Glossary Flashcards

(500 cards)

1
heat map risk matrix
A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.
2
lessons learned report (LLR)
An analysis of events that can provide insight into how to improve response and support processes in the future.
3
network log
A target for system and access events generated by a network appliance, such as a switch, wireless access point, or router.
4
File Transfer Protocol (FTP)
Application protocol used to transfer files between network hosts. Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES), and T(rivial)FTP. FTP utilizes ports 20 and 21.
5
quantitative risk analysis
A numerical method that is used to assess the probability and impact of risk and measure the impact.
6
provenance
In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.
7
Internet header
A record of the email servers involved in transferring an email message from a sender to a recipient.
8
clean desk policy
An organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.
9
capacity planning
A practice that involves estimating the personnel, storage, computer hardware, software, and connection infrastructure resources required over some future period of time.
10
port mirroring (SPAN)
Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch.
11
Internet Protocol Security (IPSec)
Network protocol suite used to secure data through authentication and encryption as the data travels across the network or the Internet.
12
geographic dispersion
A resiliency mechanism where processing and data storage resources are replicated between physically distant sites.
13
mean time to repair/replace/recover (MTTR)
A metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
14
logic bomb
A malicious program or script that is set to run under particular circumstances or in response to a defined event.
15
password best practices
Rules to govern secure selection and maintenance of knowledge factor authentication secrets, such as length, complexity, age, and reuse.
16
environmental attack
A physical threat directed against power, cooling, or fire suppression systems.
17
representational state transfer (REST)
A standardized, stateless architectural style used by web applications for communication and integration.
18
listener/collector
A network appliance that gathers or receives log and/or state data from other network systems.
19
pretexting
Social engineering tactic where a team will communicate, whether directly or indirectly, a lie or half-truth in order to get someone to believe a falsehood.
20
Remote Authentication Dial-in User Service (RADIUS)
AAA protocol used to manage remote and wireless authentication infrastructures.
21
network functions virtualization (NFV)
Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.
22
behavior-based detection
A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.
23
onboarding
The process of bringing in a new employee, contractor, or supplier.
24
information security policies
A document or series of documents that are backed by senior management and that detail requirements for protecting technology and information assets from threats and misuse.
25
cloud deployment model
Classifying the ownership and management of a cloud as public, private, community, or hybrid.
26
regulated data
Information that has storage and handling compliance requirements defined by national and state legislation and/or industry regulations.
27
proprietary information
Information created by an organization, typically about the products or services that it makes or provides.
28
cloning
The process of quickly duplicating a virtual machine's configuration when several identical machines are needed immediately.
29
key length
Size of a cryptographic key in bits. Longer keys generally offer better security, but key lengths for different ciphers are not directly comparable.
30
data breach
When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.
31
backup power generator
A standby power supply fueled by diesel or propane. In the event of a power outage, a UPS must provide transitionary power, as a backup generator cannot be cut in fast enough.
32
DNS sinkhole
A temporary DNS record that redirects malicious traffic to a controlled IP address.
33
availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
34
hybrid password attack
An attack that uses multiple attack methods, including dictionary, rainbow table, and brute force attacks, when trying to crack a password.
35
forgery attack
An attack that exploits weak authentication to perform a request via a hijacked session.
36
baseline configuration
A collection of security and configuration settings that are to be applied to a particular system or network in the organization.
37
non-transparent proxy
A server that redirects requests and responses for clients configured with the proxy address and port.
38
missing logs
A potential indicator of malicious activity where events or log files are deleted or tampered with.
39
address resolution protocol (ARP)
Broadcast mechanism by which the hardware MAC address of an interface is matched to an IP address on a local network segment.
40
brute force attack
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.
41
active reconnaissance
Penetration testing techniques that interact with target systems directly.
42
data controller
In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.
43
playbook
A checklist of actions to perform to detect and respond to a specific type of incident.
44
e-discovery
Procedures and tools to collect, preserve, and analyze digital evidence.
45
Information Sharing and Analysis Center (ISAC)
A not-for-profit group set up to share sector-specific threat intelligence and security best practices among its members.
46
certificate signing request (CSR)
A Base64 ASCII file that a subject sends to a CA to get a certificate.
47
Kerberos
A single sign-on authentication and authorization service that is based on a time-sensitive, ticket-granting system.
48
advanced persistent threat (APT)
Threat actors with the ability to craft novel exploits and techniques to obtain, maintain, and diversify unauthorized access to network systems over a long period.
49
recovery time objective (RTO)
The maximum time allowed to restore a system after a failure event.
50
Extensible Authentication Protocol over LAN (EAPoL)
A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.
51
access badge
An authentication mechanism that allows a user to present a smart card to operate an entry system.
52
layer 4 firewall
A stateful inspection firewall that can monitor TCP sessions and UDP traffic.
53
cable lock
Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.
54
NetFlow
Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.
55
chain of custody
Record of handling evidence from collection to presentation in court to disposal.
56
organized crime
A type of threat actor that uses hacking and computer fraud for commercial gain.
57
fencing
A security barrier designed to prevent unauthorized access to a site perimeter.
58
fraud
Falsifying records, such as an internal fraud that involves tampering with accounts.
59
access control vestibule
A secure entry system with two gateways, only one of which is open at any one time.
60
false rejection rate (FRR)
A biometric assessment metric that measures the number of valid subjects who are denied access.
61
Post Office Protocol (POP)
Application protocol that enables a client to download email messages from a server mailbox to a client over port TCP/110 or secure port TCP/995.
62
Memorandum of Agreement (MoA)
A legal document forming the basis for two parties to cooperate without a formal contract (a cooperative agreement). MOAs are often used by public bodies.
63
passive reconnaissance
Penetration testing techniques that do not interact with target systems directly.
64
malicious update
A vulnerability in a software repository or supply chain that a threat actor can exploit to add malicious code to a package.
65
financial data
Data held about bank and investment accounts, plus information such as payroll and tax returns.
66
key exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
67
cross-site scripting (XSS)
A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.
68
cookie
A text file used to store information about a user when they visit a website. Some sites use cookies to support user sessions.
69
Diffie-Hellman (DH)
A cryptographic technique that provides secure key exchange.
70
internet of things (IoT)
Devices that can report state and configuration data and be remotely managed over IP networks.
71
inline
Placement and configuration of a network security control so that it becomes part of the cable path.
72
data exfiltration
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
73
canonicalization attack
An attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.
74
journaling
A method used by file systems to record changes not yet made to the file system in an object called a journal.
75
due diligence
A legal principle that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.
76
physical penetration testing
Assessment techniques that extend to site and other physical security systems.
77
business continuity (BC)
A collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.
78
dependencies
Resources and other services that must be available and running for a service to start.
79
bluejacking
Sending an unsolicited message or picture message using a Bluetooth connection.
80
FTPS
A type of FTP using TLS for confidentiality.
81
control plane
In zero trust architecture, functions that define policy and determine access decisions.
82
incident response lifecycle
Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents, divided into preparation, detection, analysis, containment, eradication/recovery, and lessons learned stages.
83
cyber threat intelligence (CTI)
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.
84
command and control (C2)
Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.
85
cryptography
The science and practice of altering data to make it unintelligible to unauthorized parties.
86
hardening
A process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.
87
logical segmentation
Network topology enforced by switch, router, and firewall configuration where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments.
88
detectability
A risk evaluation parameter that defines the likelihood of a company detecting a risk occurrence before it impacts the project, process, or end user.
89
IEEE 802.1X
A standard for encapsulating EAP communications over a LAN (EAPoL) or WLAN (EAPoW) to implement port-based authentication.
90
fake telemetry
Deception strategy that returns spoofed data in response to network probes.
91
reputational threat intelligence
Blocklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains.
92
ARP poisoning
A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and on-path (previously known as man-in-the-middle).
93
mobile device management (MDM)
Process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure.
94
integrated penetration testing
A holistic approach that combines different types of penetration testing methodologies and techniques to evaluate an organization's security operations.
95
maximum tolerable downtime (MTD)
The longest period that a process can be inoperable without causing irrevocable business failure.
96
access control list (ACL)
The collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read-only, read/write, and so on).
97
internal threat
A type of threat actor who is assigned privileges on the system and causes an intentional or unintentional incident.
98
incident
An event that interrupts standard operations or compromises security policy.
99
eXtensible Markup Language (XML)
A system for structuring documents so that they are human and machine readable. Information within the document is placed within tags, which describe how information within the document is structured.
100
data subject
An individual that is identified by privacy data.
101
chief technology officer (CTO)
Company officer with the primary role of making effective use of new and emerging computing platforms and innovations.
102
offensive penetration testing
The "hostile" or attacking team in a penetration test or incident response exercise.
103
hot site
A fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.
104
caching engine
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
105
internal/external
The degree of access that a threat actor possesses before initiating an attack. An external threat actor has no standing privileges, while an internal actor has been granted some access permissions.
106
guidelines
Best practice recommendations and advice for configuration items where detailed, strictly enforceable policies and standards are impractical.
107
hashing
A function that converts an arbitrary-length string input to a fixed-length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.
108
Message Digest Algorithm v5 (MD5)
A cryptographic hash function producing a 128-bit output.
109
network attack
An attack directed against cabled and/or wireless network infrastructure, including reconnaissance, denial of service, credential harvesting, on-path, privilege escalation, and data exfiltration.
110
enterprise authentication
A wireless network authentication mode where the access point acts as pass-through for credentials that are verified by an AAA server.
111
machine learning (ML)
A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions.
112
endpoint log
A target for security-related events generated by host-based malware and intrusion detection agents.
113
community cloud
A cloud that is deployed for shared use by cooperating tenants.
114
annualized loss expectancy (ALE)
The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
115
fault tolerance
Protection against system failure by providing extra (redundant) capacity. Generally, fault-tolerant systems identify and eliminate single points of failure.
116
discretionary access control (DAC)
An access control model where each resource is protected by an access control list (ACL) managed by the resource's owner (or owners).
117
file integrity monitoring (FIM)
A type of software that reviews system files to ensure that they have not been tampered with.
118
forensics
The process of gathering and submitting computer evidence for trial. Digital evidence is latent, meaning that it must be interpreted. This means that great care must be taken to prove that the evidence has not been tampered with or falsified.
119
blockchain
A concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.
120
identity and access management (IAM)
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
121
fail-open
A security control configuration that ensures continued access to the resource in the event of failure.
122
decentralized computing architecture
A model in which data processing and storage are distributed across multiple locations or devices.
123
continuity of operations plan (COOP)
Identifies how business processes should deal with both minor and disaster-level disruption by ensuring that there is processing redundancy supporting the workflow.
124
directive control
A type of control that enforces a rule of behavior through a policy or contract.
125
reaction time
The elapsed time between an incident occurring and a response being implemented.
126
environmental variables
In vulnerability assessment, factors or metrics due to local network or host configuration that increase or decrease the base likelihood and impact risk level.
127
host-based intrusion prevention system (HIPS)
Endpoint protection that can detect and prevent malicious activity via signature and heuristic pattern matching.
128
Point-to-Point Tunneling Protocol (PPTP)
Developed by Cisco and Microsoft to support VPNs over PPP and TCP/IP. PPTP is highly vulnerable to password cracking attacks and considered obsolete.
129
cloud computing
Computing architecture where on-demand resources provisioned with the attributes of high availability, scalability, and elasticity are billed to customers on the basis of metered utilization.
130
jump server
A hardened server that provides access to other hosts.
131
full disk encryption (FDE)
Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.
132
phishing
An email-based social engineering attack in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.
133
data owner
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
134
legal data
Documents and records that relate to matters of law, such as contracts, property, court cases, and regulatory filings.
135
authentication, authorization, and accounting (AAA)
A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.
136
level of sophistication/capability
A formal classification of the resources and expertise available to a threat actor.
137
distributed denial-of-service (DDoS)
An attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
138
bollards
Sturdy vertical posts installed to control road traffic or designed to prevent ram-raiding and vehicle-ramming attacks.
139
near-field communication (NFC)
A standard for two-way radio communications over very short (around four inches) distances, facilitating contactless payment and similar technologies. NFC is based on RFID.
140
out of band management (OOB)
Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.
141
impersonation
Social engineering attack where an attacker pretends to be someone they are not.
142
preventive control
A type of security control that acts before an incident to eliminate or reduce the likelihood that an attack can succeed.
143
closed/proprietary
Software code or security research that remains in the ownership of the developer and may only be used under permitted license conditions.
144
digital certificate
Identification and authentication information presented in the X.509 format and issued by a certificate authority (CA) as a guarantee that a key pair (as identified by the public key embedded in the certificate) is valid for a particular subject (user or host).
145
likelihood
In qualitative risk analysis, the chance of an event that is expressed as a subjectively determined scale, such as high or low.
146
compensating control
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
147
data exposure
A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.
148
non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
149
credential replay
An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.
150
disinformation
A type of attack that falsifies an information resource that is normally trusted by others.
151
centralized computing architecture
A model where all data processing and storage is performed in a single location.
152
reporting
A forensics process that summarizes significant contents of digital data using open, repeatable, and unbiased methods and tools.
153
data retention
The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.
154
Common Vulnerabilities and Exposures (CVE)
A scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.
155
asset
A thing of economic value. For accounting purposes, assets are classified in different ways, such as tangible and intangible or short term and long term. Asset management means identifying each asset and recording its location, attributes, and value in a database.
156
acceptable use policy (AUP)
A policy that governs employees' use of company equipment and Internet services. ISPs may also apply AUPs to their customers.
157
credentialed scan
A scan that uses credentials, such as usernames and passwords, to take a deep dive during the vulnerability scan, which will produce more information while auditing the network.
158
computer-based training (CBT)
Training and education programs delivered using computer devices and e-learning instructional models and design.
159
air-gapped
A type of network isolation that physically separates a host from other hosts or a network from all other networks.
160
account lockout
Policy that prevents access to an account under certain conditions, such as an excessive number of failed authentication attempts.
161
authorization
The process of determining what rights and privileges a particular entity has.
162
recovery point objective (RPO)
The longest period that an organization can tolerate lost data being unrecoverable.
163
exception handling
An application vulnerability that is defined by how an application responds to unexpected errors that can lead to holes in the security of an app.
164
encryption level
Target for data-at-rest encryption, ranging from more granular (file or row/record) to less granular (volume/partition/disk or database).
165
concurrent session usage
A potential indicator of malicious activity where an account has started multiple sessions on one or more hosts.
166
Document Object Model (DOM)
When attackers send malicious scripts to a web app's client-side implementation of JavaScript to execute their attack solely on the client.
167
open-source intelligence (OSINT)
Publicly available information plus the tools used to aggregate and search it.
168
provisioning
The process of deploying an account, host, or application to a target production environment. This involves proving the identity or integrity of the resource, and issuing it with credentials and access permissions.
169
information-sharing organization
Collaborative groups that exchange data about emerging cybersecurity threats and vulnerabilities.
170
physical attack
An attack directed against cabling infrastructure, hardware devices, or the environment of the site facilities hosting a network.
171
passwordless
Multifactor authentication scheme that uses ownership and biometric factors, but not knowledge factors.
172
escalation
In the context of support procedures, incident response, and breach-reporting, escalation is the process of involving expert and senior staff to assist in problem management.
173
network monitoring
Auditing software that collects status and configuration information from network devices. Many products are based on the Simple Network Management Protocol (SNMP).
174
password spraying
A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
175
device placement
Considerations for positioning security controls to protect network zones and individual hosts to implement a defense in depth strategy and to meet overall security goals.
176
horizontal privilege escalation
When a user accesses or modifies specific resources that they are not entitled to.
177
remote access Trojan (RAT)
Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.
178
DevSecOps
A combination of software development, security operations, and systems operations that refers to the practice of integrating each discipline with the others.
179
metadata
Information stored or recorded as a property of an object, state of a system, or transaction.
180
AES Galois Counter Mode Protocol (GCMP)
A high performance mode of operation for symmetric encryption. Provides a special characteristic called authenticated encryption with associated data, or AEAD.
181
non-credentialed scan
A scan that uses fewer permissions and many times can only find missing patches or updates.
182
account policies
A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.
183
procedure
Detailed instructions for completing a task in a way that complies with policies and standards.
184
attack surface
The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
185
indicator of compromise (IoC)
A sign that an asset or network has been attacked or is currently under attack.
186
heat map
In a Wi-Fi site survey, a diagram showing signal strength and channel utilization at different locations.
187
data plane
Functions that enforce policy decisions configured in the control plane and facilitate data transfers.
188
project stakeholder
A person who has a business interest in the outcome of a project or is actively involved in its work.
189
Encapsulating Security Payload (ESP)
IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet.
190
data loss prevention (DLP)
A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
191
disassociation attack
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
192
credential harvesting
Social engineering techniques for gathering valid credentials to use to gain unauthorized access.
193
endpoint detection and response (EDR)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
194
Internet Key Exchange (IKE)
Framework for creating a security association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree on secure protocols and cipher suites to use to exchange data.
195
factors
In authentication design, different technologies for implementing authentication, such as knowledge, ownership/token, and biometric/inherence. These are characterized as something you know/have/are.
196
Extensible Authentication Protocol (EAP)
Framework for negotiating authentication methods that enable systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication and to establish secure tunnels through which to submit credentials.
197
password attack
Any attack where the attacker tries to gain unauthorized access to and use of passwords.
198
distinguished name (DN)
A collection of attributes that define a unique identifier for any given resource within an X.500-like directory.
199
IP Flow Information Export (IPFIX)
Standards-based version of the Netflow framework.
200
penetration testing
A test that uses active tools and security utilities to evaluate security by simulating an attack on a system. A pen test will verify that a threat exists, then will actively test and bypass security controls, and will finally exploit vulnerabilities on the system.
201
attribute-based access control
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
202
digital signature
A message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove message integrity.
203
biometric authentication
An authentication mechanism that allows a user to perform a biometric scan to operate an entry or access system. Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, fingerprint pattern, and signature recognition.
204
enterprise risk management (ERM)
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
205
persistence (load balancing)
In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.
206
log aggregation
Parsing information from multiple log and security event data sources so that it can be presented in a consistent and searchable format.
207
least privilege
A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
208
power distribution unit (PDU)
An advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.
209
cross-site request forgery (CSRF)
A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.
210
deception and disruption
Cybersecurity resilience tools and techniques to increase the cost of attack planning for the threat actor.
211
backup
A security copy of production data made to removable media, typically according to a regular schedule. Different backup types (full, incremental, or differential) balance media capacity, time required to backup, and time required to restore.
212
defense in depth
Security strategy that positions layers of diverse security control categories and functions rather than relying on perimeter controls alone.
213
IT Infrastructure Library (ITIL)
An IT best practice framework, emphasizing the alignment of IT Service Management (ITSM) with business needs. ITIL was first developed in 1989 by the UK government. ITIL 4 was released in 2019 and is now marketed by AXELOS.
214
first responder
The first experienced person or team to arrive at the scene of an incident.
215
intrusion detection system (IDS)
A security appliance or software that analyzes data from a packet sniffer to identify traffic that violates policies or rules.
216
Common Vulnerability Scoring System (CVSS)
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
217
anything as a service
The concept that most types of IT requirements can be deployed as a cloud service model.
218
downgrade attack
A cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.
219
DNS poisoning
An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing.
220
group account
A group account is a collection of user accounts that is useful when establishing file permissions and user rights because when many individuals need the same level of access, a group could be established containing all the relevant users.
221
radio-frequency ID (RFID)
A means of encoding information into passive tags which can be energized and read by radio waves from a reader device.
222
buffer overflow
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
223
false negative
In security scanning, a case that is not reported when it should be.
224
perfect forward secrecy (PFS)
A characteristic of transport encryption that ensures if a key is compromised, the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions.
225
dd command
Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.
226
asymmetric algorithm
Cipher that uses public and private keys. The keys are mathematically linked, using either Rivest, Shamir, Adleman (RSA), or elliptic curve cryptography (ECC) algorithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example.
227
privileged access management (PAM)
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
228
preparation
An incident response process that hardens systems, defines policies and procedures, establishes lines of communication, and puts resources in place.
229
potentially unwanted program (PUP)
Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.
230
Internet Protocol (IP)
Network (Internet) layer protocol in the TCP/IP suite providing packet addressing and routing for all higher-level protocols in the suite.
231
cloud service model
Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure, and so on.
232
botnet
A group of hosts or devices that has been infected by a control program called a bot, which enables attackers to exploit the hosts to mount attacks.
233
gap analysis
An analysis that measures the difference between the current and desired states in order to help assess the scope of work included in a project.
234
configuration baseline
Settings for services and policy configuration for a network appliance or for a server operating in a particular application role (web server, mail server, file/print server, and so on).
235
destruction
An asset disposal technique that ensures that data remnants are rendered physically inaccessible and irrevocable, through degaussing, shredding, or incineration.
236
patch management
Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.
237
real-time operating system (RTOS)
A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.
238
jailbreaking
Removes the protective seal and any OS-specific restrictions to give users greater control over the device.
239
algorithm
Operations that transform a plaintext into a ciphertext with cryptographic properties, also called a cipher. There are symmetric, asymmetric, and hash cipher types.
240
public key cryptography standards (PKCS)
A series of standards defining the use of certificate authorities and digital certificates.
241
business partnership agreement (BPA)
Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.
242
authenticator
A PNAC switch or router that activates EAPoL and passes a supplicant's authentication data to an authenticating server, such as a RADIUS server.
243
proxy server
A server that mediates the communications between a client and another server. It can filter and often modify communications as well as provide caching services to improve performance.
244
blocked content
A potential indicator of malicious activity where audit logs show unauthorized attempts to read or copy a file or other data.
245
on-site backup
Backup that writes job data to media that is stored in the same physical location as the production system.
246
hard authentication token
An authentication token generated by a cryptoprocessor on a dedicated hardware device. As the token is never transmitted directly, this implements an ownership factor within a multifactor authentication scheme.
247
authentication
A method of validating a particular entity's or individual's unique credentials.
248
appliance firewall
A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance's firmware.
249
collision
In cryptography, the act of two different plaintext inputs producing the same exact ciphertext output.
250
key encryption key (KEK)
In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.
251
crossover error rate
A biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.
252
NT LAN Manager authentication (NTLM authentication)
A challenge-response authentication protocol created by Microsoft for use in its products.
253
residual risk
Risk that remains even after controls are put into place.
254
mean time between failures (MTBF)
A metric for a device or component that predicts the expected time between failures.
255
governance committee
Leaders and subject matter experts with responsibility for defining policies, procedures, and standards within a particular domain or scope.
256
private cloud
A cloud that is deployed for use by a single entity.
257
internet relay chat (IRC)
A group communications protocol that enables users to chat, send private messages, and share files.
258
out-of-cycle logging
A potential indicator of malicious activity where event dates or timestamps are not consistent.
259
federation
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
260
data custodian
An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.
261
data processor
In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.
262
command injection
Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
263
mission essential function (MEF)
Business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.
264
intrusion prevention system (IPS)
A security appliance or software that combines detection capabilities with functions that can actively block attacks.
265
HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).
266
data historian
Software that aggregates and catalogs data from multiple sources within an industrial control system.
267
memorandum of understanding (MoU)
Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.
268
private key
In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with whom the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.
269
application virtualization
A software delivery model where the code runs on a server and is streamed to a client.
270
conflict of interest
When an individual or organization has investments or obligations that could compromise their ability to act objectively, impartially, or in the best interest of another party.
271
hacker
Often used to refer to someone who breaks into computer systems or spreads viruses; ethical hackers prefer to think of themselves as experts on and explorers of computer security systems.
272
malware
Software that serves a malicious purpose, typically installed without the user's consent (or knowledge).
273
qualitative risk analysis
The process of determining the probability of occurrence and the impact of identified risks by using logical reasoning when numeric data is not readily available.
274
hash-based message authentication code (HMAC)
A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.
275
active security control
Detective and preventive security controls that use an agent or network configuration to monitor hosts. This allows for more accurate credentialed scanning, but consumes some host resources and is detectable by threat actors.
276
cloud service provider (CSP)
Organization providing infrastructure, application, and/or storage services via an "as a service" subscription-based, cloud-centric offering.
277
honeypot
A host (honeypot), network (honeynet), file (honeyfile), or credential/token (honeytoken) set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.
278
cold site
A predetermined alternate location where a network can be rebuilt after a disaster.
279
dump file
A file containing data captured from system memory.
280
nation state actor
A type of threat actor that is supported by the resources of its host country's military and security services.
281
data masking
A de-identification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.
282
antivirus
Inspecting traffic to locate and block viruses.
283
containerization
An operating system virtualization deployment containing everything required to run a service, application, or microservice.
284
disposal/decommissioning
In asset management, the policies and procedures that govern the removal of devices and software from production networks, and their subsequent disposal through sale, donation, or as waste.
285
extortion
Demanding payment to prevent or halt some type of attack.
286
pivoting
When an attacker uses a compromised host (the pivot) as a platform from which to spread an attack to other points in the network.
287
pluggable authentication module (PAM)
A framework for implementing authentication providers in Linux.
288
defensive penetration testing
The defensive team in a penetration test or incident response exercise.
289
bug bounty
Reward scheme operated by software and web services vendors for reporting vulnerabilities.
290
identity provider
In a federated network, the service that holds the user account and performs authentication.
291
Media Access Control filtering (MAC filtering)
Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
292
malicious process
A process executed without proper authorization from the system owner for the purpose of damaging or compromising the system.
293
permissions
Security settings that control access to objects including file system items and network resources.
294
choose your own device (CYOD)
An enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.
295
open public ledger
Distributed public record of transactions that underpins the integrity of blockchains.
296
lighting
Physical security mechanisms that ensure a site is sufficiently illuminated for employees and guests to feel safe and for camera-based surveillance systems to work well.
297
replay attack
An attack where the attacker intercepts some authentication data and reuses it to try to reestablish a session.
298
Payment Card Industry Data Security Standard (PCI DSS)
The information security standard for organizations that process credit or bank card payments.
299
cryptanalysis
The science, art, and practice of breaking codes and ciphers.
300
off-site backup
Backup that writes job data to media that is stored in a separate physical location to the production system.
301
cryptographic primitive
A single hash function, symmetric cipher, or asymmetric cipher.
302
platform as a service (PaaS)
A cloud service model that provisions application and database services as a platform for development of apps.
303
incident response plan (IRP)
Specific procedures that must be performed if a certain type of event is detected or reported.
304
key risk indicator (KRI)
The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occurring.
305
next-generation firewall (NGFW)
Advances in firewall technology, from app awareness, user-based filtering, and intrusion prevention to cloud inspection.
306
network access control (NAC)
A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.
307
packet analysis
Analysis of the headers and payload data of one or more frames in captured network traffic.
308
one-time password (OTP)
A password that is generated for use in one specific session and becomes invalid after the session ends.
309
percent encoding
A mechanism for encoding characters as hexadecimal values delimited by the percent sign.
310
inherent risk
Risk that an event will pose if no controls are put in place to mitigate it.
311
master service agreement (MSA)
A contract that establishes precedence and guidelines for any business documents that are executed between two parties.
312
configuration management
A process through which an organization's information systems components are kept in a controlled state that meets the organization's requirements, including those for security and compliance.
313
acquisition/procurement
Policies and processes that ensure asset and service purchases and contracts are fully managed, secure, use authorized suppliers/vendors, and meet business goals.
314
parallel processing tests
Running primary and backup systems simultaneously to validate the functionality and performance of backup systems without disrupting normal operations.
315
replication
Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).
316
password manager
Software that can suggest and store site and app passwords to reduce risks from poor user choices and behavior. Most browsers have a built-in password manager.
317
escrow
In key management, the storage of a backup key with a third party.
318
keylogger
Malicious software or hardware that can record user keystrokes.
319
analysis
An incident response process in which indicators are assessed to determine validity, impact, and category.
320
intentional threat
A threat actor with a malicious purpose.
321
reconnaissance
The actions taken to gather information about an individual's or organization's computer systems and software. This typically involves collecting information such as the types of systems and software used, user account information, data types, and network configuration.
322
ephemeral
In cryptography, a key that is used within the context of a single session only.
323
database encryption
Applying encryption at the table, field, or record level via a database management system rather than via the file system.
324
Remote Desktop Protocol (RDP)
Application protocol for operating remote connections to a host using a graphical interface. The protocol sends screen data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host. It uses TCP port 3389.
325
public key infrastructure (PKI)
A framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
326
injection attack
An attack that exploits weak request handling or input validation to run arbitrary code in a client browser or on a server.
327
offboarding
The process of ensuring that all HR and other requirements are covered when an employee leaves an organization.
328
key distribution center (KDC)
A component of Kerberos that authenticates users and issues tickets (tokens).
329
human-machine interface (HMI)
Input and output controls on a PLC to allow a user to configure and monitor the system.
330
nondisclosure agreement (NDA)
An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.
331
industrial camouflage
Methods of disguising the nature and purpose of buildings or parts of buildings.
332
legal hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
333
call list
A document listing authorized contacts for notification and collaboration during a security incident.
334
group policy object (GPO)
On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.
335
dictionary attack
A type of password attack that compares encrypted passwords against a predetermined list of possible password values.
336
industrial control system (ICS)
Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).
337
bring your own device (BYOD)
Security framework and tools to facilitate use of personally owned devices to access corporate networks and data.
338
objective probability
The mathematical measure of the possibility of a risk occurring.
339
data in transit
Information that is being transmitted between two hosts, such as over a private network or the Internet.
340
data classification
The process of applying confidentiality and privacy labels to information.
341
card cloning
Making a copy of a contactless access card.
342
host-based intrusion detection system (HIDS)
A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state.
343
accounting
Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
344
infrastructure as code (IaC)
Provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.
345
Global Positioning System (GPS)
A means of determining a receiver's position on Earth based on information received from orbital satellites.
346
data in use
Information that is present in the volatile memory of a host, such as system memory or cache.
347
firewall log
A target for event data related to access rules that have been configured for logging.
348
indoor positioning system (IPS)
Technology that can derive a device's location when indoors by triangulating its proximity to radio sources such as Bluetooth beacons or Wi-Fi access points.
349
corporate owned, business only (COBO)
An enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.
350
false positive
In security scanning, a case that is reported when it should not be.
351
impact
The severity of the risk if realized by factors such as the scope, value of the asset, or the financial impacts of the event.
352
correlation
A function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.
353
questionnaires
In vendor management, structured means of obtaining consistent information, enabling more effective risk analysis and comparison.
354
exposure factor (EF)
In risk calculation, the percentage of an asset's value that would be lost during a security incident or disaster scenario.
355
governance
Creating and monitoring effective policies and procedures to manage assets, such as data, and ensure compliance with industry regulations and local, national, and global legislation.
356
data inventory
List of classified data or information stored or processed by a system.
357
allow listing
A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on an allow list.
358
passive security control
An enumeration, vulnerability, or incident detection scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.
359
key management system
In PKI, procedures and tools that centralize generation and storage of cryptographic keys.
360
on-path attack
An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.
361
data at rest
Information that is primarily stored on specific media, rather than moving from one medium to another.
362
change control
The process by which the need for change is recorded and approved.
363
artificial intelligence
The science of creating machines with the ability to develop problem-solving and analysis strategies without significant human direction or intervention.
364
authorized
A hacker engaged in authorized penetration testing or other security consultancy.
365
cipher suite
Lists of cryptographic algorithms that a server and client can use to negotiate a secure connection.
366
corporate owned, personally enabled (COPE)
An enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.
367
annualized rate of occurrence (ARO)
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
368
probability
In quantitative risk analysis, the chance of an event that is expressed as a percentage.
369
chief information officer (CIO)
Company officer with the primary responsibility for management of information technology assets and procedures.
370
cybersecurity framework (CSF)
Standards, best practices, and guidelines for effective security risk management. Some frameworks are general in nature, while others are specific to industry or technology types.
371
hybrid cloud
A cloud deployment that uses both private and public elements.
372
anomalous behavior recognition
Systems that automatically detect users, hosts, and services that deviate from what is expected, or systems and training that encourage reporting of this by employees.
373
integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
374
encryption
Scrambling the characters used in a message so that the message can be seen but not understood or modified unless it can be deciphered. Encryption provides for a secure means of transmitting data and authenticating users. It is also used to store data securely. Encryption uses different types of cipher and one or more keys. The size of the key is one factor in determining the strength of the encryption product.
375
cryptominer
Malware that hijacks computer resources to create cryptocurrency.
376
on-premises network
A private network facility that is owned and operated by an organization for use by its employees only.
377
maneuver
In threat hunting, the concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.
378
ransomware
Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim's files and demanding payment.
379
attack vector
A specific path by which a threat actor gains unauthorized access to a system.
380
personal area network (PAN)
A network scope that uses close-range wireless technologies (usually based on Bluetooth or NFC) to establish communications between personal devices, such as smartphones, laptops, and printers/peripheral devices.
381
corrective control
A type of security control that acts after an incident to eliminate or minimize its impact.
382
Internet Message Access Protocol (IMAP)
Application protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server. IMAP4 utilizes TCP port number 143, while the secure version IMAPS uses TCP/993.
383
open authorization (OAuth)
A standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.
384
birthday attack
A type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.
385
eradication
An incident response process in which malicious tools and configurations on hosts and networks are removed.
386
business impact analysis (BIA)
Systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.
387
high availability (HA)
A metric that defines how closely systems approach the goal of providing data availability 100% of the time while maintaining a high level of system performance.
388
hacktivist
A threat actor that is motivated by a social issue or political cause.
389
application programming interface
Methods exposed by a script or program that allow other scripts or programs to use it. For example, an API enables software developers to access functions of the TCP/IP network stack under a particular operating system.
390
implicit deny
The basic principle of security stating that unless something has explicitly been granted access, it should be denied access.
391
infrastructure as a service (IaaS)
A cloud service model that provisions virtual machines and network infrastructure.
392
Opal
Standards for implementing device encryption on storage devices.
393
chief security officer (CSO)
Typically the job title of the person with overall responsibility for information assurance and systems security. This may also be referred to as chief information security officer (CISO).
394
kill chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses to a network intrusion.
395
host-based firewall
A software application running on a single host and designed to protect only that host.
396
key stretching
A technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against brute force attacks.
397
arbitrary code execution
A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability.
398
multifactor authentication (MFA)
An authentication scheme that requires the user to present at least two different factors as credentials; for example, something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as "2FA."
399
personal identification number (PIN)
A number used in conjunction with authentication devices such as smart cards; as the PIN should be known only to the user, loss of the smart card should not represent a security risk.
400
remote access
Infrastructure, protocols, and software that allow a host to join a local network from a physically remote location, or that allow a session on a host to be established over a network.
401
proximity reader
A scanner that reads data from an RFID or NFC tag when in range.
402
remote code execution (RCE)
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.
403
load balancer
A type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly configured servers. This provides fault tolerance and improves throughput.
404
Lightweight Directory Access Protocol Secure (LDAP Secure)
A method of implementing LDAP using SSL/TLS encryption.
405
fail-closed
A security control configuration that blocks access to a resource in the event of failure.
406
input validation
Any technique used to ensure that data entered into a field or variable is of the expected type, length, range, and format (and, where applicable, decoded and canonicalized) before the application acts on it, so that malformed or malicious input cannot alter the application's intended behavior.
407
clustering
A load balancing technique where a group of servers are configured as a unit and work together to provide network services.
408
attestation
Capability of an authenticator or other cryptographic module (such as a TPM) to prove that it is a root of trust by signing platform measurements with a key rooted in hardware, so that a relying party can verify the report and decide whether the device or computer is a trustworthy platform.
409
Domain Name System Security Extensions (DNSSEC)
Security protocol that provides authentication of DNS data and upholds DNS data integrity.
410
bluesnarfing
A wireless attack where an attacker gains access to unauthorized information on a device using a Bluetooth connection.
411
public cloud
A cloud that is deployed for shared use by multiple independent tenants.
412
false acceptance rate (FAR)
A biometric assessment metric that measures the proportion of impostor (unauthorized) attempts that are mistakenly accepted. Tuning a system for a lower FAR usually raises its false rejection rate (FRR); the point where the two are equal is the crossover error rate.
413
disaster recovery (DR)
A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.
414
race condition
A software vulnerability in which the outcome of execution depends on the order and timing of events (for example two threads or processes acting on a shared resource), and those events can occur in an order the developer did not intend. A common form is time-of-check to time-of-use (TOCTOU), where a check passes and the checked resource is changed before it is used.
415
denial of service attack (DoS)
Any type of physical, application, or network attack that affects the availability of a managed resource.
416
CIA triad
Three principles of security control and management. Also known as the information security triad. Also referred to in reverse order as the AIC triad.
417
common name (CN)
An X.500 attribute expressing a host or user name; also used as the subject identifier for a digital certificate.
418
directory service
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
419
impossible travel
A potential indicator of malicious activity where authentication attempts are made from different geographical locations within a short timeframe.
420
JavaScript Object Notation (JSON)
A text-based data interchange format that uses attribute-value pairs and ordered lists to represent structured data, such as configurations or API responses, in a form that is easy for both humans and machines to read and parse.
421
embedded system
An electronic system that is designed to perform a specific, dedicated function, such as a microcontroller in a medical drip or components in a control system managing a water treatment plant.
422
non-human-readable data
Information stored in a file that human beings cannot read without a specialized processor to decode the binary or complex structure.
423
multi-cloud
A cloud deployment model where the cloud consumer uses multiple public cloud services.
424
online certificate status protocol (OCSP)
Allows clients to request the status of a digital certificate to check whether it is revoked.
425
governance board
Senior executives and external stakeholders with responsibility for setting strategy and ensuring compliance.
426
policy
A strictly enforceable ruleset that determines how a task should be completed.
427
log data
OS and applications software can be configured to log events automatically. This provides valuable troubleshooting information. Security logs provide an audit trail of actions performed on the system as well as warning of suspicious activity. It is important that log configuration and files be made tamperproof.
428
evil twin
A wireless access point that deceives users into believing that it is a legitimate network access point.
429
detective control
A type of security control that acts during an incident to identify or record that it is happening.
430
National Institute of Standards and Technology (NIST)
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
431
memory injection
A vulnerability that a threat actor can exploit to run malicious code with the same privilege level as the vulnerable process.
432
certification
An asset disposal technique that relies on a third party to use sanitization or destruction methods for data remnant removal, and provides documentary evidence that the process is complete and successful.
433
chmod command
Linux command for managing file permissions.
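The chmod entry above names the command but not its mode syntax. The following is an added example, not part of the original glossary: a small parser for chmod's symbolic mode clauses (`u+x`, `go-w`, `o=`) applied to a 9-bit permission value, plus a world-writable check of the kind a least-privilege audit would run. It models the permission bits only; umask, setuid/setgid/sticky bits and the `X` and `s` letters are deliberately left out.

```python
import stat

# Class masks: which of the nine rwx bits each "who" letter addresses.
_WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
# Permission masks across all three classes; ANDed with the "who" mask below.
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_symbolic_mode(mode: int, spec: str) -> int:
    """Apply a chmod symbolic spec such as 'u+x,go-w' or 'o=' to a 9-bit mode.

    Clauses are comma-separated; each is [ugoa]*[+-=][rwx]*. A clause with no
    class letters applies to all classes (umask is ignored in this model).
    """
    for clause in spec.split(","):
        i = 0
        who = 0
        while i < len(clause) and clause[i] in _WHO:
            who |= _WHO[clause[i]]
            i += 1
        if who == 0:
            who = 0o777
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause: {clause!r}")
        op, perm_chars = clause[i], clause[i + 1:]
        perm = 0
        for ch in perm_chars:
            if ch not in _PERM:
                raise ValueError(f"unsupported permission {ch!r} in {clause!r}")
            perm |= _PERM[ch]
        perm &= who
        if op == "+":
            mode |= perm
        elif op == "-":
            mode &= ~perm
        else:  # "=": clear the addressed classes, then set exactly the listed bits
            mode = (mode & ~who) | perm
    return mode & 0o777


def rwx(mode: int) -> str:
    """Render a 9-bit mode the way 'ls -l' does, e.g. 0o640 -> 'rw-r-----'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]


def world_writable(mode: int) -> bool:
    """True if 'others' may write: the classic finding in a permissions audit."""
    return bool(mode & 0o002)


if __name__ == "__main__":
    m = apply_symbolic_mode(0o666, "go-w")  # the usual fix for a world-writable file
    print(oct(m), rwx(m), "world-writable:", world_writable(m))
```

The `=` operator is the one worth remembering: `chmod o= file` strips every bit from "others" in one clause, whereas `o-w` removes only write.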
434
authentication header
IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.
435
block list
A security configuration where access is generally permitted to a software process, IP/domain, or other subject unless it is listed as explicitly prohibited.
436
antivirus scan (A-V)
Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on.
437
confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
438
covert channel
A type of attack that subverts network security systems and policies to transfer data without authorization or detection.
439
privilege escalation
The practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.
440
ciphertext
Data that has been enciphered and cannot be read without the cipher key.
441
dynamic analysis
Software testing that examines code behavior during runtime. It helps identify potential security issues, potential performance issues, and other problems.
442
packet filtering firewall
A layer 3 (and typically layer 4) firewall technology that compares packet header fields (source and destination address, protocol, port) against ACLs to determine which network traffic to accept, without tracking connection state; return traffic therefore needs its own rules.
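The packet filtering, implicit deny and block list entries all describe the same mechanism from different angles: an ordered ACL evaluated first-match, with a default action when nothing matches. The following is an added example, not part of the original glossary, that implements that evaluator over constructed packets and two constructed rule sets (addresses from the documentation ranges): an allow list, where anything not explicitly permitted falls through to the implicit deny, and a block list, where only listed sources are refused and everything else is permitted by default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR prefix; "0.0.0.0/0" means any
    dst: str
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # A stateless filter looks only at these header fields.
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins; if none matches, the default applies.

    Returns (action, index of the matching rule or None for the default).
    With default="deny" this is the implicit-deny / allow-list posture;
    with default="permit" the rule set acts as a block list.
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


# Constructed rule sets (hypothetical server 10.0.1.10, admin subnet 10.0.100.0/24).
ALLOW_LIST_ACL = [
    Rule("permit", "10.0.100.0/24", "10.0.1.10/32", "tcp", 22),   # admin subnet may SSH in
    Rule("permit", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443),      # anyone may reach HTTPS
]
BLOCK_LIST_ACL = [
    Rule("deny", "198.51.100.0/24", "0.0.0.0/0"),                  # known-bad source range
]


if __name__ == "__main__":
    for pkt in (Packet("10.0.100.5", "10.0.1.10", "tcp", 22),
                Packet("203.0.113.7", "10.0.1.10", "tcp", 22),
                Packet("203.0.113.7", "10.0.1.10", "tcp", 443)):
        print(pkt, "->", evaluate(ALLOW_LIST_ACL, pkt))
```

Note that rule order matters: a broad `permit` placed before a narrow `deny` silently neutralizes the deny, which is why ACL reviews check ordering as well as content.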
443
blackmail
Demanding payment to prevent the release of information.
444
geolocation
The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.
445
lure
An attack type that will entice a victim into using or opening a removable device, document, image, or program that conceals malware.
446
isolation
Removing or severely restricting communications paths to a particular device or system.
447
IDS/IPS log
A target for event data related to detection/prevention rules that have been configured for logging.
448
network behavior anomaly detection (NBAD)
A security monitoring tool that establishes a baseline of normal network traffic (which hosts talk to which, over what protocols, at what volumes and times) and alerts on statistically significant deviations from that baseline, rather than matching traffic against known attack signatures.
449
patch
A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.
450
detection
An incident response process that correlates event data to determine whether they are indicators of an incident.
451
access point (AP)
A device that provides a connection between wireless devices and can connect to wired networks, implementing an infrastructure mode WLAN.
452
geofencing
Security control that can enforce a virtual boundary based on real-world geography.
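Impossible travel (card 419) and geofencing (card 452) both reduce to the same computation: a great-circle distance between the coordinates attached to authentication events. The following is an added example, not part of the original glossary, that runs both checks over a constructed set of login events (the events, users and coordinates are made up for illustration; the 900 km/h threshold is an assumption chosen to sit just above airliner speed). A real implementation would geolocate source IPs first and should expect some noise from VPN exits and mobile carrier NAT.

```python
import math
from datetime import datetime

# Constructed sample authentication events (not from any real log):
# ISO-8601 UTC timestamp, user, geolocated city and coordinates of the source IP.
AUTH_EVENTS = [
    {"ts": "2024-05-01T09:00:00+00:00", "user": "alice", "city": "London",   "lat": 51.5074, "lon": -0.1278},
    {"ts": "2024-05-01T10:30:00+00:00", "user": "alice", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"ts": "2024-05-01T09:05:00+00:00", "user": "bob",   "city": "London",   "lat": 51.5074, "lon": -0.1278},
    {"ts": "2024-05-01T12:05:00+00:00", "user": "bob",   "city": "Paris",    "lat": 48.8566, "lon": 2.3522},
]

# Hypothetical office geofence: centre (lat, lon) and radius in km.
OFFICE_FENCE = (51.5074, -0.1278, 50.0)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (spherical Earth, R = 6371 km)."""
    r = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            if hours > 0:
                kmh = km / hours
            else:  # same timestamp from two places is itself impossible (unless same place)
                kmh = math.inf if km > 0 else 0.0
            if kmh > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km, 1), "hours": round(hours, 2), "kmh": round(kmh, 1)})
    return alerts


def in_geofence(lat, lon, fence):
    centre_lat, centre_lon, radius_km = fence
    return haversine_km(lat, lon, centre_lat, centre_lon) <= radius_km


def outside_geofence(events, fence):
    """Distinct (user, city) pairs that authenticated from outside the fence."""
    return sorted({(e["user"], e["city"]) for e in events if not in_geofence(e["lat"], e["lon"], fence)})


if __name__ == "__main__":
    for alert in detect_impossible_travel(AUTH_EVENTS):
        print("impossible travel:", alert)
    print("outside fence:", outside_geofence(AUTH_EVENTS, OFFICE_FENCE))
```

Geofencing as a preventive control would call `in_geofence` at authentication time and deny or step up to MFA; impossible travel is a detective control run over the log afterwards.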
453
microservice
An independent, single-function module with well-defined and lightweight interfaces and operations. Typically this style of architecture allows for rapid, frequent, and reliable delivery of complex applications.
454
layer 7 firewall
A stateful inspection firewall that can filter traffic based on specific application protocol headers and data, such as web or email data.
455
on-premises
Software or services installed and managed on a customer’s computing infrastructure rather than in the cloud or hosted by a third-party provider.
456
DomainKeys Identified Mail (DKIM)
A cryptographic authentication mechanism for mail in which the sending server signs selected headers and the message body with a private key; receivers verify the signature using the public key published as a DNS TXT record under the selector named in the DKIM-Signature header.
457
public key
In asymmetric encryption, the key in a key pair that is freely distributed. It performs the inverse operation of the linked private key: data encrypted with the public key can be decrypted only with the private key, and a signature created with the private key is verified with the public key.
458
certificate chaining
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
459
cellular
Standards for data access over cellular networks are implemented as successive generations. For 2G (up to about 48 Kb/s) and 3G (up to about 42 Mb/s) there were competing GSM-based and CDMA-based provider networks; 4G LTE (up to about 90 Mb/s) and 5G NR (up to about 300 Mb/s) are developed under the converged 3GPP standards process.
460
distributed reflected DoS (DRDoS)
A DDoS variant in which the attacker sends requests to many legitimate servers (for example open DNS or NTP services) with the source address spoofed to be the victim's, so that the servers' replies are reflected onto the victim. Reflection is usually combined with amplification, where each small request elicits a much larger response, and the reflecting servers hide the attacker's own address.
461
dark web
Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.
462
redundancy
Overprovisioning resources at the component, host, and/or site level so that there is failover to a working instance in the event of a problem.
463
alert tuning
The process of adjusting detection and correlation rules to reduce incidence of false positives and low-priority alerts.
464
containment
An incident response process in which scope of affected systems is constrained using isolation, segmentation, and quarantine techniques and tools.
465
code of conduct
Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions have developed codes of ethics to cover difficult situations; some businesses also have a code of ethics to communicate the values they expect their employees to practice.
466
Mandatory Access Control (MAC)
An access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
467
computer incident response team (CIRT)
Team with responsibility for incident response. The CIRT must have expertise across a number of business domains (IT, HR, legal, and marketing, for instance).
468
certificate revocation list (CRL)
A list of certificates that were revoked before their expiration date.
469
pre-shared key (PSK)
A wireless network authentication mode where a single passphrase shared by all users is used for group authentication to the network; the passphrase, together with the SSID, is used to derive the encryption key. Because every client holds the same secret, the passphrase must be changed whenever a device or person leaves, which is why enterprise networks use per-user 802.1X authentication instead.
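Key stretching (card 397) and the WPA2 pre-shared key (card 470) are the same technique in two settings: a slow, salted key derivation function turns a human-chosen secret into a fixed-length key, and the iteration count is what makes offline guessing expensive. The following is an added example, not part of the original glossary. It uses PBKDF2 from the Python standard library: once as a password-storage scheme with a random per-user salt and constant-time verification (the 210,000-iteration count and the `pbkdf2_sha256$` string format are assumptions of this example), and once as the WPA2 PSK derivation, where the SSID is the salt, 4096 iterations are fixed by the standard, and the result is checked against the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import hmac
import os
import time


def hash_password(password: str, iterations: int = 210_000, salt: bytes = b"") -> str:
    """Stretch a password with PBKDF2-HMAC-SHA256 and return a self-describing record.

    A fresh 16-byte random salt is drawn when none is supplied, so two users with
    the same password get different hashes and precomputed tables are useless.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def derivation_seconds(iterations: int) -> float:
    """Wall-clock cost of one derivation: what an attacker pays per guess."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"0123456789abcdef", iterations, dklen=32)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    print("one guess costs about %.3f s" % derivation_seconds(210_000))
    print("PSK for ssid IEEE:", wpa2_psk("password", "IEEE").hex())
```

The SSID-as-salt design is why rainbow tables for WPA2 exist only for common SSIDs such as "linksys": a unique SSID forces an attacker back to per-network brute force at 4096 iterations per guess.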
470
identification
The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.
471
recovery
An incident response process in which hosts, networks, and systems are brought back to a secure baseline configuration.
472
due process
A term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.
473
intelligence fusion
In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.
474
Health Insurance Portability and Accountability Act (HIPAA)
US federal law that protects the storage, reading, modification, and transmission of personal healthcare data.
475
lateral movement
The process by which an attacker is able to move from one part of a computing environment to another.
476
ad hoc network
A type of wireless network where connected devices communicate directly with each other instead of over an established medium.
477
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Framework for ensuring proper application of SPF and DKIM. A receiver checks that the domain authenticated by SPF or DKIM aligns with the domain in the visible From: header, and the domain owner publishes as a DNS TXT record (_dmarc.example.com) the policy to apply to messages that fail (none, quarantine, or reject) and where to send aggregate and forensic reports.
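The DKIM (card 456) and DMARC (card 477) entries describe how the pieces fit together, but the part that catches most people out is alignment: a message can pass SPF and DKIM for the attacker's own domain and still be spoofing yours. The following is an added example, not part of the original glossary, that parses a constructed DMARC record, applies relaxed or strict alignment between the From: domain and the domains SPF and DKIM actually authenticated, and returns the disposition. It takes the SPF and DKIM verification results as inputs rather than verifying signatures itself, and it approximates the organizational domain as the last two labels (real receivers use the Public Suffix List) and ignores the pct= sampling tag.

```python
# Constructed DMARC record for the hypothetical domain example.com.
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com"


def parse_dmarc(txt: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict, insisting on v=DMARC1 and a p= tag."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    # Simplification: last two labels. Real implementations consult the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(record_txt: str, policy_domain: str, from_domain: str,
                   spf_pass: bool, spf_domain: str, dkim_pass: bool, dkim_domain: str) -> dict:
    """Apply DMARC to one message.

    policy_domain is the domain the record was published for; from_domain is the
    RFC5322.From domain; spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain
    is the d= of a DKIM signature that verified. Returns result and disposition.
    """
    tags = parse_dmarc(record_txt)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    # Neither mechanism passed *and* aligned: apply p= (or sp= for a subdomain From:).
    is_subdomain = from_domain.lower() != policy_domain.lower()
    disposition = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"result": "fail", "disposition": disposition, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # A spoof: SPF and DKIM both pass, but for attacker.net, so neither aligns with example.com.
    print(dmarc_evaluate(DMARC_RECORD, "example.com", "example.com",
                         True, "attacker.net", True, "attacker.net"))
```

The last case in the usage block is the one to internalize: both underlying checks "pass", yet DMARC rejects, because passing is measured against the attacker's domain, not the one the recipient sees.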
478
power failure
Complete loss of building power.
479
pharming
An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.
480
dashboard
A console presenting selected information in an easily digestible format, such as a visualization.
481
Lightweight Directory Access Protocol (LDAP)
Protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
482
data acquisition
In digital forensics, the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.
483
adware
Software that displays advertising and/or records information about a PC and its user's browsing habits. The term is generally reserved for software whose data collection the user has acknowledged (typically in a license agreement); comparable software that collects data without consent is classed as spyware.
484
code signing
The method of using a digital signature to ensure the source and integrity of programming code.
485
compute
Processing, memory, storage, and networking resources that allow a host or network appliance to handle a given workload.
486
failover
A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.
487
change management
The process through which changes to the configuration of information systems are implemented as part of the organization's overall configuration management efforts.
488
human-readable data
Information stored in a file type that human beings can access and understand using basic viewer software, such as documents, images, video, and audio.
489
amplification attack
A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor.
490
deprovisioning
The process of removing an account, host, or application from the production environment. This requires revoking any privileged access that had been assigned to the object.
491
obfuscation
A technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.
492
monitoring/asset tracking
Enumeration and inventory processes and software that ensure physical and data assets comply with configuration and performance baselines, and have not been tampered with or suffered other unauthorized access.
493
heuristic
A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.
494
directory traversal
An application attack in which an unvalidated path parameter (typically containing ../ sequences, sometimes URL-encoded) is used to read or execute files and directories outside the web document root, such as operating system configuration files.
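Input validation (card 406) is the general control and directory traversal (card 494) is the attack it most visibly stops, so one example serves both. The following is an added example, not part of the original glossary: a naive path join beside a hardened resolver that decodes percent-encoding once, rejects NUL bytes and absolute paths, normalizes the result, and then checks that the normalized path still lies under the document root. The `/var/www/html` root and the file names are constructed for the example. The check is purely lexical (it uses `posixpath` so it behaves the same on any platform); on a real filesystem you would additionally resolve symlinks with `os.path.realpath` before comparing.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root, constructed for this example


def vulnerable_resolve(root: str, user_path: str) -> str:
    """The classic mistake: concatenate whatever the client sent onto the document root."""
    return posixpath.join(root, user_path)


def vulnerable_target(root: str, user_path: str) -> str:
    """Where the naive join actually lands once the OS collapses the '..' segments."""
    return posixpath.normpath(vulnerable_resolve(root, user_path))


def safe_resolve(root: str, user_path: str) -> str:
    """Validate a client-supplied relative path; return the canonical absolute path or raise."""
    root = posixpath.normpath(root)
    decoded = unquote(user_path)            # %2e%2e%2f must be decoded before it is inspected
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")  # would truncate the path in C-level file APIs
    if posixpath.isabs(decoded):
        raise ValueError("absolute paths are not allowed")  # join() would discard the root
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath is label-aware: /var/www/html2 is NOT under /var/www/html,
    # which a plain startswith() check would get wrong.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the document root")
    return candidate


def is_safe_path(root: str, user_path: str) -> bool:
    try:
        safe_resolve(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("images/logo.png", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{p!r:45} naive -> {vulnerable_target(DOC_ROOT, p):25} safe -> {is_safe_path(DOC_ROOT, p)}")
```

Decoding exactly once is deliberate: if a later layer decodes again, `%252e%252e` becomes `..` after this check has passed, so the validation must sit at the same decoding level as the code that opens the file.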
495
deduplication
A technique for removing duplicate copies of repeated data. In SIEM, the removal of redundant information provided by several monitored systems.
496
Event Viewer
A Windows console for viewing, filtering, and exporting event logs stored in the Windows logging file format (.evtx).
497
backdoor
A mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication.
498
package monitoring
Techniques and tools designed to mitigate risks from application vulnerabilities in third-party code, such as libraries and dependencies.
499
order of volatility
The sequence in which evidence should be collected after a security incident, most volatile first, so that short-lived data is captured before it is lost: CPU registers and cache, then system memory and network state (routing tables, ARP cache, process table), then temporary file systems and disk, and finally remote logs and archival media.
500
business email compromise (BEC)
An impersonation attack in which the attacker gains control of an employee's account and uses it to convince other employees to perform fraudulent actions.