual live situations rather than in a simulation or in a test lab. Not really a technical definition but worth including. Info
Indicators of compromise IoC The IETF (Internet Engineering Task Force) created RFC9424 to review fundamentals, opportunities, operational limitations, and recommendations for Indicators of compromise use. Cybersecurity “defenders” frequently rely on IoCs to identify, trace, and block malicious activity in networks or on endpoints. Info
Information Systems Security INFOSEC The protection of information systems against unauthorized access or attempts to compromise and modify data, whether it’s stored data, processed data or data that’s being transmitted. Marketing
Insider Threats This is when a trusted insider (usually but not necessarily staff) gains access to confidential data, accidentally or deliberately inserts malware, exfiltrates data, etc. Coercing or deceiving insiders is also referred to as Social Engineering. This is where the principle of Least Privilege and monitoring of all network access is key. HR has a key role to play in monitoring staff and trusted third parties. Threat
Internet of Things Attacks IoT See Operational Technologies below and Ascon above. IoT devices, also found in critical infrastructure as the Industrial Internet of Things (IIoT), are typically a target for hackers due to their limited compute capabilities, remote location, etc. Microsoft reported in October 2023 that 78% of IoT devices had vulnerabilities and 46% were not patchable. (25% used operating systems that were obsolete.) See “Air Gap” above as one level of protection. Threat
Internet Protocol Security IPsec A group of IP protocols used to create encrypted connections, exchange keys, etc. The IPsec reference document is IETF RFC 6071. Defense
Intrusion Detection System IDS An IDS gathers and analyzes information from a compute resource locally, in a cloud, or network to identify possible security breaches, including intrusions from outside and within the organization. Marketing
Intrusion Prevention System IPS, IDPS An Intrusion Prevention System (IPS) applies IP reputation and content matching rules to block known bad sessions. These systems, known as IDPS, may also include anti-virus systems for inspecting file content across many protocols, for example HTTP, IMAP, and SMB. Threat and Intrusion Detection Systems have a similar role to IPS but use detection technologies that preclude blocking. For example, behavioral analysis of file content and network anomaly detection often have detection delays and resource requirements that prevent inline deployments. These systems respond to detections by issuing SENs (alerts). Marketing
IP, Port and Protocol Filtering IPPF It is defined as the action taken by the SASE Service Provider to check whether a session includes a list of source or destination IP addresses, source or destination port numbers, transport protocols and/or application protocols that are to be allowed or blocked. Defense
IP Spoofing A tactic to supply a fake IP address disguised as a legitimate address. This is often in the form of Internet Protocol (IP) packets that have a modified source address in order to disguise or hide the sender’s real identity. Threat
Key Logging Keylogging software is spyware that logs everything you type (for instance credit card details and MFA codes!). The collective wisdom centres on prevention of inadvertent use of infected applications and defense against malware. Threat
Lateral Movement Attacks This is the concept of malware being downloaded or otherwise placed on a device or process and, as part of the attack, moved to another system, even a cloud or another part of the network, becoming active immediately or days or even months later. Most Ransomware or Phishing as a Service attacks begin with penetration of a system to infiltrate it with Malware, followed by one or more Lateral Movement attacks. Threat
Least Privilege PoLP The Principle of Least Privilege is that users, devices & programs should only have the privileges necessary to complete their tasks. Perhaps beyond the scope of small companies, Separation of Duties also helps to separate and limit privilege and duties rather than give privilege for roles that are beyond the user’s responsibility. There are further divisions regarding membership of Static or Dynamic Separation of Duties groups covered in NIST 800-192. ZT
Living off the Land Attacks LotL Living off the Land describes Cyberattacks which use legitimate software and functions available in the system to perform malicious actions on it. These are often inserted via email/phishing and can be very difficult to detect. Threat
Macro Virus In recent times, Microsoft switched the default to disallow opening of Excel and Word documents containing Visual Basic for Applications (VBA) macros unless the user explicitly agrees to do so. Especially in Excel, VBA is a powerful programming language that can easily hide malware. It can also be delivered in XLA or binary-coded format where the code cannot be inspected. Threat
Malware Malware is defined as any software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. Note: Viruses that infect code and Trojans that pretend to be legitimate code are both forms of malware. Info
Malware Detection and Removal MD+R Malware Detection and Removal is defined as the action taken by a software provider to check whether a session contains malware, and to remove the malware or block the session containing the malware. Defense
Man-in-the-Middle Attack MITM In a Man in the Middle Attack a system intercepts traffic from a subject actor while appearing to be the target system. At the same time, it masquerades as the subject to the actual target system. Its objective is to spoof an actual dialog for a number of malicious purposes without arousing the suspicion of either party. This is where many attacks begin and is the prime way in which 2 Factor Authentication can be hacked. Threat
Memory Forensics Memory Forensics is a branch of digital forensics that focuses on the analysis and extraction of data from a device’s RAM. It is a critical tool in the investigation of attacks and malware infections, yielding evidence that cannot be obtained through traditional file-based forensics. Info
Memory-Safe Languages Many vulnerabilities occur because poor language disciplines allow malware to hide inside application memory spaces for later activation. This frequent ploy can be limited or even removed. Newer application languages are much more careful. This means that knowledge of the language an application is written in becomes a factor in choosing an application. Examples of memory-safe languages are Rust, C#, Go, Java, Ruby, and Swift, as opposed to C and C++, which are not. Judicious use of compiler options helps here too. Thanks for this gem go to Steve Gibson of Security Now and SpinRite fame. CISA has also weighed in on the importance of this topic. Defense
Microsegmentation There are several interpretations of this term with a common principle. This being the ability to compartmentalize Cloud and data center functions and applications into secure segments. This works well with implementing Least Privilege, Zero Trust enforcement points, Identity and Access Policies where it is most relevant. For this author microsegmentation is a natural instance of a Zero Trust policy enforcement point. Either way the secure segmentation at the workload or secure container level certainly helps deter lateral movement attacks. ZT
MiddleBox Function A function used to decrypt and re-encrypt secured communications. This process should be in a single device which may include other functions/processes. It is typically required to be protected by Certification in order to be part of a trusted connection. Info
Misconfiguration The term for the incorrect configuration of many aspects of a system that could create vulnerabilities or that could be used by threat actors. The causes of such misconfigurations include: Assn
Mitigation One or more steps taken to minimize or eliminate cybersecurity threats, risks and consequences. Info
MITRE MITRE ATT&CK® is a mind-bending source and globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. It breaks down threat types in sequence order into 14 categories: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact. Within these it details 250+ subcategories naming thousands of threats and threat actors. Explanations of how and where to defend against such actions are given where possible. While it lists examples of credential information gained from phishing, it does not cover items such as social engineering, software & supply chain verification, etc. It is also known for its annual MITRE ATT&CK evaluations. See also CAPEC and STIX on this page. Assn
Monitoring and Auditing Automated continuous Monitoring is a key element of any Zero Trust implementation. The continuous aspect is to make sure that any time-based access privileges are in compliance (either time-of-day or duration), and that events that arise, such as blocked access attempts or changes in elevation of access, are logged/reported via the Secure Event Notification system. Control via an automated system is required. Auditing may also be required to ensure that both integrity and compliance with policies are maintained. Anomalous Behavior Detection should also be incorporated; this typically includes awareness of, and deviation from, normal network traffic and application flows, possible middle box functions, and built-in Security Event Notifications and alerts integrated into the user and provider systems. ZT
Multi-factor Authentication MFA, 2FA Everyone must be familiar with this irritating phenomenon. It means that you are required to prove who you are in two (Two Factor Authentication or 2FA) or more independent ways (MFA), ideally drawn from different categories: something you know (a password), something you have (a phone, authenticator app or hardware key) and something you are (a fingerprint or face). For example, after you enter a password, you must also enter a code from an authenticator app or one sent to your mobile device or email. Sometimes multiple proofs are needed, e.g., face recognition or providing your dog's birthday. Codes sent by SMS or email are the weakest form, since they can be intercepted (see SIM Swapping) or phished; phishing-resistant factors such as FIDO2 hardware keys and Passkeys bind the login to the genuine site. See also Passkeys. Now the bad news. Roger Grimes of KnowBe4.com has identified at least 20 ways to hack two factor authentication, including analysis of 25+ MFA systems. Defense
Multi-Layer Security MLS This concept goes back over 40 years but is often dismissed or forgotten. Most cybersecurity actions focus on users, software and devices (subject actors) accessing target actors. This revolves around IP (Layer 3) data flows and, to some extent, application data flows. However, this overlooks attacks on the security software itself and on the layers beneath it, for example denial of service at the data link layer (2) or the transport layer (4, TCP). The management planes of software and devices are also weak links that are rarely protected with the same care. Recent cases of security software being disabled by the malware it was meant to stop are prime examples of a lack of multi-layer security. Device drivers and video application file handling are other vulnerable areas. The main point is that a multi-layer approach is critical and that what is secure at one layer must not be assumed to be secure at the layer above or below. Defense
Multi-Level Security Unlike MLS above, which is more often applied to layers of network protocols, Multi-Level Security is used here as a generic term for the concept that if one defense is penetrated, other mechanisms remain in place to prevent a breach (also called defense in depth). In holistic cybersecurity it can be applied to any weakness, from a missing security policy to social engineering and any one of 100 other factors. Advanced Persistent Threats (see earlier) are attempts to break through multiple such levels in sequence. (In the formal security literature the same term refers to systems that enforce classification levels, as in the Bell-LaPadula model; the broader sense is the one intended on this page.) Defense
Mutual Transport Layer Security mTLS Mutual TLS (mTLS) establishes an encrypted TLS connection in which both parties present X.509 certificates and verify each other, rather than only the client verifying the server as in ordinary HTTPS. mTLS can help mitigate the risk of moving services to the cloud and prevents a malicious third party from imitating a genuine app or service, provided the certificates are issued by a private CA that the service trusts and are checked for expiry and revocation. It is the usual basis for service-to-service identity in service meshes (see SPIFFE). Defense
National Institute of Standards and Technology NIST The National Institute of Standards and Technology (NIST) has many areas related to cybersecurity. One is Special Publication 800-207, "Zero Trust Architecture." There are 1000+ items in its Computer Security Resource Center. Just like all the other entries referenced here, they are put together by people who are not necessarily experts at everything they write, or who may have a commercial bias. Just look at the ZTNA definition and you will get it. You have been warned. Info
Nonce A random or pseudo-random number used only once in a cryptographic protocol to prevent replay attacks, often used in digital signatures, key exchange, message authentication and authenticated encryption. Its security property is uniqueness, not secrecy: the receiver must remember (or be able to derive) the nonces already seen, and reusing a nonce with the same key can be catastrophic, as with AES-GCM, where a repeated nonce leaks plaintext and allows forgeries. Info
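How a nonce stops a replay, as an added example that is not part of the original page: the sender attaches a timestamp and a fresh nonce to each message and authenticates the whole thing with HMAC-SHA256; the receiver checks the MAC, rejects messages outside a time window, and remembers nonces for the length of that window. The shared key, the message layout and the 300-second window are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed shared key for the example (in practice provisioned out of band).
SHARED_KEY = b"example-shared-key-not-for-production"
REPLAY_WINDOW_SECONDS = 300  # how far a message timestamp may drift before rejection


def _mac(key: bytes, ts: int, nonce: str, body: bytes) -> str:
    return hmac.new(key, f"{ts}|{nonce}|".encode() + body, hashlib.sha256).hexdigest()


def make_message(body: bytes, key: bytes = SHARED_KEY, now: Optional[float] = None) -> dict:
    """Sender side: timestamp + 128-bit random nonce + body, all covered by the MAC,
    so the receiver can detect both tampering and replay."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Receiver side: verifies the MAC, enforces the timestamp window and remembers
    nonces only as long as the window keeps them relevant."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = REPLAY_WINDOW_SECONDS):
        self.key = key
        self.window = window
        self._seen = {}  # nonce -> timestamp at which it was first accepted

    def _expire(self, now: int) -> None:
        # A nonce older than the window can be forgotten: any message still carrying it
        # would fail the timestamp check anyway, so memory stays bounded.
        for nonce, ts in list(self._seen.items()):
            if now - ts > self.window:
                del self._seen[nonce]

    def accept(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(now if now is not None else time.time())
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        # Constant-time comparison so the MAC check is not itself a timing oracle.
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        self._expire(now)
        if msg["nonce"] in self._seen:
            return False, "replayed nonce"
        self._seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    m = make_message(b"transfer 100")
    print(guard.accept(m))  # first delivery is accepted
    print(guard.accept(m))  # the identical message again is rejected as a replay
```

The timestamp is what lets the receiver bound its nonce memory; without it the set of seen nonces grows forever, and an attacker who can delay a message indefinitely could replay it after the receiver restarts.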
OAuth Authorization OAuth 2 An authorization framework that enables third-party applications to obtain limited, scoped access to a user's account on an HTTP service (for example a Facebook, GitHub or DigitalOcean account) without being given the user's password. It is also the basis of "Log in with Google/Facebook" social login. See the warnings on password and Identity Re-use: if the identity-provider account is compromised, every site where the user logs in with it is compromised too. Info
Open Source Malicious Code Threat This is a generic threat of the insertion of malicious code into publicly posted code that is used in both open source and proprietary projects. Log4Shell (CVE-2021-44228) was a vulnerability in the widely used open-source Log4j library rather than a deliberate insertion, but it shows how a flaw in shared code propagates into every product that embeds it. Prevention requires validating any externally sourced code: pinning and verifying versions, reviewing dependencies and keeping an SBOM (see below). Threat
Open Worldwide Application Security Project OWASP OWASP is a nonprofit foundation working to improve the security of software and the source for developers and technologists to secure the web. It delivers Tools and Resources, Community and Networking, Education & Training Info
Operational Technology OT IoT IIoT This refers to the operational areas of a network (plant, process and physical control systems) as a complement to the IT functional areas. A subset of OT is also referred to as IIoT or IoT, which can be confusing. OT was previously sheltered from attack by isolation and has become a focus for mitigating cybersecurity weaknesses in manufacturing, utilities, smart cities, defense and other real-time and Critical Infrastructure environments. That focus is on the defense of devices never intended to have IP-level connectivity or IT-grade computational power. Interception of data from remote locations in campuses, rail and utility networks, etc., is a typical reason why encryption is required. Many companies refer to IIoT simply as IoT as this is easier to understand. Info
Passkey A digital credential that adheres to the FIDO and W3C Web Authentication (WebAuthn) standards. As with a password, websites and applications can ask a user to create a passkey to access their account, but a passkey is a public/private key pair: the private key stays on the device (or its synced credential store) and is unlocked by the device's own screen lock or biometric, and the signature it produces is bound to the site's origin, so it cannot be phished or reused across sites. A new (October 2022) web site passkey.dev, gives the latest information. Defense
Password Based Key Derivation Function version 2 PBKDF2 A defense against brute force attacks on stored passwords. It derives the stored value by applying HMAC (typically HMAC-SHA256) a configurable number of times (the iteration count) to the password and a per-user random salt, so every guess costs the attacker the same large amount of compute that the legitimate login costs once. This is generally known as key stretching. Memory-hard alternatives (bcrypt, scrypt, Argon2) resist GPU cracking better. Info
Password Managers Password Vaults such as Bitwarden derive the vault key from the master password with PBKDF2 (or Argon2). The iteration count (the number of times the password is hashed) should be at least 600,000 for PBKDF2-HMAC-SHA256, the OWASP recommendation since 2023 and Bitwarden's current default; the older 100,100 default used by LastPass is too low. The previous password manager market leader (LastPass) is not recommended (see Breaking News). Info
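PBKDF2 as used by a login server or vault, as an added example covering both the PBKDF2 and Password Managers entries (not code from the original page or from any product named on it). It stores the algorithm, iteration count and salt alongside the hash so the parameters can be raised later, verifies in constant time, and flags records made with too few iterations for re-hashing at the next login. The record format and the `guess_cost` estimator are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# OWASP (2023) minimum for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    The salt is random per user, so identical passwords never share a hash and
    precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record: str, minimum: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record used fewer iterations than current policy. The only
    moment the plaintext is available to re-hash it is a successful login."""
    return int(record.split("$")[1]) < minimum


def guess_cost(iterations: int, guesses: int, measured_iterations: int = 20_000) -> float:
    """Rough attacker cost in seconds on hardware like this machine: time a small
    derivation, scale to the real iteration count, multiply by the number of guesses."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"benchmark", b"0" * 16, measured_iterations, dklen=32)
    per_guess = (time.perf_counter() - t0) * iterations / measured_iterations
    return per_guess * guesses


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(f"{guess_cost(DEFAULT_ITERATIONS, 1_000_000):.0f} s for a million guesses here")
```

The iteration count is a knob, not a secret: the attacker learns it from the record, and the defense is simply that each guess costs them what one login costs you. GPU crackers run many guesses in parallel, which is why the memory-hard functions named in the PBKDF2 entry are preferred for new designs.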
Password Spraying Related to Credential Re-use, password spraying is a brute force attack that tries a small number of commonly used weak passwords (e.g., "Winter2024!") against many accounts, one or two guesses per account, so that no single account trips the lockout threshold. The aim is that at least one account on a valuable app is protected by one of the weak passwords. Because the failures are spread across users, it is detected by counting distinct accounts failing from one source within a window rather than failures per account. Threat
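Detection logic for a spray versus a per-account brute force, as an added example that is not from the original page, run over constructed authentication log lines (the line format, thresholds and addresses are assumptions; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges). A source that fails against many distinct users with few failures each is a spray; a source that hammers one user is a brute force; a successful login from a spraying source is the account to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one spraying source, one brute-forcing
# source, and one user who simply mistyped a password once.
SAMPLE_LOG = """\
2024-02-01T09:00:01Z auth_fail user=alice src=203.0.113.5
2024-02-01T09:00:04Z auth_fail user=bob src=203.0.113.5
2024-02-01T09:00:07Z auth_fail user=carol src=203.0.113.5
2024-02-01T09:00:10Z auth_fail user=dave src=203.0.113.5
2024-02-01T09:00:13Z auth_fail user=erin src=203.0.113.5
2024-02-01T09:00:16Z auth_ok   user=frank src=203.0.113.5
2024-02-01T09:01:00Z auth_fail user=alice src=198.51.100.7
2024-02-01T09:01:01Z auth_fail user=alice src=198.51.100.7
2024-02-01T09:01:02Z auth_fail user=alice src=198.51.100.7
2024-02-01T09:01:03Z auth_fail user=alice src=198.51.100.7
2024-02-01T09:01:04Z auth_fail user=alice src=198.51.100.7
2024-02-01T09:01:05Z auth_fail user=alice src=198.51.100.7
2024-02-01T09:05:00Z auth_fail user=bob src=192.0.2.9
2024-02-01T09:05:30Z auth_ok   user=bob src=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>auth_\w+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield d


def classify_sources(events, window=timedelta(minutes=10), spray_users=5, brute_per_user=5):
    """Label each source IP by the shape of its failures inside a sliding window:
    many distinct users with few failures each -> password_spray;
    many failures on one user -> brute_force; otherwise normal."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "auth_fail":
            by_src[e["src"]].append(e)
    verdict = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        label = "normal"
        for i, first in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= spray_users and max(per_user.values()) < brute_per_user:
                label = "password_spray"
                break
            if max(per_user.values()) >= brute_per_user:
                label = "brute_force"
                break
        verdict[src] = label
    return verdict


def compromised_candidates(events, verdicts):
    """Accounts that logged in successfully from a spraying source: the guessed
    passwords, and therefore the accounts to reset and investigate first."""
    return {e["user"] for e in events
            if e["event"] == "auth_ok" and verdicts.get(e["src"]) == "password_spray"}


if __name__ == "__main__":
    verdicts = classify_sources(parse(SAMPLE_LOG))
    print(verdicts)
    print("reset first:", compromised_candidates(parse(SAMPLE_LOG), verdicts))
```

Per-account lockout counters see one failure per user from the spraying source and never fire; the per-source view is what catches it. Sprays spread across many source addresses defeat this too, which is why the same count should also be run per user-agent, per ASN and for the tenant as a whole.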
Passwords Passwords and their length, management and security are tiresome topics. Length is the most important property (25 characters or more, randomly generated and kept in a password manager), ahead of complexity rules and forced rotation. Brute Force Attacks, Passkeys and the approaching Quantum Computing hopefully will see the demise of the password. See Credential Re-use warnings on reusing passwords. Info
Patch A maintenance update to code, either to fix a problem or to remove a security vulnerability. It's important to automate patching to remove vulnerabilities quickly, and to record the resulting versions so that the SBOM (see below) stays accurate. Info
Payment Card Industry Data Security Standard PCI-DSS The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council Info
Penetration Testing Pen Testing Authorized, scoped testing for vulnerabilities using the same tools and techniques an attacker would use, with the findings reported for remediation rather than exploited. Defense
Personal Identifying Information PII Definition: The information that permits the identity of an individual to be directly or indirectly inferred. Info
Pharming Attack A technique for redirecting a user's session to a masquerading website, often as the first step of a Man-in-the-Middle attack. It is achieved by corrupting name resolution, for example by poisoning a DNS server's cache, altering the victim's hosts file or changing the DNS settings on a home router, so that the legitimate domain name resolves to the masquerading site's IP address. There, transactions can be mimicked and information such as login credentials gathered; with these the attacker can access the real site and conduct transactions as the valid user. Protective DNS, DNSSEC validation and HTTPS with certificate checking are the main defenses. Threat
Phishing and PhaaS Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email, text (Smishing) or voice (Vishing), targeting senior individuals (Whaling) or specific individuals (Spear Phishing). 2023 variants include Clone Phishing, which copies a legitimate email, and innocent-looking Quishing (QR Code Phishing), usually pretending to be from DocuSign, where the QR code hides the destination from email filters. Phishing is the starting point of the majority of cybercrimes: malware triggered by a click, zero-click exploits, embedded code, Living off the Land attacks, etc., begin here. The latest phishing type is called Angler Phishing (get the pun?), a social media attack that begins with getting the user to open a direct message. Most Phishing attacks are the prelude to lateral movement and installation of malware. Phishing as a Service (PhaaS), first observed in 2022 and continuing to grow, is essentially a tool kit run as a service for use by less skilled hackers. It's an example of a multi-faceted attack: 1. phishing, 2. downloading of malware, 3. investigating weaknesses, 4. lateral movement of code to a vulnerable resource, 5. execution of remotely placed malware with elevation of privilege, 6. data exfiltration, etc. The kit can also be used to deliver zero-day exploits. Threat
Physical Security Physical Security is the protection of physical assets, resources, and personnel from unauthorized access, theft, damage, or destruction, often used to ensure the safety and security of buildings, facilities, and infrastructure. When contracted to outside companies proper verification of the providing company and their employees is critical. This includes the use of IoT devices, cameras, badge readers,etc., that are provided. Info
Ping of Death Attack Another form of Denial of Service attack. A Ping of Death sends an ICMP echo request (a "ping") in fragments that reassemble to more than the 65,535-byte IP maximum, with the intent of overflowing the input buffers of the destination machine and crashing it. Modern operating systems reject oversized reassembled packets, but the technique reappears whenever a new IP stack is written. Threat
Policy This is the central controlling element of a Zero Trust enabled secure service: the software or service element that decides each requested access based on Identity, Authentication, Access Control rules and context (device posture, location, time of day), and that denies by default. The decision may be made at a common point in the network (a Policy Decision Point) and applied at Policy Enforcement Points that also protect against data exfiltration or software replacement. It can be integrated as part of a service. It also initiates the monitoring of the flow between actors for the duration of a connection. Dependent on the access requested, it may manage at any layer of the network from physical to application layer, and also the control or management plane software, operation of secure containers, etc. Info
Policy as Code Policy as Code expresses security and access policies as machine-readable files (for example Open Policy Agent's Rego, or cloud IAM policy documents) that are version-controlled, reviewed, tested and enforced automatically rather than configured by hand. It has become necessary in order to scale, automate and reduce development time, and it is an important element of DevSecOps, where it is termed Security as Code. Info
Policy Management and Enforcement Policy Management is the process in a Zero Trust enabled service that verifies that the Actor requesting access is identified and authenticated, that the request conforms to the Actor's role and the policy, that the target Actor is similarly identified, and that monitoring of the access is initiated. Policy Enforcement is the point (the Policy Enforcement Point) at which that decision is applied to the traffic. ZT
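A minimal Policy Decision Point and the continuous re-check that Monitoring and Auditing describes, as an added example not taken from the original page or any product: rules are data (the Policy as Code idea), evaluation is default deny, every decision is returned as an audit event suitable for Security Event Notification, and a granted session is re-validated against its duration limit and time-of-day window. The resources, roles and windows in `POLICY` and the `at()` clock helper are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time as dtime
from typing import Optional, Set, Tuple


@dataclass
class Request:
    subject: str
    roles: Set[str]
    resource: str
    action: str
    mfa: bool
    device_compliant: bool
    when: datetime


@dataclass
class Rule:
    resource: str                      # exact name, or a prefix ending in '*'
    actions: Set[str]
    roles: Set[str]
    require_mfa: bool = True
    require_compliant_device: bool = True
    window: Optional[Tuple[dtime, dtime]] = None   # permitted time of day; None = any
    max_session_minutes: int = 60


# Constructed policy; a real PDP would load this from a version-controlled repository.
POLICY = [
    Rule("finance/ledger", {"read", "write"}, {"accountant"}, window=(dtime(7, 0), dtime(19, 0))),
    Rule("prod/db", {"read"}, {"sre"}, max_session_minutes=15),
    Rule("public/*", {"read"}, {"employee", "contractor"},
         require_mfa=False, require_compliant_device=False),
]


def at(hour: int, minute: int = 0) -> datetime:
    """Demo clock: a fixed date so examples and checks are deterministic."""
    return datetime(2024, 2, 1, hour, minute)


def _matches(rule: Rule, req: Request) -> bool:
    if rule.resource.endswith("*"):
        return req.resource.startswith(rule.resource[:-1])
    return req.resource == rule.resource


def evaluate(req: Request, policy=POLICY) -> dict:
    """Default deny. The first rule naming the resource, action and one of the
    subject's roles decides, and every condition on that rule must hold.
    The returned dict is the audit event for every decision, allow or deny."""
    event = {"subject": req.subject, "resource": req.resource, "action": req.action,
             "at": req.when, "decision": "deny", "reason": "no matching rule",
             "session_expires": None, "window_end": None}
    for rule in policy:
        if not _matches(rule, req) or req.action not in rule.actions or not (req.roles & rule.roles):
            continue
        if rule.require_mfa and not req.mfa:
            event["reason"] = "mfa required"
        elif rule.require_compliant_device and not req.device_compliant:
            event["reason"] = "device not compliant"
        elif rule.window and not (rule.window[0] <= req.when.time() <= rule.window[1]):
            event["reason"] = "outside permitted time of day"
        else:
            event["decision"] = "allow"
            event["reason"] = f"rule {rule.resource}"
            event["session_expires"] = req.when + timedelta(minutes=rule.max_session_minutes)
            event["window_end"] = rule.window[1] if rule.window else None
        return event
    return event


def session_still_valid(event: dict, now: datetime) -> Tuple[bool, str]:
    """Continuous monitoring: re-check a granted session so the connection is cut,
    not merely logged, when its duration or its time window lapses."""
    if event["decision"] != "allow":
        return False, "never granted"
    if now > event["session_expires"]:
        return False, "session duration exceeded"
    if event["window_end"] and now.time() > event["window_end"]:
        return False, "time window closed"
    return True, "ok"


if __name__ == "__main__":
    ev = evaluate(Request("alice", {"accountant"}, "finance/ledger", "write", True, True, at(18, 50)))
    print(ev["decision"], ev["reason"], ev["session_expires"])
    print(session_still_valid(ev, at(19, 5)))  # window closed before the hour was up
```

Note the ordering: a request that matches a rule but fails one of its conditions is denied with that reason and is not passed on to later rules, which keeps the audit trail honest about why access was refused.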
Polymorphic Malware This is Malware designed to constantly change its identifiable profile in order to evade detection. Types of malware including bots, trojans, keyloggers, viruses and worms, can be polymorphic. Threat
Port Scan A series of packets sent to learn which network services are listening on an IP-connected device, each service being associated with one of the 65,535 TCP (or UDP) port numbers. The response to each probe indicates whether the port is open (a SYN-ACK or completed connection), closed (an RST) or filtered (no reply, typically a firewall), and the attacker then looks for weaknesses in whatever is exposed. For example, management ports left open to the Internet are candidates for brute force and Denial of Service attacks. Threat
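A TCP connect scanner showing how the three verdicts arise, as an added example that is not from the original page: a completed handshake is open, a refused connection (RST) is closed, and silence until the timeout is filtered. It scans only hosts you own; `open_local_listener()` is a demo helper that binds a loopback port so the example can be run against itself.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Full TCP connect to one port. The exception raised by the connect maps onto
    the verdict a scanner reports: handshake -> open, RST -> closed, no answer
    before the timeout -> filtered (something is dropping the SYN)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as e:  # unreachable host, no route, etc.
        return f"error:{e.errno}"


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0, workers: int = 64) -> Dict[int, str]:
    """Scan many ports concurrently; a connect scan is slow serially because each
    filtered port costs a full timeout."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, scan_port(host, p, timeout)), ports)
    return dict(results)


def open_local_listener() -> Tuple[socket.socket, int]:
    """Demo helper: listen on an ephemeral loopback port and return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    print(scan_ports("127.0.0.1", [port]))   # {port: 'open'}
    srv.close()
    print(scan_ports("127.0.0.1", [port]))   # {port: 'closed'}
```

A connect scan completes the handshake, so it appears in the target's application logs; a SYN scan (half-open, as nmap's default) sends only the SYN and needs raw sockets, which is why it is the one detection rules usually look for in firewall logs rather than application logs.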
Protective DNS PDNS Protective Domain Name System (PDNS) adds a threat intelligence check against all DNS queries and answers to block or sinkhole malicious or suspicious domain resolutions. PDNS integrates easily with existing security architectures through a simple recursive resolver switch, leveraging the existing DNS protocol and architecture. It is a key cyber defense because threat actors use domain names across the exploitation lifecycle: users frequently mistype domain names and can be redirected unknowingly to a malicious lookalike site, from which threat actors may install malware, conduct command and control operations and exfiltrate data. PDNS also blocks the command-and-control and exfiltration lookups made by malware already on a host. Defense
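The two checks a Protective DNS resolver makes before forwarding a query, as an added example that is not from the original page or any PDNS product: a blocklist match on the name or any parent domain, and a lookalike test that catches mistyped or digit-for-letter brand names within one edit of a protected domain. The blocklist, brand list, sinkhole address and the "last two labels" registrable-domain shortcut are assumptions for the demo (a real resolver uses the Public Suffix List and a live threat feed).

```python
from typing import Callable, Optional, Tuple

# Constructed threat data for the demo (not a real feed).
BLOCKLIST = {"evil.example", "malware-c2.test"}
PROTECTED_BRANDS = {"example.com", "bigbank.example"}
SINKHOLE = "0.0.0.0"   # answer returned for blocked names; clients connect to nothing


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each costing 1, so 'exmaple' is 1 away from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


_CONFUSABLES = str.maketrans("013", "ole")  # digits commonly swapped for letters


def check_query(qname: str, blocklist=BLOCKLIST, brands=PROTECTED_BRANDS) -> Tuple[str, Optional[str]]:
    """Return ('allow', None) or ('sinkhole', reason) for one query name."""
    labels = qname.lower().rstrip(".").split(".")
    # Any parent domain on the blocklist blocks the query, so subdomains of a bad
    # domain cannot be used to slip past an exact-match list.
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in blocklist:
            return "sinkhole", f"blocklisted: {parent}"
    registrable = ".".join(labels[-2:])  # simplification: no Public Suffix List
    if registrable in brands:
        return "allow", None
    for brand in brands:
        if edit_distance(registrable.translate(_CONFUSABLES), brand.translate(_CONFUSABLES)) <= 1:
            return "sinkhole", f"lookalike of {brand}"
    return "allow", None


def resolve(qname: str, upstream: Callable[[str], str]) -> Tuple[str, Optional[str]]:
    """The resolver switch: consult the checks first, forward upstream only if clean.
    `upstream` stands in for the real recursive resolver."""
    verdict, reason = check_query(qname)
    if verdict == "sinkhole":
        return SINKHOLE, reason
    return upstream(qname), None


if __name__ == "__main__":
    fake_upstream = lambda name: "203.0.113.10"   # constructed answer
    for q in ["example.com", "examp1e.com", "login.evil.example", "unrelated.org"]:
        print(q, resolve(q, fake_upstream))
```

Sinkholing rather than returning NXDOMAIN has a detection benefit: a host that then tries to connect to the sinkhole address has positively identified itself as infected or phished, which is a higher-fidelity alert than a blocked lookup alone.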
Proxy Server Unlike a VPN which transfers data via an encrypted tunnel, an IP Proxy Server acts as a gateway between users and the internet. It’s an intermediary server with its own IP address separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on use case, needs, or the organization’s policy. Defense
Quantum Computing In case you haven't heard about Quantum Computing, it's a computing resource based not on bits that are strictly 1 or 0 but on qubits that can exist in superpositions of states, which for certain problems lets a large number of possibilities be evaluated in effect simultaneously. Coupled with some clever mathematics, including Shor's algorithm, the quantum Fourier transform and Euclid's work on continued fractions, Quantum computing promises scary, very rapid factoring and discrete-logarithm solving, which would break RSA, Diffie-Hellman and elliptic-curve cryptography, the public-key algorithms on which internet security is based. Symmetric ciphers such as AES are affected only by Grover's algorithm, which roughly halves the effective key length, so AES-256 remains adequate. At the moment, and despite feverish research, Quantum computing has not nearly reached the required scale. Also, work is going on to develop encryption for a post-quantum world. December 2023 Breakthrough update: The approach of Quantum Computing and the demise of currently dominant asymmetric encryption algorithms took an important step nearer with an announcement by DARPA (the U.S. Defense Advanced Research Projects Agency) and a highly technical paper in the journal Nature from a team of almost two dozen scientists, most of them from Harvard, funded by the DARPA program known as ONISQ (Optimization with Noisy Intermediate-Scale Quantum devices). The team reported error-corrected "Logical Qubits", Quantum's primary compute elements, in numbers described as a 200-fold increase over earlier work. Separately, NIST is standardizing asymmetric (public-key) encryption and signature methods resistant to quantum attack; the draft standards FIPS 203, 204 and 205 were published in August 2023. Note that "harvest now, decrypt later" means long-lived secrets sent today under RSA or ECC are already at risk. More on both of these developments in 2024. Info
Ransomware and RaaS Ransomware is malware that encrypts or locks user data or systems until a ransom is paid, increasingly combined with theft of the data first so that a second ransom can be demanded to prevent its publication. The threat is loss or exposure of private data, or cessation of business-critical operations. Paying does not guarantee that data is restored or that stolen data is not leaked. Ransomware as a Service (RaaS) was the model for PhaaS (above): a tool kit run as a complete service for use by less skilled hackers, with the operator taking a share of the ransom. In 2023 Ransomware payments reached $1.1bn. Threat
Raspberry Pi A low-cost single-board computer. In security it is typically used as a portable testing device attached to IoT or operational technology to ascertain its vulnerabilities during Penetration Testing, but the same device can be planted on a network for malicious purposes, so unknown devices appearing on the network need to be detected. Info
Reconnaissance Usually the first step in a cyber-attack is probing for vulnerabilities. Dependent on what is found, the attacker moves to the next stage, Resource Development: acquiring the infrastructure, accounts and capabilities (domains, servers, stolen credentials, malware) needed to attack the chosen targets. The fourteen tactics of an attack are described under MITRE ATT&CK (earlier on this page). Reconnaissance is also an element of Penetration Testing, an important test of defenses. Reconnaissance-discovered vulnerabilities are not just software weaknesses: social engineering, physical security weakness, supply chains, the list is almost endless, and MITRE's tactics and techniques are just the beginning of the threat types. Threat
Red Team, Blue Team, White Team Where resources permit, a Red Team is a group of security experts who simulate attackers attempting to defeat the Blue Team, who use the organization's existing threat detection and prevention defenses to detect and thwart the Red Team's attacks. The result is (in theory) a list of new defenses and detections to deploy and gaps to close. This can be very challenging and rewarding when viewed from a holistic perspective. The White Team are the referees and scorers in this exercise, and a Purple Team is the term for the two sides working together and sharing findings in real time. Info
Remote Access Trojan RAT A large and growing variety of malware types designed to allow unfettered access to an attacker to remotely control an infected computer. Threat
Remote Browser Isolation RBI RBI is a security measure that separates users’ devices from the act of internet browsing by hosting and running all browsing sessions on a remote cloud-based and hopefully secure container. It also means that data can be screened to avoid exfiltration of sensitive data or access to middle box functions and as a phishing defense. This, therefore, is an efficient way and place to implement a Zero Trust Enforcement Point. It also helps prevent malware being inadvertently being loaded onto end user systems. Defense
Remote Code Execution RCE A type of vulnerability that allows a threat actor to execute arbitrary code on a remote system or application, typically by supplying crafted input to a service exposed over the network (Log4Shell, above, is an example). This type of vulnerability can be used to take control of systems, steal data or carry out other malicious activities, and is usually rated critical. Threat
Resilience The measurement of how well and how fast an organization can recover from a security incident and how well it is protected to prevent cybersecurity threats to avoid them occurring in the first place. Defense
Risk In addition to the generic concept of "reduction of risk," Risk is also used to measure the level of defense being achieved (or not). Although there are many tools and software products that measure "risk," they typically measure just a part of the problem. The question is whether they address the problem that "security is only as strong as the weakest link." This is why holistic cybersecurity is the only viable approach, since it covers the whole organization and beyond. CybrScore provides (1) a Cybrscore Rating, a measurement of how well the defenses cover overall, multi-level defense (the higher the better) and (2) a Holistic Risk Rating, the likelihood of an organization being penetrated (the lower the better). P.S. Anyone who uses terms such as "eliminates" or "removes" risk does not understand the term; you cannot prove a negative. Threat
Risk Management In the same family as Threat Management and Asset Curation, Risk Management adds the measurement and finance component. Overall, it's the decision-making process that governs the priority of what should be protected. Risk Tolerance is the amount of risk, by department, that an organization is willing to tolerate. It forms an equation that combines the security elements into a score governing what should be enforced and in what order, and it is a key element of the ongoing security strategy that dictates the budget of risk v. cost v. time to implement the organization's security policy. Risk Appetite is the term often used in marketing to mean Risk Tolerance; strictly, it is the amount of risk an organization is willing to take on in pursuit of its objectives, while tolerance is the deviation from that it will accept. Marketing
Risk Register A repository of risk information including the data understood about risks over time. They are typically used by security teams to identify potential risk events, with the likelihood, impact, and description of an event to track the risk. A separate record should accompany this inventory to log control deficiencies that can contribute to the risks included inside your risk register.  See also the NIST definition. Info
Rootkit A Rootkit is a collection of malware that gives an attacker privileged control of a computer, network device or application while hiding its own presence. Rootkits typically create back doors for further attacks and, because they run at kernel, firmware or hypervisor level beneath the operating system's own view, are frequently undetectable by anti-malware software once installed. This is why Rootkits are considered extremely dangerous; Secure Boot, measured boot and remote attestation are the defenses that look beneath the OS. Threat
Sandbox An isolated environment on a network that mimics end-user operating environments. Sandboxes are used to safely execute suspicious code without risking harm to the host device or network. Info
Secure Access Service Edge SASE SASE was conceived as a collaboration between networking and cybersecurity. Its intention is to be a fully-integrated WAN networking and security framework that connects remote users and branch offices to cloud and corporate applications and the Internet. However, great caution should be exercised since almost every term is a marketing one rather than a technical definition. Also, every vendor and service provider has (legitimately) added functions to deliver more practical "SASE" or "SSE" solutions. As first outlined by Gartner in December 2019 (link to the original blog describing this "new package of technologies"), SASE is a conceptual framework, largely consisting of marketing terms, not a product. It encompasses features "such as" (1) SD-WAN, a network overlay technology, (2) Cloud Access Security Broker (CASB), (3) Secure Web Gateway (SWG), (4) Firewall as a Service (FWaaS) and (5) Zero Trust Network Access (ZTNA). All these terms are covered on this Terminology page; their definitions are up for interpretation. Late in 2022 the MEF expanded on the original idea, introducing a SASE service and service attribute definition (MEF 117) that defines a standard "SASE service" combining security functions and network connectivity. Marketing
Secure Service Edge SSE Follow-on to the above. Later Gartner defined SSE – a more IT-focused and implementable subset of SASE without SD-WAN and FWaaS consisting of CASB, SWG and ZTNA. It defines SSE as securing access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components. In March 2022 Gartner created a new magic quadrant summarizing 11 players in this space. Marketing
Note: If after reading this, Googling SASE or SSE and looking at product definitions in this space, you are still unclear then we would not be surprised since vendors and providers match their capabilities to their market. If you are looking for guidance then it comes down to understanding what a product does and seeing if it matches your requirements rather than matching the function to a marketing definition of SASE or SSE.
Secure APIs Application Programming Interfaces (APIs) are increasingly important and their security is critical and integral to regulating access to code and data. The many potential vulnerabilities are well documented (see the OWASP API Security Top 10) together with best practices for defense: authentication of every call, per-call authorization checks on the specific object requested, input validation, rate limiting and an inventory of every exposed API (see Shadow API). Signing API requests, so that the server can verify the caller and detect tampering, is among the strongest of these. It should also be noted that Terraform, an open source infrastructure as code tool that lets users build, change and version cloud and on-prem resources, abstracts the provider APIs of Amazon Web Services, Azure, Google Cloud Platform, Oracle Cloud Infrastructure and Docker; it does not remove the need to secure those APIs and the credentials it uses to call them. Defense
Secure Containers Given the popularity of Kubernetes as the favored container platform and the home of Cloud workflows it’s no surprise that protection methodologies are required . Hence the term Secure containers. See Reference 36 on the reference page for much more information. Defense
Secure DNS Proxy SDNSP Smart DNS Proxy is a commercial DNS proxy service marketed to unblock geo-restricted websites and video and music streaming services (Netflix, Hulu, ABC, Pandora, Spotify) simply by changing the device's DNS settings, with no connection or disconnection as in a VPN. It claims to be faster than a VPN and to work with any device: PC, Mac, Smart TV, Xbox, PS3, router, iPad, iPhone or Android. Note that it is a geo-unblocking convenience rather than a security control: unlike a VPN it encrypts nothing, and the provider sees every DNS query made. Info
Secure IP Service Functions SIG The functions required to provide secure IP services on ingress and egress at a given Service End Point are covered on this page. The collection of these functions is summarized here and includes: IP, Port and Protocol Filtering | Domain Name Filtering | URL Filtering | Malware Detection and Removal | Data Loss Prevention | DNS Security Functions: DNS Protocol Filtering and Protective DNS. Info
Secure Internet Gateway SIG A SIG is a cloud-delivered internet gateway that provides safe and secure access to the users wherever they go, even when the users are off the VPN/network Marketing
Secure Network as a Service SNaaS NaaS Secure Network as a Service is a Zero-Trust enabled service. While Zero Trust is neither a system nor a product and the Gartner concept of SASE and SSE are important steps forward, SNaaS is a framework service that incorporate (1) the principles of Zero Trust, (2) the network and security elements of SASE, (3) around 30 defensive elements associated with SSE and (4) encompasses the elements of holistic security across an extended organization. When looking at Securing Network as a Service (NaaS) it’s important to separate how solution and service providers provide the service and what it can provide for the enterprise as an evolving concept. What NaaS should provide is being defined and will be covered elsewhere as 2023 progresses. ZT
Secure Production Identity Framework for Everyone SPIFFE SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running. SPIRE is a production-ready implementation of the SPIFFE APIs. Assn
Secure Socket Layer SSL Historically the standard security technology for establishing an encrypted link between a web server and a browser. All SSL versions (2.0 and 3.0) are deprecated and insecure and have been replaced by Transport Layer Security (TLS); TLS 1.2 and 1.3 are the versions that should be enabled today, but the name "SSL" lingers in product names and in "SSL certificates." Info
Secure Web Gateway SWG Secure web gateways act as a barrier, keeping users from accessing malicious websites, malware, or web traffic that is part of a Cyberattack. SWG is a solution that filters malware from user-initiated Internet traffic to enforce corporate and regulatory policy compliance. A secure web gateway is a Cyberbarrier or checkpoint that keeps unauthorized traffic from entering an organization’s network. The traffic that a secure web gateway governs is all inline—the gateway stands between all incoming and outgoing data. Marketing
Security and Risk Management SRM The ongoing process of identifying security risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets. Marketing
Security as a Service SECaaS The delivery of security functions (for example SWG, CASB, email filtering, SIEM or managed detection and response) as a cloud-hosted subscription service operated by a provider, rather than as software and hardware the organization runs itself. Marketing
Security Assertion Markup Language SAML An XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider, so that a user's session with the identity provider grants access to applications in another context. It's a single sign-on (SSO) login method offering more secure authentication (with a better user experience) than per-application usernames and passwords. Info
Security Event Notification SEN This is a broad definition of what, how and where events are notified. In this security context, for Zero Trust implementations this could include access requests being blocked or quarantined due to improper access privilege, identification, authentication or policy failures, target actors being out of scope for the subject actor's access, or monitoring noting that timed access was being violated. It could also notify management issues such as Denial of Service attacks or failures in secure services such as unexpected termination. These notifications or Alerts are in addition to service notifications of IP failures, QoS violations from network services, secure container or other data-related notifications. There are no industry standards that encompass all network, IT and security notifications via common secure APIs. ZT
Security Functions A service that delivers and manages cloud-native security functions as specified by the subscriber's Policy for a specific session. These functions must be deployable anywhere within the Service in order to optimize the performance and security provided by the SASE service for that session. The functions available are those listed under Secure IP Service Functions above. They are 'atomic' in the sense that they are frequently combined as part of a package recognized in the market under different terminology, for example ATP, CASB and SWG. Info
Security Information and Event Management SIEM A SIEM  collects and analyzes data from various sources (such as event logs), then filters and applies rules for data analysis. It may include analysis of threats etc. Marketing
Security Operations Center SOC The team, location and systems responsible for monitoring, detecting and responding to cybersecurity events, typically built around a SIEM. Info
Security Orchestration Automation and Response SOAR Clearly an important function, though Gartner’s marketing engine referring to it as “The SOAR market continues to build toward becoming the control plane for the modern SOC environment” may be a little over the top. Marketing
Security Policy and Security Strategy An organization’s Security Policy is the fundamental and necessary element of cybersecurity defense. It’s a high-level view of what should be done with regard to information, and physical security – the baseline that executives use to define what is secure enough for their organization in terms of acceptable risk and cost. Typical elements are (1) Assessing Critical Assets (2) Assessing risks v. value and budget(3) Assigning & delegating responsibilities (4) continuous progress measurement, (5) permanent reports to executive meetings (6) role of the CSO – not limited to IT, reporting to the board and (7) reporting and compliance requirements. The  Security Strategy is the execution of the Security Policy. It covers the ongoing scope, risk measurement and targets over time and reporting over time. The scope will cover the principle areas to be addressed within budget. Specifically the actions will encompass areas such as those spelled out in our Holistic Cybersecurity as a Service page and for software companies the 12 areas of actions are spelled out in Microsoft’s Software Development Lifecycle (SDL) system. Info
Security Posture Describes the current state of an organization's overall ability to predict, prevent and respond to Cyber threats across all the areas that need to be taken into account. The term may seem non-intuitive but has become widely adopted. Pretentious-sounding as it is, it's the most important thing to measure, since it's what tracks your progress on reducing risk. Our CyberScore program and CISA's CSET software are examples of such measurement tools. Info
Session Token Theft Also known as Session Hijacking, this is the exploitation of the web session control mechanism, which is normally managed with a session token. Web servers recognize each user's connection using the token the server sends to the browser after authentication (usually in a cookie), so whoever holds the token is that user. Session Hijacking steals or predicts a valid token, via sniffing of unencrypted traffic, cross-site scripting, malware on the endpoint or a Man-in-the-Middle, and uses it to gain unauthorized access without needing the password or MFA. Defenses: tokens that are long and random, sent only over TLS with the Secure, HttpOnly and SameSite cookie attributes, regenerated on login and expired on logout and after inactivity. Threat
Shadow API An API that is exposed but not documented, inventoried or managed by the security team, and so is typically not protected by authentication, rate limiting or monitoring. One 2022 industry report put malicious traffic at 16 billion of the 20 billion API transactions it observed, the majority of them against unprotected APIs. Threat
Side Channel Attack An attempt to deduce information such as keys or passwords by measuring something other than the protocol's intended output: timing, CPU usage, power draw, visual or acoustic evidence, or electromagnetic emissions from adjacent software or devices. It can also involve tracking devices, chips, keys and known hardware weaknesses. Reports in December 2023 revealed SLAM (Spectre based on Linear Address Masking), a transient-execution attack of the Spectre family that abuses the Linear Address Masking (LAM) feature of upcoming Intel CPUs and the equivalent features on Arm and AMD to leak sensitive data, including operating system kernel memory, to an unprivileged process. Threat
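The simplest side channel in software, as an added example that is not from the original page: a comparison that stops at the first mismatch takes longer the more leading bytes are correct, so an attacker can recover a secret one byte at a time. To keep the demo deterministic, the leaky comparison reports how many bytes it examined in place of the elapsed time an attacker would actually measure; the secret and the attacker loop are constructed for the demo.

```python
import hmac
from typing import Iterable, Tuple


def naive_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The leaky way: returns at the first mismatching byte. The second value,
    bytes examined, stands in for the running time an attacker would observe."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Examines every byte whatever the input, so work (and time) does not depend
    on where the mismatch is. hmac.compare_digest does this in C; use it in real code."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def recover_secret(secret: bytes, alphabet: Iterable[int] = range(256)) -> bytes:
    """Attacker who sees only the timing oracle of naive_compare: extend the guess
    one position at a time, keeping the byte whose comparison ran longest."""
    guess = bytearray(len(secret))
    for pos in range(len(secret)):
        best, best_examined = 0, -1
        for c in alphabet:
            guess[pos] = c
            equal, examined = naive_compare(bytes(guess), secret)
            if equal:               # last byte found: the oracle says match
                return bytes(guess)
            if examined > best_examined:
                best, best_examined = c, examined
        guess[pos] = best
    return bytes(guess)


if __name__ == "__main__":
    token = b"s3cr3t-token"
    print(recover_secret(token))                           # b's3cr3t-token'
    print(naive_compare(b"abcd", b"abzz"))                 # (False, 3): leaks prefix length
    print(constant_time_compare(b"abcd", b"abzz"))         # (False, 4): always full length
    print(hmac.compare_digest(token, token))               # the library call to use
```

Against a real service the per-byte difference is nanoseconds and is buried in network jitter, but it survives statistical averaging over many requests, which is why MAC, token and password-hash comparisons must use `hmac.compare_digest` (or its equivalent) rather than `==`.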
SIM Swapping A SIM swap is when a threat actor creates or fraudulently copies a victim’s phone SIM card. They trick the service provider into switching a victim’s service to a SIM card that they control — essentially hijacking the victim’s phone number. Typically, it is then used to intercept online banking SMS verification codes or to obtain MFA codes for financial transactions. Most banks require that a replacement SIM card be re-linked to the account. Threat
Single Sign-on SSO Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials without re-authenticating themselves. It is not the same as using a common sign-on (e.g., Google or Facebook) where the same login is used for multiple sites, effectively reusing the same username and password; if compromised, it can give hackers access to all sites. Defense
Skimming This term is used when a threat actor uses a tag reader to read an encoded strip (e.g., using RFID or Bluetooth to read a credit card’s magnetic strip, and more). Such devices (e.g., Flipper), although banned, are seemingly available on the grounds that they are used for Penetration Testing! Threat
Sniffing Used to investigate the contents of transmitted data to look for malware, this technique can also be used by threat actors to look for user or software credentials or other sensitive data in unencrypted traffic. Threat
Social Engineering The use of psychological manipulation to influence people to divulge sensitive information or to perform actions that may not be in their best interest. It often involves exploiting people’s trust, fear, or desire for gain, and can be used to gain access to confidential information, networks, or systems. Threat
Software Bill of Materials SBOM CISA has defined “a software bill of materials (SBOM) as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components.” This list of “Types” is not fixed since it may vary or be duplicated in different scenarios. Although it begins with “Design Specification” it does not discuss preceding it with (1) a Market specification or Requirements Document (MRD); this misses an important aspect of organizational and cybersecurity requirements. Other types are listed as “Source, Build, Analyzed, Deployed and Runtime” types. When looking at the CISA Types of SBOM Documents, it seems incomplete, and perhaps that’s intentional? For instance, there is (2) no discussion of the use of memory safe languages, (3) use of built-in certified secure APIs for automation, (4) investigation of 3rd party open source code, (5) no built-in Zero Trust identity or access control list elements, (6) no automation of regression testing, (7) investigation of possible security vulnerabilities, (8) no built-in hooks for automation, nor (9) testing of data or management plane functions. NSA listed its own SBOM recommended practices for securing supply chains in Nov 2023. Info
Software Defined Wide Area Networks SD-WAN An overlay to transport Layer communications. Originally defined by the Open Networking Group (ONUG.net) and later defined for service providers by the MEF (MEF.net) [15] SD-WAN is also an element of SASE as introduced by Gartner. Info
Spoofing Spoofing is a broad term for threat actors masquerading as a trusted entity or device to take actions that would cause infection or unauthorized penetration of a system. Threat
Spyware A type of malware, such as keylogging, that spies on user or software actions, gathering data from a user’s device and sending it to third parties without their consent. Threat
SQL Injections Most IT people are aware that SQL (Structured Query Language) is a commonly used methodology for accessing databases in data centers or in clouds. SQL Injection attacks exploit weaknesses in how applications access data. Best defense practices are the use of secure containers, input validation and parameterized queries to prevent deleting and overwriting data and, of course, the use of Zero Trust principles to avoid exfiltration of data. Threat
Steganography The technique of hiding data within an ordinary, non-secret file, a message or encrypted data to avoid detection. The file could be a text, image, video or audio type. The word comes from the Greek Steganos meaning hidden. Info
Structured Threat Information Expression STIX This MITRE defined language and serialization format is used to exchange cyber threat intelligence (CTI). It covers all manner of attacks in 18 Domain Objects best defined here. Info
Supply Chain Attack This covers all manner of attacks from a compromised third party that could be manufacturing a deliverable, product or software element, a service company or even a security software product. Specifically, Software Supply Chain Attacks are malware code embedded “somewhere” in the system of software suppliers. They are the cause of many, if not most, large-scale, high-profile ransomware and malicious attacks. The supplying company may not be the culprit. Like the Log4Shell malware, it could be buried in some open source code that was never verified. The important point is to delegate to such companies by having them self-certify their products or services. (This is covered in detail on this site’s Delegation page.) Threat
Tabletop Exercise Discussion-based exercise to validate the content of plans, procedures, policies, etc., to manage incidents, plan recovery etc. Info
TCP Split Handshake Attack First encountered more than a decade ago, this attack is caught by most firewalls. However, this form of attack is seemingly still quite prevalent. Briefly, when the user’s system (e.g., a browser) makes a connection with a remote host, the Transmission Control Protocol (TCP) is invoked, beginning with a three-way synchronization “handshake.” The connection by the user is initiated with (1) what’s known as a SYN packet, (2) the host replies with a SYN-ACK acknowledgement packet and (3) its receipt is acknowledged by the user with an ACK packet. Then the flow of data starts. This can be interrupted by a malicious host sending back confusing packets during the initial handshake. Probably more than you need to know, but for a detailed discussion, please see this link from 2010. Threat
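The three handshake steps above expressed as the kind of state check a firewall or IDS performs, as an added example that is not from the original page: a tracker that expects SYN, then SYN-ACK from the host, then ACK, and records any departure from that order, including a host answering the SYN with a bare SYN of its own. The packet summaries, addresses and state names are constructed for the illustration; a real inspection engine would also track sequence numbers and timers.

```python
from dataclasses import dataclass, field
from typing import List

# TCP flag bits as they appear in the header.
SYN = 0x02
ACK = 0x10


@dataclass
class Packet:
    """Constructed packet summary: only the fields the handshake check needs."""
    src: str    # "ip:port" of the sender
    dst: str    # "ip:port" of the receiver
    flags: int  # TCP flag bits


@dataclass
class HandshakeTracker:
    """Tracks one client/server pair through the three-way handshake and records
    any departure from SYN -> SYN-ACK -> ACK (hypothetical detection logic)."""
    client: str
    server: str
    state: str = "CLOSED"
    anomalies: List[str] = field(default_factory=list)

    def observe(self, pkt: Packet) -> str:
        from_client = pkt.src == self.client and pkt.dst == self.server
        from_server = pkt.src == self.server and pkt.dst == self.client
        if not (from_client or from_server):
            return self.state                       # not this connection
        syn, ack = bool(pkt.flags & SYN), bool(pkt.flags & ACK)
        who = "client" if from_client else "server"

        if self.state == "CLOSED":
            if from_client and syn and not ack:     # step 1: client SYN
                self.state = "SYN_SENT"
            else:
                self.anomalies.append(
                    f"first packet was {who} flags=0x{pkt.flags:02x}, not a client SYN")
                self.state = "SUSPECT"
        elif self.state == "SYN_SENT":
            if from_server and syn and ack:         # step 2: host SYN-ACK
                self.state = "SYN_RECEIVED"
            elif from_client and syn and not ack:
                pass                                # retransmitted SYN: harmless
            elif from_server and syn and not ack:
                # The host answers the SYN with its own SYN instead of a SYN-ACK:
                # the "split" handshake that a stateful device must not accept.
                self.anomalies.append("server replied to SYN with a bare SYN (split handshake)")
                self.state = "SUSPECT"
            else:
                self.anomalies.append(
                    f"unexpected {who} packet flags=0x{pkt.flags:02x} in SYN_SENT")
                self.state = "SUSPECT"
        elif self.state == "SYN_RECEIVED":
            if from_client and ack and not syn:     # step 3: client ACK
                self.state = "ESTABLISHED"
            else:
                self.anomalies.append(
                    f"unexpected {who} packet flags=0x{pkt.flags:02x} in SYN_RECEIVED")
                self.state = "SUSPECT"
        # ESTABLISHED and SUSPECT: nothing further to check here.
        return self.state


def check_handshake(client: str, server: str, packets: List[Packet]) -> HandshakeTracker:
    """Run every packet through the tracker and return it for inspection."""
    tracker = HandshakeTracker(client, server)
    for pkt in packets:
        tracker.observe(pkt)
    return tracker
```

A connection that ends in SUSPECT is the one to drop or log: the data flow the entry describes should only begin from ESTABLISHED, never from a handshake the inspecting device could not follow.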
Threat Detection Threat Detection (a.k.a. Threat Assessment or Threat Analysis) is the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network. Be aware that while they are much better than having no detection, most of these Threat Detection systems are limited to the IT department’s domain and are not set up to investigate external systems such as provider or cloud networks, supply chain networks, web content management systems, external CRM systems, OT networks, etc. They also likely do not help directly with social engineering, and often do not validate least privilege or other Zero Trust attributes. They may also be vulnerable to management plane attacks on the Threat Detection software itself. Marketing
Threat Intelligence This is a marketing term, that seems to have no standardized definition but is frequently used to make the seller of such products or services look, well, intelligent! Marketing
Threat Modelling Threat modelling is the process by which threats, whether vulnerabilities or the absence of appropriate controls, can be described and mitigations or remediations planned. The purpose is to provide an understanding of what controls and vulnerabilities exist. Microsoft’s Threat Modelling Tool is freely available here. It’s based on its STRIDE model for identifying threats, categorized as Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of Privilege. What luck that these 6 categories made up the word STRIDE. I haven’t repeated what Repudiation and Tampering are defined as. Info
Threat Protection Like Threat Detection above, Threat Protection is typically an umbrella for a collection of software tools or services that defend against detected threats. Many companies combine detection and protection into an upmarket offering termed Threat Intelligence. Defense, Marketing
Threat Types There are many threats called out on this page and elsewhere. This entry collects the top threat types that require detection and protection. The several “… as a Service” tool kits often deploy several such threats, three of these being Phishing as a Service (PhaaS), Ransomware as a Service (RaaS), and, most recently and most dangerous, Hacking as a Service (HaaS). The number of threat types, each requiring detection and protection, reveals the scope of the challenges faced: Advanced Persistent Threat | Adware | API attacks | Botnet | Bring Your Own Device | Bring Your Own Vulnerable Driver | Brute Force Attacks | Business Email Compromise | Credential Re-use | Cross-site Scripting | Data Breach | Deep Fake | Denial of Service | Distributed Denial of Service | DLL Side-Loading | DNS Security & Protocol Filtering | Drive-by Attacks | Elevation of Privilege | Exfiltration | Insider Threats | Key Logging | Lateral Movement Attacks | Living off the Land Attacks | Man-in-the-Middle Attacks | Phishing | Polymorphic Malware | Ransomware | Rootkits | Session Hijacking | Side Channel Attack | Social Engineering | Software Supply Chain Attacks | Spyware | SQL Injections | TCP Split Handshake Attack | Trojans | Viruses | Watering Hole Attacks | Zero-Click Attack | Zero-Day | Zombie attacks. Threat
Transport Layer Security TLS Transport Layer Security (TLS) encrypts data as specified by the Internet Engineering Task Force (IETF). This is currently a controversial issue because of the pending requirement to upgrade from TLS 1.2 (IETF RFC 5246) to TLS 1.3 (RFC 8446). The differences are the deprecation of various supported encryption methods and simpler but more secure handshakes. The overwhelming resistance to upgrading is based on disruption and concern about breaking vast numbers of applications. This resistance is going to be overcome by NIST mandates that force the change in government and financial networks, likely to arrive in January 2024. Read Cisco’s report on this issue. Defense
Trojan A form of malware where a malicious payload is embedded inside a benign host file or program. Log4Shell is a prime example of infected open source code that was used extensively before it was detected. When embedded in a file, the victim is tricked into believing that the only file being retrieved is the viewable benign host. However, when the victim uses the host file, the malicious payload is automatically deposited onto their computer system. Threat
URL Filtering URLF URL Filtering is defined as the action taken by a Service Provider to check whether a session contains a URL that is to be Allowed or Blocked. The URL syntax is specified in IETF RFC 3986. URL Filtering applies to cases where the domain name is on the “Domain Name Filtering Allow List,” but one or more URLs associated with that domain have a security issue and need to be blocked. Defense
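The two-stage decision described above (domain on the allow list, then specific URLs under that domain blocked), as an added example that is not from the original page or any vendor’s product. It parses the URL with Python’s standard library and normalizes host case, a trailing dot on the host, percent-encoding and doubled slashes before comparison, since a filter that compares raw strings is trivially bypassed. The allow list, the blocked path prefixes and the policy format are constructed for the illustration.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit


def normalize(url: str) -> Tuple[str, str]:
    """Reduce a URL to (host, path) so that case, a trailing dot on the host and
    percent-encoding in the path cannot be used to slip past a string comparison."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    path = unquote(parts.path) or "/"
    while "//" in path:                      # "/a//b" and "/a/b" name the same resource
        path = path.replace("//", "/")
    return host, path


class UrlFilter:
    """Two-stage filter: a domain allow list, then URL block rules for domains that
    are allowed overall but have specific problem paths (hypothetical policy format)."""

    def __init__(self, allowed_domains: List[str], blocked_paths: Dict[str, List[str]]):
        self.allowed_domains = [d.lower().rstrip(".") for d in allowed_domains]
        # host -> list of path prefixes to block on that host
        self.blocked_paths = {h.lower(): prefixes for h, prefixes in blocked_paths.items()}

    def domain_allowed(self, host: str) -> bool:
        # Match the domain itself or a true subdomain; "example.com.evil.test"
        # ends with "example.com" but must not match, hence the leading dot.
        return any(host == d or host.endswith("." + d) for d in self.allowed_domains)

    def decide(self, url: str) -> Tuple[str, str]:
        """Return ("ALLOW" | "BLOCK", reason) for one URL."""
        host, path = normalize(url)
        if not host:
            return "BLOCK", "no host in URL"
        if not self.domain_allowed(host):
            return "BLOCK", f"domain {host} not on allow list"
        for prefix in self.blocked_paths.get(host, []):
            if path.startswith(prefix):
                return "BLOCK", f"URL path {path} matches blocked prefix {prefix}"
        return "ALLOW", f"{host}{path}"
```

Blocking by default when the URL has no parseable host is deliberate: a filter that allows what it cannot parse is a filter that is easy to get past.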
Video File Attacks The difficulty of discovering malware lurking deep inside H.264 encoded video files, the most commonly used video format, has been revealed. Beyond identifying vulnerabilities, the complexity of H.264 encoding makes it very challenging for any tool to discover pervasive malware inside such videos. Actions are required by graphics hardware vendors, who need to take the corrective actions listed in the revealing paper published in April 2023 by the University of Texas at Austin. Software suppliers, threat detection providers and users will need to implement any updates. Threat
Virtual Private Network VPN A service that protects Internet connections and privacy online. It creates an encrypted tunnel for data, protects your online identity by hiding IP addresses, and allows the use of public Wi-Fi hotspots safely. Defense
Virus A virus is a specific type of Malware that self-replicates by inserting its code into other programs and is then spread to other systems and executed. See also Lateral Movement Attacks. A common source has been open-source software that is included and distributed without proper testing, the infamous Log4Shell being an example. Threat
Vulnerability Assessment The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities or weaknesses in a system. Vulnerabilities can exist anywhere in the organization or beyond, not just in software, hardware, processes or network configurations. Marketing
Vulnerability Management The cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Vulnerability management is integral to computer and network security and should not be confused with vulnerability assessment. Marketing
W3C Web Authentication WebAuthn A Standard for web authentication: An API for accessing Public Key Credentials. Assn
Watering Hole Attack Just as the name implies, malware lies in wait for users that are known to visit a specific web site. Threat
Web Application Firewall WAF Unlike traditional firewalls (see above) that filter unauthorized IP traffic, WAFs look at the web application layer to filter, monitor, and block HTTP traffic to and from a web service. They can prevent attacks exploiting a web application’s known vulnerabilities, such as SQL injection and cross-site scripting (XSS). Marketing
Zero-Click Attack Also known as Zero Touch attacks, these are initiated without the user taking any action or clicking on anything. These can be inserted by just opening an email and unwittingly enabling a Living off the Land or Microsoft Office exploit. An example is the discovery (Sept 2023) of the Zero Click attack on iPhones and the rapid issuance of an update to iOS etc., impacting billions of unsuspecting users. On mobile or fixed devices, Zero Touch exploits can be triggered by messages received on a phone without the user being aware. Threat
Zero-Day A.k.a. “Zero-day” Attack. A new exploitation of a vulnerability by an attacker. By definition, it is discovered after it causes damage and is successful because no remedy (e.g., software or a remedial process) had yet been implemented. Threat
Zero Trust ZT This is the key topic in cybersecurity so it’s worth describing in detail. A set of principles and strategies intended to prevent the exfiltration of data in many areas, layers and apps operating in a hybrid cloud, perimeter-less network. See this site’s page on Zero Trust and Section 7 of the Book for an in-depth examination. Two of these principles are “Assume Breach,” where the enemy has already penetrated your perimeter, and “Never Trust, Always Verify.” The word “Always” is important and doesn’t just mean verify once. It means continually verify, since access may have a time limit or other restrictions and the user, app or device may suddenly attempt actions that are not aligned with the access policy, etc. Perhaps the term should have been “Never Trust, Continually Verify.” Implementing Zero Trust involves (a) Identity and Authentication, (b) Access Control, (c) Policy Management, (d) Policy Enforcement at appropriate locations or between designated points, (e) continual automated monitoring and auditing plus (f) Event Notification. In a world where the network perimeter no longer exists, a Zero Trust approach is the best and perhaps the only approach to protecting your assets. Remember it’s not a system but an approach whose deployment is context and location dependent. NIST has defined a Zero Trust Architecture (800-207). Zero Trust was actually coined by Stephen Paul Marsh in 1994 but was popularized by John Kindervag almost a decade later. Today, circumstances have made it rise to the status of essential. He is now recognized as the father of the movement and he describes a 5 step methodology as follows: (1) Define the Protect Surface, (2) Map the transaction flows, (3) Architect a Zero Trust Environment, (4) Create a Zero Trust Policy, (5) Monitor and Maintain. This is an iterative process coined as “Antifragile” – systems that gain strength from disorder – an idea described by author Nassim Nicholas Taleb.
Like many others, I do not express it in exactly the same way as it does not take into account holistic principles and is an over-simplification. In fact, seeking an exact definition of Zero Trust – something that many seek to do so they can understand it better themselves – may not be a useful pursuit! ZT
Zero Trust Network Access ZTNA Perhaps the most bizarre term on this page is (almost) the last one. Zero Trust Network Access is an element of Gartner’s original SASE concept. Note: there is no official industry standard definition for this term or its specific functions (this includes NIST 800-215). In the market, ZTNA solutions provide secure remote access to an organization’s applications, data, and services based on clearly defined access control policies. It could be said that ZTNA is the Zero Trust replacement for virtual private networks (VPNs) in that ZTNA grants access only to specific services or applications, whereas VPNs grant access to an entire network. ZTNA is an obvious solution to distributed workforce security. This use case is the only one that could be seen as part of a Zero Trust strategy. Marketing
Zero Trust Packet Routing ZPR To quote Oracle: “Zero Trust Packet Routing (ZPR) is an industry-wide initiative to create a new open standard for network and data security that will help organizations better protect their data in distributed IT environments. Oracle is collaborating with Applied Invention and other industry partners on the new standard, which will enable networks to collectively enforce the shared security policies and security architecture organizations already use without changing existing applications and networks.” I put this in quotes because it is an example like SASE, SSE, ZTNA of marketing from Oracle and its associate “Applied Invention” who have trademarked the term. It seems as yet undefined by any industry group, nor defined in terms of functions etc. Perhaps it will become an “Open Standard.” As such, ZPR was included for completeness and we look forward to properly representing their contribution. Marketing