Last Updated March 21st, 2023

Access Control
Access Management
Accountable Digital Identity
Advanced Persistent Threat
Air Gap
Anti-Virus, Anti-Malware
Artificial Intelligence
Asset Curation and Related Topics
Asymmetric cryptography
Attack Surface
Attack Surface Reduction
Attack Vector
Authentication Management
Automatic Certificate Management Environment
Automation and AI
Black Hat Hacker
Blocked List, Quarantined List, Allow/WhiteList
Bring Your Own Device
Bring Your Own Vulnerable Driver
Browser Isolation
Brute Force Attacks
Business Email Compromise
Certificate Authority
Cloud Access Security Broker
Common Vulnerabilities and Exposures
Content Disarm and Reconstruction
Content Disarm and Recovery
Credential Stuffing
Critical Infrastructure
Cybersecurity and Infrastructure Security Agency
CyberStart America
Dark Web
Data Breach
Data Loss Prevention
Deep Fake
Denial of Service
Development, Security & Operations
Digital Forensics and Incident Response
Distributed Denial of Service
DNS Protocol Filtering
DNS Security & Protocol Filtering
Domain Controller
Domain Name Filtering
Drive-by Attacks
Elevation of Privilege
Extended Detection & Response
Fast IDentity Online
Federal Risk and Authorization Management Program
Firewall as a Service
Holistic Cybersecurity
Identity and Access Management
Identity Management
In the Wild
Insider Threats
Internet Protocol Security
Intrusion Prevention System
IP Proxy IP-P
IP, Port and Protocol Filtering
Key Logging
Lateral Movement Attacks
Least Privilege
Living off the Land Attacks
Malicious Code
Malware Detection and Removal
Man in the Middle Attack
Memory-Safe Languages
MiddleBox Function
Monitoring and Auditing
Multi-factor Authentication
Multi-layer security
OAuth Authorization
Open Worldwide Application Security Project
Operational Technology
Password Based Key Derivation Function version 2
Passwords:  Managers,  Iteration Count
Payment Card Industry Data Security Standard
Pen Testing
Phishing and PhaaS
Policy and Enforcement Management
Polymorphic Malware
Private Key
Protective DNS
Public Key
Ransomware  and RaaS
Red Team, Blue Team, White Team
Remote Browser Isolation
Secure Access Service Edge
Secure APIs
Secure Containers
Secure DNS Proxy
Secure Internet Gateway
Secure Network Cloud Ecosystem
Secure Production Identity Framework for Everyone
Secure Service Edge
Secure Socket Layer
Secure Web Gateway
Security and Risk Management
Security as a Service
Security Assertion Markup Language
Security Event Notification
Security Functions
Security Information and Event Management
Security Operations Center
Security Orchestration Automation and Response
Security Posture
Session Hijacking
Side Channel Attack
Social Engineering
Software Defined Wide Area Networks
Software Supply Chain Attacks
SQL Injections
Structured Threat Information Expression
Symmetric cryptography
TCP Split Handshake Attack
The Dark Web
Threat Actor
Threat Detection
Transport Layer Security
URL Filtering
Virtual Private Network
Vulnerability Assessment
Vulnerability management
W3C Web Authentication
White Hat Hacker
Zero Trust
Zero Trust Network Access
Zero Trust-Enabled Secure Service
Zero-Click Attack

Insider View on Terminology

The intention of this page is to provide the most up-to-date set of cybersecurity terms available anywhere. It’s updated as meanings change and new terms arise almost daily. This list of more than 150 terms contains many additions following the publication of the book

Much time in technical work is spent agreeing (or failing to agree) on the exact meaning of terms. Cybersecurity and telecommunications work is therefore, in large part, a linguistic exercise, and caution is needed when searching for definitions in general …

At best this page is a living collection of terms agreed by groups of authors or individuals. As with all such definitions, don’t go seeking the truth. Even if you were to find it, it would still be played against what you already know. 25 years’ involvement in standards and terminology has taught me that the study of linguistics and meaning is an art, not a science.

Marketing or Technical?

When seeking a single agreed definition of a term, one is confronted with competing marketing terms disguised as fact. An example is Gartner’s SASE/SSE: some clear thinking, but not in itself an easily implementable, well-defined system, nor even an agreed set of elements. You are likely aware that many organizations’ acceptance of these terms is clouded by the vendors’ need to be in the top right of their particular Gartner “Magic Quadrant” or Forrester “Wave.” We all turn to Google, Wikipedia or the Magic Quadrant as the best starting point, but many links are sponsored or biased, may not fit your organization or, most relevant, recommend solutions that don’t fit your budget.

Definitions Vary

Industry standards are themselves subject to agreement by the parties creating them. This may be obvious, but as much as we would love to provide guidance on which services or products to choose, with a “Top Ten list of …” for each approach, it is clearly an unwise and impossible task: it would require years of analysis and expertise and would be outdated before it was written. Even within a single standards body it is common to find multiple definitions of the same term, each subjective and context dependent. (This author once found 10 different definitions of one term in one standards body.) Enter open source, and all bets are off.

Purpose of Acronyms

Acronyms are used to save time within knowledgeable technical groups; unfortunately, they are sometimes used to create the impression that the speaker is smarter than you. As a tip, only introduce an acronym if the term is used more than once in a document. I dislike the use of acronyms, but they are provided here for completeness.

Access Control Defines which Subject Actors may perform which operations on which Target Actors, as determined by identity management, authentication, policy, privilege and time/duration constraints (see Actor below). Anything not explicitly permitted should be denied.
Accountable Digital Identity Creates trusted digital addresses from existing trusted identity sources such as employers, financial services, governments, etc., allowing people to manage their identity information.
Actor Used by various sources, especially the MEF, to represent a user, an application, system software or a device. Actors are further classified as either Subject (the initiator of a request) or Target (the recipient of the request). Application-to-application exchanges dominate computer dialogs. A Threat Actor is the common term for a person or organization carrying out an attack.
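The Access Control and Actor entries above describe a decision made from several inputs at once: the Subject’s authentication, a policy grant for a Subject/Target pair, the privilege (operation) that grant confers, and its validity window. The following is an added example written for this glossary, not code from the page or from the MEF; the grant format, the actor names ("payroll-app", "hr-db") and the eight-hour window are illustrative assumptions. It shows a deny-by-default evaluator where each denial names which element failed.

```python
"""Deny-by-default Access Control over Subject and Target Actors.

Added example for this glossary, not code from the page. The grant format,
the actor names and the time window are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """One policy entry: `subject` may perform `operations` on `target`,
    but only while `not_before <= now < not_after` (the time/duration element)."""
    subject: str
    target: str
    operations: frozenset
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(grants, subject, authenticated, operation, target, now):
    """Combine the elements named in the definition: authentication of the
    Subject, a policy grant for this Subject/Target pair, the privilege
    (operation) it confers and its validity window. Anything not explicitly
    granted is denied."""
    if not authenticated:
        return Decision(False, "subject is not authenticated")
    matches = [g for g in grants if g.subject == subject and g.target == target]
    if not matches:
        return Decision(False, "default deny: no grant for this subject/target pair")
    for g in matches:
        if operation in g.operations and g.not_before <= now < g.not_after:
            return Decision(True, f"granted by policy valid until {g.not_after.isoformat()}")
    if any(operation in g.operations for g in matches):
        return Decision(False, "a grant covers this operation but is outside its validity window")
    return Decision(False, f"operation {operation!r} is not among the granted privileges")


# Constructed policy: an application Actor may read (not write) an HR database
# during an 8-hour window. Names and window are assumptions for the example.
T0 = datetime(2023, 3, 21, 9, 0, tzinfo=timezone.utc)
POLICY = [
    Grant("payroll-app", "hr-db", frozenset({"read"}), T0, T0 + timedelta(hours=8)),
]


def demo():
    """Run the scenarios a reviewer would check and return the decisions."""
    cases = {
        "read_in_window":    ("payroll-app", True,  "read",  "hr-db", T0 + timedelta(hours=1)),
        "write_in_window":   ("payroll-app", True,  "write", "hr-db", T0 + timedelta(hours=1)),
        "read_after_expiry": ("payroll-app", True,  "read",  "hr-db", T0 + timedelta(hours=9)),
        "unauthenticated":   ("payroll-app", False, "read",  "hr-db", T0 + timedelta(hours=1)),
        "unknown_subject":   ("unknown-svc", True,  "read",  "hr-db", T0 + timedelta(hours=1)),
    }
    return {name: evaluate(POLICY, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18} {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
```

The order of the checks matters in practice: an unauthenticated Subject is refused before any policy is consulted, and the evaluator never reveals whether a grant exists to a caller that has not proven its identity. The reason string is what the Monitoring and Auditing entry later in this page would feed into a Security Event Notification.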
Advanced Persistent Threat (APT) As opposed to opportunistic, smash-and-grab attacks, an Advanced Persistent Threat is a sophisticated, sustained campaign in which an intruder establishes an undetected, long-term presence in a network in order to steal sensitive data, or to position for later disruption, over a period of time. It usually involves Lateral Movement, and malware is only one of the tools used.
Adware Software that bombards users with endless ads and pop-up windows and degrades the user experience. It can also pose a real danger by diverting users to malicious sites or enticing clicks on malicious links.
Air Gap The physical separation of networks and systems. Typically used to keep sensitive operational networks separate from external networks (e.g., the Internet or internal business networks) so that attacks cannot reach them. True physical separation covers both wired and Wi-Fi connectivity; removable media and maintenance laptops are the usual ways an air gap gets bridged in practice.
Anti-Virus, Anti-Malware Generically, a variety of software systems designed to detect, block and remove malware, viruses, spyware and phishing content, and so protect users from them.
Argon2 Argon2 is a memory-hard function for password hashing and proof-of-work applications, specified in the informational IETF RFC 9106. It is increasingly used to strengthen the protection of stored passwords; an example is its adoption in 2023 by the password manager Bitwarden, following recent industry incidents of attacks on other password managers.
Ascon A cryptography standard for protecting lightweight IoT devices. Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight (i.e., suitable for devices with low computational power and few resources, such as IoT devices) and easy to implement, even with added countermeasures against side-channel attacks. It was chosen by NIST in February 2023 as the basis for its Lightweight Cryptography (LWC) standard. It is intended for constrained environments where AES-based constructions are too heavy; it is not a replacement for AES in general-purpose protocols such as IETF’s TLS.
Asset Curation and Related Topics Asset Curation is a critical part of an organization’s security strategy. It is the discovery and automated, ongoing monitoring of all electronic assets that could be vulnerable to attack. Without it, it is not possible to know which assets need protection and which undefendable assets need to be replaced, and it is an essential input to evaluating the value of the data requiring protection. A Configuration Management Database (CMDB) contains all relevant information about the hardware and software components used in an organization’s IT/OT services and the relationships between those components, and is a useful tool in this curation process. Also in the area of curation is the deployment of data backup strategies. Where practical these should include adjacent systems (web sites, third-party systems that access corporate data, policy databases that must be checked for unauthorized changes, etc.), off-site disaster recovery, auditing and validation of backups by actually restoring the data, and the use of Content Disarm and Reconstruction (CDR) software to scrub restored files. This in turn is part of a Business Continuity Strategy. Finally, an accurate asset inventory is the foundation for automated software, firmware and hardware updates.
Attack Surface The sum of all the points (exposed services, interfaces, accounts, code paths and devices) at which an attacker can attempt to enter, manipulate or extract data from a system or network. The shift from the data center to the Network Cloud Ecosystem has multiplied these points. An Attack Vector is a particular method of gaining unauthorized access, so the attack surface can be thought of as the total set of attack vectors available to an attacker.
Attack Surface Reduction (ASR) This is only included because it has become a kitchen-sink term meaning almost any collection of software and services that reduce threats (Microsoft, for example, uses it for a specific set of Defender hardening rules). Having said that, any set of tools from a highly reliable source is likely a good thing.
Authentication The process of verifying the Identity of an Actor.
Automation and AI The scale of modern systems makes cybersecurity without automated, intelligent systems virtually impossible. Firstly, human error is inevitable given the complexity and constant change: failing to patch ever-changing software, services, firmware and hardware, or updating data manually, creates opportunities for exploits. Secondly, the scale present in larger organizations makes automation the only viable approach. The AI element comes in to discover changes, detect and notify irregularities, and automate the deployment of remedies. Several automated approaches may be required in addition to those overseeing organizational systems and network functions (e.g., web site plug-ins, platform updates, malware prevention systems and provider networks).
Blocked List, Quarantined List, Allow/WhiteList Lists of flows, IP addresses, domains, etc., that are either approved for passage (Allow Lists or WhiteLists), prevented from access (Blocked Lists) or held as suspicious pending approval or blocking (Quarantined Lists). Several variants of this exist.
Botnet A network of computers or devices infected with bot malware and remotely controlled by an attacker through a command-and-control channel. Botnets are used to deliver Distributed Denial of Service attacks, spam, phishing and Credential Stuffing at scale, and to spread malware around an ecosystem. See CAPTCHA below for an example of anti-bot measures designed to insert a human interaction and so frustrate bot-driven abuse.
Bring Your Own Device (BYOD) A potentially disastrous policy allowing users to connect to the organization’s network using their own devices, which may be infected or vulnerable to attack. This applies to staff, contractors and any outside third party.
Bring Your Own Vulnerable Driver (BYOVD) This falls into the category of hidden vulnerabilities little known to the average user. Kernel-mode device drivers must be signed, so an attacker who already has administrative rights loads a legitimately signed but known-vulnerable driver (often an old, unpatched one) and then exploits its flaw to obtain arbitrary kernel read/write. Because the signature is valid, driver signature enforcement is not violated. The defenses are to keep drivers updated from the vendor or via OS automatic update and to enforce the OS vendor’s blocklist of known-vulnerable drivers (Microsoft publishes one). This is not a simple task since it depends on the diligence of Microsoft, Apple, Google and others.
Browser Isolation Browser Isolation (also known as Web Isolation) is a technology that contains web browsing activity inside an isolated environment in order to protect computers from any malware the user may encounter. This isolation may occur locally on the computer or remotely on a server.
Brute Force Attacks Simply put, an important-sounding name for guesswork: systematically trying many candidate passwords (dictionary words, variants on a name, lazy keyboard patterns, etc.) against an account until one works. It is why weak passwords are the cause of so many problems today, and why rate limiting, lockouts and slow password hashing (see PBKDF2 and Argon2) matter.
Business Email Compromise (BEC) BEC is a type of phishing scam in which the attacker impersonates or compromises an employee’s or user’s email account in order to manipulate the target into initiating a payment, giving away sensitive information or connecting to a malicious remote Internet-connected system.
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart. More recently largely automated by Google, but many sites frustratingly still require you to identify crosswalks or bicycles, often unsuccessfully! At least it helps keep the bots at bay.
CASB and SWG Note: what is the difference between CASB and SWG? Both offer data and threat protection, and both are cloud based. Cloud-based SWGs have broader capabilities, which makes them a suitable replacement for the limited traditional firewall. They fulfil the same use case of network/perimeter protection by delivering network security services via the Cloud.
Certificate Authority (CA) A Certificate is an electronic document that uses a digital signature to bind a public key to an identity. A Certificate Authority is an organization responsible for the creation, issuance, revocation and management of certificates. Certificate lifetimes are under pressure in 2023: publicly trusted TLS certificates are already limited to about 13 months, and Google has proposed reducing the maximum validity to 90 days. The point of including this is to make sure that your web hosting provider automatically renews your TLS certificates via the Automatic Certificate Management Environment (ACME), defined in IETF RFC 8555, which automates the certificate request, issuance, installation and ongoing renewal for web servers.
Cloud Access Security Broker (CASB) A Cloud Access Security Broker is cloud-hosted software, or on-premises software or hardware, that acts as an intermediary or gateway between users and Cloud service providers. This is curious because, as with other SASE elements, it sounds similar to the description that Gartner provided for ZTNA (see below).
Common Vulnerabilities and Exposures (CVE & CVSS) CVE is a catalog of publicly disclosed vulnerabilities, maintained by MITRE, that gives each one a unique identifier. CVSS (the Common Vulnerability Scoring System) is the scoring system used to rate their severity.
Vulnerabilities that meet the criteria (acknowledged for a particular code base) are given an ID of the form CVE-YYYY-NNNNN (e.g., CVE-2022-654321) and, typically, a CVSS base score: 9.0–10.0 is Critical, 7.0–8.9 High, 4.0–6.9 Medium and 0.1–3.9 Low. CVE records can be quite esoteric and do not typically indicate a resolution, so this is purely an informational reference, and thousands are published each month. Separately, the CISA Known Exploited Vulnerabilities (KEV) catalog lists the subset confirmed to be exploited in the wild, growing by the order of tens of entries per month; it is a far better prioritization guide than raw CVSS scores.
Compliance There are many requirements covering governance. From a security perspective, failure to comply with such governance may either breach governmental rules on cybersecurity or cause actual security vulnerabilities. In either case it is important not only to understand such requirements but to audit compliance at the onset of a new project (e.g., with DevSecOps) and during operation with ongoing automated monitoring.
Content Disarm and Reconstruction (CDR) CDR is a technique for removing embedded malware from files, usually as they are received. Used increasingly with Remote Browser Isolation, CDR (1) flattens and converts files to a PDF, (2) strips active content while keeping the original file type, and (3) eliminates file-borne risks. Some loss of useful content may be encountered, depending on the software’s functionality.
Credential Re-use Also commonly (and strangely) known as Credential Stuffing, this attack takes a username and password stolen from one site (e.g., a breached social network or web mail account) and replays them, usually at scale with automated tooling, against other sites where the user has naively used the same password. See the Breaking News page of March 2023 for more on this. The answer is a unique password per site (in practice, a password manager) plus Multi-factor Authentication, since with re-used passwords a breach on one site gives access to all sites.
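The Brute Force and Credential Re-use entries describe two attacks that look alike in a login log (lots of failures) but have opposite shapes: brute force hammers one account from one source, while credential stuffing tries many accounts once each, with a few successes mixed in. The following added example, written for this glossary and not taken from the page, shows detection logic for both over a constructed log; the line format, the RFC 5737 documentation IP addresses and the user names are assumptions for illustration.

```python
"""Distinguishing brute force from credential stuffing in authentication logs.

Added example for this glossary, not code from the page. The log line format
and the IP addresses / user names are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Parse 'timestamp ip= user= result=' lines; skip anything malformed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Brute force: many FAILures against ONE account from ONE source within
    the window. Returns the set of (ip, user) pairs that crossed the threshold."""
    hits, recent = set(), defaultdict(deque)
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        q = recent[(ip, user)]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.add((ip, user))
    return hits


def detect_credential_stuffing(events, min_users=5, window=timedelta(minutes=5)):
    """Credential stuffing: ONE source tries MANY distinct accounts, each only
    once or twice, because it is replaying a breached username/password list.
    Successes are counted too: a stuffing run typically has a few OKs mixed in,
    and those are exactly the accounts that re-used a password."""
    hits, recent = set(), defaultdict(deque)
    for ts, ip, user, result in events:
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        attempts_per_user = defaultdict(int)
        for _, u in q:
            attempts_per_user[u] += 1
        if len(attempts_per_user) >= min_users and max(attempts_per_user.values()) <= 2:
            hits.add(ip)
    return hits


def analyze(lines):
    events = parse(lines)
    return {
        "brute_force": detect_brute_force(events),
        "credential_stuffing": detect_credential_stuffing(events),
    }


# Constructed sample log (RFC 5737 documentation addresses, fictitious users).
SAMPLE_LOG = """
2023-03-10T08:00:01Z ip=192.0.2.10 user=bob result=FAIL
2023-03-10T08:00:09Z ip=192.0.2.10 user=bob result=OK
2023-03-10T08:01:00Z ip=203.0.113.7 user=alice result=FAIL
2023-03-10T08:01:20Z ip=203.0.113.7 user=alice result=FAIL
2023-03-10T08:01:40Z ip=203.0.113.7 user=alice result=FAIL
2023-03-10T08:02:00Z ip=203.0.113.7 user=alice result=FAIL
2023-03-10T08:02:20Z ip=203.0.113.7 user=alice result=FAIL
2023-03-10T08:02:40Z ip=203.0.113.7 user=alice result=FAIL
2023-03-10T08:05:00Z ip=198.51.100.23 user=carol result=FAIL
2023-03-10T08:05:02Z ip=198.51.100.23 user=dave result=FAIL
2023-03-10T08:05:04Z ip=198.51.100.23 user=erin result=OK
2023-03-10T08:05:06Z ip=198.51.100.23 user=frank result=FAIL
2023-03-10T08:05:08Z ip=198.51.100.23 user=grace result=FAIL
2023-03-10T08:05:10Z ip=198.51.100.23 user=heidi result=FAIL
this line is not in the expected format and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Note what each rule deliberately ignores: the brute-force rule keys on the (source, account) pair, so a user mistyping twice (bob above) never trips it, and the stuffing rule does not filter on failures, because the one OK in the 198.51.100.23 run is the account that most urgently needs a forced password reset. Per-account lockouts do nothing against stuffing; per-source rate limits and MFA do.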
Critical Infrastructure Utility, military, government, health, transport and city network operational infrastructures. This is not a cybersecurity term but is frequently referred to because of the importance of protecting them from cyber-attacks.
Cryptography The application of mathematical methods to encrypt/encipher and decrypt data. Asymmetric (Public Key) Cryptography uses a key pair, a public key and a private key, such that data encrypted with one can only be decrypted with the other. In Symmetric Cryptography the same secret key is shared by both parties and used for both encryption and decryption.
Cybersecurity and Infrastructure Security Agency (CISA) The US government’s Cybersecurity and Infrastructure Security Agency (CISA) works with partners to defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future.
CyberStart America (CSA) A U.S.-funded student cybersecurity education program. “CyberStart America is the most enjoyable way to discover your talent, advance your skills and win scholarships in Cybersecurity.”
Dark Web The Dark Web is the encrypted part of the Internet that is not indexed by search engines and is reached through anonymizing software such as the Tor browser, using the correct (.onion) address and, for some sites, access rights. It is used by all types of cyber criminals to communicate and trade without being identified by law enforcement; malware of all types can be purchased there. Users remain almost completely anonymous.
Data Breach The hackers’ end game: exfiltration or corruption of critical user, corporate or customer/client data or intellectual property, or corruption of software, etc.
Data Loss Prevention (DLP) An approach that seeks to improve information security and protect business information from data breaches by preventing end users from moving key information outside the network. DLP also refers to the tools that enable a network administrator to monitor the data accessed and shared by end users.
Deep Fake A video, audio clip or picture that has been altered so that people believe a falsehood because they trust the person they appear to be seeing or hearing and believe that person actually said those words. A deeply disturbing trend, often used in conjunction with other tricks such as Business Email Compromise.
Development, Security & Operations (DevSecOps) A methodology that includes security as an element of the development of all services and products (not just software) as they are designed, developed, tested, introduced, monitored and iteratively revised. In addition, it adds to the product marketing responsibilities the duty to investigate and include security in the requirements and product definitions. This is definitely the author’s personal definition.
Digital Forensics and Incident Response (DFIR) The discipline of investigating security incidents (collecting and preserving evidence, reconstructing what happened) and containing and recovering from them. A Digital Forensics and Incident Response Report is published annually; the 2022 edition, published in March 2023, provides a fascinating set of insights into the most potent threats in play.
Distributed Denial of Service (DoS/DDoS) Denial of Service (DoS) attacks are used to overwhelm a target device or software element, including websites, cloud containers or applications. The traffic itself may be well formed and is not necessarily malware. A Distributed Denial of Service (DDoS) attack involves multiple connected online devices, collectively known as a botnet, delivering the traffic from a myriad of sources and typically targeting a particular victim, which makes it much harder to defend against. DDoS attacks were more prevalent in the past, when Threat Actors were content with disruption rather than financial gain. Any of the targets mentioned above (web sites, etc.) can be hit. More recently, and more insidiously, attacks on infrastructure and on the management/control capabilities of security elements can not only cause a network device or service (e.g., a Firewall) to be overwhelmed and fail, but then allow malicious traffic to penetrate and cause havoc. I.e., a DDoS attack can be the first element of a two-pronged attack.
DNS Security & Protocol Filtering The Internet functions by matching domain names to IP addresses using the Domain Name System (DNS). DNS Protocol Filtering checks whether the DNS messages within a session are to be allowed or blocked. DNS messages are specified in RFC 1035 (with RFC 1996 covering the NOTIFY message). DNS Security Functions are important threat detection and prevention tools that address: responses for known bad domains (DNS sinkholing or blackholing), Distributed Denial of Service (DDoS) attacks on or through DNS, attacks that trick users into using malicious domains (DNS hijacking and man-in-the-middle attacks), use of DNS queries and responses to carry payloads, usually for command-and-control (DNS tunneling), and malware that generates many random-looking domain names to evade blocklists (domain generation algorithms, DGA).
Domain Controller A Domain Controller is a server that responds to authentication requests and verifies users on computer networks.
Domain Name Filtering (DNF) Domain Name Filtering is the action taken by the SASE Service Provider to check whether a session contains domain names that are to be permitted or denied. It provides a level of protection for a Subject inadvertently attempting to access a malicious Target.
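The DNS Security and Domain Name Filtering entries above list three distinct checks a resolver-side filter performs: a blocklist match that must also catch subdomains of a blocked domain, a tunneling check on label length and record type, and a DGA check on the randomness of the registered label. The following added example, written for this glossary and not code from the page or from any SASE provider, implements all three over constructed queries; the blocklist entries, thresholds and query names are assumptions for illustration, and the DGA check approximates the registered label as the second-to-last one (a real filter would consult the Public Suffix List).

```python
"""DNS query filtering: blocklist, tunneling and DGA heuristics.

Added example for this glossary, not code from the page. The blocklist,
thresholds and query names are constructed assumptions for illustration.
"""
import math
from collections import Counter

# Constructed blocklist of known command-and-control domains (fictitious).
BLOCKLIST = {"evil-c2-example.net", "malware-drop-example.org"}


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def blocklisted(qname, blocklist=BLOCKLIST):
    """True if qname is a blocked domain or any subdomain of one, so that
    'update.evil-c2-example.net' is caught by the 'evil-c2-example.net' entry.
    Matching on label boundaries (not string suffixes) keeps
    'notevil-c2-example.net' from being blocked by accident."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_dga(qname):
    """Domain-generation-algorithm heuristic on the registered label: long,
    high-entropy, vowel-poor strings such as 'x7k2qz9w0pm4ve'. The registered
    label is approximated as the second-to-last label, which is wrong for
    multi-part suffixes like co.uk; a real filter would use the Public Suffix List."""
    labels = normalize(qname).split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return len(label) >= 10 and shannon_entropy(label) >= 3.5 and vowel_ratio < 0.3


def looks_like_tunneling(qname, qtype):
    """Tunneling encodes data into labels: very long labels or names, more so
    with record types (TXT, NULL) that carry large responses back."""
    name = normalize(qname)
    longest = max(len(label) for label in name.split("."))
    limit = 30 if qtype in {"TXT", "NULL"} else 45
    return longest >= limit or len(name) > 150


def filter_query(qname, qtype="A"):
    """Return the filtering decision for one query, most certain rule first."""
    if blocklisted(qname):
        return "BLOCK:blocklist"
    if looks_like_tunneling(qname, qtype):
        return "BLOCK:tunneling"
    if looks_like_dga(qname):
        return "FLAG:dga"
    return "ALLOW"


# Constructed sample queries (name, record type).
SAMPLE_QUERIES = [
    ("www.example.com.", "A"),
    ("Update.EVIL-c2-example.net", "A"),
    ("x7k2qz9w0pm4ve.biz", "A"),
    ("4a6f686e2d446f652d3230323330333130-7365637265742d64617461.t.exfil-example.net", "TXT"),
    ("mail.bankofexample.co.uk", "MX"),
]

if __name__ == "__main__":
    for qname, qtype in SAMPLE_QUERIES:
        print(f"{filter_query(qname, qtype):16} {qtype:4} {qname}")
```

The DGA result is only a FLAG, not a BLOCK: entropy heuristics have false positives (CDN hostnames, hashed tracking labels), so in practice a flagged query is sinkholed or sent for enrichment rather than dropped outright, whereas a blocklist hit or a 57-character TXT label has no legitimate explanation.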
Drive-by Attacks Drive-by attack is shorthand for the unintended downloading of malware to your devices (PCs, phones, etc.) simply by visiting a compromised or malicious web page, typically without the user’s involvement or knowledge.
Elevation of Privilege An attack in which a bad actor gains higher rights than they were granted, for example by exploiting a vulnerability or misconfiguration, through an insider, or by gaining access to and modifying the data that defines user privileges. Just as dangerous is granting unnecessary levels of privilege to those who do not need them, e.g., executives, contractors, etc. See Least Privilege.
Encryption Encryption has many specific definitions and methodologies: symmetric and asymmetric cryptography, public and private keys, algorithms such as AES, RSA and Ascon, and the protocols that use them such as TLS, IPsec and MACsec, are all used for secure communications. Encryption of all sensitive data, on every type of compute device and in transit, is supported and recommended to prevent data breaches and limit the impact of ransomware. Middle Box functions are typically used to decrypt and inspect IP flows.
Exfiltration Typically, the unauthorized transfer of information out of an information system. A key principle of Zero Trust is the prevention of exfiltration (theft) of data.
Exploit A methodology/software to take advantage of vulnerabilities by breaching the security of a system or network ecosystem.
Extended Detection & Response (XDR) An emerging technology that can offer improved threat prevention, detection and response capabilities for security operations teams. XDR describes a unified security monitoring, incident detection and response platform that automatically collects and correlates data from multiple security components (endpoint, network, identity, cloud), often from a single vendor.
Fast IDentity Online (FIDO) A set of authentication standards from the FIDO Alliance defining fast, phishing-resistant authentication for users accessing websites and applications. FIDO2 consists of the W3C Web Authentication (WebAuthn) API, which the browser exposes to web applications, and the Client to Authenticator Protocol (CTAP), which the browser uses to talk to security keys and platform authenticators.
Federal Risk and Authorization Management Program (FedRAMP) A government-wide initiative to assess, authorize and monitor cloud software providers and protect the sensitive data housed in federal agencies.
Firewall A Firewall secures a network by deciding which data packets are allowed to pass through it, primarily by inspecting Layer 3/4 IP traffic. Firewalls and their management software can themselves be targets of DDoS attacks (see above).
Firewall as a Service (FWaaS) Firewall as a service, also known as a Cloud firewall, provides cloud-based network traffic inspection to customers migrating to a hybrid or multi-cloud model. It reduces the load on on-premises data center equipment and the management burden on internal cybersecurity teams.
Hacker A Hacker is the well-known term for those with malicious intent who break into systems or insert malware. More correctly these are known as Black Hat Hackers, whereas a White Hat Hacker is one who looks for vulnerabilities in order to report them and have those weaknesses removed, whether in a software company or an end-user organization.
Honeypot A network-attached device that lures attackers away from real assets and records their activity. It might mimic an Internet-connected database, web server, PC, etc. The concept is that such devices report on any access, since there is no legitimate reason for anyone to touch them. It is less easy to find reports on the effectiveness of individual solutions, one of which is
Identity and Access Management (IAM) IAM is the set of processes, policies and tools for controlling user access to critical information; it is the discipline that enables the right individuals to access the right resources at the appropriate times. It is important not to collapse Identity and Access into one thing: both are elements of Zero Trust, but Identity Management and Access Management software/services may well be independently sourced functions or services.
In the Wild Usually refers to incidents or attacks seen in actual live situations rather than in a simulation or in a test lab. Not really a technical definition but worth including.
Insider Threats When a trusted insider (usually but not necessarily staff) gains access to confidential data, accidentally or deliberately inserts malware, exfiltrates data, etc. Coercing or deceiving insiders is also referred to as Social Engineering. This is where the principle of Least Privilege and monitoring of all network access are key. HR has a key role to play in monitoring staff and trusted third parties.
Internet Protocol Security (IPsec) A group of IP-layer protocols used to create encrypted and authenticated connections, exchange keys (IKE), etc. The reference roadmap document is IETF RFC 6071.
Intrusion Prevention System (IPS) An Intrusion Prevention System (IPS) applies IP reputation and content-matching rules inline to block known bad sessions. Such systems, also known as IDPS, may include anti-virus engines for inspecting file content across many protocols, for example HTTP, IMAP and SMB.
Threat and intrusion detection systems (IDS) have a similar role to an IPS but use detection technologies that preclude inline blocking: for example, behavioral analysis of file content and network anomaly detection have detection delays and resource requirements that prevent inline deployment. These systems respond to detections by issuing Security Event Notifications (SENs, i.e., alerts).
IP Proxy (IP-P) A proxy server acts as a gateway between you and the Internet: an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security and privacy depending on your use case, needs or company policy.
IP, Port and Protocol Filtering (IPPF) The action taken by the SASE Service Provider to check whether a session matches a list of source or destination IP addresses, source or destination port numbers, transport protocols and/or application protocols that are to be allowed or blocked.
Key Logging Keylogging software is spyware that records everything you type, for instance credit card details and MFA codes(!). The collective wisdom is the usual prevention of inadvertent installation of infected applications and defense against malware.
Lateral Movement Attacks After an initial foothold on one device or account, the attacker moves across the network to other systems (servers, workstations, cloud workloads), typically by reusing stolen credentials or exploiting trust relationships, in search of higher privileges and valuable data. The malware or implant placed on each hop may become active immediately, or lie dormant for days or even months.
Least Privilege (PoLP) The Principle of Least Privilege is that users, devices and programs should have only the privileges necessary to complete their tasks, and only for as long as they need them.
Living off the Land Attacks (LotL) Living off the Land describes cyberattacks that use legitimate software and functions already present on the system (e.g., PowerShell, WMI, scheduled tasks) to perform malicious actions. They are often initiated via email/phishing and can be very difficult to detect because no new malicious binary is introduced.
Malware Detection and Removal (MD+R) Malware is any software specifically designed to disrupt, damage or gain unauthorized access to a computer system. Malware Detection and Removal is the action taken by a Provider to check whether a session contains malware and to remove the malware or block the session containing it.
Note: Viruses that infect other code and Trojans that pretend to be legitimate code are both forms of malware.
Man in the Middle Attack (MITM) In a Man in the Middle Attack a system intercepts traffic from a Subject Actor while appearing to be the Target system and, at the same time, masquerades as the Subject to the actual Target. Its objective is to sit inside a genuine dialog for any number of malicious purposes without arousing the suspicion of either party. This is where many attacks begin, and it is the prime way in which 2-Factor Authentication is defeated: a phishing proxy relays the victim’s password and one-time code to the real site in real time and captures the resulting session.
Memory-Safe Languages Many vulnerabilities arise because languages such as C and C++ leave bounds checking and memory lifetime to the programmer, so bugs such as buffer overflows and use-after-free let an attacker corrupt memory and hijack the program. This whole class of flaws is eliminated or greatly limited by memory-safe languages, which check bounds and manage memory for you. Knowledge of the language an application is written in therefore becomes a factor in choosing an application. Examples of memory-safe languages are Rust, C#, Go, Java, Ruby and Swift, as opposed to C and C++, which are not. Judicious use of compiler hardening options helps with the latter too. Thanks for this gem go to Steve Gibson of Security Now and SpinRite fame.
Micro-segmentation There are several interpretations of this term with a common principle. This being the ability to compartmentalize Cloud and data center functions and applications into secure segments. This works well with implementing Least Privilege, Zero Trust enforcement points, Identity and Access Policies where it is most relevant.
MiddleBox Function A function used to decrypt and re-encrypt secured communications so that the traffic can be inspected. This process should be in a single device, which may include other functions. It typically needs to present a certificate the client trusts in order to be part of a trusted connection.
Mitigation One or more steps taken to minimize or eliminate cybersecurity threats, risks and consequences.
MITRE MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Monitoring and Auditing Automated continuous Monitoring is a key element of any Zero Trust implementation. The continuous aspect ensures that time-based access privileges (time of day or duration) remain in compliance, and that events such as blocked access attempts or elevation of access are logged and reported via the Security Event Notification system. Control via an automated system is required. Auditing may also be required to ensure that both integrity and compliance with policies are maintained.
Multi-factor Authentication (MFA) Everyone must be familiar with this irritating phenomenon. It means that you are required to prove who you are by having two (2FA) or more ways of identifying yourself (MFA). For example, after you enter a password, you must also enter a code sent to your mobile device or email. Sometimes multiple proofs are needed, e.g., face recognition or providing your dog’s birthday. See also Passkeys.
Now the bad news. Roger Grimes has identified at least 20 ways to hack two-factor authentication, including an analysis of 25+ MFA systems.
OAuth Authorization (OAuth 2) An authorization framework that enables applications, such as Facebook, GitHub, and DigitalOcean, to obtain limited access to user accounts on an HTTP service. See warnings on password and Identity Re-use.
Open Worldwide Application Security Project (OWASP) OWASP is a nonprofit foundation working to improve the security of software and the source for developers and technologists to secure the web. It delivers Tools and Resources, Community and Networking, and Education & Training.
Operational Technology (OT) This refers to the operational areas of a network as a complement to the IT functional areas. A subset of OT is also referred to as IIoT, which can be confusing. OT was previously sheltered from attack and has become a focus for mitigating cybersecurity weaknesses in manufacturing, utilities, smart city, defense and many real-time networks. That focus is about the defense of devices never intended to have an IP level of connectivity or IT-grade computational power.
Passkey A digital credential that adheres to the FIDO and W3C Web Authentication standards. Similar to a password, websites and applications can request that a user create a passkey to access their account. Passkeys rely on unlocking a device to verify a user’s identity. A new (October 2022) web site gives the latest information.
Password Based Key Derivation Function version 2 (PBKDF2) This is a defense against brute force attacks on passwords. It makes automated password guessing impractical by adding a large number of hashing iterations, so that each guess costs the attacker a large amount of compute. This is generally known as key stretching (also called key strengthening).
Passwords: Managers, Iteration Count Passwords and their length, management and security are tiresome topics. Password length is the most important factor (25 characters or more, randomly generated). Password vaults such as those managed by BitWarden encourage a password iteration count (the number of times the password is hashed) of at least 100,100. The previous password manager market leader (LastPass) is not recommended (see Breaking News). See Credential Re-use warnings on reusing passwords.
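The two entries above (PBKDF2 and the vault iteration count) describe the same mechanism. The following added example, which is not code from the original page, uses Python's standard-library PBKDF2-HMAC-SHA256 to show how the iteration count multiplies the cost of each password guess. The `100_100` default, the sample password and the helper names are assumptions chosen to match the figures on this page.

```python
import hashlib
import hmac
import os
import time

# Iteration count taken from the vault recommendation on this page (assumed default).
DEFAULT_ITERATIONS = 100_100


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: the password is fed through HMAC `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Store what a vault would keep: a random per-user salt, the count, and the derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "key": derive_key(password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and count; constant-time compare avoids a timing side channel."""
    derived = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["key"], derived)


def guess_cost_seconds(iterations: int, guesses: int = 20) -> float:
    """Wall-clock time an attacker pays per guess at this iteration count (measured locally)."""
    salt = b"constructed-salt"  # fixed salt so only the iteration count varies
    start = time.perf_counter()
    for i in range(guesses):
        derive_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample password
    print("verify correct:", verify(rec, "correct horse battery staple"))
    print("verify wrong:  ", verify(rec, "password123"))
    for n in (1, 1_000, DEFAULT_ITERATIONS):
        print(f"{n:>7} iterations: {guess_cost_seconds(n) * 1000:.2f} ms per guess")
```

Running it shows the per-guess time rising roughly linearly with the iteration count, which is the whole point: a higher count does not make a long random password stronger, but it makes each automated guess proportionally more expensive.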
Payment Card Industry Data Security Standard (PCI-DSS) The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council.
Pen Testing Penetration Testing. Testing a system for vulnerabilities using the tools and techniques an attacker would use.
Policy and Enforcement Management This is the central controlling element of a Zero Trust enabled secure service. It is the software or service element that manages and controls requested access based on Identity, Authentication, Access Control and Policy. This management may sit at a common point in a network, or may also include the Policy Enforcement that protects against data exfiltration or software replacement. It can be integrated as part of a service. It also initiates the monitoring of the flow between actors for the duration of a connection. Depending on the access requested, it may manage at any layer of the network from the physical to the application layer, and also the control or management plane software, the operation of secure containers, etc.
Polymorphic Malware Malware designed to constantly change its identifiable profile in order to evade detection. Types of malware including bots, trojans, keyloggers, viruses and worms, can be polymorphic.
Phishing and PhaaS Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email, text (smishing) or voice mail (vishing), targeting either types of individuals (whaling) or specific individuals (spear phishing). Phishing is the source of large numbers of cybercrimes. Malware triggered by clicking, Zero-Clicks, embedded code, Living off the Land Attacks, etc., begin here. Phishing as a Service is a 2022 phenomenon. It is essentially a tool kit run as a service for use by less skilled hackers.
Protective DNS (PDNS) Protective Domain Name System (PDNS) adds a threat intelligence check against all DNS queries and answers to avoid or sinkhole malicious or suspicious domain resolutions. PDNS integrates easily with existing security architectures through a simple recursive resolver switch. It is important because it analyzes DNS queries and takes action to avoid threat websites, leveraging the existing DNS protocol and architecture. Protecting DNS queries is a key cyber defense because threat actors use domain names across the exploitation lifecycle. Users frequently mistype domain names while attempting to navigate to websites, and may be redirected unknowingly to a malicious site. From there, threat actors may exfiltrate data, conduct command and control operations, and install malware onto a user’s system.
Ransomware and RaaS Ransomware is some combination of malware or other software that results in user data or systems being encrypted or locked until a ransom is paid. The threat is loss or exposure of private data, or cessation of business-critical operations. Ransomware payments do not generally prevent the threat from being executed. Ransomware as a Service (RaaS) was the model for PhaaS (above): a tool kit run as a complete packaged service for use by less skilled hackers.
Red Team, Blue Team, White Team Where resources permit, a Red Team is a group of security experts who simulate attackers attempting to defeat the Blue Team, who use their existing threat detection and prevention defenses to detect and thwart the Red Team’s attacks on an organization. The result is (in theory) a list of new defenses that can be deployed. This can be very challenging and rewarding when viewed from a holistic perspective. The White Team are the referees/scorers in this competition.
Remote Browser Isolation (RBI) RBI is a security measure that separates users’ devices from the act of internet browsing by hosting and running all browsing sessions in a remote, cloud-based and hopefully secure container. It also means that data can be screened to avoid exfiltration of sensitive data or access to middle box functions, and it serves as a phishing defense. This, therefore, is an efficient way and place to implement a Zero Trust Enforcement Point. It also helps prevent malware being inadvertently loaded onto end user systems.
Rootkit A Rootkit is a collection of malicious software giving actors control of a computer, network device or application. Rootkits typically create back doors for further attacks and, by their nature, are not detectable by anti-malware software once installed. This is why Rootkits are considered extremely dangerous.
Secure Access Service Edge (SASE) SASE is designed as a fully-integrated WAN networking and security framework that connects remote users and branch offices to cloud and corporate applications and the Internet. As first outlined by Gartner in December 2019 (the original blog described it as a “new package of technologies”), SASE is a conceptual framework, not a product. It encompasses: (1) SD-WAN, a network overlay technology, (2) Cloud Access Security Broker (CASB), (3) Secure Web Gateway (SWG), (4) Firewall as a Service (FWaaS) and (5) Zero Trust Network Access (ZTNA). All these terms are covered in this Terminology page. Their definition is up for interpretation.
Late in 2022 the MEF expanded on the original idea introducing a SASE service and service attributes definition (MEF 117) by defining a standard ‘SASE service’ combining security functions and network connectivity.
Secure Service Edge (SSE) Follow-on to the above. Later, Gartner defined SSE, a more IT-focused and implementable subset of SASE without SD-WAN and FWaaS, consisting of CASB, SWG and ZTNA. It defines SSE as securing access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components. In March 2022 Gartner created a new magic quadrant summarizing 11 players in this space.
Note: If, after reading this, Googling SASE or SSE and looking at product definitions in this space, you are still unclear, then we would not be surprised, since vendors and providers match their capabilities to their market. If you are looking for guidance, then it comes down to understanding what a product does and seeing if it matches your requirements, rather than matching the function to a marketing definition of SASE or SSE.
Secure APIs Application Program Interfaces (APIs) are increasingly important, and their security is critical and integral to regulating access to code. There are many potential vulnerabilities that are well-documented, together with best practices for defense. Digital signing of APIs is the best of these defenses.
Secure Containers Given the popularity of Kubernetes as the favored container platform and the home of Cloud workflows, it is no surprise that protection methodologies are required; hence the term Secure Containers. See Reference 36 on the reference page for much more information.
Secure DNS Proxy (SDNSP) Smart DNS Proxy is a secure DNS Proxy service to unblock websites and global video & music streaming services. Unblocking US websites like Netflix, Hulu, ABC or music streaming services like Pandora or Spotify just natively happens when you use Smart DNS Proxy. There is no connection or disconnection needed as in a VPN. It claims to be faster than a VPN and works with any device: PC, Mac, Smart TV, Xbox, PS3, Router, iPad, iPhone or any Android device.
Secure Internet Gateway (SIG) A SIG is a cloud-delivered internet gateway that provides safe and secure access to users wherever they go, even when the users are off the VPN/network.
Secure Production Identity Framework for Everyone (SPIFFE) SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running. SPIRE is a production-ready implementation of the SPIFFE APIs.
Secure Socket Layer (SSL) The standard security technology for establishing an encrypted link between a web server and a browser.
Secure Web Gateway (SWG) Secure web gateways act as a barrier, keeping users from accessing malicious websites, malware, or web traffic that is part of a cyberattack. An SWG is a solution that filters malware from user-initiated Internet traffic to enforce corporate and regulatory policy compliance. A secure web gateway is a cyber barrier or checkpoint that keeps unauthorized traffic from entering an organization’s network. The traffic that a secure web gateway governs is all inline: the gateway stands between all incoming and outgoing data.
Security and Risk Management (SRM) The ongoing process of identifying security risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets.
Security as a Service (SECaaS) The ongoing process of identifying security risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets.
Security Assertion Markup Language (SAML) A login standard that helps users access applications based on sessions in another context. It is a single sign-on (SSO) login method offering more secure authentication (with a better user experience) than usernames and passwords.
Security Event Notification (SEN) This is a broad definition of what, how and where events are notified. In this security context, for Zero Trust implementations this could include access requests being blocked or quarantined due to improper access privilege, identification, authentication or policy failures; target actors being out of scope for the subject actor’s access; or monitoring noting that timed access was being violated. It could also notify management issues such as Denial of Service attacks or failures in secure services such as unexpected termination. These notifications are in addition to service notifications of IP failures, QoS violations from network services, secure container or other data-related notifications. There are no industry standards that encompass all network, IT, or security notifications via common secure APIs.
Security Functions A SASE Service delivers and manages cloud-native security functions as specified by the SASE Subscriber Policy for a specific session. These security functions must be deployable anywhere within the SASE Service in order to optimize the performance and security provided by the SASE service for that session. The security functions available in a SASE service are listed in the body of the work. The security functions are ‘atomic’ in the sense that they are frequently combined as part of a package recognized in the market under different terminology, for example ATP, CASB and SWG.
Security Information and Event Management (SIEM) A modern SIEM works with more than just log data and applies more than simple correlation rules for data analysis.
Security Operations Center (SOC) Location of the services and systems responsible for cybersecurity.
Security Orchestration, Automation and Response (SOAR) Clearly an important function, though Gartner’s marketing engine referring to it as “The SOAR market continues to build toward becoming the control plane for the modern SOC environment” may be a little over the top.
Security Posture Describes the current state of an organization’s overall ability to predict, prevent and respond to cyber threats. This book provides focus on all the areas that need to be taken into account. The term may seem non-intuitive but has become widely adopted.
Session Hijacking Also known as cookie hijacking, it’s the exploitation of a user-Internet/web server session to gain unauthorized access to information or services. In particular, it is used to refer to the theft or “hijacking” of cookie information used to authenticate a user to a remote server.
Side Channel Attack This is an attempt to deduce information, keys, passwords, etc., by measuring CPU usage, visual or acoustic evidence, or electromagnetic emissions from adjacent software or devices. It could involve the use of tracking devices, chips, keys, or known hardware weaknesses.
Social Engineering The use of psychological manipulation to influence people to divulge sensitive information or to perform actions that may not be in their best interest. It often involves exploiting people’s trust, fear, or desire for gain, and can be used to gain access to confidential information, networks, or systems.
Software Defined Wide Area Networks (SD-WAN) An overlay to transport-layer communications. Originally defined by the Open Networking Group and later defined for service providers by the MEF [15]. SD-WAN is also an element of SASE as introduced by Gartner.
Software Supply Chain Attacks Malicious software code embedded “somewhere” in the systems of software suppliers. The cause of many, perhaps most, large-scale, high-profile ransomware and malicious attacks.
SQL Injections Most IT people are aware that SQL (Structured Query Language) is a commonly used methodology for accessing databases in data centers or in clouds. SQL injection exploits weaknesses in how applications build queries from untrusted input when accessing data. Best defense practices are the use of Secure Containers, input validation and parameterized queries to prevent deleting and overwriting data, and of course the use of Zero Trust principles to avoid exfiltration of data.
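To show what “parameterized queries” and “input validation” mean in practice, here is an added example (not code from the original page) using Python's built-in sqlite3 with a constructed in-memory `users` table. The vulnerable lookup builds the query by string formatting, so the quoting in the input is interpreted as SQL; the safe lookup hands the value to the driver as a bound parameter, and an allow-list check rejects anything that is not a plain username before it reaches the database. Table layout, sample rows and function names are assumptions.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: user input is pasted into the SQL text, so quotes in the input change the query."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the value is bound as a parameter and can never be parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list validation: a username is letters, digits, dot, underscore or hyphen, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def is_valid_username(username: str) -> bool:
    """Input validation layer that sits in front of the query: reject anything outside the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Defense in depth: validate first, then use the parameterized query."""
    if not is_valid_username(username):
        return []
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = build_db()
    tautology = "x' OR '1'='1"  # the classic textbook payload, used here only to show the difference
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, tautology))  # returns every row
    print("safe, crafted input      :", lookup_safe(db, tautology))        # returns nothing
    print("validated, crafted input :", lookup_validated(db, tautology))   # rejected before the query
```

The same crafted string returns the whole table from the string-formatted query and nothing from the parameterized one, which is exactly the property the defense relies on: the database never sees the input as code.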
Structured Threat Information Expression (STIX) STIX™ is a language and serialization format used to exchange cyber threat intelligence. STIX is open source and free, allowing those interested to contribute and ask questions freely. STIX includes 18 Domain Objects.
TCP Split Handshake Attack First encountered more than a decade ago, this attack is caught by most firewalls. However, this form of attack is seemingly still quite prevalent. Briefly, when the user’s system (e.g., a browser) makes a connection with a remote host, the Transmission Control Protocol (TCP) is invoked, beginning with a three-way synchronization “handshake.” The connection is initiated by the user with (1) what is known as a SYN packet, (2) the host replies with a SYN-ACK acknowledgement packet, and (3) its receipt is acknowledged by the user with an ACK packet. Then the flow of data starts. This can be subverted by a malicious host sending back a confusing packet during the initial handshake. Probably more than you need to know, but for a detailed discussion, see the referenced 2010 write-up.
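The three steps above are what a firewall or IDS state machine expects to see. The following added example, which is not code from the original page, is a small connection tracker that admits only the canonical SYN, SYN-ACK, ACK sequence and raises an alert when the responding host answers with anything else (the 2010 research this entry refers to describes the responder answering with its own SYN instead of a SYN-ACK, which is the case flagged explicitly here). The `Segment` record, host labels and alert text are assumptions; the flag values are the real TCP header bits.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the header.
SYN = 0x02
ACK = 0x10


@dataclass
class Segment:
    """Constructed stand-in for a captured TCP segment: who sent it and which flags are set."""
    src: str
    dst: str
    flags: int


class HandshakeTracker:
    """Tracks one client/server pair and only moves forward on the strict three-way handshake."""

    def __init__(self, client: str, server: str):
        self.client = client
        self.server = server
        self.state = "LISTEN"
        self.alerts: list[str] = []

    def _block(self, reason: str) -> None:
        self.alerts.append(reason)
        self.state = "BLOCKED"

    def observe(self, seg: Segment) -> str:
        """Advance the state machine for one segment and return the new state."""
        if self.state in ("ESTABLISHED", "BLOCKED"):
            return self.state  # nothing more to decide for this connection

        if self.state == "LISTEN":
            if seg.src == self.client and seg.flags == SYN:
                self.state = "SYN_SENT"
                return self.state

        elif self.state == "SYN_SENT":
            if seg.src == self.server and seg.flags == SYN | ACK:
                self.state = "SYN_RECEIVED"
                return self.state
            if seg.src == self.server and seg.flags == SYN:
                # Responder tried to start its own handshake instead of acknowledging ours.
                self._block(f"split handshake: {seg.src} sent SYN without ACK in reply to client SYN")
                return self.state

        elif self.state == "SYN_RECEIVED":
            if seg.src == self.client and seg.flags == ACK:
                self.state = "ESTABLISHED"
                return self.state

        # Anything else is out of sequence for a well-formed handshake.
        self._block(f"unexpected segment from {seg.src} flags=0x{seg.flags:02x} in state {self.state}")
        return self.state


def run(segments: list[Segment], client: str, server: str) -> tuple[str, list[str]]:
    """Feed a segment list through the tracker; returns the final state and any alerts."""
    tracker = HandshakeTracker(client, server)
    for seg in segments:
        tracker.observe(seg)
    return tracker.state, tracker.alerts


# Constructed sample traces.
NORMAL = [Segment("client", "server", SYN), Segment("server", "client", SYN | ACK), Segment("client", "server", ACK)]
SPLIT = [Segment("client", "server", SYN), Segment("server", "client", SYN), Segment("client", "server", SYN | ACK)]

if __name__ == "__main__":
    print("normal:", run(NORMAL, "client", "server"))
    print("split: ", run(SPLIT, "client", "server"))
```

A real firewall does this with sequence numbers and timers as well, but the decision is the same: the connection is only considered established after exactly the three segments listed in the entry, in that order and from those directions.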
Threat Detection Threat Detection (a.k.a. Threat Assessment or Threat Analysis) is the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network. Be aware that, while they are much better than having no detection, most of these Threat Detection systems are limited to the IT department’s domain and are not set up to investigate external systems such as provider or cloud networks, supply chain networks, web content management systems, external CRM systems, OT networks, etc. They also likely do not help directly with social engineering, and often do not validate least privilege or other Zero Trust attributes. They may also be vulnerable to management plane attacks on the Threat Detection software itself.
Transport Layer Security (TLS) Transport Layer Security (TLS) encrypts data in transit as specified in IETF RFC 5246. This is currently a controversial issue because of the pending requirement to upgrade from TLS 1.2 to TLS 1.3.
The difference is the deprecation of various supported encryption methods and simpler but more secure handshakes. The overwhelming resistance to upgrading is based on disruption and concern about breaking vast numbers of applications. This resistance is going to be overcome by NIST mandates that force change in government and financial networks, likely to arrive in January 2024. See Cisco’s report on this issue.
Trojan A form of malware where a malicious payload is embedded inside a benign host file or program, Log4Shell being a prime example of infected open source code that was used extensively before it was detected. When embedded in a file, the victim is tricked into believing that the only file being retrieved is the viewable benign host. However, when the victim uses the host file, the malicious payload is automatically deposited onto their computer system.
URL Filtering (URLF) URL Filtering is defined as the action taken by the SASE Service Provider to check whether a session contains a URL that is to be Allowed or Blocked. The URL format is specified in IETF RFC 3986. URL Filtering applies to cases where the domain name is on the “Domain Name Filtering Allow List,” but one or more URLs associated with that domain have a security issue and need to be blocked.
Virtual Private Network (VPN) A service that protects Internet connections and privacy online. It creates an encrypted tunnel for data, protects your online identity by hiding IP addresses, and allows the safe use of public Wi-Fi hotspots.
Vulnerability Assessment The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
Vulnerability Management The cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Vulnerability management is integral to computer and network security and should not be confused with vulnerability assessment.
W3C Web Authentication (WebAuthn) A standard for web authentication: an API for accessing Public Key Credentials.
Zero-Click Attack An attack initiated without the user taking any action or clicking on anything. These can be triggered by just opening an email and unwittingly enabling a Living off the Land or Microsoft Office exploit.
Zero-Day A.k.a. “Zero-day” Attack. A new exploitation of a vulnerability by an attacker. By definition, it is discovered after it causes damage, and it is successful because no remedy (e.g., a software fix or remedial process) had yet been implemented.
Zero Trust A set of principles and strategies intended to prevent the exfiltration of data in many areas, layers and apps operating in a hybrid cloud, perimeter-less network. See Section 7 of the Book for an in-depth examination.
In a world where the network perimeter no longer exists, a Zero Trust approach is the best and perhaps the only approach to protecting your assets. Remember it is not a system but an approach whose deployment is context and location dependent.
Zero Trust-Enabled Secure Service (ZTESS) While Zero Trust is neither a system nor a product, and the Gartner concepts of SASE and SSE are important steps forward, ZTESS is a framework service that incorporates (1) the principles of Zero Trust, (2) the network and security elements of SASE, (3) around 30 defensive elements associated with SSE and (4) the elements of holistic security across an extended organization.
Zero Trust Network Access (ZTNA) Zero Trust Network Access is an element of Gartner’s original SASE concept. Note that there is no official industry standard definition for this term or its specific functions (this includes NIST 800-215). In the market, ZTNA solutions provide secure remote access to an organization’s applications, data, and services based on clearly defined access control policies. It could be said that ZTNA is the Zero Trust replacement for virtual private networks (VPNs), in that ZTNA grants access only to specific services or applications, whereas VPNs grant access to an entire network. ZTNA is an obvious solution to distributed workforce security.