Acceptable Interruption Window
Sometimes, an organization's critical systems or applications are interrupted. An acceptable interruption window is the maximum amount of time allowed for restoration of critical systems and applications such that the business goals are not negatively affected.
Acceptable Use Policy
An acceptable use policy establishes the rules that one must agree to in order to be provided access to a network or internet. The policy also sets guidelines on how the network should be used.
Access Control List
An access control list (ACL) is a list of permissions attached to an object, such as a file, in a computer system. Each ACL contains a list of access control entries (ACEs), each of which specifies which users or system processes are granted access, denied access or audited for a securable object.
An access path is a process where a specified quantity of material moves as a unit between work stations, while maintaining its unique identity. In database management system terminology, access path refers to the path chosen by the system to retrieve data after a SQL request is executed.
An access point is a computer networking device which allows a Wi-Fi compliant device to connect to a wired network wirelessly. It usually connects via a router. It is frequently referred to as a WAP (Wireless Access Point).
An access profile is accessibility information about a user that is stored on a computer. A profile includes the user's password, name and what information/systems they are allowed or denied access to.
Access rights are permissions that are granted to a user, or an application, to view, modify or delete files in the network. These rights can be assigned to a particular client, server, folder, specific programs or data files.
Access type is used to specify attributes. It is applied to an entity class, mapped superclass or embeddable class.
An account manager in an organization is responsible for the management of sales and relationships with particular customers, so that they will continue to use the company for business.
Accountability in the cyber security space entails ensuring that activities on supported systems can be traced to an individual who is held responsible for the integrity of the data.
Accounting Legend Code
Accounting legend code (ALC) is the numeric code assigned to communications security (COMSEC) material. It indicates the degree of accounting and minimum accounting controls required for items to be accountable within the control systems.
Active defense refers to a process whereby an individual or organization takes an active role in identifying and mitigating threats to the network and its systems.
Active Security Testing
Active security testing is security testing which involves directly interacting with a target, such as sending packets.
Ad Hoc Network
An ad hoc network is a local area network (LAN) that builds spontaneously as devices connect. An ad hoc network does not rely on a base station to coordinate the different points; instead, the individual nodes forward packets to and from each other.
Administrative safeguards are a special set of the HIPAA security rules. Administrative safeguards focus on internal organization, policies and procedures, and the maintenance of the security measures that are in place to protect sensitive patient information.
Advanced Encryption Standard
The advanced encryption standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST). The algorithm described by AES is a symmetric-key algorithm, where the same key is used for both encrypting and decrypting the data.
Advanced Penetration Testing
Advanced penetration testing is the process where a network is penetrated intentionally to discover vulnerabilities which make it open to harmful intruders. These vulnerabilities are then addressed and remedied early.
Advanced Persistent Threat
An advanced persistent threat (APT) is a type of network attack. An unauthorized person gains access to a network and stays there undetected for a long period of time, with an intention to steal data rather than to cause direct damage to the network.
Adversary
An individual, group, organisation, or government that conducts (or intends to conduct) detrimental activities. In cryptography, an adversary has malicious intent to prevent the users of the cryptosystem from achieving their goal by threatening the privacy, integrity and availability of data. This could be done by discovering secret data, corrupting some of the data, spoofing the identity of a message sender, or forcing system downtime.
Adware is a type of software that displays or downloads unwanted advertisements on your system. Some adware is designed to be malicious and runs at a speed and frequency that slows down the system and ties up resources. Adware often includes code that tracks a user's personal information and passes it on to a third party. Having multiple adware programs installed slows down your computer significantly.
An alert situation arises when an interruption in an enterprise is not resolved even after the completion of the threshold stage. An alert situation requires the enterprise to start its escalation procedure.
Alternate facilities are secondary backup facilities where high-priority emergency tasks can be performed when primary facilities are interrupted and made unavailable. These facilities include offices and data processing centers.
An alternate process is a back-up process devised to help continue business critical processes without any interruption, from the time the primary enterprise system breaks down to the time of its restoration.
A computer program that analyzes log files from servers.
Anti-malware refers to a software program that prevents, detects and remediates malicious programming on computing devices or IT systems.
Anti Virus Software
A program that is designed to detect and destroy computer viruses - preventing them from entering a computer system or network.
An app attack describes the scenario when a user unknowingly installs a malicious app on a device, which in turn steals their personal data.
An application layer is an abstraction layer that specifies the shared protocols and interface methods used by hosts in a communications network. It is one of the seven layers in both of the standard models of computer networking: the Internet Protocol Suite (TCP/IP) and the Open Systems Interconnection model (OSI model).
Architecture refers to a structure that defines the fundamentals of a system or an organization, its components, and the relationship across components. Ultimately, it aims to guide the system or organization towards its goals.
An asset is a resource; something of value. This could be a person, structure or facility, information, systems and resources, materials, processes, relationships, or reputation.
Assurance in cybersecurity refers to the level of confidence that the information system architecture mediates and enforces the organization's security policy.
Asymmetric key cryptography, also known as public key cryptography, is a cryptographic system that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner.
An attack is a malicious attempt to gain unauthorized access to a system, or to compromise system integrity or confidentiality. It interrupts the operations of a network.
An attack mechanism is a system or strategy by which a target is hit; the attacker may use different attack mechanisms such as a container or payload to hit the intended target.
An attack vector is the means by which the hacker accesses the targeted system. Attack vectors allow hackers to exploit system vulnerabilities, both human and non-human.
Attacker
An individual, group, organisation, or government that executes an attack. A party acting with malicious intent to compromise an information system.
Attenuation happens when a signal weakens as it is transmitted over long distances.
An audit trail is a documented record of events or transactions. It allows the auditor to trace a piece of information to its origin and to reconstruct past system activities. This helps to maintain security and recover any lost data.
Authentication is the process of confirming the correctness of the claimed identity of a user, machine or software component, in order to allow access to the system.
Authenticity is the proof that a claimed identity is legitimate.
Authorization is the right, permission or empowerment that is granted to a system entity to access the system resource and do something.
Availability is the time duration a system or resource is ready for use.
A backdoor bypasses normal security authentication to enter a system. Backdoors are created by developers to speed up access through security controls during the development phase. When they are not properly removed before final implementation, hackers can use backdoors to bypass security implementations and threaten the security of the system.
Badware
Malware, adware and spyware.
Bandwidth is the volume of information that can pass through a network in a given period. It specifies the capacity of the communication channel, and is usually measured in bits per second.
A banner is a display on an information system that sets the parameters for system or data use.
Banner grabbing is the process of collecting banner information, such as the application type and version, that a remote service transmits when a connection is initiated to its port.
Baseline security is the minimum set of security controls required for safeguarding an IT system. Baseline security is based upon a system's identified needs for confidentiality, integrity and availability protection.
A bastion is a system with a high level of security protection that offers very strong defense against attacks.
A bastion host is a special services computer on a network that is designed to withstand attacks.
A behavioral outcome is what an individual who has completed a specific training module is expected to accomplish on regular IT security job performance.
Biometrics is a type of security system, which uses unique physiological characteristics of a person such as fingerprints, DNA, hair for identification purposes.
Bit Error Rate
A bit error rate is the ratio between the number of bits incorrectly received and the total number of bits transmitted in a telecommunications system.
A black core is a communication network architecture in which user data traversing a global internet protocol (IP) is end-to-end encrypted at the IP layer.
A black hat hacker is the "bad guy" who violates computer security for few reasons beyond maliciousness or personal gain. Black hat hackers may share information about the hack with other black hats so that the same vulnerabilities can be exploited before the victim becomes aware and takes appropriate measures.
Blacklist
A list of entities that are blocked or denied privileges or access.
A form of filtering that blocks only websites specified as harmful. Parents and employers sometimes use such software to prevent children and employees from visiting certain blacklisted websites.
A blended attack is a hostile action with the intent of spreading malicious code.
A blended threat is a computer network attack that tries to maximize the severity of damage by combining various attack methods. Blended threats combine the characteristics of viruses, worms, trojan horses and malicious code with system and internet vulnerabilities to initiate, transmit and spread an attack.
A block cipher algorithm is a family of functions and their inverses, parameterized by a cryptographic key, in which each function maps bit strings of a fixed length to bit strings of the same length. It is a method of encrypting data in blocks, strings or groups at a time rather than encrypting individual bits.
A bot is a software "robot" that performs an extensive set of automated tasks on its own. Search engines like Google use bots, also known as spiders, to crawl through websites in order to scan and rank pages. When black hats use a bot, they can perform an extensive set of destructive tasks, as well as introduce many forms of malware to your system or network. Bots can also be used by black hats to coordinate attacks by controlling botnets.
A botnet is a remote network of zombie drones under the control of a black hat. Attackers use various malware and viruses to take control of computers to form a botnet (robotic network), which then launches further attacks such as spam and viruses against target computers or networks. Most often, the users of the compromised systems will not even know they are involved.
A bridge is an electronic device that connects two networks, such as LANs, that use the same protocol, such as Ethernet or Token Ring, and creates two distinct LANs or wide area networks. Operating at the Data Link Layer of the Open Systems Interconnection model, bridges have the ability to filter information and pass it to the right nodes, or decide not to pass it at all. They also help in streamlining or reducing the volume of traffic on a LAN by dividing it into two segments.
A broadcast is a process of transmitting the same message to multiple users simultaneously without the need for acknowledgement from users.
Brute Force Attack
A brute force attack is the process of finding the solution by trying many probable candidates, such as passwords or decryption keys, one after another until one succeeds.
A buffer overflow is a type of programming flaw that occurs when a program tries to store more data in a buffer than it can hold. Since there is a limit on how much data a buffer can hold, any surplus data overflows into the adjoining buffers. This causes data stored in those buffers to be overwritten, and triggers unpredictable consequences.
Bug
An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.
Business Continuity Management
Business continuity management refers to preparing for and maintaining continued business operations following disruption or crisis.
Business Continuity Plan
A Business Continuity Plan, also known as a business emergency plan, offers safeguards against a disaster, and outlines the strategies and action plan for how to continue business as usual in the event of any disaster.
Business Impact Assessment
A Business Impact Assessment (also called a Business Impact Analysis) is the process of evaluating and identifying risks and threats that a business might face in the event of an accident, disaster, or emergency. It evaluates the possible risk to tangible and intangible assets such as personnel, infrastructure, data and goodwill. In addition, it sets out the steps needed to recover from any such disasters.
C2 is a computer security class defined in the Trusted Computer System Evaluation Criteria (TCSEC).
C2 Infrastructure Data
C2 infrastructure data consists of domains, IP addresses, protocol signatures, email addresses, payment card data, etc.
Central Services Node
A central services node is the key management infrastructure core node that provides central security management and data management services.
In cryptography, a certificate authority is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.
Certificate management is the process in which certificates are generated, used, transmitted, loaded and destroyed.
Certification Revocation List
A certification revocation list is an independent third party that verifies the online identity of an entity. They issue digital certificates that contain information about the owner of the certificate and details of the certificate, thus verifying the identity of the owner.
Chain of Custody
A chain of custody is a chronological documentation of how electronic evidence is collected and handled. It also contains information on who has access to it.
Chain of Evidence
The chain of evidence shows who obtained the evidence, where the evidence came from, also who secured, had control and possession of the evidence. The chain of evidence goes in the following order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.
Challenge Response Protocol
A challenge response protocol is an authentication protocol in which the verifier sends the user a challenge. When the challenge is solved with a private key operation, access is allowed.
Chargeback
A payment card transaction where the supplier initially receives payment but the transaction is later rejected by the cardholder or the card issuing company. The supplier's account is then debited with the disputed amount.
Checksum
A numerical value that helps to check whether the data transmitted is the same as the data stored, and that the recipient has error-free data. It is often the sum of the numerical values of the bits of the stored digital data. This value should match the value computed at the recipient's end; a mismatch indicates an error.
Chief Information Security Officer (CISO)
A Chief Information Security Officer is a senior level executive of an organization entrusted with the responsibilities of protecting the information assets of the businesses and making sure that the information policies of the organization align with the objectives of the organization.
Chief Security Officer (CSO)
A Chief Security Officer is an executive of the company with assigned responsibility to protect assets such as infrastructure, personnel and information, in both digital and physical form.
In cryptography, a cipher is an algorithm for performing encryption or decryption. The process encrypts data into code, or deciphers the code back into data using the required key.
Ciphertext
Data or information in its encrypted form. Ciphertext is data converted from plain text into code using an algorithm, making it unreadable without the key.
Ciphony is the process of enciphering audio information with the result of encrypted speech.
A claimant is the party who needs to be identified via an authentication protocol.
Clear Desk Policy
A policy that directs all personnel to clear their desks at the end of each working day, and file everything appropriately. Desks should be cleared of all documents and papers, to ensure that sensitive papers and documents are not exposed to unauthorized persons outside of working hours.
Clear Screen Policy
A clear screen policy is a policy that directs all computer users to ensure that the contents on screen are protected from prying eyes. The easiest way is to use a screen saver that engages either on request or after a specified short period of time.
Cleartext is data in ASCII format or data that is not coded or encrypted. All applications and machines support this plain text.
Clinger Cohen Act of 1996
The Clinger-Cohen Act (CCA), formerly the Information Technology Management Reform Act of 1996 (ITMRA), is a 1996 United States federal law designed to improve the way the federal government acquires, uses and disposes of information technology (IT).
Cloud computing allows remote sharing of files, data and facilitates remote working, as long as users are connected to the internet. A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
A cold site is a backup site that can become operational fairly quickly, usually in one or two days. A cold site might have standard office equipment such as furniture and telephones, however there is unlikely to be any computer equipment. Basically, a cold site is a backup facility ready to receive computer equipment should a group need to move to an alternate location.
A collision is a situation where two or more devices try to send requests or transmit data to the same device at the same time.
Common text is a series of requirements defined by the International Organization for Standardization, that are being incorporated in all management system international standards as they are revised.
Compartmentalization is a technique of protecting confidential information by revealing it only to a few people: those who actually need to know the details to perform their job. By restricting access to information in this way, the risk to business objectives is limited.
Compliance is the act of adhering to the set standards, rules, and laws of regulatory bodies and authorities. For example, in software, the installation process must abide by the vendor's license agreement.
A compliance document is a document detailing the actions required to comply or adhere to the set standards by regulatory bodies. Any violations of the said rules attract punitive actions from the regulatory bodies.
A compromise is the violation of the company's system security policy by an attacker. It can result in the modification, destruction or theft of data.
Computer crime refers to any form of illegal act involving electronic information and computer equipment.
Computer forensics is the process of analyzing computer devices suspected of involvement in a crime, with the aim of gathering evidence for presentation in a court of law. Computer forensics offers many tools for investigation and analysis to uncover such evidence.
Computer fraud is a computer crime that an intruder commits to obtain money or something of value from a company. Computer fraud can involve the modification, destruction, theft or disclosure of data. Often, all traces of the crime are covered up.
Computer Network Defence
The actions taken to defend against unauthorised activity within computer networks.
Confidentiality is the set of authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Confidentiality ensures that rules are set that place restrictions on access to, or sharing of, information with the aim of preserving and protecting the privacy of the information.
Configuration control is a process for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications before, during, and after system implementation.
Configuration Management (CM) is a systems engineering process for ensuring consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information.
Conflict of interest escalation is a predefined procedure for escalating a security incident if any members of the support or security teams are themselves suspects.
Consumerization refers to new trends or changes in enterprise technology as more and more consumers embrace such technology. Employees use devices for personal use and as they gain wide acceptance, even organizations start using such technologies.
Containment consists of the steps taken to control any further risk once a threat has been identified.
Content filtering is a process by which access to certain content, information or data is restricted or completely blocked based on an organization's rules, using either software or hardware based tools.
A contingency plan is a security plan to ensure that mission-critical computer resources are available to a company in disasters (such as earthquake or flood). It includes emergency response actions, backup operations and post-disaster recovery.
Continuous process is a process that operates on the basis of continuous flow, as opposed to batch, intermittent, or sequenced operations.
Controls are the measures taken to prevent unauthorized use of a company's system resources by external intruders or unauthorized employees.
A control algorithm is a mathematical representation of the control action to be performed.
The control center is an equipment structure from which a process is measured, controlled, and/or monitored.
A control loop is a combination of field devices and control functions arranged so that a control variable is compared to a set point and returns to the process in the form of a manipulated variable.
The control network of an enterprise is typically connected to equipment that controls physical processes and that is time or safety critical. The control network can be subdivided into zones, and there can be multiple separate control networks within one enterprise and site.
A control server is a server that hosts the supervisory control system, typically a commercially available application for a DCS or SCADA system.
A control system is a system in which deliberate guidance or manipulation is used to achieve a prescribed value for a variable. Control systems include SCADA, DCS, PLCs and other types of industrial measurement and control systems.
A controlled variable is the variable that the control system attempts to keep at the set point value. The set point may be constant or variable.
A cookie is a small packet of information which your computer's browser stores when you visit a web server. The stored information (e.g. a set of form values) is used to customize your next visit to the same web server.
A countermeasure is a defensive mechanism, implemented as a process, system or device, that helps mitigate a risk or threat to a network or computers.
A cracker, also known as a black hat hacker, is an individual with extensive computer knowledge whose purpose is to breach or bypass internet security or gain access to software without paying royalties. As opposed to hackers, who may be internet security experts hired to find vulnerabilities in systems, crackers have the malicious intent to do damage for criminal gain.
CRC refers to a cyclic redundancy check. The CRC is an error-detecting code commonly used to detect accidental changes to raw data. It identifies the error so that corrective action can be taken against corrupted data.
Crimeware refers to any malware that's used to compromise systems such as servers and desktops - the majority of these incidents start through web activity, not links or attachments in email.
Critical infrastructure is the fundamental system of an organization that is important for its survival. Any threat to such basic systems would push the entire organization into jeopardy.
Criticality is the level of importance assigned to an asset or information. The organization may not function effectively and efficiently in the absence of an asset or information that is highly critical.
Criticality analysis is the evaluation of the importance of an asset or information to an organization, and of the effects its failure would have on the overall performance of the organization.
CRITs (Collaborative Research Into Threats) is an open source malware and threat repository. It works by leveraging open source software to create a unified tool for security experts engaged in threat defense.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Cryptanalysis
The operations performed in defeating or circumventing cryptographic protection of information by applying mathematical techniques.
Cryptography is a method of protecting the privacy of information by encrypting it into a secret code, so that no one but an authorized person holding the key can read or view the information. It is the use of mathematical techniques to provide security services such as confidentiality, data integrity, entity authentication, and data origin authentication; in other words, the art or science concerning the principles, means, and methods for converting plaintext into ciphertext and for restoring encrypted ciphertext to plaintext.
Cryptosystem
A suite of cryptographic algorithms needed to implement a particular security service, most commonly for achieving confidentiality (encryption). Typically, a cryptosystem consists of three algorithms: one for key generation, one for encryption, and one for decryption.
Cyber
Relating to, or characteristic of, the culture of computers, information technology and virtual reality (OED).
Cyberspace
The interconnected information infrastructure of interactions among persons, processes, data, and information and communications technologies, along with the environment and conditions that influence those interactions.
Cyber espionage is the use of computer networks to gain illicit access to confidential information.
A cybercop is a law enforcement officer entrusted with the responsibilities of monitoring online activities to control criminal activities online or cybercrimes.
Cybersecurity is the set of processes employed to safeguard and secure the crucial information of an organization. Identity management, risk management and incident management form the crux of an organization's cybersecurity strategy.
Cybersecurity architecture is the information security layout that describes the overall structure of an organization's security, including its various components and their relationships. It shows how strong the data security, controls and preventive mechanisms implemented in the organization are.
CybOX (cyber observable expression) is the standard language for cyber observables (i.e. a schema). A cyber observable is "a measurable event or stateful property in the cyber domain".
Cycle time is the time for a controller to complete one control loop, in which sensor signals are read into memory, control algorithms are executed, and corresponding control signals are transmitted to actuators that create changes in the process, resulting in new sensor signals.
A darknet is a private file sharing network where connections are made only between trusted peers using non-standard protocols and ports. Darknet networks are anonymous, and therefore users can communicate with little fear of governmental or corporate interference.
A data asset is any entity that is composed of data; a database, for example, is a data asset. A system or application output file, document, or web page is also considered a data asset. A data asset can also be a service that provides access to data from an application.
Data Breach
The unauthorised movement or disclosure of sensitive information to a party, usually outside the organisation, that is not authorised to have or see the information.
Data classification is a data management process that involves categorizing and organizing data into different classes based on its form, type, importance, sensitivity, and usage in an organization.
A data custodian is an executive of an organization entrusted with the responsibilities of data administration; as such, protecting and safeguarding data is the primary responsibility of the data custodian.
Data disclosure is a breach in which it is confirmed that data was disclosed to an unauthorized party.
A data element is a basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Gender, race, and geographic location are all examples of data elements.
Data Encryption Standard
The Data Encryption Standard (DES) is an algorithm that converts plain text to cipher text. DES uses the same key to encrypt and decrypt the data, and hence it is a symmetric key algorithm.
Data Flow Control
Data flow control is another term for information flow control.
A data historian is a centralized database supporting data analysis using statistical process control techniques.
Data Integrity
Data that is complete, intact, and trusted and has not been modified or destroyed in an unauthorised or accidental manner.
Data leakage is the accidental or intentional transfer and distribution of an organization's private and confidential information without its knowledge or permission.
Data Loss
The result of unintentionally or accidentally deleting data, forgetting where it is stored, or exposing it to an unauthorised party.
Data Mining
The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.
A data owner is an executive entrusted with the data accuracy and integrity in an organization. Such an individual has complete control over data, and can limit the access of data to people and assign permissions.
Data retention is the practice of storing and protecting data for historical, legal or operational reasons and for backup when needed. Every organization sets its own rules governing how long data is retained and when it is destroyed.
A data server is a computer or program that provides other computers with access to shared files or databases over a network.
The deliberate or intentional act of stealing of information.
Data Transfer Device
The Data Transfer Device (DTD) is an electronic fill device designed to replace the existing family of common electronic fill devices.
A database is a systematic collection and organization of information so that information can be easily stored, retrieved, and edited for future use.
DC Servo Drive
DC Servo Drive is a type of drive that works specifically with servo motors. It transmits commands to the motor and receives feedback from the servo motor resolver or encoder.
Decentralization is the process of distributing functions and authority among different people or locations.
To convert enciphered text to plaintext by means of a cryptographic system.
Declaration of Conformity
A declaration of conformity is a confirmation issued by the supplier of a product that specified requirements have been met.
Decryption is the process of decoding cipher text to plain text, so it is readable by the user. It is the opposite of encryption, the process of converting plain text to cipher text.
A decryption key is the secret value that a cryptographic algorithm needs to convert ciphertext back into plaintext. In a symmetric cipher it is the same key that was used to encrypt; in a public-key system it is the private key corresponding to the public key used for encryption.
Defense in depth is the practice of building multiple, independent layers of security around electronic and information resources. Also called the castle approach, it rests on the principle that if one layer fails during an attack, the remaining layers can still defend the resource.
A demilitarized zone (DMZ) is a network segment, usually bounded by firewall rules on both sides, that sits between an organization's internal LAN and the internet. Servers that must be reachable from outside (web, mail, DNS) are placed in the DMZ, so that a compromise of one of them does not give direct access to the internal LAN, which remains private and accessible only to authorized personnel.
Denial of Service Attack
A denial of service (DoS) attack is an attack designed to make a targeted site or service unavailable by overwhelming it with more traffic or requests than it can handle, or by exhausting a resource it depends on. A successful denial of service attack can cripple any entity that relies on its online presence by rendering its site virtually useless.
Developed by one of ThreatConnect's founders, and the primary methodology used by ThreatConnect, the Diamond Model breaks each cyber event into four vertices or nodes: Adversary, Capability, Infrastructure, and Victim. The connections between the vertices form a baseball diamond shape. Through this model analysts are able to derive a multidimensional picture of the relationships between threat actors and their tactics, techniques and procedures.
A dictionary attack is a password-cracking attack that tries every word in a wordlist (the "dictionary") as a candidate password, typically by hashing each word and comparing the result with a captured password hash.
A digital certificate is a signed data structure that binds a public key to the identity of its holder. It is the electronic equivalent of an ID card that establishes your credentials when doing business or other transactions on the Web. Also called a public key certificate, it is issued and signed by a certificate authority (CA), and it lets parties verify each other's keys so that they can exchange information over the internet securely.
Digital evidence is electronic information stored or transferred in digital form.
Digital forensics is the process of acquiring, analyzing and interpreting electronic data so that it can be presented as admissible evidence in legal proceedings.
A digital signature is a value computed over a message with the signer's private key and verified with the corresponding public key. It guarantees that the message came from the claimed sender and was not altered afterwards; because only the signer holds the private key, a digital signature cannot be forged without compromising that key.
A disaster is a sudden catastrophe that results in serious damage to nature, society, human life, and property. In a business or commercial sense, a disaster prevents an enterprise from carrying out its essential tasks for a period of time; for organisations, disasters may result in the loss of resources and assets, including data.
Disaster Recovery Plan
A Disaster Recovery Plan (DRP) prescribes steps required to carry on the business as usual in the event of a disaster. Disaster recovery plan aims to bring business activities back to normalcy in the shortest possible time. An in-depth understanding of a business's critical processes and their continuity needs is required to create the plan.
Discretionary Access Control
Discretionary access control (DAC) is an access control model in which the owner of a resource (such as a file, device or directory) decides which subjects (users or groups, identified by their identity) may access it and how. It is at the owner's discretion to grant, restrict or completely deny access; this contrasts with mandatory access control, where a system-wide policy rather than the owner makes that decision.
Disk imaging is the process of generating a bit-for-bit copy of the original media, including free space and slack space.
A disruption is unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).
Distributed Control System
A distributed control system (DCS) is a computerised control system for a process or plant, in which autonomous controllers are distributed throughout the system, but there is central operator supervisory control.
Distributed Denial of Service Attack (DDoS)
A distributed denial of service (DDoS) attack is a denial of service attack carried out from many systems at once, typically compromised machines (a botnet) directed by a command-and-control program run by the attacker, that together flood the targeted server with traffic. A DDoS attack is more devastating than a denial of service attack launched from a single system, because the combined volume is far larger and because traffic arriving from thousands of distinct sources is much harder to block.
A distributed plant is a geographically distributed factory that an enterprise accesses through the internet.
Disturbance is an undesired change in a variable being applied to a system that tends to adversely affect the value of a controlled variable.
The DMZ is a segment of a network where servers accessed by less trusted users are isolated. The name is derived from the term "demilitarized zone".
A domain controller is a server that manages domain information, such as user accounts and their credentials, and authenticates logins for the domain; in a Windows network it hosts the Active Directory database.
An attack in which an attacker takes over a domain, for example by first blocking access to the domain's legitimate DNS server and then putting their own server up in its place, so that the domain's name resolves to addresses the attacker controls.
Domain Name System (DNS)
The domain name system (DNS) is the hierarchical, distributed naming system that maps internet domain names to IP addresses and other records; domain registrations are tracked and regulated through registries and registrars.
A dual-use certificate is a certificate that is intended for use with both digital signature and data encryption services.
Due care is the degree of care a rational person would exercise in a situation similar to the one at hand. Also known as ordinary care or reasonable care, it is a test of whether a person acted responsibly or neglected their responsibility.
Due Diligence is the process of conducting a thorough and detailed investigation, to verify the truthfulness of the information provided in the statements for analysis and review before committing to a transaction.
Dumpster diving refers to the act of rummaging the trash of others to obtain useful information to access a system.
Dynamic ports, also known as private or ephemeral ports, are the ports numbered 49152 to 65535. They do not need any registration with IANA and are assigned on demand, typically as the client-side port of a connection, so that any application can communicate with another program that uses the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
Electronic commerce or e-commerce is any type of business, or commercial transaction, that involves the transfer of information across the Internet.
An easter egg is a non-malicious surprise contained in a program or media, placed there by the developer. It is undocumented, non-malicious, accessible to anyone, and entertaining.
Easy access refers to the circumstance where one breaks into a system with minimal effort by exploiting a well-known vulnerability and gains superuser access in a short time.
Eavesdropping is when one secretly listens to a conversation.
In computer networking, egress filtering is the practice of monitoring and restricting traffic leaving a network, typically traffic from a private TCP/IP network towards the internet. Blocking outbound connections that have no business need limits data exfiltration and malware command-and-control traffic.
Egress filtering is the filtering of outgoing network traffic.
Often called "viruses" these malicious programs and codes harm your computer and compromise your privacy. In addition to the traditional viruses, other common types include worms and Trojan Horses. They sometimes work in tandem to do maximum damage (blended threat).
Electronic Key Entry
Electronic key entry is the entry of cryptographic keys into a cryptographic module using electronic methods such as a smart card or a key-loading device.
Electronic Key Management System
An electronic key management system is an interoperable collection of systems being developed by services and agencies of the U.S. government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material.
An electronic signature is any mark applied in electronic form with the intent to sign a data object. The term is often used interchangeably with digital signature, but a digital signature is a specific cryptographic mechanism, whereas an electronic signature may be as simple as a typed name or a scanned image.
Electronically Generated Key
An electronically generated key is a key generated in a COMSEC device by mechanically or electronically introducing a seed key into the device and then using the seed in conjunction with a software algorithm stored in the device to produce the desired key.
An automated email ingest feature allows users to create structured, actionable threat intelligence with ease from emails originating from trusted sources and sharing partners or from suspected spearphishing emails.
Embedded cryptography is cryptography engineered into equipment or a system whose basic function is not cryptographic.
Encapsulation Security Payload
Encapsulating Security Payload (ESP) is the IPsec protocol (IP protocol number 50) that provides confidentiality by encrypting the packet payload, together with optional data-origin authentication, integrity protection and anti-replay protection, for both IPv4 and IPv6 packets. In transport mode ESP protects only the payload and leaves the original IP header in place; in tunnel mode the entire original packet is encrypted and wrapped in a new IP header.
To convert plaintext to ciphertext by means of a cryptographic system.
To convert plaintext to ciphertext by means of a code.
The process of transforming plaintext into ciphertext. Converting data into a form that cannot be easily understood by unauthorised people.
An encryption algorithm is a set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key.
An encryption certificate is a certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.
An encryption key is a secret value, a string of bits, that an encryption algorithm uses to transform plaintext into ciphertext; the same key (for a symmetric cipher) or the matching private key (for a public-key cipher) is needed to decrypt the result.
End-to-end encryption describes communications encryption in which data is encrypted by the sending endpoint and decrypted only by the receiving endpoint, so that intermediate nodes, including the service provider carrying the traffic, cannot read the content. Routing information in the packet headers remains visible so that the network can still deliver the data.
In network security, endpoint security refers to a methodology of protecting the corporate network when it is accessed via remote devices such as laptops and mobile devices. Each remotely connecting device creates a potential entry point for security threats.
An enterprise, in its most basic form, is a business or company, and it has a responsibility to manage its own risks and performance.
Enterprise architecture is the description of an enterprise's entire set of information systems: their configuration, how they are integrated and how they interface with one another. It also describes how they are operated to support the enterprise mission and how they contribute to the enterprise's overall security posture.
Enterprise Risk Management
Enterprise risk management is the set of processes an enterprise uses to manage risks to its mission. It involves identifying and prioritizing risks due to defined threats, implementing countermeasures that respond to those threats, and assessing enterprise performance against the threats and adjusting the countermeasures as necessary.
Entrapment is the deliberate planting of flaws in an information system to detect attempted penetrations.
EPP stands for Endpoint Protection Platform. It is a solution that converges endpoint device security functions, such as antivirus, anti-spyware and related host protection controls, into a single product.
Endpoint Threat Detection and Response.
Ethernet is the most popular local area network (LAN) technology; it specifies the cabling and signalling for home and organizational networks. Classic Ethernet used a shared bus topology with the CSMA/CD scheme to arbitrate simultaneous transmissions; modern switched Ethernet gives each device a full-duplex point-to-point link to a switch, so collisions no longer occur.
Endpoint Visibility and Control
An event is an action that a program can detect. Examples of some events are clicking of a mouse button or pressing the key.
Evidence is documents, records or any such objects or information that helps prove the facts in a case.
A fake Wi-Fi hot spot that looks like a legitimate service. When victims connect to the wireless network, a hacker can launch a spying attack on their transactions on the internet, or just ask for credit card information in the standard pay-for-access deal.
An exercise key is cryptographic key material used exclusively to safeguard communications transmitted over-the-air during military or organized civil training exercises.
An exploit is a technique or piece of code that takes advantage of a vulnerability, weakness or flaw in a system to intrude into or attack it.
An exploit code is a program that allows attackers to automatically break into a system.
An exploitable channel is a channel that allows the violation of the security policy governing an information system and is usable or detectable by subjects external to the trusted computing base.
The condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network.
External escalation is the process of reporting a security breach to an individual or group outside the department, division or company in which it occurred. When a problem is escalated, responsibility for resolving it is either accepted by or shared with the party to whom it is escalated.
An external network is a network not controlled by the organization.
External Security Testing
External security testing is security testing conducted from outside the organization's security perimeter.
An extranet is an extension of a company's intranet to include systems outside the company. It is used to facilitate easy access to databases and other sources of information between the company and its customers or suppliers.
A fail safe is the automatic protection of programs and processing systems when hardware or software failure is detected.
Fail soft describes systems that terminate any nonessential processing when hardware or software failures occur, so that essential functions continue in a degraded mode.
Failover is a method of protecting computer systems from failure in which standby equipment automatically takes over when the main system fails, without warning and without human intervention.
The inability of a system or component to perform its required functions within specified performance requirements.
A false positive is normal behavior that is marked as ‘different’, or possibly malicious. Too many false positives can drown out true alerts.
Fault tolerant refers to a system's built-in capability to provide continued, correct execution of its assigned function in the presence of a hardware and/or software fault.
Federal Information System
The Federal Information System is an information system used or operated by an executive agency, a contractor of an executive agency, or by another organization on behalf of an executive agency.
A field device is equipment connected to the field side of an ICS. Types of field devices include RTUs, PLCs, actuators, sensors, HMIs, and the associated communications.
A field site is a subsystem that is identified by physical, geographical, or logical segmentation within the ICS. A field site may contain RTUs, PLCs, actuators, sensors, HMIs, and associated communications.
Fieldbus is a digital, serial, multi-drop, two-way data bus or communication path or link between low-level industrial field equipment such as sensors, transducers, actuators, local controllers, and control room devices. Use of fieldbus technologies eliminates the need of point-to-point wiring between the controller and each device. A protocol is used to define messages over the fieldbus network with each message identifying a particular sensor on the network.
File encryption is the process of encrypting individual files on a storage medium so that their contents can be read only by someone holding the corresponding key, after proper authentication.
File Name Anomaly
File name anomaly is a mismatch between the internal file header and its external extension. A file name anomaly is also a file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphical extension).
File protection is the aggregate of processes and procedures designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents.
File security is the method in which access to computer files is limited to authorized users only.
File Transfer Protocol (FTP)
The File Transfer Protocol (FTP) is a standard network protocol used for transferring computer files between a client and a server on a computer network. FTP is built on a client-server architecture and uses separate control and data connections between the client and the server. Plain FTP sends credentials and file contents in cleartext, so SFTP or FTPS should be used wherever the traffic crosses an untrusted network.
File integrity monitoring (FIM) is an internal control that validates the integrity of operating system and application software files using a verification method between the current file state and the known baseline.
A firewall is a security barrier that monitors and controls incoming and outgoing network traffic based on predetermined security rules, designed to keep unwanted intruders “outside” a computer system or network. A firewall should be regularly checked and updated to ensure continued function, as malicious hackers learn new tricks to breach the firewall.
Flooding is an attack that attempts to cause a failure in a system by providing more input than the system can process properly.
Forensic copy is an accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm.
Forensic discovery is the search and analysis of electronic documents. Electronic records can be found on a wide variety of devices such as desktop and laptop computers, network servers, personal digital assistants and digital phones, and exist in media that can only be read using computers, such as cache memory, magnetic disks, optical disks, and magnetic tapes.
Forensically clean describes digital media that is completely wiped of all data, including nonessential and residual data, scanned for malware, and verified before use.
A forward cipher is one of the two functions of the block cipher algorithm that is determined by the choice of a cryptographic key.
Freeware is an application, program, or software available for use at no cost.
The comparison of actual performance against expected performance.
Gateways act as an entrance to another network. A node or stopping point can be either a gateway node or a host (end-point) node.
Get Nearest Server
Get nearest server is a request packet sent by a client on an IPX network to locate the nearest active server of a particular type.
GitHub is a web-based hosting service for Git repositories. It provides access control and collaboration features such as bug tracking, feature requests, task management, and wikis for every project.
Global Information Grid
The Global Information Grid (GIG) is an all-encompassing communications project of the United States Department of Defense.
GNU is an operating system and an extensive collection of computer software.
Gnutella is a large peer-to-peer network. It was the first decentralized peer-to-peer network of its kind.
Governance is a system for directing an organization. It includes the rules and practices established to weigh the interests of the stakeholders (e.g. management, suppliers, financiers, customers), and a framework for attaining the organization's established goals while balancing those goals against the stakeholders' interests. It aims to protect the organization by safeguarding its assets and the interests of its creditors and customers.
Graduated security is a security system that provides several levels (e.g., low, moderate, high) of protection based on threats, risks, available technology, support services, time, human concerns, and economics.
A gray hat is a white hat/black hat hybrid: a hacker with no intention to damage a system or network, but who exposes flaws in its security. However, they may use illegal means, such as accessing the network without permission, to expose the security weakness.
GRC stands for governance, risk and compliance.
Grooming is the act of cyber criminals who use the Internet to manipulate and gain trust of a minor as a first step towards the future sexual abuse, production or exposure of that minor. Sometimes, this may involve days, weeks, months or in some cases years to manipulate the minor.
A group authenticator is used sometimes in addition to a sign-on authenticator, to allow access to specific data or functions that may be shared by all members of a particular group.
A guard system is a mechanism limiting the exchange of information between information systems or subsystems.
Guessing entropy is a measure of the difficulty an attacker has in guessing the average password used in a system. Entropy is stated in bits: when a password has n bits of guessing entropy, an attacker has as much difficulty guessing the average password as in guessing an n-bit random quantity. The attacker is assumed to know the actual password frequency distribution, and so to try passwords in order of decreasing likelihood.
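The definition above carried through numerically, as an added example that is not part of the original glossary. The password frequency table is constructed (it stands in for a breach dump or a password audit); the conversion to bits follows the definition: an n-bit uniform value takes (2^n + 1)/2 guesses on average, so the distribution's expected guess count G corresponds to n = log2(2G - 1).

```python
"""Guessing entropy of a password population.

Added example, not from the glossary. LEAKED_COUNTS is a constructed
frequency table (password -> number of users who chose it). The attacker
knows the distribution and guesses in decreasing order of frequency.
"""
import math
from typing import Dict

LEAKED_COUNTS: Dict[str, int] = {
    "123456": 40, "password": 25, "qwerty": 15,
    "letmein": 10, "dragon": 5, "Tr0ub4dor&3": 5,
}


def expected_guesses(counts: Dict[str, int]) -> float:
    """Expected number of guesses for the optimal attacker: the password at
    rank i (most common first) is found on the i-th guess."""
    total = sum(counts.values())
    ordered = sorted(counts.values(), reverse=True)
    return sum(rank * count / total for rank, count in enumerate(ordered, start=1))


def guessing_entropy_bits(counts: Dict[str, int]) -> float:
    """Guessing a uniformly random n-bit value takes (2**n + 1) / 2 guesses on
    average, so the n whose cost matches this distribution is log2(2G - 1)."""
    g = expected_guesses(counts)
    return math.log2(2 * g - 1)


def naive_entropy_bits(counts: Dict[str, int]) -> float:
    """What a 'count the distinct passwords' estimate claims: log2(N).
    It ignores skew in the distribution, so it overstates the attacker's work."""
    return math.log2(len(counts))


def demo() -> Dict[str, float]:
    return {
        "expected_guesses": expected_guesses(LEAKED_COUNTS),
        "guessing_entropy_bits": guessing_entropy_bits(LEAKED_COUNTS),
        "naive_bits": naive_entropy_bits(LEAKED_COUNTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

With the constructed table the attacker needs 2.3 guesses on average, about 1.85 bits of guessing entropy, although six distinct passwords would naively suggest log2(6), roughly 2.58 bits; the gap is what a skewed real-world distribution costs. Eight equally likely passwords give exactly 3 bits, matching the uniform case in the definition.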
A hacker is, in the original sense, a skilled programmer; the mainstream usage of "hacker" mostly refers to people who gather information on computer security flaws and break into computers without authorization.
Handshaking procedures are the dialogue between two information systems for synchronizing, identifying, and authenticating themselves to one another.
Hard Copy Key
A hard copy key is physical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories.
The permanent storage medium within a computer that uses magnetic storage to store and retrieve digital information, programs and data.
Hardware is the physical components of an information system.
A hardwired key is a permanently installed key.
A hash function is a function that maps data of arbitrary size to data of a fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. A cryptographic hash function must additionally be one-way (it is infeasible to recover an input from its hash) and collision-resistant (it is infeasible to find two inputs with the same hash).
A hash value is the result of applying a cryptographic hash function to data (e.g., a message).
Hash-based Message Authentication Code (HMAC)
Hash-based Message Authentication Code is a message authentication code that combines a secret cryptographic key with a hash function (for example HMAC-SHA256). A party holding the key can verify both the integrity and the origin of a message, which an unkeyed hash alone cannot establish against an active attacker.
The process of applying a mathematical algorithm to a set of data to produce a numeric value (a 'hash value') that represents the data. It is a way to detect whether data has changed: recomputing the hash and comparing it with a stored value reveals accidental or unauthorised modification, provided the stored hash itself is protected from the attacker.
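The distinction between an unkeyed hash and an HMAC, as an added example that is not part of the original glossary: a bare SHA-256 digest catches a bit flipped in transit, but an attacker who can rewrite the message can also rewrite the digest; with HMAC the attacker cannot produce a valid tag for the altered message without the key. The key and the messages are constructed for illustration, and the verification uses hmac.compare_digest so that the comparison does not leak the tag through timing.

```python
"""Unkeyed hash versus HMAC for message integrity.

Added example, not from the glossary. KEY and the messages are constructed;
in practice the key would come from a key store or be derived from a
shared secret.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

KEY = secrets.token_bytes(32)  # constructed key for this demo only


def digest(data: bytes) -> str:
    """Unkeyed SHA-256: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of key can compute a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so an early-exit comparison
    # cannot leak how many leading bytes of a guessed tag were right.
    return hmac.compare_digest(mac(key, data), tag)


def attacker_rewrites(message: bytes) -> Tuple[bytes, str]:
    """Tamper with a message in transit and recompute its unkeyed digest."""
    forged = message.replace(b"amount=100", b"amount=9999")
    return forged, digest(forged)


def demo() -> Dict[str, bool]:
    msg = b"transfer: to=alice amount=100"

    # 1. An accidental bit flip in transit is caught by the plain hash...
    corrupted = msg[:-1] + bytes([msg[-1] ^ 0x01])
    accidental_caught = digest(corrupted) != digest(msg)

    # 2. ...but a deliberate attacker simply ships a matching new digest.
    forged, forged_digest = attacker_rewrites(msg)
    forgery_caught_by_hash = digest(forged) != forged_digest

    # 3. With HMAC the attacker has no key, so the old tag fails on the
    #    altered message while the genuine message still verifies.
    tag = mac(KEY, msg)
    forgery_caught_by_hmac = not verify_mac(KEY, forged, tag)
    genuine_accepted = verify_mac(KEY, msg, tag)

    return {
        "accidental_change_detected": accidental_caught,
        "forgery_detected_by_plain_hash": forgery_caught_by_hash,
        "forgery_detected_by_hmac": forgery_caught_by_hmac,
        "genuine_message_accepted": genuine_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

Note that HMAC protects integrity and origin for whoever holds the key; it does not provide confidentiality, and a recipient who holds the same key could have produced the tag too, so it offers no non-repudiation (that needs a digital signature).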
High Assurance Guard (HAG)
High assurance guard is an enclave boundary protection device that controls access between a local area network (LAN) that an enterprise system has a requirement to protect, and an external network that is outside the control of the enterprise system, with a high degree of assurance.
High availability is a feature that ensures availability during device or component interruptions.
High impact is the loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; i.e., it (1) causes a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) results in major damage to organizational assets; (3) results in major financial loss; or (4) results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
High Impact System
A high impact system is an information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.
A hijack attack is a form of active wiretapping in which the attacker seizes control of a previously established communication association.
Honeyclient is a web browser-based high interaction client honeypot designed by Kathy Wang and developed at MITRE. It was the first open source client honeypot and is a mix of Perl, C++, and Ruby. HoneyClient is state-based and detects attacks on Windows clients by monitoring files, process events, and registry entries.
A honeymonkey is an automated program that imitates a human user to detect and identify websites which exploit vulnerabilities on the Internet. It is also known as honeyclient.
A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
A hop occurs each time a data packet is passed from one device to another on its way from a specified source to its destination. Data packets pass through bridges, routers, and gateways on the way.
A network host is a device connected to a computer network. It is a network node that is assigned a network layer host address. A network host may offer information resources, services, and applications to users or other nodes on the network.
Host-Based Intrusion Detection System (HIDS)
A host-based intrusion detection system (HIDS) is an intrusion detection system that runs on the host it protects and monitors and analyses information from that host, such as operating system audit records and logs, file changes and process activity. Analysing the audit trail consumes processing power on the monitored host, so a HIDS imposes a noticeable overhead on the system.
A hot site is a fully operational offsite data processing facility, equipped with hardware and software, to be used in the event of an information system disruption. It is a backup site whose phone systems already have phone lines connected and whose networks are already in place, with the necessary routers and switches plugged in and turned on.
A hot wash is a debrief conducted immediately after an exercise or test with the staff and participants.
An HTTP proxy is a server that receives requests from your web browser, forwards them to the destination web server on your behalf, and returns the results to the browser.
HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is an Internet protocol used for secure communication over a computer network. HTTPS is very important over insecure networks (such as public WiFi), as anyone on the same local network can discover sensitive information not protected by HTTPS. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer.
A hub is a network device that serves as a common connection point for devices in a network; hubs were commonly used to connect segments of a LAN. A hub contains multiple ports, and when a data packet is received at one port it is repeated to all other ports on the hub. Because every attached host therefore sees all traffic, any of them can eavesdrop on the others; switches, which forward frames only to the destination port, have largely replaced hubs.
HUMINT (human intelligence) is intelligence gathered by means of interpersonal contact; a category of intelligence derived from information collected and provided by human sources.
A hybrid attack is a blend of both a dictionary attack method as well as brute force attack. It builds on other password-cracking attacks by adding numerals and symbols to dictionary words.
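The dictionary attack and the hybrid attack defined above, side by side, as an added example that is not part of the original glossary: both are run against a salted SHA-256 password hash, the plain dictionary pass tries each listed word verbatim, and the hybrid pass mangles each word with capitalisation, appended digits and years, trailing symbols and simple leetspeak. The wordlist, salt and target password are constructed for illustration; a real attack uses a large leaked wordlist.

```python
"""Dictionary and hybrid password guessing against a salted SHA-256 hash.

Added example, not from the glossary. WORDLIST, SALT and the target
password in demo() are constructed. Real systems should store passwords
with a slow, salted KDF (bcrypt, scrypt, Argon2) precisely to make the
guessing loop below expensive; fast SHA-256 is used here for clarity.
"""
import hashlib
from typing import Iterable, Iterator, Optional, Tuple

WORDLIST = ["password", "letmein", "dragon", "welcome", "sunshine", "qwerty"]
SALT = b"\x00\x11\x22\x33\x44\x55\x66\x77"  # constructed per-user salt


def hash_password(password: str, salt: bytes = SALT) -> str:
    """Hypothetical stored form: hex(SHA-256(salt || password))."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """A dictionary attack tries each word exactly as listed."""
    yield from words


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """A hybrid attack mangles each dictionary word with rules that mimic
    common human habits; every generated string is one more candidate."""
    leet = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
    for word in words:
        bases = {word, word.capitalize(), word.upper(), word.translate(leet)}
        for base in bases:
            yield base
            for symbol in ("!", "@", "#", "$"):
                yield base + symbol
            for digits in range(100):
                yield f"{base}{digits}"
                yield f"{base}{digits:02d}"
                yield f"{base}{digits}!"
            for year in range(1990, 2025):
                yield f"{base}{year}"


def crack(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose salted hash matches, else None."""
    for guess in candidates:
        if hash_password(guess) == target_hash:
            return guess
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    stored = hash_password("Sunshine42!")  # constructed target credential
    from_dictionary = crack(stored, dictionary_candidates(WORDLIST))
    from_hybrid = crack(stored, hybrid_candidates(WORDLIST))
    return from_dictionary, from_hybrid


if __name__ == "__main__":
    print(demo())
```

The target "Sunshine42!" survives the dictionary pass (no wordlist entry matches verbatim) but falls to the hybrid pass, because it is just a dictionary word with the capitalise, append-digits and append-symbol rules applied. The defence is the same for both: a per-user salt defeats precomputed tables, and a deliberately slow password hash makes each candidate cost milliseconds rather than microseconds.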
Hybrid encryption is a method of encryption that combines two or more encryption algorithms or systems. Typically it merges asymmetric and symmetric encryption to benefit from the strengths of each: the asymmetric algorithm is used to exchange or protect a session key, and the much faster symmetric algorithm encrypts the bulk data under that key.
Hybrid Security Control
Hybrid security control is a security control that is implemented in an information system in part as a common control and in part as a system-specific control.
A hyperlink is a link from a hypertext file or document to another location or file, typically activated by clicking on a highlighted word or image on the screen.
Hypertext Markup Language (HTML)
Hypertext Markup Language (HTML) is a set of markup symbols or codes that are inserted in a file intended for display in a World Wide Web (WWW) browser. The markup tells the browser how to display the web page to the user.
Hypertext Transfer Protocol (HTTP)
HTTP is the underlying protocol used by the World Wide Web (WWW). This protocol defines how messages are formatted and transmitted on the Internet and what actions web servers and browsers should take in response to various commands.
Identification is the step in which a user claims an identity to a company's systems, for example by presenting a unique username. Authentication then verifies that claim.
Internet Identity (IID) is a social identity that an internet user creates on online communities or websites. While some users prefer using their real names online, others prefer to be anonymous and identify themselves by means of pseudonyms.
Identity and Access Management (IAM)
Identity and Access Management is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Intrusion Detection and Prevention Systems are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. [Wikipedia]
IDLP stands for Information Leak Detection and Prevention.
IMINT (imagery intelligence) is an intelligence-gathering discipline that collects information via satellite and aerial photography.
An incident is an unplanned disruption of a network or system service and needs to be resolved immediately. An example would be a server crash that causes a disruption in the business process.
The management and coordination of activities associated with an event that may result in adverse consequences to information or information systems.
Incident Response Procedures
Incident response procedures are formal written procedures that detail the steps to be taken in the event of a major security problem, such as a break-in. Developing detailed incident response procedures before the occurrence of a problem is a hallmark of a well-designed security system.
Incident Response Team
The incident response team is a team that meets regularly to review status reports, authorize specific remedies, and manage the response process. During incidents, they properly assess the incident and make decisions regarding the proper course of action.
An incremental backup provides a backup of only those files that have changed or are new since the last backup. Incremental backups are often desirable as they consume the least storage and are quicker to perform than differential backups.
Inetd stands for Internet Service Daemon and is a super-server daemon on many Unix systems that manages several Internet services. This reduces the load on the system: network services such as telnet, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP) can be activated on demand rather than running continuously.
An inference attack is a data mining technique used to illegally obtain information about a subject by analyzing data. It is an example of a breach of information security. Such an attack occurs when a user is able to deduce key information in a database from trivial information without directly accessing it.
Information Security is the set of policy regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information.
Information Warfare (IW) is primarily a United States Military concept that involves the use and management of information and communication technology in pursuit of a competitive advantage over an opponent. This concept may employ a combination of tactical information, assurance(s) that the information is valid, spreading of propaganda or disinformation to demoralise or manipulate the enemy and the public, undermining the quality of opposing force information and denial of information-collection opportunities to opposing forces.
IaaS (Infrastructure as a Service) is the provision of computing infrastructure (such as server or storage capacity) as a remotely provided service accessed online (i.e. via the internet).
Ingress filtering is used to ensure that all incoming packets (of data) are from the networks from which they claim to originate. Network ingress filtering is a packet filtering technique commonly used by Internet service providers to prevent source address spoofing. This helps in combating network abuse and crime by making web traffic traceable to its source.
Input Validation Attacks
Input validation attacks are attacks in which an attacker purposefully sends strange inputs to confuse a web application. Input validation routines serve as the first line of defence against such attacks. Examples of input validation attacks include buffer overflow, directory traversal, cross-site scripting and SQL injection.
Input/Output (I/O) is a general term for the equipment that is used to communicate with a computer, as well as the data involved in the communications.
Insider (Inside Threat)
An insider is an entity inside the security perimeter that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
A declaration issued by an interested party that specified requirements have been met.
Instant Messaging (IM)
A service that allows people to send and receive messages almost instantly. To send messages using instant messaging you need to download an instant messaging program and know the instant messaging address of another person who uses the same IM program.
The integrity of a system or network is the assurance that information is protected and is only made available to those who are authorised; it is the property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorised manner.
Intelligent Electronic Device (IED)
Intelligent Electronic Device refers to any device incorporating one or more processors with the capability to receive or send data/control from or to an external source (e.g., electronic multifunction meters, digital relays, controllers).
Internal escalation is the process of reporting a security breach to a higher level of command within the department, division or company in which the breach occurred.
Internet Control Message Protocol (ICMP)
The Internet Control Message Protocol (ICMP) is one of the key Internet protocols and is used by network devices such as routers to generate error messages to the source IP address when network problems prevent delivery of IP packets. Any IP network device has the capability to send, receive or process ICMP messages.
Internet Engineering Task Force (IETF)
The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers who are concerned with the evolution of the Internet architecture and its smooth operations. This body defines the standard Internet operating protocols such as TCP/IP.
Internet Message Access Protocol (IMAP)
The Internet Message Access Protocol (IMAP) is a standard Internet protocol that is used by e-mail clients to retrieve e-mail messages from a mail server over TCP/IP. IMAP is defined by RFC 3501. An IMAP server typically listens on port number 143. IMAP over SSL (IMAPS) is assigned the port number 993.
Internet Protocol Security (IPsec)
Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), security gateways (network-to-network), or between a security gateway and a host (network-to-host).
Internet Service Provider (ISP)
Internet Service Provider is the company through which an individual or organization receives access to the internet. Typically, ISPs provide email service and homepage storage in addition to internet access.
An internet standard is a normative specification of a technology or methodology applicable to the internet. Internet Standards are created and published by the Internet Engineering Task Force (IETF). An internet standard is characterised by technical reliability and usefulness.
The ability of two or more systems or components to exchange information.
An interrupt is a signal sent to the processor by hardware or software indicating an event that needs immediate attention.
An intranet is an organisation's private network. It is built with the technologies used for local area networks (LANs) and wide area networks (WANs).
An unauthorised act of bypassing the security mechanisms of a network or information system.
Intrusion Detection System (IDS)
Intrusion Detection System is a security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Intrusion Prevention System (IPS)
Intrusion Prevention System is a system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.
A systematic and formal inquiry into a qualified threat or incident using digital forensics to determine the events that transpired, and to collect evidence.
An Indicator of Compromise (IOC) is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. After IOCs have been identified in a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.
An Internet Protocol address (IP address) is a numerical label that is assigned to any device that is using Internet Protocol and is connected to an internet network. An IP address allows network interface identification and location addressing.
IP forwarding is also known as internet routing. It is the process used to determine which path a packet or datagram should be sent along. IP forwarding is an OS option that allows a host to act as a router. A system that has more than one network interface card must have IP forwarding turned on in order to act as a router.
IP spoofing is also known as IP address forgery or a host file hijack. It is a hijacking technique in which a hacker impersonates a trusted host to conceal their identity, spoof a web site, hijack browsers, or gain access to a network.
An Information Sharing and Analysis Center (ISAC) is a nonprofit organization that provides a central resource for gathering information on cyber threats to critical infrastructure.
The International Organization for Standardization (ISO) is an international standard-setting body that is composed of voluntary representatives from various national standards organizations.
An Issue-Specific Policy is intended to address specific needs within an organisation, such as a password policy.
Jitter is any deviation in the signal pulses in a high-frequency digital signal. The aberration can be in amplitude, phase timing, or the width of the signal pulse. Jitter is sometimes referred to as "Packet Delay Variation" or PDV. Controlling jitter is critical for creating a good online experience.
Kerberos is a computer network authentication protocol allowing nodes to communicate over a non-secure network. Its protocol messages are protected against snooping and replay attacks. The Massachusetts Institute of Technology (MIT) developed Kerberos to protect network services provided by Project Athena.
The kernel is an essential center of a computer operating system that provides basic services for other parts of the operating system. A kernel can be contrasted with a shell, the outermost part of an operating system that interacts with user commands.
The numerical value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.
A keylogger is hardware or software designed to record the keys pressed on a computer keyboard. It's used to bypass other security measures, and can gather usernames, passwords, and other personally identifiable information.
Lattice Techniques use security designations to determine access to information.
A leased circuit is a communications link between two locations used exclusively by one organization. In modern communications, it is dedicated bandwidth on a shared link reserved for that user.
Least privilege is the security principle of allowing users the least amount of permissions necessary to perform their intended function.
Legion is a computer software system. It is an object-based system designed to provide secure, transparent access to large numbers of machines, both to computational power and data. It is classified as a distributed operating system, a peer-to-peer system, metacomputing software, or middleware.
A light tower is a device containing a series of indicator lights and an embedded controller used to indicate the state of a process based on an input signal.
Link-state routing protocols are one of the two main classes of routing protocols for computer communications. Link-state routers exchange messages to allow each router to learn the entire network topology. The link-state protocol is performed by every switching node, which creates a map of the connectivity of the network showing which nodes are connected to which other nodes. Each node then calculates the next best logical path.
List Based Access Control
List Based Access Control associates a list of users and their privileges with each object, such as a file directory or individual file. Each object has a security attribute that identifies its access control list. The list has an entry for each system user with access privileges. This list is implemented differently by each operating system.
Local Area Network (LAN)
A local area network (LAN) is a computer network that links devices within a building or group of adjacent buildings.
Log clipping is the selective removal of log entries from a system log to hide a compromise.
A logic bomb is a malicious program designed to execute when a certain criterion is met. This criterion can be: when a certain time is reached, when a certain file is accessed, or when a certain key combination is pressed.
A logic gate is an elementary building block of a digital circuit. This device is used to implement a Boolean function. It performs a logical operation on one or more logical inputs, and produces a single logical output.
A loopback address is a pseudo-address that sends outgoing signals back to the same computer for testing.
A Media Access Control address (MAC address) is the physical address and unique identifier assigned to a network interface for communication. MAC addresses are generally used as a network address for most IEEE 802 network technologies (Ethernet, WiFi). MAC addresses are used in the media access control protocol sub-layer of the OSI reference model.
A machine controller is a control system/motion network that electronically synchronizes drives within a machine system instead of relying on synchronization via mechanical linkage.
A macro virus is malware (i.e. malicious software) that uses the macro capabilities of common applications such as spreadsheets and word processors to infect data. It is a type of malicious code that attaches itself to documents and uses the macro programming capabilities of the document's application to execute, replicate, and spread or propagate itself.
Maintenance is any act that either prevents the failure or malfunction of equipment or restores its operating capability.
Malicious code describes a broad category of system security terms that includes attack scripts, viruses, worms, trojan horses, backdoors, and other malicious active content. Malicious code is any code in any part of a software system or script that is intended to cause undesired effects, security breaches, or damage to a system. Such code gains unauthorised access to system resources or tricks a user into executing other malicious logic. It is program code intended to perform an unauthorised function or process that will have an adverse impact on the confidentiality, integrity, or availability of an information system. This may include software, firmware, and scripts.
Hardware, firmware, or software that is intentionally included or inserted into a system to perform an unauthorised function or process that will have adverse impact on the confidentiality, integrity, or availability of an information system.
Threats can contain programs, often referred to as payloads, that perform malicious activities such as denial of service attacks, destruction or modification of data, changes to system settings, and information disclosure. The majority of viruses do not contain a payload; they simply replicate.
Malware is a term used for malicious software. Malware can be any software that is used to interrupt or disrupt computer operations, gather sensitive information, or gain access to certain files or programs. It includes viruses, Trojans, worms, time bombs, logic bombs, or anything else intended to cause damage upon the execution of the payload.
Posing as an online bank or merchant, a cyber criminal allows a victim to sign in over a Secure Sockets Layer (SSL) connection. The attacker then logs onto the real server using the client's information and steals credit card numbers.
Management controls are the security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information security.
A set of processes used by an organisation to meet policies and objectives for that organisation.
Mandatory Access Control (MAC)
In computer security, Mandatory Access Control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.
A manipulated variable is, in a process that is intended to regulate some condition, the quantity or condition that the controller alters to initiate a change in the value of the regulated condition.
MASINT is a technical branch of intelligence gathering, which serves to detect, track and identify or describe the signatures (distinctive characteristics) of fixed or dynamic target sources. This often includes radar, acoustic, nuclear, chemical and biological intelligence.
A masquerade attack is any attack that uses a forged identity (such as a network identity) to gain unauthorised access to a personal or organisational computer. Masquerade attacks are generally performed by using stolen passwords and logons, locating gaps in programs, or finding a way around the authentication process.
A mass mailer is a threat that self-replicates by sending itself through email. The threat obtains email addresses by searching for them in files on the system or by responding to messages found in the email client inbox.
A master program is the program a black hat cracker uses to remotely transmit commands to malicious software. It is used to carry out large scale Denial of Service attacks or spam attacks.
The MD5 message-digest algorithm is the most widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. MD5 is currently a standard, Internet Engineering Task Force (IETF) Request for Comments (RFC) 1321.
MDM (master data management) is a comprehensive method of enabling an enterprise to link all of its critical data to one file, called a master file, that provides a common point of reference.
The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
The modem is a device used to convert serial digital data from a transmitting terminal to a signal suitable for transmission over a telephone channel.
Software products that allow parents to monitor or track the websites or email messages that a child visits or reads. See also Blacklisting Software and Whitelisting Software.
Monoculture is the case where a large number of users run the same software, and are vulnerable to the same attacks.
The Morris Worm (internet worm) program was written by a graduate student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT. It was the first computer worm distributed via the Internet and gained significant mainstream media attention.
Motion Control Network
The motion control network is the network supporting the control applications that move parts in industrial settings, including sequencing, speed control, point-to-point control, and incremental motion.
MSSP (Managed Security Service Provider) is an outsourced network security service. Businesses turn to managed security services providers to alleviate the pressures they face daily related to information security such as targeted malware, customer data theft, skills shortages and resource constraints.
IP multicast is a method of sending packets of data to a group of receivers in a single transmission. This method is often used to stream media applications on the internet and private networks.
A multi-homed host is any computer host that has multiple IP addresses on connected networks. A multi-homed host is physically connected to multiple data links that can be on the same or different networks. Multihoming is commonly used in web management for load balancing, redundancy, and disaster recovery.
Multiplexing is a technique by which multiple data streams are combined into one signal over a shared medium. The multiplexed signal is transmitted over a communication channel, such as a cable. A reverse process, known as demultiplexing, extracts the original channels on the receiver end.
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
NIST's activities are organized into laboratory programs that include Nanoscale Science and Technology, Engineering, Information Technology, Neutron Research, Material Measurement, and Physical Measurement.
Natural disasters are any act of God or natural event caused by environmental factors. Examples include fire, flood, earthquake, lightning, or wind, which disable the system, part of it, or a network of systems.
A netmask is used to divide an IP address into subnets and specify the network's available hosts. The netmask screens out the network part of an IP address so that only the host part of the address remains.
A network is formed when two or more computer systems are grouped together to share information, software and hardware.
Network Address Translation (NAT)
Network Address Translation (NAT) is an approach that is used to remap an IP address space into another by modifying network address information in IP datagram packet headers while they are in transit. This technique was originally used for rerouting traffic in IP networks without renumbering every host.
A network firewall is a device that controls traffic to and from a network.
Network mapping is the study of physical connectivity of networks. It is used to compile an electronic inventory of the systems and the services on any network. With the increase in complexities of networks, automated network mapping has become more popular.
The ability of a network to: 1. Provide continuous operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged); 2. Recover effectively if failure does occur; and 3. Scale to meet rapid or unpredictable demands.
Network taps are hardware devices that help in accessing the data flow across a computer network. They allow a third party to monitor the traffic between two points in the network. A network tap has (at least) three ports: an A port, a B port, and a monitor port. Network taps are generally used for network intrusion detection systems, VoIP recording, network probes, RMON probes, packet sniffers, and other monitoring and collection devices and software that require access to a network segment.
Network-based Intrusion Detection Systems (NIDS) are placed at a strategic point (or points) to monitor the traffic on the network. A NIDS analyses the passing traffic on the entire subnet and matches it against a library of known attacks. When an attack is identified, or abnormal behaviour is detected, an alert is sent to the administrator. OPNET and NetSim are commonly used tools for simulating network intrusion detection systems.
A Next Generation Firewall (NGFW) is an integrated network platform that combines a traditional firewall with other network device filtering functionalities, such as an application firewall, in a single integrated platform that performs deep inspection of traffic and blocking of attacks.
NGIPS (next generation intrusion prevention system) offers protection against advanced and evasive targeted attacks with high accuracy. Usually using a combination of technologies such as deep packet inspection, threat reputation, and advanced malware analysis, it provides enterprises with a proactive approach to security.
NIPS (network intrusion prevention system) examines network traffic flows to detect and prevent vulnerability exploits. Following a successful exploit, the attacker can disable the target application.
A non-printable character is a character that has no printable letter or glyph corresponding to its ASCII code. Examples would be the linefeed, which is ASCII character code 10 decimal, the carriage return, which is 13 decimal, or the bell sound, which is decimal 7. On a PC, you can often add non-printable characters by holding down the Alt key and typing in the decimal value (i.e., Alt-07 gets you a bell). There are other character encoding schemes, but ASCII is the most prevalent.
Non-repudiation refers to the ability of a system to prove that a specific user and only that specific user sent a message and that it hasn't been modified. On the Internet, a digital signature is used not only to ensure that a message or document has been electronically signed by the person, but also, since a digital signature can only be created by one person, to ensure that a person cannot later deny that they furnished the signature.
A null session is also known as an Anonymous Logon. It is a method that allows an anonymous user to retrieve information such as user names and shares over the network, or to connect without authentication. Null sessions are one of the most commonly used methods of network exploration employed by hackers. A null session connection allows you to connect to a remote machine without using a user name or password. Instead, you are given anonymous or guest access.
An octet is a unit of digital information that consists of eight bits. Octets are generally displayed using a variety of representations, for example in the hexadecimal, decimal, or octal number systems. The binary value with all 8 bits set (or turned on) is 11111111, equal to the hexadecimal value FF, the decimal value 255, and the octal value 377. One octet can be used to represent decimal values ranging from 0 to 255.
One-way encryption is also known as a one-way hash function. It is a cryptographic algorithm that maps data of an arbitrary size to a fixed-size hash value. Any small change to a message would change the hash value so extensively that the new hash value would seem unrelated to the old one. It is designed so as to be near impossible to reverse, brute force usually being the only method of doing so.
Open Shortest Path First
Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4.
An operating system (OS) is software that manages computer hardware and software resources to support the computer's basic functions. All computer programs require an operating system to provide the fundamental controls for controlling the computer. Popular operating systems include the Linux operating system, the Mac operating system and the Windows operating system.
Operational controls are the security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).
An action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.
Operational Threat Intelligence
Information about specific impending attacks against the organization; it is initially consumed by higher-level security personnel.
The hardware and software systems used to operate industrial control devices.
OPSEC (operations security) is a process by which we protect unclassified information that can hurt us.
OSI stands for Open System Interconnection and is an ISO standard for worldwide communications. OSI defines a networking framework for implementing protocols in seven layers. OSI defines seven layers of functions that take place at each end of a communication. Although OSI is not always strictly adhered to in terms of keeping related functions together in a well-defined layer, many products involved in telecommunication attempt to describe themselves in relation to the OSI model.
The OSI physical layer (Layer 1) conveys the bit stream, electrical impulse, light, or radio signal through the network at the electrical and mechanical level. Fast Ethernet, RS232, and ATM are protocols with physical layer components.
OSINT (open source threat intelligence) is data collected from publicly available Web sources such as social media, blogs, news publications, and forums. With an estimated 90% of required intelligence available in open sources, it is imperative that intelligence analysts become adept at mining open sources.
A person or group of persons external to an organization who are not authorised to access its assets and pose a potential risk.
Overload is defined as the limitation of system operation by excessive burden on the performance capabilities of a system component.
A packet is a unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. When any file (such as e-mail message, HTML file, Graphics Interchange Format file) is sent from one place to another, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into smaller chunks ideal for routing.
Partitioning is the division of a computer hard disk or other secondary storage into one or more regions. Many computers have hard disk drives with only a single partition but others have multiple partitions so that an OS can manage information in each region separately. Each partition then appears in the OS as a distinct logical disk that uses part of the actual disk.
Passing off is making false representation that goods or services are those of another business.
An assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations.
A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorisation.
Password Authentication Protocol
Password Authentication Protocol (PAP) is a password-based authentication protocol used by the Point-to-Point Protocol (PPP) to validate users. Almost all network operating system remote servers support PAP.
Password cracking is the process of trying to guess or crack passwords to gain access to a computer system or network. Crackers generally use a variety of tools, scripts, or software to crack a system password. Password cracks work by comparing every encrypted dictionary word against the entries in the system password file until a match is found.
Password sniffing is a technique used to gain knowledge of passwords that involves monitoring traffic on a network to pull out information. Software tools can be used for automatic password sniffing.
A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs in existing programs; such patches are usually called bug fixes.
In computing, a payload is the actual intended message within transmitted data. In cybersecurity, however, a payload is the part of malware that performs the malicious action.
Penetration is defined as gaining unauthorised access to sensitive information by evading a system's protections.
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders. The process involves an active analysis of the system for any potential vulnerabilities from improper system configuration, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Penetration testing is also known as pen testing.
Permissions are the authorized actions that a subject can perform with an object (that is read, write, modify or delete).
Permutation is a process where the letters within a text are kept the same, but the position changes to scramble the message.
A personal firewall is an application installed and run on an individual computer that controls network traffic to and from that computer, permitting or denying communications based on a security policy. Typically it works as an application layer firewall, making decisions per program rather than only per port.
Personally Identifiable Information
Personal data relating to an identifiable living individual.
Pharming is a type of cyber attack that redirects a website's traffic to a masquerading website. Pharming is achieved by corrupting a DNS server (or the victim's local hosts file) so that the site's name resolves to the IP address of the fake website instead of the real one; the URL in the browser still looks correct. This attack is used to gather private information such as login credentials.
Phishing is a form of social engineering carried out by black hats in electronic form, usually by email, with the purpose of gathering sensitive information by impersonating a trustworthy entity. Phishing communications are made to look like they come from a legitimate source like a social networking site, entity or bank.
Photo eye is a light sensitive sensor utilizing photoelectric control that converts a light signal into an electrical signal, ultimately producing a binary signal based on an interruption of a light beam.
Phreakers are people who hack into a telecommunications system. Phreakers can hack into a system, circumvent telecommunications security systems by using electronic recording devices or simply creating tones with a whistle.
A ping sweep is a technique used to determine which IP addresses in a range map to live hosts, typically by sending an ICMP echo request to each address and recording which ones reply. Well-known tools with ping sweep capability include nmap for Unix systems and the Pinger software from Rhino9 for Windows NT. There are many other tools with this capability, including Hping, Simple Nomad's ICMPEnum, SolarWinds' Ping Sweep and Foundstone's SuperScan.
Plain text, as a file format, is the most portable format and is supported by almost every application. In cryptography, plaintext refers to any message that is not encrypted, that is, the input to an encryption algorithm or the output of decryption.
Poison reverse is a technique used by distance-vector routing protocols such as RIP to prevent routing loops. A gateway that learned a route from a neighbour advertises that same route back to the neighbour with a metric that indicates infinity (16 hops in RIP), so the neighbour never tries to reach the destination through it. In effect, the gateway advertises that those routes are not reachable in that direction.
Polyinstantiation is the ability of a database to maintain multiple records with the same primary key, distinguished by their security level. It is used in multilevel secure databases to prevent inference attacks: a low-clearance user who inserts a row whose key already exists at a higher level gets their own instance rather than a key-conflict error that would reveal the existence of the higher-level row. More generally, it indicates that two different instances share the same name (identifier, primary key).
A polymorphic virus is a virus that changes its digital footprint every time it replicates. Antivirus software relies on a constantly updated database of virus signatures to detect any virus that may have infected a system. By changing its signature upon replication, a polymorphic virus may elude signature-based antivirus software, making it very hard to eradicate.
A port is an end point of communication in an operating system, identified by a 16 bit port number. It is the entry or exit point from a computer for connecting communications or peripheral devices.
A port scan is a sequence of probes sent by an attacker to determine which ports on a system are open and therefore which services are listening. Port scanning provides the attacker with an idea of where to probe for weaknesses. A basic scan sends a connection attempt to each port, one at a time, and records which ones answer.
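The ping sweep and port scan entries describe the two halves of network reconnaissance: enumerate candidate hosts, then find open ports on each. The following is an added example (not code from the original glossary) that expands a CIDR range into the host addresses a sweep would probe and performs a TCP connect scan. Because an ICMP sweep needs raw sockets and a real network, the scan here is run against a throwaway listener on 127.0.0.1 that the example starts itself; the range 192.0.2.0/30 is the RFC 5737 documentation network and is used only for the enumeration step.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def expand_targets(cidr: str) -> list[str]:
    """Host addresses a ping sweep would probe (network and broadcast addresses excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


def tcp_connect_scan(host: str, ports, timeout: float = 0.3, workers: int = 32) -> list[int]:
    """Return the sorted list of ports on `host` that accept a TCP connection.

    A full connect() is the noisiest scan type (it completes the handshake and
    shows up in service logs) but needs no privileges.
    """
    def probe(port: int):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def start_listener():
    """Open a listening socket on an OS-chosen loopback port so the scan has something to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:        # listener closed; stop
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    print("sweep targets:", expand_targets("192.0.2.0/30"))
    srv, port = start_listener()
    try:
        print("open ports near the listener:", tcp_connect_scan("127.0.0.1", range(port - 5, port + 6)))
    finally:
        srv.close()
```

On the defensive side the same connect scan is what a host-based IDS sees as a burst of SYNs to many ports from one source; that pattern is the usual trigger for a port-scan alert.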
A portable device is a small, easily transportable computing device such as a smartphone, laptop or tablet computer.
A pressure sensor is a sensor system that produces an electrical signal related to the pressure acting on it by its surrounding medium. Pressure sensors can also use differential pressure to obtain level and flow measurements.
Privacy is the assurance that the confidentiality of, and access to, certain information about an entity (an individual or an organisation) is protected from unauthorized parties. Safeguards such as encryption and access control help ensure that such data is not exposed.
IANA has set aside three address ranges for use by private or non-internet-connected networks. This is referred to as private address space and is defined in RFC 1918. The reserved address blocks are: 10.0.0.0 to 10.255.255.255 (10/8 prefix), 172.16.0.0 to 172.31.255.255 (172.16/12 prefix) and 192.168.0.0 to 192.168.255.255 (192.168/16 prefix). Addresses in these ranges are not routed on the public internet; hosts using them reach it through network address translation.
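Recognising RFC 1918 space matters in application code as well as in routing, for instance when a server fetches a user-supplied URL and must not be tricked into reaching internal hosts (server-side request forgery). The following is an added example (not code from the original glossary) that checks an address against the three blocks above and then a broader egress filter; the /12 boundary is the one people most often get wrong, so 172.31.255.255 and 172.32.0.0 are both included in the checks.

```python
import ipaddress

# The three RFC 1918 blocks exactly as the entry lists them.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def is_safe_egress_target(addr: str) -> bool:
    """Deny-list used before an outbound fetch: reject anything that could point
    back into the internal network or the host itself.

    is_private is broader than RFC 1918 (it also covers loopback, link-local and
    other special ranges), which is what you want for an egress filter.
    Unparseable input is rejected rather than passed through.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if is_rfc1918(addr):
        return False
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_unspecified or ip.is_private)


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.255.255", "172.32.0.0", "192.168.7.7", "8.8.8.8", "127.0.0.1"):
        print(f"{a:18} rfc1918={is_rfc1918(a)!s:5} safe_egress={is_safe_egress_target(a)}")
```

Note that the filter operates on the resolved IP address, not on the host name; a name that resolves to 10.0.0.5 must be checked after resolution (and re-checked on redirects), otherwise the check is trivially bypassed.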
A private key is a cryptographic key that must be kept confidential and is used to enable the operation of an asymmetric (public key) cryptographic algorithm, typically to decrypt messages or to create digital signatures.
A process controller is a proprietary computer system, typically rack-mounted, that processes sensor input, executes control algorithms, and computes actuator outputs.
A program infector is a piece of malware (or virus) that attaches itself to existing program files. Once the original infected program is run the virus transfers to the computer memory and may replicate itself further, spreading the infection. This type of virus can be spread beyond one's system as soon as the infected file or program is passed to another computer.
A program policy is a high-level policy that sets the overall tone of an organisation's security approach.
Programmable Logic Controller
A programmable logic controller (PLC), or programmable controller is an industrial digital computer which has been ruggedised and adapted for the control of manufacturing processes, such as assembly lines, or robotic devices, or any activity that requires high reliability control and ease of programming and process fault diagnosis.
Promiscuous mode allows a network device to intercept and read each network packet. This is used by network administrators to diagnose network problems, but also by crackers who are trying to eavesdrop on network traffic for confidential information.
Proprietary information is information that is unique and will affect a company's ability to compete, such as customer lists, technical data, product costs, and trade secrets.
A protocol is a set of rules to implement and control communications and associations between systems. Protocols guide connections between end points in a telecommunication connection, and specify interactions between the communicating entities. Protocols exist at several levels in a telecommunication connection.
A protocol analyzer is a device or software application that enables the user to analyze the performance of network data so as to ensure that the network and its associated hardware/software are operating within network specifications.
A proximity sensor is a non-contact sensor with the ability to detect the presence of a target within a specified range.
A proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. Most proxies are web proxies, facilitating access to content on the World Wide Web and providing anonymity.
A public key is the publicly disclosed component of a pair of cryptographic keys used for asymmetric cryptography. It can be obtained and used by anyone to encrypt messages intended for a particular recipient (or to verify that recipient's digital signatures), such that the encrypted messages can be deciphered only by using the second key of the pair, the private key, which is known only to the recipient.
Public Key Encryption
Public Key Encryption is also known as asymmetric cryptography. Public key encryption is a cryptographic system that uses two keys, a public key known to everyone and a private or secret key known only to the recipient of the message.
Python is a widely used high-level programming language for general-purpose programming, created by Guido van Rossum and first released in 1991.
QAZ is a network worm with backdoor capabilities.
Quality of Service (QoS)
Quality of service (QoS) is the overall performance of a computer network, particularly the performance seen by the users of the network.
A race condition, also known as a race hazard, is the behaviour of an electronic, software or other system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer planned. Race conditions can occur in electronic systems, especially logic circuits, and in computer software, especially multithreaded or distributed programs. In security, a time-of-check-to-time-of-use (TOCTOU) race lets an attacker change a resource between the moment a program checks it and the moment it uses it.
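A check-then-act sequence without synchronisation is the classic software race. The following is an added example (not code from the original glossary) in which two threads withdraw from the same account; a barrier forces the schedule where both pass the balance check before either debits, so the race is reproduced deterministically rather than left to chance, and the same schedule is then run under a lock to show the fix. The account and amounts are constructed for the example.

```python
import threading


class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int, pause) -> bool:
    """Time of check (balance >= amount) and time of use (debit) are not atomic."""
    if acct.balance >= amount:
        pause()                       # another thread can run here and pass the same check
        acct.balance -= amount
        return True
    return False


def withdraw_safe(acct: Account, amount: int, pause) -> bool:
    """Check and debit happen under one lock, so the second withdrawal sees the new balance."""
    with acct.lock:
        if acct.balance >= amount:
            pause()
            acct.balance -= amount
            return True
        return False


def run_two_withdrawals(withdraw, start_balance: int = 100, amount: int = 80):
    """Run `withdraw` from two threads and return (final balance, sorted results).

    The barrier makes the threads meet between check and debit when nothing stops
    them; when a lock keeps the second thread out, the wait times out harmlessly.
    """
    acct = Account(start_balance)
    gate = threading.Barrier(2)

    def pause():
        try:
            gate.wait(timeout=1.0)
        except threading.BrokenBarrierError:
            pass                      # partner never arrived: it was correctly blocked

    results = []
    threads = [threading.Thread(target=lambda: results.append(withdraw(acct, amount, pause)))
               for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sorted(results)


if __name__ == "__main__":
    print("racy:", run_two_withdrawals(withdraw_racy))   # both withdrawals succeed, balance goes negative
    print("safe:", run_two_withdrawals(withdraw_safe))   # second withdrawal is refused
```

The same shape appears in file handling (stat the file, then open it) and in privilege checks (verify the token, then act on it); the remedy is always to make the check and the use one atomic operation, or to re-validate at the point of use.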
Radiation monitoring is the process of receiving images, data, or audio from an unprotected source by snooping on radiation signals.
Ransomware is a form of malware that is installed covertly on a victim's computer and prevents the user from operating it normally, typically by encrypting files or locking the system, unless they comply with the demands of the attacker. To regain access to the PC and files the victim is asked to pay money, a "ransom", to the attacker in exchange for the decryption key or for unlocking the system; payment does not guarantee recovery, so tested offline backups remain the primary defence.
Real time pertains to the performance of a computation during the actual time that the related physical process transpires, so that the results of the computation can be used to guide the physical process.
Active reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities. The attacker often uses port scanning, for example, to discover any vulnerable ports.
Recovery is the set of activities after an incident or event to restore essential services and operations in the short and medium term and to fully restore all capabilities in the longer term.
Redundancy is additional or alternative systems, subsystems, assets or processes that maintain a degree of overall functionality in case of loss or failure of another system, subsystem, asset or process.
Redundant Control Server
A redundant control server is a backup to the control server that maintains the current state of the control server at all times.
The registry (on Windows) is a system-defined database where applications and system components store and retrieve configuration data. Applications use the registry API to retrieve, modify or delete registry data. Because it also holds autostart entries and service configuration, the registry is a common persistence location for malware and a frequent target of forensic examination.
Regression testing is the use of scripted tests to verify that software still behaves correctly, for the inputs it should expect, after it has been changed. Typically developers maintain a set of regression tests that are executed before a new version of the software is released, so that a fix (including a security fix) does not silently reintroduce an earlier defect.
A relay is an electromechanical device that completes or interrupts an electrical circuit by physically moving conductive contacts. Its motion can be coupled to another mechanism such as a valve.
Reliability is the assurance that a system will adequately accomplish its tasks for a specific period of time under the expected operating conditions.
Remote access is access by users (or information systems) communicating from outside an information system's security perimeter.
Remote diagnostics are diagnostic activities conducted by individuals communicating externally to an information system security perimeter.
Remote maintenance is maintenance activities conducted by individuals communicating externally to an information system security perimeter.
Remotely exploitable vulnerabilities are those that can be exploited by attackers across a network. For example, vulnerabilities in web servers that can be exploited by web clients are remotely exploitable vulnerabilities.
Resilience is the ability to adapt to changing conditions and to prepare for, withstand and rapidly recover from disruption.
Resource exhaustion is a kind of attack where the attacker or hacker ties up finite resources on a system, making them unavailable to others.
Resource starvation is a condition where a computer process cannot be supported by available computer resources. It can occur due to the lack of computer resources or the existence of multiple processes that are competing for the same computer resources.
A response is information that is sent in reply to a request or stimulus.
Restore refers to the recovery of data following computer failure or loss.
Reverse engineering is the process of extracting any kind of sensitive information by disassembling and analyzing the design of a system component.
Reverse lookup is a technique that uses the IP (Internet Protocol) address to find a domain name.
A reverse proxy is a device or service placed between clients and one or more back-end servers. All incoming HTTP requests are received by the proxy, which forwards them to the appropriate back-end web server and returns the content to the end user. Because it terminates the client connection, a reverse proxy is a natural place for TLS termination, request filtering and rate limiting.
Risk is the probability that a vulnerability in a system or network will be exploited, whether intentionally or accidentally, combined with the impact of that exploitation. The impact component captures the potential loss from exposure of valuable and sensitive information or disruption of operations.
Risk assessment is a systematic process to identify, analyse and evaluate the threats that may leave sensitive information vulnerable to attack. It also employs methods to estimate the likelihood and impact of each risk so that controls can be chosen to reduce or eliminate it.
Risk averse means avoiding risks even if this leads to the loss of opportunity. An example is using a (more expensive) phone call vs. sending an e-mail in order to avoid risks associated with e-mail.
Risk management is the process of managing risks to agency operations, assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system.
Role Based Access Control
Role Based Access Control (RBAC) assigns users to roles based on their organizational functions and determines authorization based on those roles rather than on individual user identities. It is widely used in enterprises because permissions are managed per role instead of per person, and it can be used to implement either Mandatory Access Control (MAC) or Discretionary Access Control (DAC) policies.
Root is the account that has access to all commands and files on a Linux or Unix operating system. Root is also known as the super user.
A rootkit is malware that gives an attacker persistent privileged (administrator or root) access to a system while hiding its own presence. What makes a rootkit particularly dangerous is its ability to erase tracks and mask the intrusion, for example by hiding files, processes and network connections from the operating system's own tools, allowing the attacker to move through the network without being noticed.
A router is a hardware device that forwards data packets to the appropriate networks. Many Internet Service Providers (ISPs) provide routers to their customers with built-in firewall protection.
Route flapping occurs when a router transmits routing updates that alternately advertise a destination network first via one route and then via a different route, typically because an unstable link keeps going up and down.
A routing loop occurs when two or more poorly configured routers each believe the best path to a destination runs through the other, so a packet is forwarded back and forth until its time-to-live expires. In the case of distance-vector protocols, the fact that these protocols route by rumour and have a slow convergence time can cause routing loops.
Safety is the requirement to ensure that the individuals involved with an organization (e.g. employees, customers and visitors) are safeguarded from harm, including harm caused by a malicious attack on the systems around them.
Safety Instrumented System (SIS)
SIS is a system that is composed of sensors, logic solvers, and final control elements whose purpose is to take the process to a safe state when predetermined conditions are violated. Other terms commonly used include Emergency Shutdown System (ESS), Safety Shutdown System (SSD), and Safety Interlock System (SIS).
In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. The salt is stored alongside the hash; it need not be secret. Because each user gets a different salt, two users with the same password produce different hashes, and an attacker cannot crack all accounts with one precomputed table but must attack each hash separately.
In computer security, sandboxing is a mechanism for running untested or untrusted programs in a restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized. Implementations range from isolating the program in its own virtual address space to transforming untrusted machine-interpretable code so that all memory accesses are confined to the code and data segments of its fault domain.
A SCADA server is the device that acts as the master in a SCADA system.
A scatternet is a type of ad hoc computer network consisting of two or more piconets. The terms "scatternet" and "piconet" are typically applied to Bluetooth wireless technology.
Scavenging is the process of searching through data residue in a system or a network to gain unauthorized knowledge of sensitive information.
Scoping guidance is a part of tailoring guidance providing organizations with specific considerations on the applicability and implementation of individual security controls in the security control baseline.
A screen scraper is a virus or physical device that logs information sent to a visual display in order to capture private or personal information.
A script is a file containing active content such as commands or instructions that are executed by the computer.
A script kiddie is an individual who uses existing code and tools written by others to hack into a system, lacking the expertise to write their own. While they may not possess a lot of computing talent, they are easily as dangerous as skilled hackers because the tools they run work regardless of who runs them.
Secret Key Cryptographic Algorithm
A secret key (symmetric) cryptographic algorithm is a cryptographic algorithm that uses a single secret key for both encryption and decryption, so the key must be shared in advance between the communicating parties and kept confidential by both.
A secret seed is a secret value used to initialize a pseudorandom number generator.
Secure Communication Protocol
A secure communication protocol is a protocol that establishes rules for communicating securely, providing confidentiality, integrity and authentication of the parties. Examples include Transport Layer Security (TLS) and HTTPS.
Secure Electronic Transaction (SET)
Secure Electronic Transaction (SET) was a communications protocol standard for securing credit card transactions over insecure networks, specifically the internet. SET authenticated all parties (customer, merchant and bank) using digital signatures, used encryption to protect the message and provide integrity, and provided end-to-end security for credit card transactions online. It was not widely adopted and has been superseded in practice by TLS-protected payments.
Secure Shell (SSH)
Secure Shell (SSH), sometimes expanded as Secure Socket Shell, is a cryptographic network protocol and command interface, originally from the UNIX world, used to log into another computer over a network, to execute commands on a remote machine and to move files from one machine to another. It replaced cleartext protocols such as Telnet and rlogin, encrypting the whole session and authenticating the server by its host key.
Secure Sockets Layer
Secure Sockets Layer (SSL) was the standard security technology for establishing an encrypted link between a web server and a browser. SSL was developed by Netscape for transmitting private documents via the internet. All SSL versions are now deprecated because of known weaknesses; its successor, Transport Layer Security (TLS), is what modern "SSL" connections actually use.
Secure state is a condition in which no subject can access any object in an unauthorized manner.
A secure subsystem is a subsystem containing its own implementation of the reference monitor concept for those resources it controls. A secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects.
Security is achieved when an organization establishes and maintains protective measures that enable the enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML, pronounced sam-el) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
A security association is a relationship established between two or more entities to enable them to protect data they exchange.
A security attribute is a security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bit map, or numbers. Compartments, caveats, and release markings are examples of security attributes. A security attribute is also an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system.
A security audit is an independent review and examination of a system's activity records to determine if system control is adequate. The process ensures compliance with established security policies, detects breaches in security, and recommends any changes.
Security Authorization Boundary
A security authorization boundary is an information security area that includes a grouping of tools, technologies, and data.
Security category is the characterization of information based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on the organization or individuals, other organizations, and the nation.
Security Concept of Operations
Security concept of operations is a security-focused description of an information system, its operational policies, classes of users, interactions between the system and its users, and the system’s contribution to the operational mission.
A security control is a management, operational or technical control (i.e. a safeguard or countermeasure) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information; in short, something that modifies or reduces one or more security risks.
Security Control Assessment
Security control assessment is the testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, and producing the desired outcome with respect to meeting the security requirements.
Security Control Assessor
A security control assessor is the individual, group, or organization responsible for conducting a security control assessment.
Security Control Baseline
A security control baseline is the set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
Security Control Effectiveness
Security control effectiveness is the measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
Security Control Enhancements
Security control enhancements are statements of security capability that (i) build in additional, but related, functionality to a basic control and/or (ii) increase the strength of that control.
Security Control Inheritance
Security control inheritance is a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides.
A security domain is the determining factor in the classification of an enclave of servers/computers. A network with a different security domain is kept separate from other networks. Examples: NIPRNet, SIPRNet.
Security Engineering is an interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development life cycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem.
Security Fault Analysis (SFA)
A security fault analysis is an assessment, usually performed on information system hardware, to determine the security properties of a device when hardware fault is encountered.
Security Features Users Guide
A security features users guide is a guide or manual explaining how the security mechanisms in a specific system work.
A security filter is a secure subsystem of an information system that enforces security policy on the data passing through it.
A security function is the implementation of a security policy as well as a security objective. It enforces the security policy and provides the required capabilities.
All information security measures try to address at least one of three goals:
1) Protect the confidentiality of data.
2) Preserve the integrity of data.
3) Promote the availability of data for authorized use.
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM) is a process, and the class of products that implement it, in which log and network information from many sources is aggregated, normalised and correlated to detect suspicious activities.
In computer and communications security, the security kernel is the central part of a computer or communications system hardware, and software that implements the basic security procedures for controlling access to system resources.
A security label is a marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource.
Security Management Dashboard
A security management dashboard is a tool that consolidates and communicates information relevant to the organizational security posture in near real time to security management stakeholders.
Security markings are human-readable indicators applied to a document, storage media, or hardware component to designate security classification, categorization, and/or handling restrictions applicable to the information contained therein. For intelligence information, security markings could include compartment and sub-compartment indicators and handling restrictions.
Security Net Control Station
A security net control station is a management system overseeing and controlling the implementation of network security policy.
A security perimeter is a well-defined boundary within which security controls are enforced.
A security plan is a formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
A security policy is a set of rules and practices that specify how a system or organization delivers security services to protect sensitive and critical information. It defines the objectives and constraints for the security program.
Security procedures are a set of detailed instructions, configurations and recommendations for implementing a company's security policies.
Security Requirements Baseline
Security requirements baseline is the description of the minimum requirements necessary for an information system to maintain an acceptable level of risk.
A security service is a capability that supports one or multiple security goals to maintain the confidentiality, integrity and availability of system information. Examples of security services are key management, access control and authentication.
Security specification is the detailed description of the safeguards required to protect an information system.
Security strength is a measure of the computational complexity associated with recovering certain secret and/or security-critical information concerning a given cryptographic algorithm from known data (e.g. plaintext/ciphertext pairs for a given encryption algorithm). It is also a number associated with the amount of work (that is, the number of operations) that is required to break a cryptographic algorithm or system. Sometimes referred to as a security level.
A security tag is an information unit containing a representation of certain security related information (e.g., a restrictive attribute bit map).
Security Test & Evaluation (ST&E)
A security test and evaluation is an examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.
Security testing is the process to determine that an information system protects data and maintains functionality as intended.
A security relevant change is any change to a system’s configuration, environment, information content, functionality, or users which has the potential to change the risk imposed upon its continued operations.
A seed key is an initial key used to start an updating or key generation process.
A segment has two meanings. In TCP, a segment is the protocol data unit that TCP hands to IP (a TCP header plus data). On a LAN, a segment is a section of the network that shares the same collision or broadcast domain; dividing an Ethernet into multiple segments is one of the most common ways of increasing the available bandwidth on the LAN and of limiting what a sniffer on one segment can see.
Sensitive information is data that must be protected from unauthorised access to safeguard the privacy or security of an individual, organisation, or nation. Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security, if disclosed to others.
Separation of Duties
Separation of duties (SoD) is also known as segregation of duties. It is based on the principle of splitting privileges among multiple individuals or systems.
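The RBAC and separation of duties entries fit together naturally: roles carry the permissions, and separation of duties is enforced by declaring which roles may never be held by the same person. The following is an added example (not code from the original glossary) of a small role-based authorisation check that is deny-by-default and refuses role assignments that would violate a static separation-of-duties constraint; the roles, permissions and users (an invoice workflow with clerks and approvers) are constructed for the example.

```python
class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would give one user two mutually exclusive roles."""


# Role definitions: each role maps to the permissions it grants (constructed example).
ROLE_PERMISSIONS = {
    "clerk":    {"invoice:create", "invoice:read"},
    "approver": {"invoice:read", "invoice:approve"},
    "auditor":  {"invoice:read", "audit:read"},
    "admin":    {"user:assign_role"},
}

# Static separation of duties: no single person may both raise and approve invoices.
MUTUALLY_EXCLUSIVE_ROLES = [{"clerk", "approver"}]


class AccessControl:
    def __init__(self):
        self.user_roles: dict[str, set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        proposed = self.user_roles.get(user, set()) | {role}
        for pair in MUTUALLY_EXCLUSIVE_ROLES:
            if pair <= proposed:
                # Reject before mutating state, so a failed assignment leaves the user unchanged.
                raise SeparationOfDutiesError(f"{user} cannot hold both {sorted(pair)}")
        self.user_roles[user] = proposed

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user: str) -> set[str]:
        """Union of the permissions of every role the user holds; unknown users get nothing."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, set())))

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)      # deny by default


def approve_invoice(ac: AccessControl, invoice: dict, approver: str) -> bool:
    """Dynamic separation of duties: even a permitted approver may not approve their own invoice."""
    if not ac.is_allowed(approver, "invoice:approve"):
        return False
    if invoice["created_by"] == approver:
        return False
    invoice["approved_by"] = approver
    return True


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign_role("alice", "clerk")
    ac.assign_role("bob", "approver")
    inv = {"id": 1, "created_by": "alice"}
    print("alice can create:", ac.is_allowed("alice", "invoice:create"))
    print("bob approves alice's invoice:", approve_invoice(ac, inv, "bob"))
    try:
        ac.assign_role("bob", "clerk")
    except SeparationOfDutiesError as e:
        print("blocked:", e)
```

The static check lives in role assignment, the dynamic check in the transaction itself; both are needed, because the second catches cases (such as an approver who created the record under an earlier role) that the first cannot see.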
A server is a computer entity or a machine that waits for requests from other machines or software (clients) and responds to them. The purpose of a server is to share data or hardware and software resources, hence allowing for the provision of services and data within a network.
A servo valve is an actuated valve whose position is controlled using a servo actuator.
A session is a virtual connection between two hosts over which network traffic is passed. In web applications the term also refers to the server-side state, identified by a session token in a cookie, that stores information (in variables) to be used across multiple pages.
Session hijacking, also known as cookie hijacking, is the exploitation of a valid computer session, usually by stealing or predicting the session identifier (the session token or cookie), to gain unauthorised access to sensitive information or services in a computer system or network. Binding tokens to TLS, marking cookies Secure and HttpOnly, and rotating the identifier on login are the standard defences.
A session key is a key that is temporary. It is an encryption and decryption key that is randomly generated to ensure the security of a communications session between a user and another computer or between two computers. These keys are sometimes called symmetric keys, because the same key is used for both encryption and decryption.
An input variable that sets the desired value of the controlled variable. This variable may be manually set, automatically set, or programmed.
Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash function designed by the United States National Security Agency and published as a U.S. Federal Information Processing Standard by NIST. SHA-1 is no longer considered collision-resistant (practical collisions were demonstrated in 2017) and should not be used for digital signatures or certificates; SHA-2 or SHA-3 are the replacements.
Shadow Password Files
Shadow password files are system files (such as /etc/shadow on Unix-like systems) in which the hashed user passwords are stored, readable only by privileged accounts, so that they are not available to people who try to break into the system by cracking the hashes offline.
A share is any resource that has been made public on a system or network, such as a directory or printer.
Shell is a Unix term for the interactive user interface with an operating system. The shell is the layer of programming that recognises and executes the commands that a user enters. In some systems, the shell is called a command interpreter.
Shoulder surfing is the act of looking over a person's shoulder to obtain confidential information. It is an effective way to get information in crowded places, for example as someone fills in a form or enters a PIN at an ATM.
Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. The acronym is pronounced “sim” with a silent e.
Signals intelligence (SIGINT) is intelligence gathered by the interception of signals, whether communications between people or electronic signals not directly used in communication.
Signals Analysis is a process of gaining indirect knowledge of communicated data by monitoring and analysing a signal that is emitted by a system and that contains the data, but is not intended to communicate the data.
A signature is a distinct pattern in network traffic that can be identified by a specific tool.
Simple Integrity Property
Under the Biba integrity model, the simple integrity property states that a subject cannot read data from a lower integrity level than its own (no read down). Its companion, the star integrity property, states that a subject cannot write data to a higher integrity level than its own (no write up). Together they keep low-integrity data from contaminating high-integrity data.
Simple Network Management Protocol (SNMP)
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers and modem racks. SNMP is widely used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMPv1 and SNMPv2c authenticate only with cleartext community strings (often left at the defaults "public" and "private"), so they should be replaced by SNMPv3 with authentication and privacy enabled, and SNMP access should be restricted to management networks.
Simple Security Property
Under the Bell-LaPadula confidentiality model, the simple security property states that a subject cannot read data of a higher classification than its own clearance (no read up).
Single Loop Controller
A single loop controller is a controller dedicated to one control loop, used for a very small process or for a critical process that warrants its own controller.
Skimming is a method by which thieves capture personal or account information from a credit card, driver's licence or passport using an electronic reader called a skimmer, often hidden on an ATM or payment terminal. Such devices are cheap and readily available online.
A smart card is a plastic card with an embedded integrated circuit that can store credentials and perform cryptographic operations, for example holding a private key that never leaves the chip. The card connects to a reader either by direct physical contact or through a contactless radio frequency interface. Unlike a magnetic stripe, which stores static data that can be copied and replayed, the chip can prove possession of a key without revealing it.
A Smurf attack is a distributed denial-of-service attack in which large numbers of ICMP echo request (ping) packets, with the source address spoofed to the victim's IP address, are sent to a network's broadcast address. Every host on that network replies to the victim, so each request is amplified into many responses and the victim is flooded to the point where it can no longer serve legitimate traffic. Disabling directed broadcasts on routers defeats the amplification.
A snapshot is a copy of a computer's memory at a specific point in time. It captures information such as the contents of primary storage and specific processor registers.
Sniffing, also known as passive wiretapping, is the capture of data as it is transmitted over a network. Packet sniffer programs are used by network professionals to diagnose network issues and by attackers to capture unencrypted data such as usernames and passwords from network traffic. Once captured, such credentials can be replayed to gain access to the system or network.
A snooping tool is a program that an intruder uses to capture passwords and other data.
Snort Rules/Snort Signatures
Snort rules are the text signatures that the Snort intrusion detection system matches against network traffic. Each rule has a header (action, protocol, source and destination addresses and ports, and direction) followed by a parenthesised body of options such as msg (the alert text), content (byte patterns to search for in the payload) and sid (a unique rule identifier). A packet raises the alert only if it satisfies the header and every option.
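To make the header/option structure concrete, the following is an added example, not code from the original glossary or the Snort project: a parser for a small subset of Snort rule syntax and a matcher that runs one rule over three constructed packets. Only the `->` direction, CIDR or `any` addresses, single ports or `lo:hi` ranges, and the msg, sid, content and nocase options are handled; hex content, rule variables such as `$HOME_NET`, pcre and flow are out of scope.

```python
"""Parse a small subset of Snort rule syntax and match rules against packets.

Added example, not part of the original glossary or of the Snort project.
Handled: the header (action, protocol, source/destination address and port,
'->' direction) and the msg, sid, content and nocase options. Hex content
(|00 01|), $HOME_NET-style variables, pcre and other options are out of scope.
The rule and packets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # [pattern bytes, nocase flag]


def parse_rule(text: str) -> Rule:
    header, _, body = text.strip().partition("(")
    options = body.rsplit(")", 1)[0]
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only unidirectional '->' rules are handled here")
    rule = Rule(action, proto, src, sport, dst, dport)
    # Options are ';'-separated; well-formed rules escape ';' inside content.
    for opt in (o.strip() for o in options.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append([val.encode(), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True   # nocase modifies the preceding content
    return rule


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                       # Snort range syntax lo:hi
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (_addr_match(rule.src, pkt["src"]) and _addr_match(rule.dst, pkt["dst"])):
        return False
    if not (_port_match(rule.sport, pkt["sport"]) and _port_match(rule.dport, pkt["dport"])):
        return False
    for pattern, nocase in rule.contents:  # every content option must be present
        hay, needle = (pkt["payload"].lower(), pattern.lower()) if nocase else (pkt["payload"], pattern)
        if needle not in hay:
            return False
    return True


def scan(rules: list, packets: list) -> list:
    """Return (sid, msg, packet index) for each rule/packet pair that matches."""
    return [(r.sid, r.msg, i) for i, p in enumerate(packets) for r in rules if matches(r, p)]


RULE_TEXT = ('alert tcp any any -> 10.0.0.0/8 80 (msg:"Path traversal to /etc/passwd"; '
             'content:"../"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)')

PACKETS = [  # constructed
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51522, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET /cgi-bin/../../../etc/PASSWD HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51523, "dst": "192.0.2.5", "dport": 80,
     "payload": b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\n\r\n"},   # outside the rule's network
    {"proto": "tcp", "src": "198.51.100.8", "sport": 51524, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
]

if __name__ == "__main__":
    print(scan([parse_rule(RULE_TEXT)], PACKETS))
```

Only the first packet alerts: the second matches the payload but not the destination network, and the third matches the header but not the content. The `nocase` modifier applies to `/etc/passwd` alone, which is why the upper-case `PASSWD` still matches while `../` is compared exactly.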
Social engineering is the psychological manipulation of people to deceive them into divulging sensitive or personal information (e.g. credit card details, passwords) for unauthorised use. To avoid becoming a victim, do not give personal or sensitive information to anyone whose identity you have not verified.
Social Networking Websites
Social networking sites are websites focused on building and verifying social networks. Well-known examples include Facebook, Twitter, LinkedIn, MySpace and Blogspot. The sites connect users with others who share their interests, activities and locations.
A socket is an end point for communication between two systems. The socket tells a host's IP stack where to plug in a data stream so that it connects to the right application.
A socket pair is a way to uniquely specify a connection, i.e., source IP address, source port, destination IP address, destination port.
Socket Secure (SOCKS) is an Internet protocol that relays TCP traffic (and, in SOCKS5, UDP traffic) between a client and a server through a proxy. SOCKS5 adds an authentication negotiation so that the proxy can restrict relaying to authorised users; SOCKS4 has no authentication.
Security Operations Center (SOC). A security operations center is a centralised team and facility that monitors, detects, analyses and responds to security incidents for an organisation, at both the organisational and the technical level. In the physical-security sense, a SOC is the central location within a building or site from which staff supervise the premises using data processing technology.
Software is any set of instructions, data or programs that can be stored electronically and executed by computer hardware. Antivirus software, for example, is software designed to detect and remove malicious code before it has a chance to cause substantial damage to the system.
Software Development Kit (SDK)
A Software Development Kit (SDK or “devkit”) is typically a set of software development tools that allows the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar development platform.
A Solenoid valve is a valve actuated by an electric coil. It typically consist of two states: open and closed.
A source port is the port a client host uses for its end of a connection to a server. It is usually an ephemeral port, a number at or above 1024 chosen by the operating system (Linux, for example, defaults to the range 32768 to 60999), and it is different for each new connection.
Spam is simply unsolicited email, also known as junk email. Spammers gather lists of email addresses, which they use to bombard users with this unsolicited mail. Spam emails are used to achieve objectives such as advertising and phishing.
A spanning (SPAN or mirror) port is a switch port configured to receive a copy of the traffic passing through one or more other ports or VLANs, so that a sniffer or intrusion detection sensor attached to it sees the traffic as it would on a hub.
Spim is unwanted, unsolicited instant messages from someone you don't know. It is often sent in an attempt to sell you something or get you to reveal personal information.
A split horizon is an algorithm used to prevent routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the interface from which it was learned.
A split key is a cryptographic key that is divided into two or more separate data items that individually convey no knowledge of the whole key or information that results from combining the items.
Spoofing is the act of falsifying data to gain an illegitimate advantage. Attackers often cover their tracks by spoofing (faking) an IP address, or forge the sender information on an email so that the recipient is deceived about its origin. Spoofed messages are made to look as if they come from a safe source while linking to a page that will infect the recipient's system with malware.
Spyware is software designed to gather information about a user's computer use without their knowledge. Spyware can track a user's browsing habits for advertising purposes, generate pop-up ads, and change the browser's home page to redirect to pre-chosen websites.
SQL injection is a code injection technique used to attack data-driven applications. Attacker-supplied input is inserted into an entry field and, because the application concatenates it into a SQL statement, it changes the structure of the statement rather than being treated as data. The defence is parameterised queries (prepared statements), which keep user input separate from the SQL grammar.
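The following is an added example, not code from the original glossary: the vulnerable string-built query beside its parameterised fix, run against an in-memory SQLite table with two constructed rows. The two payloads are the classic tautology that bypasses the WHERE clause and a UNION that reads a column the query never meant to expose.

```python
"""Vulnerable string-built SQL next to its parameterised fix, run on SQLite.

Added example, not part of the original glossary. The table and rows are
constructed; the attacker inputs are classic injection payloads.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    # VULNERABLE: the input is spliced into the statement text, so quotes and
    # keywords inside it become part of the SQL grammar.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username: str) -> list:
    # FIXED: a bound parameter is always treated as a string value, never as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


TAUTOLOGY = "' OR '1'='1"                                   # bypasses the WHERE clause
UNION_DUMP = "x' UNION SELECT password_hash FROM users --"  # reads another column


def demo() -> dict:
    """Return (vulnerable result, safe result) for a normal and two hostile inputs."""
    conn = make_db()
    return {
        "normal": (lookup_vulnerable(conn, "alice"), lookup_safe(conn, "alice")),
        "tautology": (sorted(lookup_vulnerable(conn, TAUTOLOGY)), lookup_safe(conn, TAUTOLOGY)),
        "union": (sorted(lookup_vulnerable(conn, UNION_DUMP)), lookup_safe(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for case, (vulnerable, safe) in demo().items():
        print(f"{case:10} vulnerable={vulnerable} safe={safe}")
```

The safe variant returns nothing for both payloads because SQLite looks for a user literally named `' OR '1'='1`; the vulnerable variant returns every user for the tautology and every password hash for the UNION.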
SSL (Secure Socket Layer)
SSL is an encryption protocol that protects the confidentiality and integrity of data exchanged between a website and a user's browser; it is used by websites whose URLs begin with https rather than http. All SSL versions are now deprecated and have been superseded by TLS (see Transport Layer Security); the name "SSL" survives mainly in product names and in the term "SSL certificate".
Stack smashing is the deliberate overflow of a buffer on the stack of an application or operating system so that adjacent stack data, including the saved return address, is overwritten. This can crash the program or, if the attacker controls the overwritten data, redirect execution to code of their choosing. The stack (also called a pushdown stack) is a last-in first-out region of memory that holds local variables, function arguments and return addresses.
Standard access control lists (ACLs) are essentially a set of commands, grouped together by a number or name that is used to filter traffic entering or leaving an interface. ACLs make packet filtering decisions based on source IP address only.
A star network is one of the most common network topologies. Every node connects to a single central node (a switch, hub or computer), which acts as the conduit for all messages. The central node is therefore a single point of failure, but the failure of one spoke does not affect the others.
Stateful inspection is also known as dynamic packet filtering. It is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
Static Host Tables
Static host tables are text files that contain hostname and address mapping.
Static routing is routing based on manually configured routing table entries rather than on routes learned from a dynamic routing protocol. It is commonly used in stub networks or to provide a gateway of last resort (default route).
Statistical Process Control (SPC)
Statistical process control is the use of statistical techniques to control the quality of a product or process.
A steady state is a characteristic of a condition, such as value, rate, periodicity, or amplitude, exhibiting only negligible change over an arbitrarily long period of time.
Stealthing is a term that refers to approaches used by malicious code to conceal its presence on the infected system.
Steganalysis is the study of detecting and defeating the use of steganography. This is analogous to cryptanalysis applied to cryptography.
Steganography is a technique used to hide the existence of a message, files, or any other information. The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia. This is different than cryptography, which hides the meaning of a message but does not hide the message itself. An example of a steganographic method is the invisible ink.
Stimulus is network traffic that initiates a connection or solicits a response.
STIX (Structured Threat Information Expression) is a standardised language for representing cyber threat information so that it can be exchanged between organisations and tools. Like TAXII, the transport protocol that carries it, STIX is not itself a sharing program or tool but a component that sharing programs and tools build on.
Store-and-Forward is a telecommunications technique in which information is sent to an intermediate station where it is kept and sent at a later time to the final destination or to another intermediate station.
A straight-through cable is a type of twisted pair cable that is used in local area networks (LANs) to connect a computer to a network hub such as a router. This type of cable is also sometimes called a patch cable and is an alternative to wireless connections where one or more computers access a router through a wireless signal.
A stream cipher is a symmetric key cipher in which plaintext digits are combined with a pseudorandom cipher digit stream (the keystream), typically by XOR. Each plaintext digit is encrypted one at a time with the corresponding digit of the keystream to give a digit of the ciphertext stream. The keystream must never be reused with the same key and nonce: XORing two ciphertexts produced with the same keystream cancels it and yields the XOR of the two plaintexts, from which either plaintext can be recovered if the other is known.
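The following is an added example, not code from the original glossary, showing both halves of that definition: a toy stream cipher whose keystream is produced by hashing (key, nonce, counter) blocks with SHA-256, and the recovery of a second message when the same key and nonce are reused. The keystream generator is a teaching stand-in, not a vetted cipher; in production use ChaCha20 or AES-CTR from a real library. The messages are constructed.

```python
"""Toy stream cipher showing why a keystream must never be reused.

Added example, not part of the original glossary. The keystream generator
(SHA-256 over key || nonce || counter) is a teaching stand-in, not a vetted
cipher; use ChaCha20 or AES-CTR from a real library in production.
"""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom digit stream: hash successive (key, nonce, counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Each plaintext byte is combined with the matching keystream byte."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt   # XOR is its own inverse


def recover_from_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 share a keystream, c1 XOR c2 == p1 XOR p2, so a known p1
    reveals p2 without the key (for the overlapping length)."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


KEY = hashlib.sha256(b"constructed demo key").digest()
NONCE = b"\x00" * 12
P1 = b"transfer 100 to account 4471"   # constructed
P2 = b"transfer 900 to account 9999"   # constructed


def demo() -> dict:
    c1 = encrypt(KEY, NONCE, P1)
    c2 = encrypt(KEY, NONCE, P2)                     # same key AND nonce: the mistake
    c3 = encrypt(KEY, b"\x00" * 11 + b"\x01", P2)    # fresh nonce: no shared keystream
    return {
        "roundtrip": decrypt(KEY, NONCE, c1) == P1,
        "recovered_p2": recover_from_reuse(c1, P1, c2),
        "recovery_fails_with_fresh_nonce": recover_from_reuse(c1, P1, c3) == P2,
    }


if __name__ == "__main__":
    print(demo())
```

With the nonce reused, `recovered_p2` equals the second plaintext byte for byte even though the attacker never saw the key; with a fresh nonce the same calculation yields noise.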
Strong Star Property
Under the Bell-LaPadula model, the strong star property restricts a subject to reading and writing only at its own classification level. The ordinary star property is weaker: it forbids only writing down (to a lower classification), so writing up is permitted.
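The simple security, star, strong star, simple integrity and star integrity rules are easy to confuse, so here is an added example, not code from the original glossary: a tiny reference monitor that encodes each rule as a function and combines the Bell-LaPadula and Biba checks for a read or write request. The level names and the sample subject are constructed.

```python
"""A tiny reference monitor for the Bell-LaPadula and Biba rules.

Added example, not part of the original glossary. Levels and the sample
subjects/objects are constructed; the rule names follow the glossary entries.
"""
from enum import IntEnum


class Classification(IntEnum):      # confidentiality levels (Bell-LaPadula)
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):           # integrity levels (Biba)
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Bell-LaPadula (confidentiality)
def simple_security(subject, obj) -> bool:
    """No read up: a subject may read only objects at or below its clearance."""
    return subject >= obj


def star_property(subject, obj) -> bool:
    """No write down: a subject may write only objects at or above its clearance."""
    return subject <= obj


def strong_star(subject, obj) -> bool:
    """Write only at the subject's own level."""
    return subject == obj


# Biba (integrity)
def simple_integrity(subject, obj) -> bool:
    """No read down: a subject may read only objects of equal or higher integrity."""
    return subject <= obj


def star_integrity(subject, obj) -> bool:
    """No write up: a subject may write only objects of equal or lower integrity."""
    return subject >= obj


def decide(op: str, subject: tuple, obj: tuple, strong: bool = False) -> bool:
    """Allow an operation only if both the confidentiality rule and the
    integrity rule pass. subject and obj are (classification, integrity) pairs."""
    s_conf, s_int = subject
    o_conf, o_int = obj
    if op == "read":
        return simple_security(s_conf, o_conf) and simple_integrity(s_int, o_int)
    if op == "write":
        conf_ok = strong_star(s_conf, o_conf) if strong else star_property(s_conf, o_conf)
        return conf_ok and star_integrity(s_int, o_int)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    analyst = (Classification.SECRET, Integrity.MEDIUM)   # constructed subject
    for op, obj, strong in [
        ("read", (Classification.TOP_SECRET, Integrity.MEDIUM), False),
        ("read", (Classification.UNCLASSIFIED, Integrity.LOW), False),
        ("write", (Classification.TOP_SECRET, Integrity.LOW), False),
        ("write", (Classification.TOP_SECRET, Integrity.LOW), True),
    ]:
        print(op, obj, "strong" if strong else "", "->", decide(op, analyst, obj, strong))
```

Note how a SECRET subject may write up to TOP_SECRET under the ordinary star property but not under the strong star property, and how Biba blocks a read of low-integrity data that Bell-LaPadula alone would allow.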
A sub network is a separately identifiable part of a larger network that typically represents a certain limited number of host computers, the hosts in a building or geographic area, or the hosts on an individual local area network (LAN).
A subnet mask specifies how many bits of an IP address identify the network (and subnet) and how many identify the host within it. Hosts and routers use it to decide whether a destination is on the local subnet or must be sent to a gateway. Once a packet has arrived at the gateway for its network number, the subnet portion of the address is used to route it to its destination within the internal network.
Supervisory control is used to imply that the output of a controller or computer program is used as input to other controllers.
Supervisory Control and Data Acquisition (SCADA)
SCADA is a generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. The typical uses include power transmission and distribution and pipeline systems.
A switch is also called switching hub, bridging hub, officially MAC bridge. It is a computer networking device that connects devices together on a computer network by using packet switching to receive, process and forward data to the destination device.
A switched network is a computer network that uses only network switches rather than network hubs on ethernet local area networks (LANs). The switches allow for a dedicated connection to each workstation. A switch allows for many conversations to occur simultaneously.
Symbolic links are sometimes also known as symlinks. Symbolic links are essentially advanced shortcuts that point to another file.
Symmetric cryptography is the branch of cryptography in which the same key is used for both encryption and decryption. It is also called secret-key cryptography because the key must be kept secret by the parties that share it: anyone who obtains the key can both read and forge messages.
A symmetric key is a cryptographic key that is used in a symmetric cryptographic algorithm.
A SYN flood is a type of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
In networking, synchronization is the distinctive bit pattern (preamble) that network hardware looks for to detect the start of a frame. More generally, the term refers to two distinct but related concepts: synchronization of processes and synchronization of data.
A syslog is a widely used standard for message logging facility in Unix systems. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.
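The separation that syslog provides between the software that generates messages and the software that analyses them is what makes simple detection logic possible. The following is an added example, not code from the original glossary: a parser for BSD-style (RFC 3164) syslog lines and a detector that flags SSH password brute forcing when one source accumulates more failures than a threshold inside a sliding time window. The log lines are constructed in the OpenSSH "Failed password" format; the threshold and window are illustrative tuning choices.

```python
"""Parse BSD-style syslog lines and flag SSH password brute forcing.

Added example, not part of the original glossary. The log lines are
constructed; the sshd message format matches OpenSSH's 'Failed password'
line, and the threshold/window are illustrative tuning choices.
"""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_syslog(line: str):
    """Return a dict with ts (datetime), host, tag, pid, msg; None if not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # RFC 3164 timestamps carry no year; a real collector supplies it.
    rec["ts"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%b %d %H:%M:%S")
    return rec


def detect_ssh_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {source_ip: max failures inside any window} for sources at or over threshold."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_syslog(line)
        if not rec or rec["tag"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            failures[m.group("ip")].append(rec["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


SAMPLE_LOG = [  # constructed
    "Mar  3 10:15:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Mar  3 10:15:03 bastion sshd[2233]: Failed password for root from 203.0.113.9 port 51236 ssh2",
    "Mar  3 10:15:04 bastion sshd[2235]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2",
    "Mar  3 10:15:06 bastion sshd[2237]: Failed password for invalid user test from 203.0.113.9 port 51242 ssh2",
    "Mar  3 10:15:09 bastion sshd[2239]: Failed password for root from 203.0.113.9 port 51250 ssh2",
    "Mar  3 10:15:10 bastion CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:15:12 bastion sshd[2241]: Failed password for root from 203.0.113.9 port 51252 ssh2",
    "Mar  3 10:20:30 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Mar  3 10:20:41 bastion sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2",
    "Mar  3 10:31:00 bastion sshd[2310]: Failed password for alice from 198.51.100.4 port 40010 ssh2",
]

if __name__ == "__main__":
    print(detect_ssh_bruteforce(SAMPLE_LOG))
```

The single mistyped password from 198.51.100.4 stays below the threshold while the rapid series from 203.0.113.9 is reported; tightening the window to a few seconds shows how the sliding count changes with tuning.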
System Security Officer (SSO)
A System Security Officer (SSO) is an individual responsible for enforcement or administration of the security policy that applies to the system.
A system-specific policy is a policy written for a specific system or device and may change with changes in the system or device, its functionality, or its vulnerabilities.
T1 and T3 are digital circuits that use TDM (time-division multiplexing), carrying about 1.544 Mbit/s and 44.736 Mbit/s respectively.
A tablet is an ultra-portable, touch screen computer that shares much of the functionality and operating system of smartphones but generally has greater computing power.
Tamper is an action to deliberately change or alter a system's logic, data, or control information to cause the system to perform unauthorized functions or services.
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may be used to infer the remote machine's operating system (OS), or incorporated into a device fingerprint.
TCP Full Open Scan
A TCP Full Open Scan checks each and every port after performing a full three-way handshake on each port to determine if it was open.
TCP Half Open Scan
A TCP Half Open Scan determines whether a port is open by performing only the first half of the three-way handshake; it is also referred to as SYN scanning. The scanner sends a SYN (synchronization) packet to each port as if to initiate a connection: a SYN-ACK reply means the port is open, a RST means it is closed, and no reply suggests a filter. Instead of completing the handshake, the scanner answers with a RST, so no full connection is established and the probe is less likely to be logged by the target application.
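The following is an added example, not code from the original glossary: a TCP connect (full open) scan implemented with ordinary sockets, run against a listener the example starts on 127.0.0.1 so that it works offline. A connect scan lets the operating system complete the handshake; a half open scan would send the bare SYN and read the SYN-ACK or RST itself, which needs raw-socket privileges and is not shown here. The port choices are constructed at run time.

```python
"""TCP connect (full open) scan against a local listener.

Added example, not part of the original glossary. The listener and the
port choice are constructed so the example runs offline on 127.0.0.1.
"""
import socket
import threading


def start_listener(host: str = "127.0.0.1"):
    """Bind an ephemeral TCP port and accept connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Reserve and release a port so we have one that is (very likely) closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Classify each port as open (handshake completed), closed (RST) or filtered (no answer)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # SYN -> SYN-ACK -> ACK, done by the OS
            results[port] = "open"
        except ConnectionRefusedError:       # SYN -> RST
            results[port] = "closed"
        except (socket.timeout, OSError):    # no reply or ICMP error: dropped by a filter
            results[port] = "filtered"
        finally:
            s.close()
    return results


def demo() -> tuple:
    """Scan one listening port and one closed port on loopback."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        res = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return res[open_port], res[closed_port]


if __name__ == "__main__":
    print(demo())
```

Because the handshake completes, the listener's accept() returns and the connection attempt appears in its logs, which is exactly the trace a half open scan avoids.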
A TCP wrapper is a software package that is used to restrict access to certain network services based on the source of the connection. In other words, it is a host-based networking ACL system, used to filter network access to internet protocol servers on (Unix-like) operating systems such as GNU/Linux or BSD.
TCP/IP stands for Transmission Control Protocol/Internet Protocol. It is a basic communication language or protocol of the internet and can be used as a communications protocol in a private network as well (either an intranet or an extranet).
tcpdump is a free protocol analyzer for Unix-like systems that captures network traffic from an interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network, and it can write captures to a file for later analysis. It was originally written by Van Jacobson, Craig Leres and Steven McCanne of the Lawrence Berkeley Laboratory Network Research Group.
Technical controls are the security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented through mechanisms contained in the hardware, software, or firmware components of the system.
Telnet is a TCP-based, application-layer Internet standard protocol for accessing remote computers. Through Telnet, an administrator or another user can log in to a remote computer and run commands on it. Telnet transmits everything, including passwords, in cleartext, so it has been replaced by SSH for remote administration and should be disabled where found.
A temperature sensor is a sensor that produces an electrical signal related to its temperature, allowing it to measure the temperature of the surrounding medium.
A threat is a possible danger that might exploit a vulnerability to breach security and cause harm. More formally, it is any circumstance or event that has, or indicates, the potential to exploit vulnerabilities and adversely impact organisational operations, assets (including information and information systems), individuals, other organisations or society. An advanced persistent threat (APT) is a threat actor, such as a foreign government or a well-resourced group, with both the capability and the intent to target a specific entity persistently.
Threat Actor (or Threat Agent)
An individual, group, organisation, or government that conducts or has the intent to conduct detrimental activities.
Threat analysis is the detailed evaluation of the characteristics of individual threats.
Threat Assessment is a structured process used to identify and evaluate various risks or threats that an organization might be exposed to. The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to cause harm.
A threat model is a process that is used to optimize network security by identifying the key objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system or network.
A threat vector is a path or tool that a threat actor uses to attack the target.
A tiger team is a group of professional security experts employed by a company to test the effectiveness of security by trying to break in into the system.
A time bomb is a malicious program designed to execute at a predetermined time or date. Time bombs are often set to trigger on special days such as holidays, or on dates chosen to make a political statement.
Time to Live
Time to Live (TTL) or the hop limit is a mechanism that limits the lifespan of data in a computer or network. TTL is generally implemented as a counter or time stamp attached to or embedded in the data. TTL value in an IP data packet tells a network router whether or not the packet has been in the network too long and should be discarded.
Tiny Fragment Attack
A tiny fragment attack abuses IP fragmentation, the splitting of a single Internet Protocol (IP) datagram into several smaller packets. If the first fragment is made small enough that part of the TCP header, such as the destination port or flags, is pushed into the second fragment, packet filter rules that match on those fields cannot see them. A filtering implementation that does not enforce a minimum first-fragment size may therefore pass a packet that it should have blocked.
A token ring network is a local area network in which all computers are connected in a ring or star topology and a binary digit or token-passing scheme is used in order to prevent the collision of data between two computers that want to send messages at the same time. It uses a special three-byte frame called a token that travels around a logical ring of workstations or servers.
Token-Based Access Control
Token-based access control is an authentication method that offers additional security. Each user holds a smart card or hardware token that displays a constantly changing one-time code. Without the token it is impossible to authenticate to the system, so this two-factor scheme forces an attacker to both learn the user's password and steal the token.
A token-based device, or security token, is known by several names: hardware token, authentication token, USB token, cryptographic token or key fob. It is a physical device given to an authorised user for access to a system or network. Security tokens prove the holder's identity electronically and are used in addition to, or in place of, a password.
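The "constantly changing" code produced by most tokens and authenticator apps is a time-based one-time password: an HMAC over a counter derived from the clock, truncated to six or eight digits. The following is an added example, not code from the original glossary: an implementation of HOTP (RFC 4226) and TOTP (RFC 6238) using only the standard library, plus the server-side verification that tolerates a little clock skew. The secret is the RFC test-vector secret, so the codes can be checked against the RFC appendices.

```python
"""HOTP/TOTP one-time codes (RFC 4226 / RFC 6238), the algorithm behind most
hardware and app-based authentication tokens.

Added example, not part of the original glossary. Uses only the standard
library; RFC_SECRET is the RFC test-vector secret, so the expected codes can
be checked against the RFC appendices.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC the 8-byte counter, take 4 bytes at the dynamic offset, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, at: int = None, step: int = 30,
                skew: int = 1, digits: int = 6) -> bool:
    """Accept the current code and +/- skew steps for clock drift, comparing in constant time."""
    now = int(time.time()) if at is None else int(at)
    return any(
        hmac.compare_digest(totp(secret, now + d * step, step, digits), code)
        for d in range(-skew, skew + 1)
    )


RFC_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))             # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))   # 94287082 per RFC 6238
    print("current code:", totp(RFC_SECRET))
```

A real deployment also records the last accepted counter so that a code cannot be replayed inside its validity window, and stores the shared secret as carefully as a password hash cannot be: unlike a hash, the secret must be recoverable to compute the expected code.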
Topology is the geometric arrangement of a computer system. Two networks have the same topology if the connection configuration is the same, although the networks may have variations in physical interconnections, distances between nodes, transmission rates, and signal types.
Traceroute is a tool that maps the route packets take from the local machine to a remote destination. It sends probes with successively larger Time to Live values; each router that expires a probe returns an ICMP Time Exceeded message, revealing its address and the round-trip time to that hop. The output therefore lists each successive host (remote node) in the path with the round-trip times measured for it.
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP) is the protocol used together with the Internet Protocol to send data as message units between computers over the Internet. Whereas IP deals only with individual packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP keeps track of the individual segments, retransmits those that are lost, and delivers the data to the application in the order in which it was sent. It originated in the initial network implementation, in which it complemented the Internet Protocol (IP); the entire suite is therefore commonly referred to as TCP/IP.
Transport Layer Security (TLS)
Transport Layer Security (TLS) is a protocol that provides confidentiality, integrity and server (optionally client) authentication between communicating applications on the Internet. When a server and client communicate over TLS, no third party can read or tamper with the messages without detection. TLS is the successor to the Secure Sockets Layer (SSL); TLS 1.2 and TLS 1.3 are the versions currently recommended, while SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated.
Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA), a symmetric-key block cipher that applies the Data Encryption Standard (DES) cipher three times to each 64-bit block. It uses either two or three distinct keys, for nominal key lengths of 112 or 168 bits; the effective strength of three-key 3DES is about 112 bits because of meet-in-the-middle attacks. NIST has deprecated 3DES in favour of AES and disallows its use for encryption after 2023.
Triple wrapped describes data that has been signed with a digital signature, then encrypted, and then signed again.
A Trojan, or Trojan Horse, is a malicious program disguised to look like a valid program, making it difficult to distinguish from programs that are supposed to be there. Once introduced, a Trojan is designed to execute malicious tasks such as destroy files, alter information, steal passwords or other information. Alternatively, it may stay dormant, waiting for a hacker to access it remotely and take control of the system. However, unlike viruses, a Trojan doesn’t have the ability to replicate.
Trunking is a method for a system to provide network access to many clients by sharing a set of lines instead of providing them individually. This is analogous to the structure of a tree with one trunk and many branches.
Trust determines what permissions and actions other systems or users can perform on remote machines.
A trusted certificate is a digital certificate that a certificate user accepts as valid without validating it against any other certificate, for example a root CA certificate installed as a trust anchor.
Trusted (privileged) ports are TCP and UDP ports below 1024; on Unix-like systems only the root user, or a process with the equivalent capability, may bind a socket to them.
A tunnel is a communication channel that is created in a computer network by encapsulating a protocol's data packets within a different type of protocol. The purpose is to move data between computers that use a protocol not supported by the network connecting them. For example, a tunnel may encapsulate a transport protocol (such as TCP), in a network layer protocol (such as IP).
Two-factor authentication is a security measure that is used to obtain evidence of an identity by two independent means, such as knowing a password and successfully completing a smartcard transaction.
A UDP scan determines which UDP ports are open. UDP is a connectionless protocol, so there is no equivalent of a TCP SYN packet; instead, if a UDP packet is sent to a closed port, the system usually responds with an ICMP port unreachable message. If no reply arrives, the port is reported as open|filtered, since either an open service ignored the probe or a firewall dropped it, which makes UDP scans slow and ambiguous.
Unauthorized access is when a person gains logical or physical access without permission to a network, system, application, data, or other resource.
Unicast is any communication between a single sender and a single receiver over a network. The term exists in contrast to multicast, communication between a single sender and multiple receivers, and anycast, communication between a sender and the nearest of a group of receivers in a network.
Uniform Resource Identifier
A uniform resource identifier (URI) is a string of characters that are used to identify the name of a resource. Such identification enables interaction with representations of the resource over a network (such as the world wide web) using specific protocols. In other words, URI is the generic term for all types of names and addresses that refer to objects on the world wide web.
Unix is a multi-user, multi-tasking operating system developed at Bell Labs in the early 1970s. It was designed as a small, flexible system for programmers and became the model for later systems such as Linux and the BSDs.
An unprotected share is a mechanism that allows a user to connect to file systems and printers on other systems. An unprotected share is one that allows anyone to connect to it.
URL(or Uniform/Universal Resource Locator) is also known as the web address. It is a way of specifying the location of publicly available information on the internet.
URL Obfuscation is when scammers use phishing emails to guide recipients to fraudulent sites with names very similar to established sites. They use a slight misspelling or other subtle difference in the URL, such as "monneybank.com" instead of "moneybank.com" to redirect users to share their personal information unknowingly.
A user is any person or organization entity that accesses a system. Users generally use a system or a software product without the technical expertise required to fully understand it.
A user account is the record of a user kept by a computer to control their access to files and programs.
User Contingency Plan
A user contingency plan is the alternative methods of continuing business operations if IT systems are unavailable.
A username is the name associated with a particular computer user account.
Unified Threat Management (UTM), also marketed as Unified Security Management, is a network security appliance that consolidates several controls (firewall, intrusion prevention, antivirus, content filtering, VPN) into one gateway device with central reporting. It has become a primary network gateway defence for many organisations; in effect, UTM is the evolution of the traditional firewall into an all-in-one appliance.
Variable Frequency Drive
A variable-frequency drive (VFD) is a adjustable-speed drive used in electro-mechanical drive systems to control AC motor speed and torque.
VCDB (the VERIS Community Database) is a community data initiative that catalogs publicly disclosed security incidents using the VERIS framework. The database contains raw data for thousands of incidents, shared under a Creative Commons licence and maintained on GitHub, where contributors can also help code new incidents.
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident data.
Virtual Private Network (VPN)
A virtual private network (VPN) extends a private network across a public network such as the Internet. It enables users to send and receive data across shared or public networks as if their devices were directly connected to the private network. A VPN is created by establishing a virtual point-to-point connection through dedicated connections, virtual tunnelling protocols or traffic encryption. A VPN is generally less expensive to build and operate than a dedicated physical network, because the virtual network shares the cost of the underlying resources with other users of the real network.
A virus is a malicious program that attaches itself to another program file and can replicate itself and thereby infect other systems. Viruses often perform some type of harmful activity on infected host computers, such as acquisition of hard disk space or central processing unit (CPU) time, accessing private information (e.g., credit card numbers), corrupting data, or displaying messages on a computer’s screen.
Vishing is the act of collecting private information from customers by fooling them into divulging confidential personal and financial information. People are lured into sharing user names, passwords, account information or credit card numbers, usually by an official-looking message that urges them to act immediately.
A voice firewall is a physical discontinuity in a voice network that monitors, alerts, and controls inbound and outbound voice network activity based on user-defined call admission control (CAC) policies, voice application layer security threats or unauthorized service use violations.
Voice Intrusion Prevention System
A voice intrusion prevention system (VIPS) is a security management system for voice networks that monitors voice traffic for multiple calling patterns or attack/abuse signatures to proactively detect and prevent toll fraud, denial of service, telecom attacks, service abuse, and other anomalous activities.
A vulnerability is a weakness in a system, its security procedures, internal controls or implementation that could be exploited by a threat, for example to operate the system with authorisation levels in excess of those the system owner granted.
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in the information technology system.
War chalking is the marking of areas, usually on sidewalks with chalk, that receive wireless signals to advertise an open Wi-Fi network. They were publicised by Matt Jones who designed the set of icons and produced a downloadable document containing them.
A war dialer is a computer program that automatically dials a series of telephone numbers to locate lines connected to computer systems, and catalogs those numbers so that a cracker or attacker can try to break into the systems.
Wardriving is the act of driving around in a vehicle to locate open or weakly secured Wi-Fi networks. Because a wireless network's range usually extends beyond the building that houses it, it creates zones in public places from which the network can be reached. Attackers commonly pair a Wi-Fi scanner with a GPS receiver to map such networks so they can be exploited later or the maps passed on to others.
A watering hole attack is a computer attack strategy in which the victim is a particular group (an organisation, industry or region). The attacker guesses or observes which websites the group often uses and infects one or more of them with malware; eventually some member of the targeted group is infected. Relying on websites the group trusts makes this strategy effective even against groups that are resistant to spear phishing and other forms of phishing.
A weakness is a shortcoming or imperfection in software code, design, architecture or deployment that, under the right conditions, could become a vulnerability or contribute to the introduction of vulnerabilities.
Web of Trust
The web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Instead of a single authority vouching for every key, users certify each other's keys, and a key is accepted as valid when it has been certified by enough keys whose owners the user trusts to vouch for others. This decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority.
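The validity calculation described above, as an added worked example that is not part of the original glossary and is not GnuPG's own code: it applies GnuPG's default thresholds for its classic trust model (one fully trusted certifier or three marginally trusted certifiers, to a certification depth of five) to a constructed key ring. The key names, owner-trust assignments and signature graph are all invented for the example.

```python
"""Key validity in an OpenPGP-style web of trust (added example, not GnuPG code)."""
from typing import Dict, Set

# GnuPG's defaults for its classic trust model
# (--marginals-needed, --completes-needed, --max-cert-depth).
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


def compute_validity(
    owner_trust: Dict[str, str],
    certifications: Dict[str, Set[str]],
    marginals_needed: int = MARGINALS_NEEDED,
    completes_needed: int = COMPLETES_NEEDED,
    max_cert_depth: int = MAX_CERT_DEPTH,
) -> Dict[str, int]:
    """Return {key: depth} for every key whose owner binding is considered valid.

    owner_trust maps a key to how much *you* trust its owner to certify others:
    'ultimate' (your own keys), 'full', 'marginal', or 'none'/absent.
    certifications maps a key to the set of keys that have signed its user ID.

    A key becomes valid when it is ultimately trusted, or when it carries
    enough certifications from keys that are already valid *and* whose owners
    you trust: completes_needed fully trusted signers, or marginals_needed
    marginally trusted ones. Signers that are not themselves valid contribute
    nothing, whatever their owner trust, and self-signatures never count.
    """
    depth: Dict[str, int] = {k: 0 for k, t in owner_trust.items() if t == "ultimate"}
    for level in range(1, max_cert_depth + 1):
        newly: Dict[str, int] = {}
        for key, signers in certifications.items():
            if key in depth:
                continue
            full = marginal = 0
            for signer in signers:
                if signer == key or signer not in depth:
                    continue  # self-signature, or signer not (yet) valid
                trust = owner_trust.get(signer, "none")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = level
        if not newly:
            break  # fixed point reached before the depth limit
        depth.update(newly)
    return depth


# Constructed key ring (invented names): who you trust as a certifier, and who has signed whom.
OWNER_TRUST = {
    "alice": "ultimate",   # your own key
    "bob": "full",
    "carol": "marginal",
    "dave": "marginal",
    "erin": "marginal",
    "heidi": "none",       # may end up a valid key, but you do not trust heidi's judgement
}
CERTIFICATIONS = {
    "bob": {"alice"},
    "carol": {"alice"},
    "dave": {"alice"},
    "erin": {"alice"},
    "frank": {"bob"},                    # one fully trusted certifier suffices
    "grace": {"carol", "dave"},          # two marginals: one short of the default three
    "heidi": {"carol", "dave", "erin"},  # three marginals: enough
    "ivan": {"heidi", "mallory"},        # a valid-but-untrusted signer and a stranger: nothing
}


def demo() -> Dict[str, int]:
    """Validity of the constructed ring as seen from alice's keyring."""
    return compute_validity(OWNER_TRUST, CERTIFICATIONS)


if __name__ == "__main__":
    for key, level in sorted(demo().items(), key=lambda kv: kv[1]):
        print(f"{key}: valid at depth {level}")
```

The point worth noticing is that grace and ivan stay invalid even though real people signed their keys: heidi's key is valid, but validity of a key and trust in its owner as a certifier are separate decisions, and two marginal certifications are not enough under the default threshold. Raising `marginals_needed` or lowering `completes_needed` changes who becomes valid, which is exactly the knob a PKI hands to the certificate authority instead.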
A web server is a computer system that processes requests via HTTP, the basic network protocol used to distribute information on the World Wide Web. The term refers either to the entire system or specifically to the software that accepts and handles the HTTP requests.
White hats are ethical hackers. They use their knowledge and skill to thwart the black hats and secure the integrity of computer systems and networks. If a black hat decides to target you, it is a great thing to have a white hat around; if you don't have one, you can always call on one of ours at Global Digital Forensics.
A whitelist is a list of entities that are considered trustworthy and are granted access or privileges; anything not on the list is denied by default.
WHOIS is a query and response protocol, documented in RFC 3912, that is widely used to look up the registered users or assignees of an Internet resource such as a domain name, an IP address block, or an autonomous system number. A client opens a TCP connection to port 43, sends the query text terminated by CRLF, and the server returns the matching database content in a human-readable format and then closes the connection.
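The exchange just described, as an added example that is not part of the original glossary: a minimal RFC 3912 client that builds the CRLF-terminated request, reads until the server closes the connection, and folds the usual `Key: value` lines into a dictionary. The response text, the server name `whois.example.test` and the `FakeWhoisSocket` stand-in are constructed so the exchange can be run offline; point `whois()` at a real server (it opens a real TCP connection when no `connect` callable is supplied) to use it for real. The `MAX_RESPONSE` cap is this example's choice, not something the RFC specifies.

```python
"""Minimal RFC 3912 WHOIS client with an offline fake socket (added example)."""
import socket
from typing import Any, Callable, Dict, List, Optional

WHOIS_PORT = 43          # RFC 3912: WHOIS servers listen on TCP port 43
MAX_RESPONSE = 1 << 20   # cap on how much a server may send back (this example's choice)


def build_query(name: str) -> bytes:
    """RFC 3912 request: the query text followed by CRLF.

    A CR or LF inside the name would terminate the query early and let the rest
    of the string be read as a second, attacker-chosen query, so reject them.
    Internationalised names must be converted to their ASCII (punycode) form first."""
    name = name.strip()
    if not name or "\r" in name or "\n" in name:
        raise ValueError("invalid WHOIS query")
    return name.encode("ascii") + b"\r\n"


def whois(name: str, server: str,
          connect: Optional[Callable[[str, int], Any]] = None,
          timeout: float = 10.0) -> str:
    """Send one query and read until the server closes the connection (RFC 3912, section 2)."""
    if connect is None:
        connect = lambda host, port: socket.create_connection((host, port), timeout=timeout)
    conn = connect(server, WHOIS_PORT)
    chunks: List[bytes] = []
    received = 0
    try:
        conn.sendall(build_query(name))
        while True:
            data = conn.recv(4096)
            if not data:            # empty read: the server closed the connection
                break
            received += len(data)
            if received > MAX_RESPONSE:
                raise ValueError("WHOIS response too large")
            chunks.append(data)
    finally:
        conn.close()
    # RFC 3912 fixes no character encoding; decode leniently rather than crash on a stray byte.
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_fields(text: str) -> Dict[str, List[str]]:
    """Collect the 'Key: value' lines most registries emit into a dict of lists.

    Comment lines (starting with '%' or '#') and blank lines are skipped; keys
    are lower-cased and repeated keys (e.g. several name servers) accumulate."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


# Constructed sample response in the common "Key: value" layout; not data from a real registry.
SAMPLE_RESPONSE = b"""% Constructed sample, not real registry data
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
Updated Date: 2024-01-01T00:00:00Z
"""


class FakeWhoisSocket:
    """Stand-in for a connected TCP socket so the exchange can be run offline."""

    def __init__(self, response: bytes) -> None:
        self.response = response
        self.sent = b""
        self.pos = 0

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        chunk = self.response[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk            # b"" once exhausted, like a closed peer

    def close(self) -> None:
        pass


def demo() -> Dict[str, List[str]]:
    """Run the client against the fake server and return the parsed fields."""
    fake = FakeWhoisSocket(SAMPLE_RESPONSE)
    text = whois("example.test", "whois.example.test", connect=lambda host, port: fake)
    assert fake.sent == b"example.test\r\n"   # exactly what RFC 3912 puts on the wire
    return parse_fields(text)


if __name__ == "__main__":
    print(demo())
```

Two things a practitioner should keep from this: the protocol carries no authentication or integrity protection, so WHOIS data is only as trustworthy as the path to the server, and the query is a raw line, which is why `build_query` refuses embedded CR/LF instead of letting user input append a second query.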
Wi-Fi is a wireless local area network technology based upon the IEEE 802.11 standards.
WinDump is a freeware protocol analyzer for Windows, the Windows port of tcpdump, that can capture and display network traffic on the wire.
Wireless Application Protocol (WAP)
Wireless Application Protocol (WAP) is a technical standard for accessing information over a mobile wireless network. A WAP browser is a web browser for mobile devices such as mobile phones that uses the protocol.
A wireless device is a device that connects to a manufacturing system via radio or infrared waves, typically to collect or monitor data, but in some cases also to modify control set points.
Wiretapping is the process of monitoring and recording data that is flowing between two points in a communication system.
A workstation is a computer used for tasks such as programming, engineering, and design.
World Wide Web
The World Wide Web (abbreviated WWW or the Web) is an information space where documents and other web resources are identified by Uniform Resource Locators (URLs), interlinked by hypertext links, and can be accessed via the Internet. English scientist Tim Berners-Lee invented the World Wide Web in 1989.
A worm, like a virus, is a destructive self-contained program that can replicate itself. However, unlike viruses, a worm does not need to be part of another program and can self-replicate without user intervention. A worm can become devastating if not isolated and removed. Even if it does not cause outright damage, a worm replicating out of control can exponentially consume system resources like memory and bandwidth until a system becomes unstable and unusable.
XHTML is short for eXtensible HyperText Markup Language. XHTML is HTML reformulated as an application of XML, so that documents must be well-formed XML; it was designed as a method of displaying web pages on network and portable devices.
XML is short for eXtensible Markup Language. XML is a specification developed by the W3C, first published as a recommendation on February 10, 1998. Like HTML, XML uses tags to mark up a document so that software can interpret the tags and present the content. Unlike HTML, XML's tag set is unlimited (extensible), allowing self-defined tags that describe the content itself rather than only how a page is displayed. Other languages such as RSS and MathML have been defined using XML, and tools such as XSLT are themselves written in XML.
XMPP, which stands for Extensible Messaging and Presence Protocol, is a communications protocol for messaging systems. It is based on XML, storing and transmitting data in that format. It is used for sending and receiving instant messages, maintaining contact lists, and broadcasting the status of one's online presence. XMPP is an open protocol standard: anyone can operate their own XMPP service and use it to interact with any other XMPP service. The standard is maintained by the XMPP Standards Foundation (XSF).
XMT is an abbreviation for transmit, the sending of data to another computer or device.
XNS is short for Xerox Network Systems, a proprietary network protocol suite developed by Xerox. XNS is no longer used and has been replaced by the Transmission Control Protocol/Internet Protocol (TCP/IP) suite.
Y2K is short for the year 2000, and the Y2K bug (or millennium bug) is the problem, first publicly warned about by Bob Bemer in 1971, of computers storing years as two digits and therefore being unable to distinguish the year 2000 from 1900.
YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or of whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. a rule, consists of a set of strings and a boolean expression (the condition) that determines its logic.
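To make the strings-plus-condition structure concrete, here is an added example, not part of the original glossary and not the YARA engine itself: a rule written in real YARA syntax, followed by a small Python evaluator that implements the same matching logic for a subset of the language (plain text strings with the `nocase` modifier, plain hex strings without wildcards, and conditions built from `$identifiers`, `and`/`or`/`not`, parentheses and `any of them`/`all of them`). The rule's strings and the sample byte blobs are constructed for illustration and are not indicators of any real malware family; to run the rule for real, feed `RULE` to the `yara` command-line tool or the yara-python module instead.

```python
"""A YARA rule and a small evaluator for its strings/condition structure (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed rule in real YARA syntax; the indicators are illustrative, not from a real family.
RULE = r'''
rule suspicious_dropper
{
    meta:
        description = "PE file that shells out and carries a URL (constructed example)"
    strings:
        $mz  = { 4D 5A }
        $url = "http://"
        $cmd = "cmd.exe /c" nocase
        $ps  = "powershell -enc"
    condition:
        $mz and $url and ($cmd or $ps)
}
'''


@dataclass
class YaraString:
    name: str
    pattern: bytes
    nocase: bool = False

    def matches(self, data: bytes) -> bool:
        if self.nocase:
            return self.pattern.lower() in data.lower()
        return self.pattern in data


@dataclass
class Rule:
    name: str
    strings: List[YaraString]
    condition: str


# One string definition: $name = "text" [nocase]   or   $name = { hex bytes }
STRING_LINE = re.compile(
    r'\s*\$(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"(\s+nocase)?|\{([0-9A-Fa-f\s]+)\})\s*$')


def parse_rule(text: str) -> Rule:
    """Extract name, strings and condition from the supported YARA subset; anything else raises."""
    name = re.search(r"^\s*rule\s+(\w+)", text, re.M).group(1)
    strings_block = re.search(r"strings:(.*?)condition:", text, re.S).group(1)
    condition = re.search(r"condition:\s*(.*?)\s*\}\s*$", text, re.S).group(1).strip()
    strings: List[YaraString] = []
    for line in strings_block.splitlines():
        if not line.strip():
            continue
        m = STRING_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported string definition: {line.strip()!r}")
        ident, txt, nocase, hexs = m.groups()
        if txt is not None:
            # only the escaped quote and escaped backslash are handled here
            pattern = re.sub(r'\\(["\\])', r"\1", txt).encode("latin-1")
        else:
            pattern = bytes.fromhex(hexs.strip())
        strings.append(YaraString(ident, pattern, bool(nocase)))
    return Rule(name, strings, condition)


TOKEN = re.compile(r"\s*(all of them|any of them|and|or|not|\(|\)|\$\w+)\s*")


def evaluate(rule: Rule, data: bytes) -> bool:
    """Match every string against data, then evaluate the condition over the results.

    The condition is re-tokenised against an allow-list before it reaches eval(),
    so only $identifiers, and/or/not, parentheses and any/all of them can appear;
    no other text from the rule file is ever executed."""
    found: Dict[str, bool] = {s.name: s.matches(data) for s in rule.strings}
    parts: List[str] = []
    pos = 0
    while pos < len(rule.condition):
        m = TOKEN.match(rule.condition, pos)
        if not m:
            raise ValueError(f"unsupported condition syntax near {rule.condition[pos:]!r}")
        tok = m.group(1)
        pos = m.end()
        if tok == "all of them":
            parts.append("all(found.values())")
        elif tok == "any of them":
            parts.append("any(found.values())")
        elif tok.startswith("$"):
            if tok[1:] not in found:
                raise ValueError(f"undefined string {tok}")
            parts.append(f"found[{tok[1:]!r}]")
        else:
            parts.append(tok)
    expr = " ".join(parts)
    return bool(eval(expr, {"__builtins__": {}}, {"found": found, "all": all, "any": any}))


def scan(rule: Rule, samples: Dict[str, bytes]) -> List[str]:
    """Names of the samples the rule fires on."""
    return [name for name, data in samples.items() if evaluate(rule, data)]


# Constructed sample inputs (not real files).
SAMPLES = {
    "dropper.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"CMD.EXE /C start http://example.test/payload",
    "installer.exe": b"MZ\x90\x00 contacts http://example.test/update for updates",
    "script.txt": b"powershell -enc AAAA http://example.test/x",
}

if __name__ == "__main__":
    print(scan(parse_rule(RULE), SAMPLES))
```

Only `dropper.exe` matches: `installer.exe` has the PE header and a URL but neither shell string, and `script.txt` has the shell string but no `MZ` header. That is the whole idea of a rule: the strings are cheap individual indicators, and the condition is where the analyst encodes which combination is actually suspicious.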
YMODEM is a file-transfer protocol developed by Chuck Forsberg that is similar to the enhanced 1K version of XMODEM. YMODEM allows multiple files to be sent in one session, performs cyclic redundancy checks (CRC), and can reduce the block size to compensate for poor connections.
A yottabyte is equal to one septillion (10^24) bytes and was for many years the largest unit with a recognized SI prefix used for storage. Yottabyte is abbreviated as YB.
A zero-day vulnerability is a hole in software that is unknown to the vendor. When attackers exploit it before the vendor becomes aware of it and can issue a fix, the exploit is called a zero-day attack.
Zombie / Zombie Drone
A zombie is a malware program that lets a black hat cracker remotely take control of a system, which is then used as a zombie drone for further attacks (e.g. spam e-mail, denial of service attacks) without the user's knowledge. Zombie drones are used to cover the black hat's tracks and to increase the magnitude of activities by using other people's resources. Because a zombie usually runs quietly and does no visible damage to its host, infected users are usually unaware that it is there.
A remote-access Trojan horse installs hidden code that allows a computer to be controlled remotely. Digital thieves then use robot networks (botnets) of thousands of such zombie computers to carry out attacks on others and to cover up their tracks; authorities have a harder time tracing criminals who operate through zombie computers.