MORE THAN JUST A GLOSSARY
Updated December 2nd, 2024
The intention of this CyberPedia page is to provide the most up-to-date set of cybersecurity terms and their use available anywhere. More than that, it adds explanatory comment on use of the terms used and concepts developed, hence the title CyberPedia. It’s updated as meanings change and new terms arise almost daily – as does the Breaking News page. This list of more than 400 terms keeps on expanding. Who can keep 400 terms in their head? So, more important than the number is that it’s a reference source. To keep it focused, it only covers one or two of the 1000s of related networking, software, generative AI or IT terms where relevant. Much/Most time in technical work is spent on agreeing on the exact meaning of terms. Thus, cybersecurity and telecommunication work is essentially a linguistic phenomenon and caution is needed when searching for definitions in general.
At best, this page is a living collection of terms agreed by groups of authors or individuals. As with all such definitions, don’t go seeking the truth. Even if you were to find it, it would still be played against what you already know. 25 years involvement in standards and terminology has taught me that the study of linguistics and meaning is an art not a science.
Marketing or Technical?
When finding a single agreed definition of a term, one is confronted with competing marketing terms disguised as fact. This can make understanding even more complex. An example is Gartner’s SASE/SSE. Some clear thinking in terms of ensuring networking and security is aligned but not in itself easily implementable as a defined system – or even an agreed set of elements. This is understandable as it’s part of an organization’s need to uniquely position itself.
You are likely aware that many organizations’ acceptance of these terms is clouded by its need to be at the top right of their particular “Gartner’s magic quadrant” or Forrester’s “Wave.” We all visit to Google/ Wikipedia/Gartner Magic Quadrant as the best starting point but many links are sponsored, biased, may not fit your organization or, most relevant, recommend solutions that don’t fit your budget.
On this page we also distinguish Defense Tools as better-defined “atomic” security functions and also Solutions that combine several such functions into a security product, service or a combination of networking, security automation and AI.
Reportedly there are now around 4,000 cybersecurity solutions in the market(!), so listing any but the market leaders is a minefield. The defense types listed are therefore focused on a specific defensive purpose. What makes it even more challenging is that driven by competitive marketing differentiation, providers increasingly have defensive multiple functions in a marketing wrapper or “cake” when you can’t see the “ingredients.” I.e. it’s important to unravel the functions actually being delivered. This may not be straightforward since vendors are reluctant to reveal the details and especially how it works since that might reveal weaknesses, etc. For that reason this page identifies “types” of products and solutions not specific products.
The best approach is to understand what is being protected and what is being enabled, irrespective of what the product or service is called.
Definitions Vary
Industry Standards themselves are subject to the agreement by the parties creating them. This may be obvious but as much as we would love to provide guidance on what services or products to choose with our “Top Ten lists of …” for each approach, it is clearly an unwise and impossible task because it would require years of analysis/expertise and would be outdated before it was written. Even in a standards body it’s common to find multiple definitions of the same term that is subjective and context dependent. (This author once found 10 different definitions of one term in one standards body.) Enter Open Source and all bets are off. There is a list of references on the References Page and just some here since these definitions are distilled from multiple sources.
Purpose of Acronyms
Used to save time within knowledgeable technical groups, sometimes they are used to deliberately create an impression that the user is smarter than you. As a tip, only use an acronym if there is more than one use of a term in a document. I dislike the use of acronyms but they are provided here for completeness.
The list is categorized by Threat Types, Zero Trust , Defensive Terms, general Information, and Marketing terms. This last category are typically product types that are named to imply unique or innovative capabilities. Defensive are usually either tools or defense software approaches sold separately or part of other solutions. Those labelled “Defense, Marketing” are those that provide defense but the definition is subjective. A new section begins to group connected areas. For example, ATP will be featured on a separate page covering the threats and defenses of these dangerous attacks.
Term | Acronym | Definition | Type | Group |
Access Control | ABAC, DAC, MAC, PBAC, RBAC | Defines which Subject Actors can perform which operations on a set of Targets Actors according to a set of identity management, authentication, policy, privilege, time and duration etc. It also describes the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., critical infrastructure facilities, federal buildings, military establishments). NIST has defined several Access Control policies including Attribute-based Access Control (ABAC), Mandatory Access Control (MAC), Discretionary Access Control (DAC) covering some areas and Role-Based Access Control (RBAC) based on the role of the actor. Policy-based Access Control (PBAC) governs an actors access based on their privilege levels according to business or technical policy. An Access Control List is defined as the list of rules that make up the policy for accessing a target actor (compute or network resource (device, network service, application, etc.) | Defense | ZT |
Accountable Digital Identity | Creates trusted digital addresses from existing trusted identity sources such as employers, financial services, governments, etc., allowing people to manage their identity information. | Info | ||
Actor | Used by various sources, especially the MEF, to represent a user, application or systems software or device. It also defines Actors as either Subject (initiating a request) or Target (the recipient of the request). Application-Application exchanges dominate computer dialogs. In line with the Zero Trust principle “Never Trust, Always Verify,” Actors are always assumed to be untrusted (with possible malicious intent) unless (and only while) verified to be legitimate. An Actor in the past has been commonly used to mean Threat Actor – a person or organization deemed to have malicious intent. Zero Trust has superseded that meaning. | info | ZT | |
Advanced Persistent Threat | APT | As opposed to malware, which typically acts immediately, an APT is a sophisticated, often complex and sustained cyberattack that is today’s principal vehicle for ransomware and often delivered as “Ransomware as a Service.” These are the typical steps of an APT attack. The intruder begins with Reconnaissance of vulnerabilities, targets to exploit and financial opportunities if present. Via phishing, identity theft etc., it then penetrates the system, establishes an undetected presence that compromises the system and establishes a hard-to-detect foothold. It may prepare for an attack by elevating its privilege level and seeking targets in the systems’ network. Then it may lie dormant, beaconing its remote host and lie undetected in systems for a long time. When activated, it will invoke one of more Lateral Movement attacks to infiltrate connected systems, provider or cloud networks. this in turn begins data exfiltration, damage or encryption to systems and applications etc. The terms in bold are explained on this page. The various “… as a Service” attacks are increasingly of this nature. The result can be anything from disruption, identity or data theft, ransomware, etc. The best defense is avoidance or detection of the initial penetration via anti-Phishing, etc. software at the edge of the network or using Endpoint Detection and Response (EDR) software, in the first place. The most promising defense is the use of Extended Detection & Removal (XDR) Software. This applies the “Assume Breach” Zero Trust principle to focus on those threats detectable inside the network. – e.g., Reconnaissance, Lateral Movement and Beaconing. The overall defense of APTs is also been termed from the military as the Kill Chain. | Threat | APT |
Adversary-in-the-Middle | AiTM | Evolving from the passive man-in-the-middle attacks (see below), these actively manipulate data, control software etc. as they travers between source and target actors. Current examples (October 2024) include, impersonating legitimate actors, delivery of malware and credential harvesting. An extensive write-up is available from SentinelOne. | Threat | |
Adware | Bombarding users with endless ads and pop-up windows causes a nuisance to the user experience. However, it can also pose a danger by diverting users to dangerous sites and clicking on malicious links etc. Also known as Malvertising. | Threat | ||
Air Gap | The physical or virtual separation of networks and systems. 1. Physical. Typical use is in sensitive operational networks being kept separate from external networks (e.g., Internet or internal business networks) to avoid attacks. This physical separation likely includes both wired and Wi-Fi separation. Disaster recovery offline backups are another instance to ensure resilience and 2. The logical separation of networks via encryption, Zero Trust managed access (via least privilege, identity management, policy, etc.) has superseded physical air-gaps in Operational Technology Networks in theory but not always in complex and legacy manufacturing practices. Other approaches that separate OT traffic from IT traffic in shared networks via slicing include encryption, slicing tunneling and ZTNA, none of which address the compromise at the source of the transaction. The term Demilitarized Zone (DMZ) refers to a network that isolates the Internet and a secure network (typically a LAN), similarly separating networks and has the same effect. | Defense | ||
Alarms and Alerts | These are terms used to determine how a security event is reported. (See also Security Event Notification). The distinction is typically that something “Alarming” has happened rather than “Alerting” the user of system that something has happened and should be noted or watched. However, which falls into either category is usually a matter of severity, is subjective and a matter of policy. A Threshold Crossing Alert (TCA) is another related term meaning that some value. For example, the amount of data transferred has exceeded a limit, causing suspicion of exfiltration. | Info | ||
Anti-Malware Software | Generically, a variety of software systems defined to detect and prevent users from malware/viruses/phishing/spyware attacks etc. Used somewhat named interchangeably with Anti-Virus Software and typically installed on user devices. Anti-Phishing and Anti-Spyware software is often separately packaged. Built-in protection is part of the Windows and Apple PC platforms. It’s not clear (seemingly deliberately) on the value of the market “Anti …” software add-ons are compared to the platform protection. | Defense | ||
Application Security | AppSec | Application Security encompasses the many aspects of application security that has become dominated by hosting of workloads in multiple clouds over multiple containers. Like other topics covered here, it has its own world of challenges, threats and solutions. These are addressed under Cloud Security below | Info | |
Argon2 | Argon2 is a memory-hard function for password hashing and proof-of-work applications. See also informative RFC9106 by the IETF. It is being used increasingly to strengthen the protection of stored passwords. An example of its adoption in 2023 by password manager BitWarden following recent industry incidents of attacks on another password manager. | Info | ||
Artificial Intelligence | AI | Many definitions relate to Generative AI. In the Cloud Network Ecosystem, it refers to intelligence applied to the automation of Identity management, access control, policy enforcement, network discovery, monitoring and auditing of access, etc. See also Automation and Artificial Intelligence below. At cybyr.com it is applied to the process of managing the progress of holistic cybersecurity. See also Generative AI cyberattacks on this page. cybyr.com’s CybyrScore software is AI/ML-based and will integrate Generative AI approaches in due course. | Info | |
Ascon | A cryptography standard for lightweight IoT device protection. Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight (i.e., suitable for devices with low computation power and resources such as IoT devices) and easy to implement, even with added countermeasures against side-channel attacks. Chosen by NIST in February 2023, as the new standard for Lightweight Cryptography (LWC), its security characteristics are such the it could supersede other encryption technologies such as AES used in IETF’s TLS. Lightweight cryptography/encryption designed for devices with limited resources uses less memory, computing resources and power to provide a practical security solution for IoT/IIoT devices. In November 2024 NIST announced the first draft standard (comments close Feb 7th 2025). | Info | ||
Asset Curation and Related Topics | Asset Curation is a critical part of an organization’s security strategy and its defense. Its scope is so much more than customer data. The long list of Assets include customer data and info, company data including all intellectual property, competitive intelligence, software and accompanying data, all personnel information (user ID and privilege levels, personal info and approved workforce locations, insider threat assessments, departmental training and security status) network device and software inventory, update status, personal computer status, cloud container and application status, audits of monitoring and policies. All authorized users privilege is also included. It also reaches beyond the organization to where data, credentials and intellectual property is managed by outside organizations. For example, Cloud brokers, network suppliers and other subcontractors. Abdication to third parties is what resulted in the biggest breach involving Snowflake, AT&T, Ticket master and hundreds of other companies. Protection begins the act of discovery and automated ongoing monitoring of all electronic assets that could be vulnerable to attack. In fact its reported that 96% of attacks target Data Backup. Without proper asset discovery and curation, it’s not possible to know what assets need protection and which undefendable assets need to be replaced, etc. It is also an essential part of evaluating the value of data requiring protection. A Configuration Management Database (CMDB) is a database that contains all relevant information about the hardware and software components used in an organization’s IT/OT services and the relationships between those components. CDMB is a useful tool in this curation process. Also in the area of curation is deployment of data backup strategies. Where practical this should also include adjacent systems (web sites, third party systems that access corporate data, policy databases for unauthorized changes, etc.) plus off-site Disaster Recovery, Auditing and validation of backups with restoring of data and using Content Disarm and Recovery software (CDR) to scrub data. Also, Disaster Recovery is often a part of a Business Continuity Plan (a.k.a. BCDR) covering the recovery plan and how to operate during the process with minimal interruption. The elements here are all considerations for an Incident Response Plan (see below). Finally, this is an important tool for automated software, firmware and hardware updates. Overall its a matter of Data Integrity – ensuring that all assets are managed completely. This obviously goes beyond the walls of cyberseurity. | Info | ||
Atomic Security Functions | Selecting security software is challenging due to lack of agreed definitions of specific security functions. This page is a good example. What begins with a simple product scope gets expanded. SSE, SASE and Firewalls are good examples. Therefore, this page distinguishes products/tools that address specific threats from wider ranging marketing solutions. A January 2024 survey found that that more than half of all enterprises were dissatisfied with the security offerings they had purchased. The recommendation is to make sure what you subscribe to addresses the specific atomic security functions needed. | Info | ||
Attack Surface | The Attack Surface or Surfaces is the place and time where attacks take place. The shift from data center to Network Cloud Ecosystem has created a multitude of attack surfaces. Identification of the attack surface is an essential step in designing a Zero Trust-based strategy. An Attack Vector is the path taken by a Threat Actor to obtain unauthorized access to a system or network. An attack surface is the total number of attack vectors an attacker can use to manipulate a network or computer system or extract data. | Info | ||
Attack Surface Reduction | ASR | The logic is making it harder for attacks to happen if there is less visibility and access to assets. I.e., the targets for attacks, to use the Attack Surface term, are minimized. This is somewhat addressed by a policy of only making the target actor visible to subject actors who are compliant to their specified privilege. However, this term could apply to almost any set of defenses. So, it’s only included because it has come to mean almost any collection of software and services that reduce threats. Having said that, any set of tools from a highly reliable source is likely a good thing. | Defense | |
Authentication | The process of verifying the Identity of an Actor (software, device, or user). If Identity Management is about establishing the identity of an actor then Authentication is the process of discovering if they are who they say they are. There are many ways to do this. Passwords, passkeys, multifactor authentication with or without Biometrics, TLS, mTLS, certification, etc. Given the scale of modern networking automation without security is unthinkable. Ditto security without automation. As with Identity Management, to achieve scalability, many systems invoke Authentication Management software and or services accessed via APIs.. | Info | ZT | |
Authorization | The decision given to authorize access to a network, Cloud, etc., by an authorizing person or strategy. This is executed by the process that results in Allowing or Blocking a Subject Actor from accessing a Target Actor. | Info | ZT | |
Automation | The scale of modern systems makes cybersecurity without automated intelligent systems virtually impossible. Firstly, human error is inevitable given complexity and constant change. Not patching ever-changing software, services, firmware and hardware and updating data manually is an opportunity for exploits to occur. Secondly, increased scalability present in larger organizations is the had automation be the only viable approach. Thirdly, the Artificial Intelligence element comes together with Automation to discover changes and notified irregularities detection and automated deployment of remedies. Finally, Automation and AI are also part of the DevSecOps process for the creation of both products and services. Several automated approaches may be required in addition to those overseeing organizational system and network functions (e.g., web site plug ins, platform updates, malware prevention systems and provider networks). Such approaches must be distributed to span the Network Cloud Ecosystem. | Info | ||
Automotive Threats | A separate topic in itself but specific threats to millions of vehicles as they become more defined as software driven vehicles apply. ISO has a standard ISO 21434 for automotive cybersecurity. Electric and self-driving vehicles are prone to specific system and battery management system attacks – but keyless car theft, disruption to autonomous vehicle communications via phishing attacks and all system functions apply to all modern vehicles too. It’s mind-boggling to imagine what would happen if a vast fleet of trucks were halted via a distributed denial of service attacks. Maybe that 2007 Mercedes is worth keeping after all. | Threat | ||
Back Door | The often careless habit of leaving security bypasses in code inserted to speed development or “just in case” access can’t be achieved. This is especially found in open source code where the practice has caused vulnerabilities. | Threat | ||
Beaconing | A technique used by malware to signal to its host that it is still in place, active and lying dormant until activated. An element of an Advanced Persistent Threat attack. | Threat | ATP | |
Biometric Security | Often used by multifunction authentication using facial, fingerprint, eye, voice etc., such biometric methodologies like other MFA defenses are a great help but are definitely not infallible and each can be cracked. Passkeys use of facial recognition combined with location or device recognition and substituting voice recognition (recently user voice-recognition software is also available) can be used to confirm you are who you say you are. | Defense | ||
Blast Radius | A term used to describe or measure those areas impacted by an attack. | Info | ||
Blockchain | It’s well-known that the inherent security of its distributed systems have enabled Ethereum/ cryptocurrency transactions. What is also clear is that it is not immune from a variety of attacks based on reuse of keys, identity theft and attacks on adjacent systems, etc. It remains to be seen if last year’s tally of a reported $1.8bn of cryptocurrency losses will be an upward trend. | Info | ||
Blocked List | Lists of flows, IP addresses, that are either approved for passage (Allow or White Lists), flows prevented from access (Blocked Lists) or suspicious traffic pending approval or blocking (Quarantined Lists.), Several variants to this. | Info | ZT | |
Border Gateway Protocol Vulnerability | BGP | This is a vulnerability in the poplar Internet protocol that could be exploited to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. BGP is a gateway protocol that’s designed to exchange routing information. | Threat | |
Botnet | A network of computers infected with a Bot virus program. Less common now in its original form but occurring more in terms of malware being transmitted around and ecosystem. See CAPTCHA below for an example of Anti-Botnet software designed to insert human interactions to prevent Bot attacks. Malicious tasks of one sort or another under remote direction. A Zombie is an Internet-connected computing device that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a Botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to Zombies. In October 2023 Cloudflare discovered a new HTTP/2 attack from 20,000 bots. Botnets have been seen in the millions!!! Very simple attacks can cause crippling Distributed Denial of Service attacks. It gets worse: the possibility of combining a Botnet with Worms initiated by Generative AI creates the doomsday scenario that could scale to disable the entire network ecosystem for email systems globally. | Threat | ||
Bring Your Own Device | BYOD | Potentially disastrous policy allowing users to connect to the organization’s network using their own device that may be infected or vulnerable to attack. This applies to staff contractors, and any outside third party. | Threat | |
Bring Your Own Vulnerable Driver | BYOVD | This falls into the category of hidden vulnerabilities that are little known to the average user. These are device drivers that should be updated automatically but often are not. They are often the location where attackers insert a specific kernel driver with a valid signature thwarting the driver signature enforcement policy and also may include code that gives the attacker kernel write primitive. The best fix is to ensure that all device drivers are updated from the source or via an OS automatic update. This is not a simple task since it is dependent on the diligence of Microsoft, Apple, Google and others. | Threat | |
Browser Isolation | Browser Isolation (also known as Web Isolation) is a technology that contains web browsing activity inside an isolated environment in order to protect computers from any malware the user may encounter. This isolation may occur locally on the computer or remotely on a server. | Defense | ||
Brute Force Attacks | Simply put, this is an important sounding name for guesswork or trial and error attempts to crack credentials by repeatedly using variants on a name, lazy use of keystrokes, etc., and why weak passwords are the cause of so many problems today. A report published by Hive systems in April 2023 showed how Brute Force attacks on passwords have dramatically reduced their time to crack passwords over the last 3 years – as 1-250 times faster – rendering anything less than 11 characters with numbers and symbols effectively becoming vulnerable. See https://www.hivesystems.io/ for their detailed analysis. | Threat | ||
Buffer Overflow Attack | A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information – which has to go somewhere – can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. This is why it’s important to write code using Memory-safe Languages. | Threat | ||
Business Email Compromise | BEC | BEC is a type of phishing scam where the attacker impersonates or compromises an employee or user’s email account to manipulate the target into initiating a to give away sensitive information or connect to a malicious remote Internet connected system. | Threat | |
Cache Cramming | Cache Cramming is malicious code that tricks a browser to run cached Java code held locally, rather than from a web page that has enforced restrictions. | Threat | ||
CAPTCHA | Completely Automated Public Turing test to tell Computers and Humans Apart. More recently automated by Google but many sites frustratingly still require you to identify crosswalks or bicycles, etc., often unsuccessfully!! At least it helps keep the Bots at bay. | Defense | ||
Camera Hacking | Malware that can spy on or listen to video calls without the user being aware. This is best defended by use of anti-virus or antimalware software set for frequent scans. | Threat | ||
CASB and SWG | Note: what is the difference between CASB and SWG?. Both CASB and SWG offer data & threat protection, and they are cloud-based. Cloud-based SWGs have more capabilities, which made them a suitable replacement for the limited firewall. They fulfil the same use case of network/perimeter protection by delivering network security services via the Cloud. | Marketing | ||
Cell Phone Cybersecurity | With most of the world’s population living on smart phones, access to personal information if not corporate applications are particularly vulnerable. With booking, ordering, social media, mail functions, texting and WhatsApp need special protection. Apple has had the stronger reputation for security over Android phones but they are all attacked either directly or vis apps that were not verified. Touchless and skimming attacks especially, are difficult to defend. | Info | ||
Certification and Certificate Authorities | CA, ACME | A Certificate is an electronic document that uses a digital signature to bind a public key and an identity. A Certificate Authority is an organization that is responsible for the creation, issuance, revocation, and management of Digital Certificates. Length of time that a certificate is valid is becoming under pressure in 2023 by Google with length of time reduced from unlimited to a few months. The point of including this is to make sure that your web hosting provider automatically updates your SSL certificates via the Automatic Certificate Management Environment (ACME). It is defined in IETF RFC 8555, to automate issuance of authentication certificate request, issuance, installation, and ongoing renewal across for web servers. A Certificate Revocation List (CRL) is list of certificates that have been revoked usually because the software has been compromised and is no longer to be trusted. | Info | |
Chief Security Officer | CSO, CISO, BISO | This is an evolving title and role. The only important point is to ensure a single board-level executive is responsible for security across the entire organization. This means Security Policy, implementation of the Security Strategy across the organization and beyond and reporting its progress. In the past it was definitely a role inside the IT department with the CSO reporting to the Chief Information Officer. With the growth and impact of cybersecurity, the title has either split (CSO and CIO) or grown to be Chief Information and Security Officer (CISO) or recently to Business Information Security Officer (BISO). The blurring of CSO and CISO functions is best demonstrated by the question of who is responsible for the companies electronic assets? The CIO/CISO has been the person with the accountability for data management yet perhaps the most important aspect of cybersecurity responsibility is the protection of the organization’s assets. See Asset Curation above for summary of what is included. It is a significant undertaking, hence the challenge of accountability. The view of this author is that it must be a holistic function taken on by a single individual responsible across the entire organization. | Info | |
Clickjacking | Clickjacking, also known as a UI redress attack, is when a threat actor uses multiple layers to trick a user into clicking on a website graphic or link to redirect the user to a malicious site or even an infected page on a site without them realizing it. Hence, the user’s clicks are hijacked. | Threat | ||
Clientless Operation | This is a methodology where no software is run on an end-user system. The effect is to severely limit if not eliminate the attack surface. I.e. a threat actor cannot infiltrate a system if there is no system to infiltrate. This is not quite the complete story, of course but if the user can only access the internet via a remote browser (Remote Browser Isolation) and then only access mail via that browser then the attack surface shifts to remote systems that are easier to control and manage, Even attacks on device drivers are moved to remote or Cloud-based systems. If this is accompanied by a ZTNA connection then then user’s compute device becomes an expensive dumb terminal – to use the vocabulary from 50 years ago, 10-15 years before PCs existed. This is an important approach for those working at home under the supervision of the IT department. | Info | ||
Cloud Native Application Protection Platform | CNAPP | Like SASE, CNAPP was coined by Gartner. It’s a bundle of cloud-based software: a platform usually including CSPM, CWPP and CIEM, code and container scanning. | Marketing | |
Cloud Access Security Broker | CASB | A Cloud access security broker is Cloud-hosted software or on-premises software or hardware that act as an intermediary or gateway between users and Cloud service providers. This is curious because as with other SASE elements this sounds a similar description to that Gartner provided for ZTNA (see below). | Marketing | SASE |
Cloud Security | Becoming Cloud-centric in terms of applications, the organizations, partners and your customers does not mean the end of cybersecurity responsibilities. In fact, everything you were responsible before is still present except now you cannot directly control or manage it and you are at the mercy of your integrators, providers and their chain of software vendors. The many new acronyms and terms are in use such as CWP: Cloud Workload Protection (keeping workloads secure and correctly configured), CSPM: Cloud Security Posture Management (monitoring of Cloud-based Infrastructures), CIEM: Cloud Infrastructure Entitlement Management (the Cloud equivalent of Identity and Access Management), CDR: Cloud Detection and Response, etc. In addition, microsegmentation and use of secure containers plus of Zero Trust approaches to the curation and updating of Cloud-based application assets are in play. As we said earlier, Clientless Operation does not mean you can forget about cybersecurity. | Info | ||
Cloud Security Alliance | CSA | With around 450 member companies, the Cloud Security Alliance (cloudsecurityalliance.org) is the organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. | Assn. | |
Cloud Security Notification Framework | CSNF | Cloud providers generate notifications that are semantically equivalent but require work to make them usable by security applications. The Cloud Security Notification Framework, developed by the ONUG Automated Cloud Governance Working Group, standardizes terminology and provides a common set of elements to ensure consistency across cloud providers. | Info | |
Cloudjacking | Cloud jacking involves an attacker gaining access to a cloud account, to gain access to data. The cause is typically phishing attacks and are best defended with the usual protections: MFA, separately held encryption/decryption keys held separately from user credentials. Cloud security alone may be insufficient | Threat | ||
Coalition for Content Provenance and Authenticity | C2PA | An open technical standard providing publishers, creators, and consumers the ability to trace the origin of different types of media. C2PA addresses the prevalence of misleading information online through the development of technical standards for certifying the provenance of media content. | Info | |
Code Injection | Used to alter execution of software initiate malware, instigate Lateral Movement attacks, elevate privilege to spread malicious software by embedding/infecting legitimate websites or systems software or applications with malicious code. A sophisticated variant of Code Injection is termed Process Hollowing. This is more difficult to track because it replaces code in software with malicious code making it harder to detect. It is more sophisticated to implement since the code it replaces presumably can no longer perform its programmed functionality! | Threat | ||
Command and Control | The twelfth element in the MITRE|ATT&CK system is how adversaries communicate with software they have implanted into a system often impersonating existing or standard software and communications to avoid detection. | Threat | ||
Common Attack Pattern Enumeration and Classification | CAPEC | CAPEC™ is a MITRE initiative that provides a publicly available catalog of common “attack patterns” to helps users understand how adversaries exploit weaknesses in applications. Established in 2007 by the U.S. Department of Homeland Security’s CAPEC “Attack Patterns” currently described include HTTP Response Splitting , Session Fixation , Cross Site Request Forgery , SQL Injection , Cross-Site Scripting , Buffer Overflow , Clickjacking , Relative Path Traversal and XML Attribute Blowup, etc. | Info | |
Common Vulnerabilities and Exposures | CVE, CVSS | CVE is a glossary that classifies vulnerabilities. CVSS is the scoring system for CVE. Vulnerabilities that meet the criteria (acknowledged by vendor for a particular code base) are listed by CISA government agency. They are given an ID (e.g., CVE-2022-654321), a severity score (CVSS): 9-10 is a critical issue 7-9 high etc. The list can be quite esoteric and does not typically indicate a resolution, so this is purely an informational reference. Around 10 CVEs are added to the CISA list each month. | info | |
Compliance | Failure to comply with government or SEC rulings on cybersecurity may cause actual security vulnerabilities or render organizations liable if breaches occur. In either case it’s important not only to understand such requirements abut to audit such compliance at the onset of a new project, It can also refer to internal security related processes. For example, DevSecOps, certification of transactions or during operation with ongoing automated monitoring. Just as privacy regulations have aligned with General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), etc. Cybersecurity is following the same path. SEC and CISA guidelines and rules will dictate the public and private policies that organizations comply to internally, for their customer clients and their suppliers. What this looks like is a set of rules covering the way you develop services, manage your staff, provide access and protect sensitive information and customer data. See also Governance below. | Info | ||
Content Disarm and Reconstruction | CDR | CDR is a technique for removing embedded malware from files, usually as they are received. Used increasingly with Remote Browser Isolation, CDR (1) flattens and converts files to a PDF, (2) strips active content while keeping the original file type, and (3) eliminates file-borne risks. Some loss of useful content may be encountered dependent on software functionality. | Defense | |
Context-based Access Control | CBAC | CBAC is firewall enhancement to traditional IP layer filtering. It also filters TCP and UDP packets based on application layer protocol session information. It can be configured to only allow forwarding from protected networks not ingress. IT does this via deep packet inspection. | Defense | |
Cookies | As anyone reading this knows, Cookies are small amounts of data implanted when you visit a web site. Used mostly by those tracking you interests for advertising purposes, they are at best an invasion of privacy. Recently, Google has attempted to not support them, much to the irritation of advertisers. The question is: do they also present a security risk? The answer is that even scrolling over an ad on a bad site can deposit cookies which could be used for identity theft. Most can be removed via your browser interface. Some not. Frequent cookie removal is recommended. | Threat | ||
Cookie Hijacking | This is the exploitation of a user-Internet/web server session to gain unauthorized access to information or services. In particular, it is used to refer to the theft or “hijacking” of cookie information used to authenticate a user to a remote server. | Threat | ||
Credential Re-use | Also, commonly (and strangely) known as Credential Stuffing, this attack steals a login username and password (e.g., used in Facebook, Twitter or Google) and reuses these credentials on other sites where the user has naively used the same password. See the Breaking News page in March 2023 for more on this. The answer is do not log in using this method as a breach on one site gives access to all sites! | Threat | ||
Credential Theft | Credential theft is the theft of user, software and device identity (names and passwords, etc.,) often with the intent to gain unauthorized access to computer systems, networks, or online accounts. It encompasses a variety of different techniques (phishing, man-in-the middle attacks, social engineering etc., but is the starting point for most APT attacks. The use of these techniques is also referred to as Credential Access. | Threat | APT | |
Critical Infrastructure | Utility, military, government, health, transport and city network operational infrastructures and much more. This is not a cybersecurity term but is frequently referred to because of the importance of protecting them from cyber-attacks. The US Government publishes its description of the 16 sectors and many subsectors that it comprises (See the CISA description). What distinguishes Critical Infrastructure is that their “incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” | Info | ||
Cross-site Request Forgery | XSRF | A type of attack exploiting a website’s trust in a user’s identity to perform unauthorized actions. | Threat | |
Cross-site Scripting | XSS | First seen 20+ years ago. A type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls. | Threat | |
Cryptojacking | Cryptojacking (a.k.a. crypto-mining) is malware that infects and imbeds itself in systems to steal information such as keys and access credentials to cryptocurrency systems (Ethereum etc.). This has resulted in $billions in stolen from electronic funds, etc. | Threat | ||
Cryptography | The application of mathematical methodologies to encrypt/encipher and decrypt data. Asymmetric Public Key Cryptography uses a public key and private key to enable encryption of data. In Symmetric Cryptography, the same private key is shared. Hashing is the processes for converting variable length data into fixed length encrypted via a one-way algorithm. | Info | ||
Cybersecurity Audit | A security audit is a systematic evaluation of an organization’s information security policies, procedures, and practices. In Zero Trust systems it is integrated with monitoring, reporting and event notification to verify continuous security integrity not just at a single point in time. Thus, weaknesses and vulnerabilities in the organization’s security posture, and may also recommend actions to be improved and ongoing holistic measurement can take place. A separate audit might be conducted internally by the organization’s own staff, or by an external auditor or consultant. A slightly different use of Audit is for validation of results monitored, for checking or validating curation of assets, checking the validity of claims made or process self-attested by suppliers. Audit Logs become part of the system to check progress and ensure items tasks are performed over time. | Info | ||
Cybersecurity Evaluation Tool | CSET | Developed by CISA to improve the security of government agencies, their supplying contractors, their products and services, CSET is comprehensive set of tools that assess the Security Posture. CSET is delivered as a free desktop software and downloaded here. An excellent series of explanatory videos are also available. With more here. | Info | |
Cybersecurity Framework 2.0 | This is the latest iteration of the NIST Cybersecurity Framework. While it is advertised as having 5 categories (“Identify, Protect, Detect, Respond, and Recover”), like many others it covers many more areas (22 main categories and a total of subcategories). Topics such as Zero Trust, microsegmentation, IoT security, lateral movement and APTs are not addressed. | Info | ||
Cybersecurity and Infrastructure Security Agency | CISA | The US government’s Cybersecurity and Infrastructure Security Agency(CISA) works with partners to defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future. https://www.cisa.gov/ | Info | |
Cybersecurity Insurance | The insurance provided in the event of a cybersecurity incident such as data breaches, ransomware etc. The audit described above is becoming a prerequisite for such insurance to be given. Typically, the top prerequisites for obtaining cyber insurance are provided on this site. They include, curation of all assets with automated backups and resilience planning, education, use of least privilege, MFA access, automated password management, malware and phishing defense, backup plans, employee monitoring, incident response plans, remediations, endpoint security, lateral movement defense, etc. | Info | ||
Cybersecurity Maturity Model Certification | CMMC 2.0 | The US Department of Defense’s comprehensive framework to protect the defense industrial base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. (November 2021) | Info | |
Cybersecurity Mesh Architecture | CSMA | Like SASE and SSE this is a Gartner marketing invention that possibly had a goal to simplify the challenges of Zero Trust deployment throughout the network? It seems like more marketing packaging of what enterprises are already doing. It was published in October 2021. It defined itself as follows: “Cybersecurity mesh, or cybersecurity mesh architecture (CSMA), is a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise. It builds on a strategy of integrating composable, distributed security tools by centralizing the data and control plane to achieve more effective collaboration between tools. Outcomes include enhanced capabilities for detection, more efficient responses, consistent policy, posture and playbook management, and more adaptive and granular access control — all of which lead to better security.” As what this means remains a mystery, I will add no comment other than to say that some companies will like attribute CSMA to what they were already selling anyway and claim to be first to market. In late 2023, the analyst companies are publishing reports on the “Cybermesh” market. | Marketing | |
CyberStart America | CSA | U.S. funded student Cybersecurity education program. ”CyberStart America is the most enjoyable way to discover your talent, advance your skills and win scholarships in Cybersecurity.” https://www.Cyberstartamerica.org/ | Assn | |
CybyrScore | CybyrScore is our Security Posture measurement tool that evaluates the whole organization and well beyond. It provides prioritized advice on the most important cybersecurity actions to conduct next. | Info | ||
Dark Web | The Clear Web is how we refer to the publicly accessible parts of the web like this site. However, it only represents a very small part of the Internet. The Deep Web refers to all those parts that are private, behind login-only accessible data and information – customer data, etc., covering about 95% of the Internet. The Dark Web is a tiny part of the Internet where encrypted parts of the internet are not indexed by search engines, used by all types of cyber criminals, to communicate and share information without being detected or identified by law enforcement. Malware of all types can be purchased on the dark web. It can be accessed by anyone but only via the Tor browser and with the correct URL, special software with the correct decryption key and access rights. Users remain almost completely anonymous. | Info | ||
Data, Applications and Services | DAAS | A key aspect of Zero Trust is the first step being identifying the Protect Surface. DAAS is the sensitive resources that guide you as to what to protect. My caution is that it is IT/OT and not holistically focused. | Defense | Zero Trust |
Data Breach | The hackers’ end-game. Exfiltration or corruption of critical user, corporate or customer/client data, intellectual property or corruption of software, etc. Breaches can, of course, mean illicit access to or corruption of any process or system as a means to an end. For example, an attack that allows elevation privilege to corrupt an operating system and implant malware. | Threat | ||
Data Loss Prevention | DLP | There is some disagreement about this term. Some have a narrow focus that it only deals with prevention of data removal or replacement. Others that it encompasses several prevention tools as an approach that seeks to improve information security and protect business information from data breaches. It prevents end-users from moving key information outside the network. DLP also refers to tools that enable a network administrator to monitor data accessed and shared by end users. It’s also a set of tools that both detect and prevent threat actors from either stealing or encrypting data. It’s labelled here as “Marketing” because it can contain a variety of tools to prevent unauthorized access to and exfiltration of data. | Marketing | |
Data Mining | Searching through data looking for key items of interest to attackers. Files with text indicating usernames, passwords and social security are obvious ones. Specific applications with known CVE vulnerabilities, monitoring or identity software with user privilege values, versions of software with unpatched code, are others in a long list. | Threat | ||
Data Tagging | The addition of attributes to data. This powerful defense is the counterpart to user attributes. I.e. the methodology to say what methods and policies are authorized to access the data. This could include data only being accessed from certain locations, via certain software, in read-only mode, at certain times, via users with certain levels of privilege or only after a confirming multi-function authentication of the subject actor. What would be helpful is a collaborative standard for those struggling with multple data management issues. | Info | ||
Deception Technology | This is a technique to bait adversaries that are seaching for vulnerabilities inside a system, often following a breach initated with social engineering or human error. Unlike a Honeypot physical device (see below), the latest techniques deploy a large variety of software simulations of processes that might be targeted by threat actors. This is at the forefront of defensive strategies with threat actors looking for such fakes as fast as they are created. | Defense | ||
Deep Fake | Video, audio clip or picture that has been altered to trick people to believe a corruption of the truth because they believe in the person who they are seeing or hearing and that they actually said those words. etc. A deeply disturbing trend often used in conjunction with other tricks. In July 2024, it was revealed that a threat actor used a deep fake image to gain employment with KnowBe4, a well-known cybersecurity company. | Threat | ||
Deep Packet Inspection | DPI | This is a methodology for inspection of traffic typically in a network but also between processes in a system. In a cybersecurity context, it is used by threat prevention functions and tools to detect and filter potentially exploitive traffic to block, quarantine or allow its passage. It also allows examination of traffic to ensure that it does not exceed the access level of the subject actor. This can be a complex process requiring significant compute resources that might involve comparing many tens of thousands of traffic patterns. It is called “Deep” Packet inspection as opposed to conventional packet inspection that only looks at header info for routing purposes. | Defense | |
Defensive Evasion | MITRE ATT&K (TA005) defines 25 techniques by which threat actors can disable or avoid defenses. An example is the disabling of security software. this is a frequent element of an Advanced Persistent Attack | Threat | APT | |
Deflection | Deflection has a special meaning in cybersecurity. The theory being that the more vulnerabilities that are protected the more attackers are deflected to easier, more vulnerable targets. It follows the simple concept of the thief walking down a line of cars looking for an unlocked door or the phone left on a seat. My book, when first published in 2022, identified more than 100 vulnerabilities or weak links. Many more have been unearthed since then. | Defense | ||
Delegation | Delegation is perhaps the most important and least understood aspect of cybersecurity. “Delegate Don’t Abdicate” is about verifying not trusting those who provide software services in fact any kind of third party action in your supply chain. Once you apply “Never Trust, Always Verify” you run into a catch 22 when you can’t control your suppliers. See more on what I believe are the six most important aspects of Delegation. CISA has begun a journey of self-attestation but is only just scratching the surface in their 2024 work. I’ve categorized it as “defense” because it falls into the “Threat Avoidance” category. In Feb 2024, NIST Special Publication 800-192 on Verification and Test Methods for Access Control Policies/Models is extending this work. | Defense | ||
Development, Security & Operations | DevSecOps | A methodology to include security as an element of the development of all services and products (not just software products and services) as they are designed, developed, tested, introduced ,monitored and iteratively revised. In addition, this work adds the responsibility into the Product Marketing responsibilities to investigate and include security in the requirements and product definitions. In the same vein, the term Shift Left is the practice of moving testing, of performance and security evaluation early in the development process often before code is written. The opposite (Shift Right) tests by simulating real world operations. Regression Testing (ensures that updates did not break or degrade existing functions) is key element of any release process. This is definitely the author’s personal definition. Security as Code(SaC) is the methodology of integrating security into DevOps tools and processes by identifying vulnerabilities in code, ensuring or migrating to memory safe languages, verifying the validity of open source code, yet without delaying process or increasing the cost of the process. A study published in June 2024 estimated that more than half of Open Source projects are written in Memory-Unsafe languages. | Info | |
Digital Forensics and Incident Response | DFIR | The Digital Forensics and Incident Response Report is published annually. The 2022 was published in March 2023 and provides a fascinating set of insights of the most potent threats in play. | Info | |
Digital Signature | Cryptographic transformation of data providing origin authentication, data integrity, and signer non-repudiation. See also Certification Authority. | Info | ||
Digital Twin | Driven by cybersecurity complexity, this concept is becoming and essential cybersecurity testing tool. The concept is to replicate network and system configurations in order to do update and regression testing or simulate complex scenarios.. | Defense | ||
Discovery | This element of an APT systematically searches for vulnerabilities in the users system so as to attack or compromise user assets. | Threat | ATP | |
Distributed Denial of Service | Dos, DDoS | Denial of Service (DoS) attacks are used to overwhelm a target device, software element, including websites, cloud containers or applications. The traffic itself is likely legitimate and not necessarily malware. A Distributed Denial of Service (DDoS) attack involves multiple connected online devices, collectively known as a botnet, may be delivered from a myriad of resources and typically targeting a particular victim. This makes it more complicated to defend. DDoS attacks in the past were more prevalent when Threat Actors were content with disruption rather than financial gain. Any of the targets mentioned above (web sites, etc., can be targets. However, more recently an insidiously, it’s attacks on infrastructure and security element management/control capabilities that can not only cause network devices or service (e.g., a Firewall) be overwhelmed and fail but then allow malicious traffic to penetrate and cause havoc. I.e., DDoS attacks can be the first element of a two pronged attack. | Threat | |
DLL Side-Loading | DLL side-loading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload. Threat actors commonly use this technique for persistence, privilege escalation, and defense evasion. | Threat | ||
DNS Security and Protocol Filtering | DNS, DoH, DoT | The Internet functions by matching website domain names to IP addresses using the Domain Name System (DNS). DNS Protocol Filtering checks whether a subset of a session contains messages that are to be allowed or blocked. DNS messages are specified in RFC 1035 and RFC 1996. DNS Security Functions are a set of important threat detection and prevention tools that are described in the DNS Threats item below. Two other functions: DNS over TLS and DNS over HTTPs (DoT and DoH) encrypt queries to provide additional protection. For example, DoT allows network admins to monitor and block DNS queries. Another DNS security protocol is DNSSSEC covering DNS data itself signed by the owner of the data rather than DNS queries and queries cryptographically-signed responses themselves. | Defense | |
DNS Attacks | The Internet functions by matching website domain names to IP addresses using the Domain Name System (DNS). DNS Security Functions are important threat detection and prevention tools that include filtering responses from known bad domains (DNS Blackholing), Distributed Denial of Service (DDoS) attacks, attacks tricking users into using malicious domains (DNS Hijacking and man-in-the-middle attacks). They use the DNS response to carry malicious payloads usually related to command-and-control connections (DNS tunneling) and attacks that create many random domain names to avoid detection. DNS Exfiltration is a lower-level attack on DNS servers to gain unauthorized access. Such attacks are difficult to detect and can lead to loss of data. | Threat | ||
Domain-based Message Authentication, Reporting and Conformance | DMARC | DMARC is an email authentication, policy, and reporting protocol. It verifies email senders by building on the Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols. It’s main use is as an anti-phishing tool. | Defense | |
Domain Controller | A Domain Controller is a server that responds to authentication requests and verifies users on computer networks. | Info | ||
Domain Name Filtering | DNF | Domain Name Filtering is defined as the action taken by a Service Provider to check whether a session contains domain names that are to be permitted or denied. Domain Name Filtering provides a level of protection for a Subject inadvertently attempting to access a malicious Target. | Defense | |
Drive-by Attacks | Drive-by Attacks or Drive-by Downloads is a shorthand for unintentionally downloading of various malware from insecure websites onto your devices – PC’s, phones etc., typically without the users involvement. They typically require no action by the user who has no knowledge of the infiltration. | Threat | ||
Dropper | Droppers don’t carry any malicious activities by themselves but are enablers, downloading and installing malicious code such as Trojans and rootkits. They may also hide their actions by installing harmless files and or delete themselves on completion. Downloaders are simpler. Their function is downloading malware, misleading apps or upgrades to the existing attacks. | Threat | ||
Dwell Time | The amount of time an attacker spends within the systems under attack, especially the amount of time the attacker spends undetected. | Info | ||
Elevation of Privilege | This is an attack when a bad actor gaining illicit access of elevated rights via an insider threat or via gaining access to data files containing user privileged data and modifying the data. As dangerous as giving unnecessary levels of privilege to these who should not have it – e.g., executives, contractors, etc. Note: Escalation and Elevation of Privilege are used interchangeably | Threat | ATP | |
Encryption | AES, DES, ECC | Encryption has many specific definitions and methodologies: symmetric and asymmetric cryptography, public and private keys, encryption types: Advanced Encryption Standard (AES) developed by NIST, Data Encryption Standard (DES), RSA, MACsec(IEEE), Ascon, etc. are used for secure communications. Encryption of all sensitive data on every type of compute device is supported and recommended to prevent data breaches and ransomware. For example: Elliptic Curve Cryptography (ECC) is used for digital signatures in cryptocurrencies such as Bitcoin and Ethereum. Middle Box functions are used typically to decrypt and inspect IP flows. Decryption is the process of transforming an encrypted message into its original plain text. A Cipher is a cryptographic algorithm for encryption and decryption. Key Management is the software provided by Cloud and security providers to manage the security of encryption keys. | Defense | |
End-to-End Encryption | Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible. | Defense | ||
Endpoint Detection and Response | EDR | Endpoint Detection and Response tools and products combine elements of both endpoint antivirus and endpoint management. the actual functions vary by security and service provider. Primarily EDR focused on Endpoint Security rather than security of the system or network security – the province of Extended Detection and Response (XDR) see below. See also Network Detection and Response (NDR) below. Functions may vary but typically include endpoint monitoring, threat detection, incident response and remediation. EDR typically provides less protection from Advanced Persistent Threats (APTs), the cause of most major breaches. | Marketing | ATP |
Evil Twin | We all use airport or coffee shop Wi-Fi but what if there was a rogue Wi-Fi Access Point that shared the same public credentials and intercepted your connection to the legitimate Wi-Fi and eavesdropped or stole your data? These devices are called Evil Twins. | Threat | ||
Exfiltration | The Collection phase of an attack is to gather information about the location of information to be Exfiltrated, being the unauthorized transfer of information from an information system. A key principal of Zero Trust is the avoidance of exfiltration (stealing) of data. | Threat | ||
Exploit | A methodology/software to take advantage of vulnerabilities by breaching the security of a system or network ecosystem. | Threat | ||
Extended Detection & Response | XDR | See also Endpoint Detection and Response above and Network Detection and Response (NDR) below. XDR is a technology that can/may offer improved threat prevention, detection and response capabilities for security operations teams. XDR describes a unified security monitoring and unified reporting incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. If this sounds like marketing hype it is disguising the fact that XDR provides the best protection against APTs – the cause of most ransomware attacks. | Marketing | ATP |
Fast IDentity Online | Fido | An authentication standard defining a fast and secure authentication mechanism for users to access websites and applications. FIDO-2 uses WebAuthn authentication. | Info | |
Federal Risk and Authorization Management Program | FedRAMP | A government-wide initiative to assess, authorize, and monitor cloud software providers and protect the sensitive data housed in federal agencies. | Info | |
Firewall | A Firewall secures a network by deciding which data packets are allowed to pass through a network. Primarily intercepting Layer 3 IP traffic. Traditionally Firewalls were dedicated devices but are more commonly delivered as a software process. Firewall management software can be susceptible to layer 2 DDoS attacks and also Port scanning. Software detecting threats to web-based applications (via HTTPS protocols) are known as Web Application Firewalls (see below). There are certainly issues related to legacy implementations so care is required. A Distributed Firewall is a recent term for a layered approach that embeds firewall code in the fabric of a network system’s architecture rather than as a separate process. Gartner’s market term: Next-Gen Firewalls refers to IP plus application layer combinations. The security functions enabled in today’s firewalls have become blurred so the key is to examine the detection and prevention functions not the marketing hype. The whole Firewall genre may have a limited lifespan. | Marketing | ||
Firewall as a Service | FWaaS | Firewall as a service, also known as a Cloud firewall, provides Cloud-based network traffic inspection capabilities to customers seeking to migrate to a hybrid or multi-cloud model. It reduces the burden on on-premises data center equipment and management burden for internal Cybersecurity teams. | Marketing | |
Form Jacking | JavaScript code insertion to intercept payment card details directly from the payment forms on the checkout web pages of eCommerce sites. | Threat | ||
Fragment Overlap Attack | A TCP/IP Fragmentation Attack is possible because IP allows packets to be fragmented for transport across networks. The TCP packet (and its header) are carried in the IP packet. In this attack the second fragment contains incorrect offset. When packet is reconstructed, the port number will be overwritten. | Threat | ||
Fork Bomb | This is effectively a Denial of Service attack in that it can consume all of the memory and compute resources on a system. A Fork Bomb works by using the fork() UNIX/Linux call to create a new process which is a copy of the original. By doing this repeatedly, all available processes on the machine can be taken up. It can by continued by limiting the number processes that a software actor can run simultaneously. | Threat | ||
Generative AI Attack | ChatGPT, its offshoots and extensions like Microsoft Co-Pilot and implementations are both an opportunity and weapon. ChatGPT’s ability to generate exploits has been shockingly documented with recent (April 2024) studies of ChatGPT-4. See also the use of AI generated Deep Fakes (above). A new AI-related threat, termed Fraud GPT, is available on the dark web with the potential to make weaponized generative AI freely available. Cybersecurity threats using AI appear in many forms such as sophisticated phishing and APT reconnaissance and cataloguing of defenses and vulnerabilities and potential for large scale disruption will be covered in due course. | Threat | ||
Generative AI Defense | GenAI, LLM | This by definition will be an incomplete entry for some time. Its veracity is limited by the content of its Large Language Model (LLM) and more recently Small Language Models(SLMs). On the flip side of large scale attacks is the use of large scale defenses for logging of instances, defense against DDoS attacks and discovery of system status in real time. AI plus Zero Trust is likely to be a new field in its own right. Specifically, it’s Adaptive AI that is the GenAI area that deals with vast amounts of network and cybersecurity data that change moment by moment. It’s the ability to use this information to understand if a transaction is to be allowed “now,” to filter which incidents require rapid attention to predict incidents that may happen. This requires dynamically training of LMs. The overriding challenge remains to distinguish valid information, code and recommendations and to distinguish them from what are known as AI Hallucinations – basically information or recommendations generated by LLMs that make little or no sense thus discrediting or undermining all of the genuine information. Retrieval-Augmented Generation (RAG) – is a new technique for enhancing the accuracy and reliability of generative AI models retrieved from external sources. The opposing forces of Hackers and legitimate forces to leverage GenAI are set in a background of fear surrounding AI. The use of GenAI to track potential intrusions in real time is under development, with the initial solutions aimed at the largest organizations. | Defense | |
Governance | The responsibility for oversight of security spans all departments. The implication from a holistic perspective is that the responsibility for Governance lies with the CSO reporting to the Executive team directly and working with legal councel. This is validated with the requirement for consistent approach to Risk Management. This is where the oversight for all potential internal and external vulnerabilities including verification comes together. Governance also provides oversight for Compliance to government or business rules (See Compliance above). It may also be aligned with Cyber-Insurance and Privacy requirements. | Info | ||
Hacker | A Hacker is the well-known term for those with malicious intent on inserting malware in systems. More correctly these are known as Black Hat Hackers, whereas a White Hat Hacker or Ethical Hacker is one who looks for vulnerabilities in order to report them and have those weaknesses removed – whether in a software company or an end user organization. | Info | ||
Hacking as a Service | HaaS | Joining and expanding on the recent Phishing and Ransomware as Service Toolkits are Hacking as a Service tools. A grim warning in the UK government’s report from the National Cyber Security Centre in April 2023 believes that not only have 80 country states purchased these toolkits but unscrupulous private groups are expected to join. The are not only a superset of RaaS and PhaaS but they have the ability to generate variants as Zero Day attacks. | Threat | |
Holistic Cybersecurity | Cybersecurity has been the term given to the protection of data, networks, software from digital attacks and the unauthorized access to systems. Holistic Cybersecurity covers all aspects of an organization, large & small – not just IT. It begins with the Exec team, expands to all departments, encompasses third parties, suppliers, contractors, in fact every area where you must take responsibility for the security of your organization. The principles of Zero Trust apply everywhere, from the people you hire, the cameras in the lobby, the cleaners, your security firms, your web sites, sales software and accountants you hire, etc. This is all detailed on this site, of course, and should be incorporated into your security policy. | |||
Honeypot | A Network Attached Device that lures and deflects attacks and attackers. It might represent an Internet connected Database, Web Server, PC, etc. The concept is that these devices are designed to report on any access – since there is no legitimate reason for such access. It is less easy to find reports on the effectiveness of individual solutions one of which is canary.tools | Defense | ATP | |
Human Error | Obviously not a definition but critical in reducing risk. This is a long list of areas where vulnerabilities to human error are the most likely to cause a breach: (1) not taking cybersecurity as integral to business life, (2) not being vigilant regarding phishing attacks and making excuses for not taking anti-phishing training seriously, (3) Lack of social engineering and insider threat strategy and training, (4) trusting and not validating third party products (especially software), services and contractors, (5) misconfiguring or lack of automated software updates, (6) unprofessional attitude on testing software processes when changes are made, (7) insufficient vetting of potential staff or contractors and finally (8) not taking a vigilant approach to data backups and testing of backup restoration. | Info | ||
Hypervisor-protected Code Integrity | HVCI | Hypervisor-protected Code Integrity (also called Memory Integrity), uses Microsoft’s Hyper-V hypervisor to virtualize the hardware running some Windows kernel-model processes, protecting them against the injection of malicious code. | Defense | |
HyperText Transfer Protocol Secure | HTTPS, HTTP | HyperText Transfer Protocol Secure (HTTPS) is a protocol that secures communication and data transfer between a web browser and a website. HTTPS uses TLS (SSL) to encrypt HTTP requests and responses, HTTPS is the secure version of HTTP. Most Anti-Malware software protects users by warning or disallowing access to HTTP sites. Some browsers also detect sites as unsafe when spuriously deciding that site based graphics contain malware. Getting into details: HTTP/2 (2021) was reported by CISA (in October 2023) as having DDoS Vulnerability known as Rapid Reset (CVE-2023-44487) with patching recommended. HTTP/3 is in use by Google Chrome and Facebook is a faster protocol that is carried by the UDP protocol. | Defense | |
Identity | The unique identity of a user, device or software that is involved in a transaction or exchange of information. See also IAM below and Authentication. The personal identifying information (PID) is that allows the identity of an actor to be directly or indirectly inferred. | Info | ||
Identity Theft | The theft of a user’s (or software or device’s!) unique identity for the purpose of impersonating them. This includes their password and or biometrics. Identity Cloning is another form where personal data is altered or removed to hide criminal records, country of origin and the criminal takes on a new identity. | Threat | ||
Identity and Access Management | IAM | IAM is a set of processes, policies and tools for controlling user access to critical information. It’s the discipline that enables individuals to access resources at the appropriate times. It’s important not to collapse Identity and Access since both are elements of Zero Trust but Identity Management and Access Management software/services are possibly independently sourced software functions or services. | Defense | ZT |
Immutable Storage | Immutable Storage is storage that when written once cannot be rewritten, just read. This can be on-premises or within Cloud storage where it is known as Immutable Cloud Storage and similarly as Immutable Backup. This means that providing the data was valid when written it cannot be encrypted by a threat actor thus preserving its integrity. This does not prevent theft but does prevent destruction, encryption or corruption by a threat actor. | Defense | ||
In the Wild | Usually refers to incidents or attacks seen in actual live situations rather than in a simulation or in a test lab. Not really a technical definition but worth including. | Info | ||
Incident Response Plan | Incident response is a planned approach to rapidly address and manage the reaction and recovery as soon as a cyber-attack or network security breach is detected. The procedures defined and documented in an Incident Response Plan, must be tested not just planned using Content Disarm and Reconstruction or similar software approaches to avoid saving malware infected data that would survive and negate recovery. Recovery of data from air-gapped servers must include decryption/encryption of all sensitive information. See also Asset Curation above. The plan need not be an all-or-nothing plan but can be part of operational activities. I.e. it could include how to respond to detected intrusions, notification of blocked threats, attacks on elements such as policy and asset control list, or unauthorized privileged changes, etc. | Defense | ||
Indicators of Attack | IoA | Unlike IoC below, Indicators of Attack alert administrators to precursors of attacks such as Discovery, Lateral Movement and Living-off-the-Land Attacks prevalent in ATPs, so that actions can be taken to prevent attacks before the occur. | Defense | |
Indicators of Compromise | IoC | The IETF (Internet Engineering Task Force) created RFC9424 to review fundamentals, opportunities, operational limitations, and recommendations for Indicators of compromise use. Cybersecurity “defenders” frequently rely on IoCs to identify, trace, and block malicious activity in networks or on endpoints. | Defense | |
Information Systems Security | INFOSEC | The protection of information systems against unauthorized access or attempts to compromise and modify data, whether it’s stored data, processed data or data that’s being transmitted. | Marketing | |
Infostealer Malware | As the name implies, this is malware that is designed to gather information from a system, typically login information. In July 2024 it was supposedly the source of the larges breach that resulted in the theft of credentials of 400 companies who were clients of Cloud Broker Snowflake | Threat | ||
Insider Threats | This is when a trusted insider (usually but not necessarily staff), gains access to confidential data, accidentally or deliberately inserts malware, exfiltrates, data etc. Such threats can be from Negligence (usually caused by lack of least privilege, not updating vulnerabilities fixed by supplying software companies, users mistakenly falling foul of phishing attacks), Malicious Insiders deliberately compromising systems for personal revenge or because they were employees planted by threat actors (good grief), of by Compromised Insiders either unwittingly having their credentials stolen of coerced financially to commit crimes. Another aspect of all of this is coercion or deceiving insiders that is also referred to as Social Engineering as reportedly occurred in the MGM breach in 2023. This is where the principle of Least Privilege and monitoring of all network access is key. HR has a key role to play in monitoring staff and trusted third parties. | Threat | ||
Internet of Things Attacks | IoT, IIoT | See Operational Technologies below and Ascon above. IoT is also in critical infrastructure known as Industrial Internet of Things (IIoT) are typically the target for hackers due to their limited compute capabilities, remote location, etc. Microsoft reported in October 2023 that 78% of IoT devices had vulnerabilities and 46% were not patchable. (25% used operating systems that were obsolete.) See “Air Gap ” above as one level of protection. | Threat | |
Internet Protocol Security | IPsec | A group of IP protocols use to create encrypted connections, exchange keys, etc. The IPsec reference document is IETF RFC 6071. | Defense | |
Intrusion Detection System | IDS | An IDS gathers and analyzes information from a compute resource locally, in a cloud, or network to identify possible security breaches, including intrusions from outside and within the organization. | Marketing | |
Intrusion Prevention System | IPS, IDPS | An Intrusion Prevention System (IPS) applies IP reputation and content matching rules to block known bad sessions. These systems known as IDPS, may also include anti-virus systems for inspecting file content across many protocols, for example HTTP, IMAP, and SMB. Threat and Intrusion Detection Systems have a similar role as IPS but use detection technologies that preclude blocking. For example, behavioral analysis of file content and network anomaly detection often have detection delays and resource requirements that prevent inline deployments. The systems respond to detections by issuing SENs (alerts). | Marketing | |
IP, Port and Protocol Filtering | IPPF | It is defined as the action taken by the SASE Service Provider to check whether a session includes a list of source or destination IP addresses, source or destination port numbers, transport protocols and/or application protocols that are to be allowed or blocked. | Defense | |
IP Spoofing | A tactic to supply a fake IP address disguised as a legitimate address. This is often in the form of an Internet Protocol (IP) packets which have a modified source address in order to either disguise or hide its real identity | Threat | ||
ISO 27001 | ISO 27001 is a set of information security standards, guidance and certification. Its scope covers security policy, risk assessment process objectives, assessment of staff competence, risk assessment, auditing etc. It’s not mandatory standard. It can be downloaded from ISO at a cost of CHF 129. | Info | ||
Key Logging | Keylogging software is spyware logging everything that you type (for instance credit card details and MFA codes(!) The collective wisdom is around typical prevention of inadvertent use of infected applications and defense against malware. | Threat | ||
Lateral Movement Attacks | This is the concept of malware being downloaded or otherwise being placed on a device or process and as part of the attack, moved to another system, even cloud or part of the network and immediately, days or even months later becoming active. Most Ransomware or Phishing as a Service attacks begin with penetration of a system to infiltrate systems with Malware followed by one or more Lateral Movement attacks. | Threat | ATP | |
Least Privilege | PoLP | The Principle of Least Privilege is that users, devices & programs should only have the privileges necessary to complete their tasks. Perhaps beyond the scope of small companies, Separation of Duties also helps to separate and limit privilege and duties rather than give privilege for roles that are beyond the user’s responsibility. There are further divisions regarding membership of Static or Dynamic Separation of Duties groups covered in NIST 800-192. | Defense | ZT |
Living off the Land Attacks | LotL | Living off the Land describes Cyberattacks which use legitimate software and functions available in the system to perform malicious actions on it. These are often inserted via email/phishing and can be very difficult to detect. | Threat | ATP |
Macro Virus | In recent times, Microsoft switched the default to disallow opening of Excel and Word documents containing Visual Basic Applications edition macros without agreeing to do so. Especially in Excel, VBA is a powerful programming language that can easily hide malware. It can also be delivered as an XLA or binary coded format where the code cannot be inspected. | Threat | ||
Malware | Malware is defined as any software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. Note: Viruses that infect code and Trojans that pretend to be legitimate code are both forms of malware. Malware as a Service like other similar tools is increasingly used a s platform for attacks. | Threat | ||
Malware Detection and Removal | MD+R | Malware Detection and Removal is defined as the action taken by a software provider to check whether a session contains malware, and to remove the malware or block the session containing the malware. | Defense | |
Man-in-the-Middle Attack | MiTM | In a Man in the Middle Attack a system intercepts traffic from a subject actor while appearing to be the target system. At the same time, it masquerades as the subject to the actual target system. Its objective is to spoof an actual dialog for a number of malicious purposes without arousing the suspicion of either party. This is where many attacks begin and is the prime way in which 2 Factor Authentication can be hacked. A more sophisticated and proactive evolution of MiTM now exists known as Adversary-in-the-Middle (see above). | Threat | |
Managed Security Service Providers | MSSP | MSSPs outsource monitoring and management of required the networked security functions including intrusion detection, SASE functions such as CASB, ZTE, Firewalls, etc. The distinctions are blurred since some managed service providers combine IT and security functions, others – both regional network service providers and tier 1s combine security and network services. In all instances it is necessary to understand the actual functions required and provided. | Info | |
Memory Forensics | Memory Forensics is a branch of digital forensics that focuses on the analysis and extraction of data from a device’s RAM. This is a critical tool in the investigation of attacks and malware infections that cannot be obtained through traditional file-based forensics. | Info | ||
Memory-Safe Languages | Many vulnerabilities occur because poor language disciplines allow malware to hide inside application memory spaces for later activation. This frequent ploy can be limited or even removed. Newer application languages are much more careful. This means that knowledge of the language that an application is written in becomes a factor in choosing an application. Examples of memory safe languages are Rust, C#, Go, Java, Ruby, and Swift as opposed to C, C++ which are not. Judicious use of complier options help here too. Thanks for this gem go to Steve Gibson of Security Now and SpinRite fame. CISA has also weighed in on the importance of this topic. Unfortunately, they are in the form of recommendations not regulations. This is hardly surprising since the cost of recreating existing work, some of the verge of deprecation would be astronomical and take years. | Defense | ||
Microsegmentation | There are two main interpretations of this term with a common principle. The first being the ability to compartmentalize Cloud and data center functions and applications into secure segments. This works well with implementing Least Privilege, Zero Trust enforcement points, Identity and Access Policies where it is most relevant. For this author microsegmentation is a natural instance of a Zero Trust policy enforcement point. Either way, the secure segmentation at the workload or secure container level certainly helps deter lateral movement attacks. The second is the segmenting of networks to limit the visibility of sensitive areas to unathorized users. | ZT | ||
Microsoft Windows Obsolescence | October 14th, 2025 is the last date to upgrade to Windows 11 before Windows 10 and earlier versions of Windows become unsupported, unpatched and vulnerable. As of August 2024, only 30% of upgrades had happened. | Info | ||
MiddleBox Function | A function used to decrypt and re-encrypt secured communications. This process should be in a single device which may include other functions/processes. It is typically required to be protected by Certification in order to be part of a trusted connection. | Info | ||
Misconfiguration | The term for the incorrect configuration of many aspects of a system that can create vulnerabilities or that could be used by threat actors. The cause of such misconfigurations are many – typically human error, incorrect or outdated information but principally from lack of automation using outdated software. | Assn | ||
Mitigation | One or more steps taken to minimize or eliminate cybersecurity threats, risks and consequences. | Info | ||
MITRE | MITRE ATT&CK® is a mind-bending source and globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. It breaks down threat types in sequence order into 14 categories: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact. Within these, MITRE details 250+ subcategories naming thousands of threats and threat actors. Items in bold are described on this page. Explanations of how and where to defend such actions are given where possible. While it lists examples of credential information gained from phishing it does not cover items such as social engineering, software & supply chain verification, etc. Some of these categories were last updated in 2019 but the subcategories are often more recent. It is also known for its annual MITRE ATT&CK evaluations. See also CAPEC and STIX on this page Click for more on the MITRE system. | Assn | ||
Monitoring and Auditing | Automated continuous Monitoring is a key element of any Zero Trust implementation. The continuous aspect is to make sure that any time-based access privileges are in compliance (either time-of-day or duration), or events that arise, such as blocked access attempts, etc., elevation of access changes are logged/reported via the Secure Event Notification system. Control via an automated system is required. Auditing may also be required to ensure both integrity and compliance with policies is maintained. Also incorporated should be detection of Anomalous Behavior Detection which typically includes awareness of and deviation from normal network traffic and applications flows, possible middle box functions, and built-in Security Event Notifications and alerts integrated to the user and provider systems | ZT | ||
Multi-factor Authentication | MFA, 2FA | Everyone must be familiar with this irritating phenomenon. It means that you are required to prove who you are by having two (Two Factor Authentication or 2FA) or more ways of identifying yourself (MFA). For example, after you enter a password, you must also enter a code sent to your mobile device or email. Sometimes multiple proofs are needed. e.g., face recognition or providing your dog’s birthday. See also, Passkeys. Now the bad news. Roger Grimes of Knowbe4.com has identified at least 20 ways to hack two factor authentication including analysis of 25 +MFA systems. A variant that is aligned closely with Zero Trust’s “Continually Verify” is Continuous MFA where an actor is reauthenticated during a long transaction or session to ensure that it is still valid. This is particularly important to guard against exfiltration or encryption of data beyond an authorized time or window- a telltale sign of a breach. | Defense | |
Multi-Layer Security | MLS | This concept goes back over 40 years but is often dismissed or forgotten. Most cybersecurity actions focus on users, software and devices – a.k.a. subject actors – accessing target actors. This revolves around IP (Layer 3) data flows and also to some extent application data flows. However, this overlooks attacks on the security software itself. For example, denial of service attacks at the data link layer (2) or TCP layer (4). Attacks on the management of all software and devices are also weak links that are not carefully protected. Recent examples of security software being disabled are prime examples of lack of multi-layer security. Device drivers and video application file protection are other areas that are vulnerable. The main point is that a multi-layer security approach is critical and that what is secure at one layer should not be trusted to be secure at the layer above or below. Update from December 2024: We put the concept into practice with our 10 layer cybersecurity methodology. | Defense | |
Multi-Level Security | Unlike MLS above which is more frequently applied to layers of network protocols, Multi-Level Security is a generic term that is the concept that if one aspect of cybersecurity is penetrated then other defense mechanisms are there to prevent breach. In holistic cybersecurity, it can be applied even to lack of security policy, social engineering and any one of 100 factors. Advanced Persistent Threats (see earlier), are examples of attempts to break multiple levels of threats. | Defense | ||
Mutual Transport Layer Security | mTLS | Mutual Transport Layer Security (mTLS) is a process that establishes an encrypted TLS connection in which both parties use X.509 digital certificates to authenticate each other. MTLS can help mitigate the risk of moving services to the cloud and can help prevent malicious third parties from imitating genuine apps | Defense | |
National Institute of Science and Technology | NIST | The National Institute of Science and Technology (NIST) has many areas related to cybersecurity. One is the Special Publication 800-207 “Zero Trust Architecture.” There are 1000+ items in their Computer Security Resource Center. Just like all the other entries referenced here, they are put together by people who are not necessarily experts at everything they write or have commercial bias. Just look at the ZTNA definition and you will get it – you have been warned. | Info | |
Network as a Service | NaaS | The reason that this emerging service is covered here is that it promises to allow proper delegation of security responsibilities to service and software suppliers as an import cost and resource saving for enterprises. For full coverage see cybyr.com/delegation. | Info | |
Network Detection and Response | NDR | Network Detection and Response is the latest (October 2024) in the family of Detection and Response tools/solutions. The others being EDR and XDR described above. Two things set NDR apart. The first is its use of AI and Machine learning techniques to detect threats. The second is, as its name implies, the examination of network traffic, an area where most ransomware threats are in play in multi-cloud ecosystems. There are several solutions applying this technique and therefore actual functionality and techniques vary. This will become increasingly important as the use of adaptive AI approaches mature. It will also become integrated with Zero Trust enabled network services | Info | |
Nonce | A random or pseudo-random number used only once in a cryptographic protocol to prevent replay attacks, often used in digital signatures, key exchange, or message authentication. | Info | ||
OAuth Authorization | OAuth 2 | An authorization framework that enables applications — such as Facebook, GitHub, and Digital Ocean — to obtain limited access to user accounts on an HTTP service. See warnings on password and Identity Re-use since if one web site is hacked then all websites where a user uses Google or Facebook to login become compromised! | Info | |
Open SSH | This highly stable Open Secure Shell, a tool for secure system administration, file transfers across the Internet, encrypts identities, passwords, and data avoiding theft. See Breaking News item of a flaw that was discovered in July 2024 impacting this stability and millions of Linux devices. | Info | ||
Open Source Malicious Code Threat | This is a generic threat of the insertion of malicious code into publicly posted code that is used in both open source and proprietary projects. The infamous Log4Shell malware was a result of such an attack. Prevention of this threat is the validation of any externally sourced code. | Threat | ||
Open Worldwide Application Security Project | OWASP | OWASP is a nonprofit foundation working to improve the security of software and the source for developers and technologists to secure the web. It delivers Tools and Resources, Community and Networking, Education & Training | Info | |
Operational Technology | OT | This refers to the Operational areas of a network as a complement to the IT functional areas. A subset of OT is also referred to as IIoT or IoT covered above, which can be confusing. OT has previously been sheltered from attack and has become a focus for mitigating Cybersecurity weaknesses in manufacturing, utilities, smart city, defense and many real-time and Critical Infrastructure attacks. Musch focus is on the defense of devices never intended to have an IP level of connectivity or IT grade computational power. Many use niche protocols as a form of protection. Interception of data from remote locations in campuses, rail and utility networks, etc., are typical reasons why encryption is required. Many companies refer to IIoT as simply IoT as this is easier to understand. | Info | |
Passkey | A digital credential that adheres to the FIDO and W3C Web Authentication standards. Similar to a password, websites and applications can request that a user create a passkey to access their account. Passkeys rely on unlocking a device to verify a user’s identity. A new (October 2022) web site passkey.dev, gives the latest information. | Defense | ||
Password Based Key Derivation Function version 2 | PBKDF2 | This is a defense against brute force attacks on passwords by making automated password guessing impractical by adding a large number of complex iterations causing large amounts of compute power to be added to the hackers process. This is generally known as a Key Strengthening Protocol. | Info | |
Password Managers | Password Vaults such as those managed by managers such as BitWarden encourage Password Iteration count (the number of times the password is hashed) to have a value of at least 100,100. The previous password manager market leader (LastPass) is not recommended (see Breaking News). | Info | ||
Password Spraying | Similar to the purpose of Credential re-use, penetration of user accounts looks to brute force attacks discovering commonly used weak passwords over many accounts to avoid lockouts to see if a valuable app can be compromised by one of the weak passwords. | Threat | ||
Passwords | Passwords and their length, management and security are tiresome topics. One-time Passwords as the name indicates are designed to be used once. Password length is the most important (25 characters or more randomly generated). Brute Force Attacks, Passkeys and the approaching Quantum Computing hopefully will see the demise of the password. See Credential Re-use warnings on reusing passwords. | Info | ||
Patch | A maintenance update to code either to fix a problem or remove a security vulnerability. It’s important to have a management process to automate patching to avoid threats and remove vulnerabilities quickly. | Info | ||
Payment Card Industry Data Security Standard | PCI-DSS | The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council | Info | |
Penetration Testing | Pen Testing | Penetration Testing. Testing for vulnerabilities using hacker tools. | Defense | |
Persistence | The fifth element in the MITRE|ATT&CK system and the “P” in an APT is are the techniques to keep infiltrated code and data active through restarts and possibly upgrades. | Threat | ||
Personal Identifying Information | PII | Definition: The information that permits the identity of an individual to be directly or indirectly inferred. | Info | |
Pharming Attack | This is name for the technique used in a Man-in-the-Middle attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website’s IP address. By changing the pointers on a DNS server, the URL can be redirected to send traffic to the IP of the masquerading website where transactions can be mimicked and information like login credentials can be gathered. With this the attacker can access the real site and conduct transactions using the credentials of a valid user on that site. | Threat | ||
Phishing and PhaaS | PhaaS | Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email, text (Smishing), Voice mail (vishing) or targeting types of typically senior individuals (Whaling) or specific individuals (Spear or Trap Phishing). Variants including Cloning that copy legitimate emails and ones that include innocent looking Quishing or QR Code Phishing (usually pretending to be from DocuSign). Phishing is the source of the majority of cybercrimes. Malware triggered by clicking, Zero-Clicks, embedded code, Living off the Land Attacks, etc., begin here. The latest phishing attack type is called Angler Phishing (get the pun?). This is a social media attack that begins with getting the user to check a direct message. Most Phishing attacks are the prelude to lateral movement and installation of malware known collectively as Phishing as a Service. This was first observed in 2022, the phenomenon continues to grow in 2024 with the advent of AI. It is essentially a tool kit run as a service for use by less skilled hackers. It’s an example of a multi-faceted attack. 1. Phishing, 2. downloading of malware, 3. investigating weakness, 4. lateral movement of code to a vulnerable resource, 5. execution of remotely placed malware with elevation of privilege 6. data exfiltration etc. The kit can also be used to generate Zero Day attacks. | Threat | |
Physical Security | Physical Security is the protection of physical assets, resources, and personnel from unauthorized access, theft, damage, or destruction, often used to ensure the safety and security of buildings, facilities, and infrastructure. When contracted to outside companies proper verification of the providing company and their employees is critical. This includes the use of IoT devices, cameras, badge readers, etc., that are provided. | Info | ||
Ping of Death Attack | Another form Denial of Service attack, a Ping of Death attack sends an improperly large ICMP echo request packet (a “ping”) with the intent of overflowing the input buffers of the destination machine and causing it to crash. | Threat | ||
Platform Key | The Platform Key establishes a trust relationship between the device manufacturer or OEM and the firmware. It is an important element of the Secure Boot Process for Windows PCs. | Info | ||
Policy | This is the central controlling element of a Zero Trust enabled secure service. It’s the software or service element that manages and controls requested access based on Identity, Authentication, Access Control and Policy. This management may be at either a common point in a network or may also include the Policy Enforcement to protect data exfiltration or software replacement. It can be integrated as part of a service. It also initiates the monitoring of the flow between actors for the duration of a connection. Dependent on the access requested, it may manage at any layer of the network from physical to application layer and also the control or management plane software, operation of secure containers etc. | Info | ||
Policy as Code | Policy as Code is a current methodology that has become necessary in order to scale, automate and reduce development time. It’s included here, because it’s an important element of DevSecOps where it is termed as Security as Code. | Info | ||
Policy Management and Enforcement | Policy Management is the process in a Zero Trust enabled service that verifies whether the Actor requesting access is identified and authenticated, is in conformance with the role and policy, that the target Actor is similarly identified and monitoring of the access is initiated. Policy Enforcement is the location at which the Policy is enforced. | Defense | ZT | |
Polymorphic Malware | This is Malware designed to constantly change its identifiable profile in order to evade detection. Types of malware including bots, trojans, keyloggers, viruses and worms, can be polymorphic. | Threat | ATP | |
Port Scan | A Port Scan is a series of packets sent to learn which computer network services, each associated with one of the 65,535 TCP port numbers in an IP-connected devices, is vulnerable. The response indicates whether the port is open, closed or filtered, looking for weaknesses. For example, ports used for management information and left open are candidates for Denial of Service Attacks. | Threat | ||
Power Shell Attacks | PowerShell, a native Windows tool for system admin. As its use is difficult to detect, it is used as part of an Advanced Persistant Threat platform to create and instage Lateral Movement attacks, fileless malware execution, credential theft, etc. | Threat | ||
Privileged Access Management | PAM | PAM controls and enforces actor (user, software application or device) privilege levels. I.e., the level of privilege that an actor requires to access another actor. It enables the establishment of Least Privilege to minimize risk to administrative processes. PAM is either separate software or integrated with Identity and Access Management software (IAM, see above) and as such the data it manages and the software itself must be protected from threat actor attack since elevation of privilege is an important tool for ransomware attackers. Confusingly, using the same PAM Acronym, Privileged Account Management is the subset that deals with the management of privileged accounts themselves. Even more confusion is added with PIM (Privileged Identity Management). The main difference between PIM and PAM is that PIM addresses what access a user is already granted, while PAM addresses how to monitor and control access whenever a user requests access to a resource. As always, it is necessary examine the actual functionality and security of the functions of these products! | Defense | |
Protect Surface | Part of Zero Trust strategy is to identify those elements in the ecosystem that is designated for protection. There are likely many protect surfaces that require protection where policy enforcement is to be executed. | Info | ZT | |
Protective DNS | PDNS | Protective Domain Name System PDNS adds a threat intelligence check against all DNS queries and answers to avoid or sinkhole malicious or suspicious domain resolutions. PDNS integrates easily with existing security architectures through a simple recursive resolver switch. It’s important because it analyzes DNS queries and takes action to avoid threat websites, leveraging the existing DNS protocol and architecture. Protecting the DNS queries is a key cyber defense because threat actors use domain names across the exploitation lifecycle. Users frequently mistype domain names while attempting to navigate to websites and may be redirected unknowingly to a malicious site. From there, threat actors may exfiltrate data, conduct command and control operations, and install malware onto a user’s system. | Defense | |
Proxy Server | Unlike a VPN which transfers data via an encrypted tunnel, an IP Proxy Server acts as a gateway between users and the internet. It’s an intermediary server with its own IP address separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on use case, needs, or the organization’s policy. | Defense | ||
Purdue Model | Dating back to 1992, there is some discussion regarding the relevance of this structural model for Industrial Control Systems (ICS) security that concerns segmentation of physical processes, sensors, supervisory controls, operations, and logistics. Since then, the emergence of IIoT an IoT, Cloud hosting and Operational Technology has made this less recognized but the Purdue Model’s intention of segmentation is even more important today – along with the concept of air-gap has migrated from physical to virtual. | Info | ||
Quantum Computing | In case you haven’t heard about Quantum Computing, it’s a computing resource not based on 1s and 0s but on multiple states and capable of large numbers of simultaneous calculations. Coupled with some clever mathematics, including Shor’s algorithms, Fourier transforms and Euclid’s work Quantum computing promises scary, very rapid decryption on which all data and internet security is based. At the moment, and despite feverish research, Quantum computing has not nearly reached the required scale. Also, work is going on to develop encryption for a post-quantum world. December 2023 Breakthrough update: The approach of Quantum Computing and the demise of currently dominant asymmetrical encryption algorithms took an important step nearer with the announcement by DARPA (the U.S. Defense Advanced Research Projects Agency) and a highly technical paper in Nature Journal announced results from a team of almost two dozen scientists, most of them from Harvard, funded by a DARPA program known as ONISQ (Optimization with Noisy Intermediate-Scale Quantum devices). This has created a 200 fold increase in the creation of “Logical Qubits” – Quantum’s primary compute elements. Important new work on the creation of symmetrical encryption methods, resistant to quantum decryption is under way by NIST. More on both of these developments in 2024. | Info | ||
Radio Frequency Identification Blocking | RFID | More commonly referred to simply as RFID Blocking, it prevents illicit theft of credit card information etc. Blocking is accomplished by using wallets or sleeves that block the radio frequencies. | Defense | |
Ransomware and RaaS | Ransomware is a combination of malware or other software that results in user data, or systems being encrypted or locked until a ransom is paid. The threat is loss of or exposure of private data, or cessation of business critical operations. Ransomware payments do not generally prevent the threat from being executed. Ransomware as a Service (RaaS) was the model for PhaaS (above) as a tool kit run as a complete service for use by less skilled hackers. In 2023 Ransomware payments reached $1.1bn. | Threat | ATP | |
Raspberry Pi | Typically, a small device used to ascertain vulnerabilities. A Typical use is attached to IoT or operational technologies to test its security – but could also be used for malicious purposes. | Info | ||
Reconnaissance | Usually, the first step in a cyber-attack is the probing for vulnerabilities. Dependent upon the possible vulnerabilities detected, hackers will deploy the next stage of an attack – selecting the targets to steal or corrupt. The fourteen stages of threats are described by MITRE ATT&CK (later). Reconnaissance is also an element of Penetration Testing – an important test of defenses. Reconnaissance-discovered vulnerabilities are not just software weaknesses. I.e. social engineering, physical security weakness, supply chains – the list is almost endless. In fact, MITRE’s 10 categories and 33 sub-categories is just the beginning of the threat types. | Threat | ATP | |
Red Team, Blue Team, White Team | Where resources permit, a Red Team is a group of security experts who simulate attackers attempting to defeat the Blue Team who use their existing threat detection and prevention defenses to detect/thwart the Red Team’s attacks on an organization. The result is (in theory) a list of new defenses that can be deployed. This can be very challenging and rewarding when viewed from a holistic perspective. the White Team are the referees/scorers in this competition. | Info | ||
Remote Access Trojan | RAT | A large and growing variety of malware types designed to allow unfettered access to an attacker to remotely control an infected computer. | Threat | |
Remote Browser Isolation | RBI | RBI is a security measure that separates users’ devices from the act of internet browsing by hosting and running all browsing sessions on a remote cloud-based and hopefully secure container. It also means that data can be screened to avoid exfiltration of sensitive data or access to middle box functions and as a phishing defense. This, therefore, is an efficient way and place to implement a Zero Trust Enforcement Point. It also helps prevent malware being inadvertently being loaded onto end user systems. | Defense | |
Remote Code Execution | RCE | Remote Code Execution is a type of vulnerability that allows a threat actor to execute arbitrary code on a remote system or application. This type of vulnerability can be used to take control of systems, steal data, or carry out other malicious activities. RCE is also a general term since it can be applied to many difficult attack types. An example in an ATP is when installed malware is triggered to start execution long after it installed itself – as happened in the Log4J event. When discovered they are usually given a high vulnerability score (CVSS) by CISA. | Threat | ATP |
Resilience Plan | Resilience is the measurement of how well and how fast an organization can recover from a security incident and how well it is protected to prevent cybersecurity threats to avoid them occurring in the first place. If Zero Trust’s “Assume Breach” is an accepted part of the thinking, then a documented and tested Resilience Plan is a necessary part of the Security Strategy. | Defense | ||
Resource Development | Resources purchased or stolen and used as tools in attacks. Examples are Web domains, DNS Servers, Botnets, online adverts for Malvertizing. A lengthy list is documented by MITRE | ATT&CK (TA0042) | Threat | ||
Reverse Shell Attack | Unlike most attacks where the threat actor reaches out to the end user, as the name implies, a Reverse Shell Attack is when an end user unwittingly reaches out to malicious host using an in built Shell mechanism thus giving the attack the name Reverse Shell. Once initiated, the threat actor is able to execute code in the user’s machine causing mayem, initiating elevation of privilege, lateral movement, etc. Detection is via regular vulnerability scans, ec. | Threat | ||
Risk | Additional to the generic concept of “reduction of risk,” Risk is also used to measure the level of defense being achieved (or not). Although there are many tools/software products that measure “risk,” they typically measure just a part of the problem. The question is do they address the problem that “security is only as strong as the weakest link?” This is why holistic cybersecurity is the only viable approach since it covers the whole organization and beyond. CybrScore provides a (1) Cybrscore Risk Assessment Rating – a measurement of how well the defenses cover overall, multi-level defense – the higher the better and (2) a Holistic Risk Rating – the likelihood of an organization being penetrated – the lower the better. P.S., anyone who use terms such as eliminates or removes risk does not understand the term that you cannot prove a negative. | Threat | ||
Risk Appetite | A pretentious marketing term that really means the amount of risk an organization or investor is willing to take – in other words Risk Tolerance – see below. NIST has a definition of Risk Appetite: “The types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value.” This is an example of a non-implementable action, that this author believes helps no-one. | Marketing | ||
Risk Management | In the same family as Threat Management, and Asset Curation, Risk Management adds the measurement and finance component. Overall, It’s the decision making process that governs the priority of what should be protected. | Marketing | ||
Risk Register | A repository of risk information including the data understood about risks over time. They are typically used by security teams to identify potential risk events, with the likelihood, impact, and description of an event to track the risk. A separate record should accompany this inventory to log control deficiencies that can contribute to the risks included inside your risk register. See also the NIST definition. | Info | ||
Risk Tolerance | Risk Tolerance is the expression used for the amount of risk, by department, that an organization is willing to accept and deal with risks or uncertainties that could hurt its operations, shareholder value, goals, or image. The implication is one of measurement. Overall, it forms an equation that combines the aspects of applying the security elements into a score that governs what should be enforced and in what order. It is a key element of the ongoing security strategy that dictates the budget of risk v. cost v. time to implement the organizations security policy. That is, a risk is identified and the decision to mitigate the risk can mean the cost of defense of a known vulnerability x likelihood of it happening x the impact and resilience required if it does happen or the priority of the mitigation, etc. It also plays into the coverage provided by cyber insurance. This is an important factor in establishing the ongoing measurement of the security strategy and will change over time. Effectively, it creates the context for the cybersecurity posture. This time the NIST definition does makes sense: “The level of risk an entity is willing to assume in order to achieve a potential desired result.” Risk Appetite is the strange marketing term sometimes used to mean Risk Tolerance (See earlier). | Info | ||
Rootkit | A Rootkit is a collection of software malware giving actors control of a computer, network device or application. They typically create back doors for further attacks and by their nature are not detectable once installed by anti-malware software. This is why Rootkits are considered extremely dangerous. | Threat | ||
Sandbox | An isolated environment on a network that mimics end-user operating environments. Sandboxes are used to safely execute suspicious code without risking harm to the host device or network. | Info | ||
Secure Access Service Edge | SASE | SASE was conceived as a collaboration between networking and cybersecurity. Its intention is to be a fully-integrated WAN networking and security framework that connects remote users and branch offices to cloud and corporate applications and the Internet. However, great caution should be exercised since almost every term is a marketing one rather than a technical definition. Also, every vendor and service provider has (legitimately) added functions to deliver more practical “SASE” or “SSE” solutions. As first outlined by Garner in December 2019 (the link to the original blog “Say hello to SASE” describing this “new package of technologies” has been deprecated by Gartner), SASE is a conceptual framework, largely consisting of marketing terms – not a product. It encompasses: features “such as” (1) SD-WAN – a network overlay technology, (2) Cloud Access Security Broker (CASB), (3) Secure Web Gateway (SWG), (4) Firewall as a Service (FWaaS) and (5) Zero Trust Network Access (ZTNA). All these terms are covered in this Terminology page. Their definition is up for interpretation. For service providers, it has become important to deliver the SASE networking and security functions as a cohesive service that can bring together a wide variety of implementations. Late in 2022 the MEF expanded on the original idea by defining a standard SASE Service combining security functions and network connectivity as MEF 117. An enhanced definition is slated for completion in late 2024 that also formalizes a number of additional security functions that are commonly part of commercial offerings. | Marketing | |
Secure Service Edge | SSE | Follow-on to the above. Later Gartner defined SSE – a more IT-focused and implementable subset of SASE without SD-WAN and FWaaS consisting of CASB, SWG and ZTNA. It defines SSE as securing access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components. In March 2022 Gartner created a new magic quadrant summarizing 11 players in this space. Note: If after reading this, Googling SASE or SSE and looking at product definitions in this space, you are still unclear then we would not be surprised since vendors and providers match their capabilities to their market. If you are looking for guidance then it comes down to understanding what a product does and seeing if it matches your requirements rather than matching the function to a marketing definition of SASE or SSE. | Marketing | |
Secure APIs | Application Program Interfaces (APIs) are increasingly important and their security is critical and integral to regulate the access to code. There are many potential vulnerabilities that are well-documented with best practices for defense. Digital signing of APIs is the best of these defenses. It should also be noted that Terraform – an infrastructure as code open source tool that lets users build, change, and version cloud and on-prem resources is becoming a popular alternative that abstracts the use of APIs to Amazon Web Services, Azure, Google Cloud Platform, Oracle Cloud Infrastructure, and Docker. | Defense | ||
Secure Boot | Secure Boot is a security feature designed to ensure that your computer boots using only trusted software. Secure Boot is part of the Unified Extensible Firmware Interface (UEFI) | Defense | ||
Secure Containers | Given the popularity of Kubernetes as the favored container platform and the home of Cloud workflows it’s no surprise that protection methodologies are required . Hence the term Secure containers. See Reference 36 on the reference page for much more information. | Defense | ||
Secure DNS Proxy | SDNSP | Smart DNS Proxy is a secure DNS Proxy service to unblock websites, global video & music streaming services. Unblock US websites like Netflix, Hulu, ABC or music streaming services like Pandora or Spotify just natively happens when you use Smart DNS Proxy. There is no connection or disconnection needed as in VPN. It claims to be faster than a VPN and works with any device; PC, MAC, Smart TV, Xbox, PS3, Router, iPad, iPhone or any Android devices. | Defense | |
Secure Email Gateway | SEG | A secure email gateway is intended to protect inboxes from suspicious emails. SEGs scan all incoming and outgoing emails. However, although SEGs filter email and spam attacks, they have become dated since they don’t detect many spohisitcated phishing and social engineering attacks. Also, emails are only one source of phishing attacks. | Defense | |
Secure IP Service Functions | SIG | The functions required to provide secure IP services on ingress and egress at a given Service End Point are covered on this page. The collection of these functions are summarized here and include: IP, Port and Protocol Filtering | Domain Name Filtering | URL Filtering | Malware Detection and Removal | Data Loss Prevention | DNS Security Functions: DNS Protocol Filtering and Protective DNS. | Defense | |
Secure Internet Gateway | SIG | A SIG is a cloud-delivered internet gateway that provides safe and secure access to the users wherever they go, even when the users are off the VPN/network | Marketing | |
Secure Network as a Service | SNaaS, NaaS | Secure Network as a Service is a Zero-Trust enabled service. While Zero Trust is neither a system nor a product and the Gartner concept of SASE and SSE are important steps forward, SNaaS is a framework service that incorporate (1) the principles of Zero Trust, (2) the network and security elements of SASE, (3) around 30 defensive elements associated with SSE and (4) encompasses the elements of holistic security across an extended organization. When looking at Securing Network as a Service (NaaS) it’s important to separate how solution and service providers provide the service and what it can provide for the enterprise as an evolving concept. What NaaS should provide is being defined and will be covered elsewhere as 2023 progresses. | Defense | ZT |
Secure Production Identity Framework for Everyone | SPIFFE | SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running. SPIRE is a production-ready implementation of the SPIFFE APIs. | Assn | |
Secure Socket Layer | SSL | The standard security technology for establishing an encrypted link between a web server and a browser. | Info | |
Secure Web Gateway | SWG | Secure web gateways act as a barrier, keeping users from accessing malicious websites, malware, or web traffic that is part of a Cyberattack. SWG is a solution that filters malware from user-initiated Internet traffic to enforce corporate and regulatory policy compliance. A secure web gateway is a Cyberbarrier or checkpoint that keeps unauthorized traffic from entering an organization’s network. The traffic that a secure web gateway governs is all inline—the gateway stands between all incoming and outgoing data. | Marketing | |
Security and Risk Management | SRM | The ongoing process of identifying security risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets. | Marketing | |
Security as a Service | SECaaS | The ongoing process of identifying security risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets. | Marketing | |
Security Assertion Markup Language | SAML | A login standard that helps users access applications based on sessions in another context. It’s a single sign-on (SSO) login method offering more secure authentication (with a better user experience) than usernames and passwords. | Info | |
Security Event Notification | SEN | This is a broad definition of what, how and where events are notified. In this security context, for Zero Trust implementations this could include access requests being blocked or quarantined due to improper access privilege, identification, authentication or policy failures, target actors being out of scope for the subject actors access or monitoring noting that timed access was being violated. It could also notify management issues such as Denial of Service attacks or failure in secure services such as unexpected termination. These notifications or Alerts are in addition to service notifications of IP failures, QoS violations from network services, secure container or other data related notifications. There is no industry standards that encompass all network, IT, or security notifications via common secure APIs. | ZT | |
Security Functions | A Service that delivers and manages cloud-native security functions as specified by the Subscriber’s Policy for a specific session. These security functions must be deployable anywhere within the Service in order to optimize the performance and security provided by the SASE service for that session.. The security functions available in a service are listed in the body of the work. The security functions are ‘atomic’ in the sense that they are frequently combined as part of a package recognized in the market under different terminology – for example, ATP, CASB and SWG. | Info | ||
Security Information and Event Management | SIEM | A SIEM collects and analyzes data from various sources (such as event logs), then filters and applies rules for data analysis. It may include analysis of threats etc. | Marketing | |
Security Key | A hardware security key made by DUO (Cisco Brand), Yubico, etc., that is an alternative to phone codes, biometrics, passkeys, and emails for two factor access authentication. It is support via USB ports on laptops and wirelessly on mobile devices. | Defense | ||
Security Operations Center | SOC | Location of services and systems responsible for cybersecurity. In smaller organizations, it’s often combined with a Network Operation Center (a.k.a. NOC/SOC) | Info | |
Security Orchestration Automation and Response | SOAR | Clearly an important function, though Gartner’s marketing engine referring to it as “The SOAR market continues to build toward becoming the control plane for the modern SOC environment” may be a little over the top. | Marketing | |
Security Policy and Security Strategy | An organization’s Security Policy is the fundamental and necessary element of cybersecurity defense. It’s a high-level view of what should be done with regard to information, and physical security – the baseline that executives use to define what is secure enough for their organization in terms of acceptable risk and cost. Typical elements are (1) Assessing Critical Assets (2) Assessing risks v. value and budget(3) Assigning & delegating responsibilities (4) continuous progress measurement, (5) permanent reports to executive meetings (6) role of the CSO – not limited to IT, reporting to the board and (7) reporting and compliance requirements. The Security Strategy is the execution of the Security Policy. It covers the ongoing scope, risk measurement and targets over time and reporting over time. The scope will cover the principle areas to be addressed within budget. Specifically the actions will encompass areas such as those spelled out in our Holistic Cybersecurity as a Service page and for software companies the 12 areas of actions are spelled out in Microsoft’s Software Development Lifecycle (SDL) system. | Info | ||
Security Posture | Describes the current state of an organization’s overall ability to predict, prevent and respond to Cyber threats. The book provides focus on all the areas that need to be taken into account. The term may seem non-intuitive but has become widely adopted. This pretentious-sounding term is the one that is the most important to measure as it’s the one that measures your progress on reducing risk. Our CyberScore program and CISA’s CSET software are examples of such measurement tools. | Info | ||
Session Token Theft | Also known as Session Hijacking, this consists of the exploitation of the web session control mechanism, that is normally managed for a session token. Web servers recognize every user’s connection using the token that the Web Server sends to the client browser after authentication. Session Hijacking attack steals or predicts a valid session token to gain unauthorized access to the Web Server compromising the exchange for Man-in-the-Middle attacks, etc. Session Hijacking is also seen as a way in which MFA protection can be circumvented. | Threat | ||
Shadow API | This is the term used for an API that has not been protected by certification, etc. A report in 2022 indicated that 16 of 20 billion API transactions were malicious and the majority were against APIs were unprotected. | Threat | ||
Side Channel Attack | This is an attempt to deduce information, keys, passwords etc., by measuring CPU usage, visual or acoustic evidence, electromagnetic measure measurements within adjacent software or devices. It could involve use of tracking devices, chips, keys and known hardware weaknesses. Reports in December 2023 revealed a new kind of side channel attack on CPUs from Intel, Arm, and AMD with Linear Address Masking (LAM), and other security features. These have been found to be vulnerable to attack from threat actor Spectre. Known therefor as SLAM, the attack is based on transient execution that allows malicious actors to reveals sensitive data and even operating system code. | Threat | ||
SIM Swapping | A SIM swap is when a threat actor creates or fraudulently copies a victim’s phone SIM card. They trick the service provider into switching a victim’s service to a SIM card that they control — essentially hijacking the victim’s phone number. Typically, it’s then used to intercept online banking SMS verification codes, get MFA codes for financial transactions, cybercriminals create or fraudulently obtain a copy of the victim’s SIM card. Most banks require that a replacement SIM card be re-linked to the account. | Threat | ||
Single Sign-on | SSO | Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials without re-authenticating themselves. It is not the same as using a common sign on (E.g. Google, or Facebook) where the same login is used for multiple sites – effectively reusing the same login username and passwords and if compromised can give hackers access to all site. | Defense | |
Skimming | This term is used when a threat actor uses a tag reader to read an encoded strip (e.g., using RFID to read a credit card magnetic strip and blue tooth and more). Such devices (e.g., Flipper) although banned are seemingly available on the grounds they are used for Penetration Testing! | Threat | ||
Sniffing | Used to investigate the contents of transmitted data to look for malware, this technique can also be used by threat actors to look for user or software credentials or other sensitive data in unencrypted data | Threat | ||
Social Engineering | The use of psychological manipulation to influence people to divulge sensitive information or to perform actions that may not be in their best interest. It often involves exploiting people’s trust, fear, or desire for gain, and can be used to gain access to confidential information, networks, or systems. | Threat | ||
Software Bill of Materials | SBOM | CISA has defined “a software bill of materials (SBOM) as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components. This list of “Types” is not fixed since it may vary or be duplicated in different scenarios. Although it begins with “Design Specification” it does not discuss preceding it with (1) a Market specification or Requirements Document (MRD) – this misses an important aspect of organizational and cybersecurity requirement. Other types are listed as “Source, Build, Analyzed, Deployed and Runtime” types. When looking at the CISA Types of SBOM Documents, it seems incomplete and perhaps that’s intentional? For instance, there is (2) no discussion on: use of memory safe languages, (3) use of built-in certified secure APIs for automation, (4) investigation of 3rd party open source code, (5) no built-in Zero Trust identity or access control list elements, (6) no automation of regression testing and (7) investigation of possible security vulnerabilities, (9) no built-in hooks for automation nor (10) testing of data or management plane functions. NSA listed its own SBOM recommended practices for securing supply chains in Nov 2023 | Info | |
Software Defined Wide Area Networks | SD-WAN | An overlay to transport Layer communications. Originally defined by the Open Networking Group (ONUG.net) and later defined for service providers by the MEF (MEF.net) [15] SD-WAN is also an element of SASE as introduced by Gartner. | Info | |
Spoofing | Spoofing is a broad term for when threat actors masquerades as a trusted entity or device actions that would cause infection or unauthorized penetration of a system. The older Email Spoofing was used but is now usually referred to as Phishing. See also IP Spoofing above. | Threat | ||
Spyware | A type of malware such as Keylogging that that spies on user or software actions gathering data from the device a user and sends it to third parties without their consent. | Threat | ||
SQL Injections | Most IT people are aware that the SQL (structured query language) is a commonly used methodology for accessing databases in data centers or in clouds. SQL Injection malware exploits weaknesses in accessing data. Best defense practices are use of Secure containers, input validation and parametrized queries to prevent deleting and overwriting data and of course use of Zero Trust principles to avoid exfiltration of data. | Threat | ||
State Sponsored Attacks | Although the term seems obvious, what’s less so is the motivation for those states that targeting the soft underbelly of first-world economies has become a chief source of income. The lack of awareness of most businesses to deal with the problem of ransomware translates into a lifeblood to economies for countries whose own resources are minimal. It’s grown from criminal activities to political warfare to a way of life. It’s for that reason alone that it’s not going to go away. In a strange switch Apple has started calling them Mercenary Attacks. | Threat | ||
Steganography | The technique of hiding data within an ordinary, non-secret file, a message or encrypted data to avoid detection. The file could be a text, image, video or audio type. The word comes from the Greek Steganos meaning hidden. It is said “if it can’t be reached, it can’t be breached.” Threat actors can also use this technique, for example, to hide malware inside video files or place code in software files distributed in a network. | Threat | ATP | |
Structured Threat Information Expression | STIX | This MITRE defined language and serialization format is used to exchange cyber threat intelligence (CTI). It covers all manner of attacks in 18 Domain Objects best defined here. | Info | |
Supply Chain Attack | This covers all manner of attacks from a compromised third party that could be manufacturing a deliverable, product or software element, service company or even security software product. Specifically, Software Supply Chain Attacks are malware code embedded “somewhere” in the system of software suppliers. The cause of many/most large-scale, high-profile ransomware and malicious attacks. The supplying company may not be the culprit. Like the Log4Shell malware, it could be buried in some open source code that was never verified. The important point is to delegate to such companies by having them self-certify their products or services. (This is covered in detail on this site’s Delegation page.) | Threat | ||
Synthetic Identity Theft | This combines the use of real personal information with fake or fraudulent information to create a synthetic identity. Typically used to attempt financial transactions, create fake credit approvals, loans, phishing attacks or other frauds. These Synthetic Identities are increasing relevant since the occurence of massive breaches of personal information from Private Data Records and MC2 in the second half of 2024. Detecting them is non-trivial and involves combining several disciplines. | Threat | ||
Tabletop Exercise | Discussion-based exercise to validate the content of plans, procedures, policies, etc., to manage incidents, plan recovery etc. | Info | ||
TCP Split Handshake Attack | First encountered more than a decade ago, this attack is caught by most firewalls. However, this form of attack is seemingly still quite prevalent. Briefly, when the user’s system (e.g., a browser) makes a connection with a remote host the Transport Control protocol (TCP) is invoked beginning with a three way synchronization “handshake.” The connection by the user is initiated with (1) what’s known as a SYN packet, (2) the host replies with a SYN-ACK acknowledgement packet and (3) its receipt is acknowledged by the user with an ACK packet. Then the flow of data starts. This can be interrupted by a malicious host sending back confusing packet during the initial handshake. Probably more than you need to know but for a detailed discussion, please see this link from 2010. | Threat | ||
Threat Avoidance | A summary of actions to take that avoid likelihood of threats occurring in the first place. They are typified being low on costs and resources. Examples are training against phishing attacks, supply chain delegation, use of MFA, employee screening of insider threats, training against social engineering, not allowing the use of non-company devices (PCs, hand-helds), etc. on the company network. These are distinct from Threat prevention by automating updates to software, use of ID management systems, etc. and use of anti-malware software which typically but not always have a price tag. | Info | ||
Threat Detection | Threat Detection (a.k.a. Threat Assessment or Threat Analysis) is the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network. Be aware that while they are much better than having no detection, most of these Threat Detection systems were initally limited to the IT department’s domain are not set up to investigate external systems such as provider or cloud networks, supply chain networks, web content management systems, external CRM systems, OT networks, etc. They also likely do not help directly with social engineering, and often do not validate least privilege, or other Zero Trust attributes. They may also be vulnerable to management plane attacks on the Threat Detection software itself. By the end of 2024 this concept has developed into a wide range of subcategories. See also Endpoint Detection and Response, Network Detection and Response, Cloud Detection and response togethet hybrid configurations such as Extended Detection and Response (combines EDR and NDR) and Managed Detection and Response (an MSP solution). The challenge is to understand the protection that is provided inside these marketing packages. | Info | ||
Threat Hunting | Threat Hunting is a proactive approach to identifying previously unknown, or ongoing non-remediated threats. This often used to detect post breach incursions or zero day attacks. | Defense | ||
Threat Intelligence | This is a marketing term, that seems to have no standardized definition but is frequently used to make the seller of such products or services look, well, intelligent! | Marketing | ||
Threat Modelling | Threat modelling is the process by which threats, whether vulnerabilities or the absence of appropriate controls, can be described and mitigations or remediations planned. The purpose is to provide an understanding of what controls and vulnerabilities that exist. See also MITRE above. Microsoft’s Threat Modelling Tool is freely available here. It’s based on its STRIDE model for identifying threats, categorized as Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of Privilege. What luck that these 6 categories made up the word STRIDE. I haven’t repeated what Repudiation and Tampering are defined as. | Info | ||
Threat Protection | Like Threat Detection above, Threat Protection is typically an umbrella for a collection of software tools or services that defend against detected threats. Many companies combine detection and protection into an upmarket offering termed Threat Intelligence. | Marketing | ||
Threat Types | There are many threats present called out on this page and elsewhere. This point collects the top threat types that require detection and protection. The several “… as a Service” tool kits often deploy several such threats. Three of these being Phishing as a Service (PhaaS), Ransomware as a Service (RaaS), and most recently and dangerous: Hacking as a Service (HaaS). The number of threat types each requiring detection and protection reveal the scope of the challenges faced: Advanced Persistent Threat | Adware | API attacks | Botnet | Bring Your Own Device | Bring Your Own Vulnerable Driver | Brute Force Attacks | Business Email Compromise | Credential Re-use | Cross-site Scripting | Data Breach | Deep Fake | Denial of Service | Distributed Denial of Service | DLL Side-Loading | DNS Security & Protocol Filtering | Drive-by Attacks | Elevation of Privilege | Exfiltration | Insider Threats | Key Logging | Lateral Movement Attacks | Living off the Land Attacks | Man-in-the-Middle Attacks | Phishing | Polymorphic Malware | Ransomware | Rootkits | Session Hijacking | Side Channel Attack | Social Engineering | Software Supply Chain Attacks | Spyware | SQL Injections | TCP Split Handshake Attack | Trojans | Viruses | Watering Hole Attacks | Zero-Click Attack | Zero-Day | Zombie attacks. | Threat | ||
Transport Layer Security | TLS | Transport Layer Security (TLS) encrypts data as specified by the Internet Engineering Task Force (IETF). This is currently a controversial issue because of the pending requirement to upgrade from TLS 1.2 (IETF RFC 5246) to TLS 1.3 (RFC 8446).The difference being deprecating various supported encryption methods, simpler but more secure handshakes. The overwhelming resistance to upgrade is based on disruption and concern about breaking vast numbers of applications. This resistance is going to be overcome by NIST mandates the force change in government and financial networks likely to arrive in January 2024. Read Cisco’s report on this issue. | Defense | |
Trojan | A form of malware where a malicious payload is embedded inside of a benign host file or program. The log4shell being a prime example of infected open source code that was used extensively before it was detected. When embedded in a file, the victim is tricked into believing that the only file being retrieved is the viewable benign host. However, when the victim uses the host file, the malicious payload is automatically deposited onto their computer system. | Threat | ||
URL Filtering | URLF | URL Filtering is defined as the action taken by a Service Provider to check whether a session contains a URL that is to be Allowed or Blocked. URL is specified in IETF RFC 3986. URL Filtering applies to cases where the domain name is on the “Domain Name Filtering Allow List,” but one or more URLs associated with that domain have a security issue and need to be blocked. | Defense | |
User and Entity Behavior Analytics | UEBA | UEBA is a development of User Behavior Analytics. This protects against unknown threats with analytics, unsupervised machine learning algorithms to establish baseline behaviors of users, devices and applications, then searches for deviations to detect unknown and insider threats. It uses behavioral analytics, AI/ML algorithms and automation to identify unauthorized user, software and device behavior and can be found within SIEM, EDR, XDR, NDR, IAM software to detect ransomware attempts following an initial breach. | Defense | |
Video File Attacks | The difficulty in discovering malware lurking deep inside H264 encoded video files – the most commonly used video format has been revealed. Identifying vulnerabilities, the complexity of H264 encoding makes it very challenging for any tool to discover pervasive malware inside such videos. Actions are required by graphics hardware vendors who need to take corrective actions listed in the revealing paper published in April 2023 by the University of Texas in Austin. Software suppliers, threat detection providers and users will require to implement any updates. | Threat | ||
Verify, Verification | Zero Trust’s “Never Trust, Always Verify” is becoming well known. This begs the question: “What verification actions should be taken?” This cyberpedia page is about scope rather than implementation. Verification is key in SCRM (Supply Chain Risk Management) requiring suppliers to at least self-attest their organization, service and product security. (See cybyr.com/delegation). This works best when it is a collaborative effort. Similarly, this applies when verification is applied to a CSO’s verification that proper cybersecurity processes are being applied across the entire organization. For software products, verification should be built into the design of products (as in DevSecOps), especially in proper regression testing of new releases. It is never a one-off operation and “Continually Verify” is the watchword. This all applies to monitoring and more formally to Audits which document the continual process and are used for “spot” checks. | Threat | ||
Virtual Private Network | VPN | A service that protects Internet connections and privacy online. It creates an encrypted tunnel for data, protects your online identity by hiding IP addresses, and allows the use of public Wi-Fi hotspots safely. However, VPNs are only useful if they are implemented safely and enhanced with ZTNA capabilities. In early 2024 CISA themselves were breached by a vulnerability in a “secure” VPN. | Defense | |
Virus | A virus is a specific type of Malware that self-replicates by inserting its code into other programs and is then spread to other systems and executed. See also Lateral Movement Attacks. A common source has been open-source software that is included and distributed without proper testing. The infamous Log4Shellbeing an example. | Threat | ||
Vulnerability Assessment | The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities or weaknesses in a system. Vulnerabilities can exist anywhere in the organization or beyond, not just in software, hardware, processes or network configurations. | Marketing | ||
Vulnerability Management | Cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating” software vulnerabilities. Vulnerability management is integral to computer and network security and should not be confused with vulnerability assessment. | Marketing | ||
W3C Web Authentication | WebAuthn | A Standard for web authentication: An API for accessing Public Key Credentials. | Assn | |
Watering Hole Attack | Just as the name implies, malware lies in wait for users that are known to visit a specific web site. | Threat | ||
Web Application Firewall | WAF | Unlike traditional Firewalls (see above) that filter unauthorized IP traffic, WAFs look at web application layer to filter, monitor, and block HTTP traffic to and from a web service. They can prevent attacks, exploiting a web application’s known vulnerabilities, such as SQL injection and cross-site scripting (XSS). | Marketing | |
Zero-Click Attack | Also known as Zero Touch attacks, these are initiated without the user taking any action/clicking on anything. These can by inserted by just opening an email and unwittingly enabling a Living off the Land or Microsoft Office exploit. An example is the discovery (Sept 2023) of the Zero Click attack on iPhones and rapid issuance of an update to IOS etc., impacting billons of unsuspecting users. On mobile or fixed devices, Zero Touch exploits can be triggered by messages received on a phone without the user being aware. | Threat | ||
Zero-Day | A.k.a. “Zero-day” Attack. A new exploitation of a vulnerability by an attacker. By definition, it is discovered after it causes damage and is successful because no remedy – e.g., software or remedial process -had yet been implemented. | Threat | ||
Zero Trust | ZT | This is the key topic in cybersecurity so it’s worth describing in detail. A set of principles and strategies intended to prevent the exfiltration of data in many areas, layers and apps operating in a hybrid cloud, perimeter-less network. See this site’s page on the Zero Trust and in Section 7 of the Book for an in-depth examination. Two of these principles are “Assume Breach” where enemy has already penetrated your edge defenses and “Never Trust, Always Verify.” The word “Always” is important and doesn’t just mean verify once. It means continually verify, since access may have time limit or other restrictions and the user, app or device may suddenly attempt actions that are not aligned with the access policy, etc. Perhaps the term should have been “Never Trust, Allow only While Valid” Implementing Zero Trust involves (a)Identity and Authentication, (b) Access Control, (c) Policy Management, (d) Policy Enforcement at appropriate locations or between designated points, (e) continual Automated monitoring and auditing plus (f) Event Notification. In a world where the network perimeter no longer exists, A Zero Trust approach is the best and perhaps the only approach to protecting your assets. Remember it’s not a system but an approach whose deployment is context and location dependent. NIST has defined a Zero Trust Architecture – 800-207. Zero Trust was actually coined by Stephen Paul Marsh in 1994 but was popularized by John Kindervag almost a decade later. Today, circumstances have made it rise to the status of essential. He is now recognized as the father of the movement and he describes a 5 step methodology listed in detil in the NSTAC document are as follows:(1) Define the Protect Surface (2) Map the transaction flows (3) Architect a Zero Trust Environment, (4) Create a Zero Trust Policy, (5). Monitor and Maintain. This is an iterative process coined as “Antifragile” – systems that gains strength from disorder – an idea described by author Nassim Nicholas Taleb. Like many others, I do not express it in exactly the same way as it does not take into account holistic principles and is an over-simplification. In fact, seeking an exact definition of Zero Trust – something that many seek to do so they can understand it better themselves – may not be a useful pursuit! The 2022 NSTAC definition is close but here’s my definition: Zero Trust is a cybersecurity strategy premised on the idea that no asset (user, software, device) or transaction between them is to be trusted. It assumes that a breach has already occurred or will occur, and therefore access to information is only to be granted only while the transactions between assets are valid as compliant to the policy in place. | Info | ZT |
Zero Trust Network Access | ZTNA | Zero Trust Network Access is an element of Gartner’s original SASE concept. What makes it challenging to clarify here is that there is no official industry technical definition for this much-used term or its specific functions (this includes NIST 800-215). Latterly, Gartner has written its “marketing definition” (not agreed in all circles due to its further use of undefined terms!) as “products and services that create an identity and context-based, logical-access boundary that encompasses an enterprise user and an internally hosted application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a collection of named entities, which limits lateral movement within a network.” The MEF’s proposes a more technical definition: “MEF defines Zero Trust Network Access (ZTNA) as access from any Subject Actor at any location, any time, and under any circumstance to any Target Actor at any location, any time, and under any circumstance.” In the industry, ZTNA has come to mean/be the Zero Trust replacement to virtual private networks (VPNs) in that ZTNA grants access only between specific services, data or applications, based on access control, where VPNs grant access to an entire network. It would have more sense to this author if ZTNA had been termed ZTAA – Zero Trust Application Access. ZTNA is an obvious solution to distributed workforce security. However, this use case is just one that could be seen as part of a Zero Trust strategy and termed ZTNA. In recent developments the term Universal ZTNA (UZTNA) has come to mean the use of ZTNA for on-premises and from remote locations. Given that ZTNA has only come to be known as a VPN replacement, this new interpretation adds little that is new other than legitimize ZTNA marketing. | Marketing | ZT |
Zero Trust Packet Routing | ZPR | To quote Oracle: “Zero Trust Packet Routing (ZPR) is an industry-wide initiative to create a new open standard for network and data security that will help organizations better protect their data in distributed IT environments. Oracle is collaborating with Applied Invention and other industry partners on the new standard, which will enable networks to collectively enforce the shared security policies and security architecture organizations already use without changing existing applications and networks.” I put this in quotes because it is an example like SASE, SSE, ZTNA of marketing from Oracle and its associate “Applied Invention” who have trademarked the term. It seems as yet undefined by any industry group, nor defined in terms of functions etc. Perhaps it will become an “Open Standard.” As such, ZPR was included for completeness and we look forward to properly representing their contribution. | Marketing |