Cybersecurity Dictionary /* A never ending work in progress */

ACCESS CONTROL
Processes and mechanisms that help ensure information technology (IT) resources are only granted to those who are authorized. It might help to think about all the people in the company who have keys to the office. The locks are the control, and you’ve given them access by issuing them a key.

ACCESS CONTROL LIST
A mechanism that implements access control for an IT resource by listing the identities of those who are permitted to access the resource. In a more sophisticated scenario than the previous example, your alarm system contains a list of everyone who has an employee badge that lets them into the office/building. If you take their name off the list, their badge should not work.

APT
“Advanced Persistent Threat.” Originally, a term applied to nation-state actors (government hackers) and the particular ways in which they went about their business against U.S. government, government contractor, and other organizations of national import. Over time it has morphed in some circles to mean any threat actor who uses particular methods to compromise and otherwise have their way with a computer system without detection for an extended period of time.

AUTHENTICATION
The process of confirming that someone is who they claim to be. The most common form of authentication you may be familiar with in this context is a user ID and password. In a simple authentication system, the right user ID and password will grant access to the system.

AVAILABILITY
The principle that a system should be operating and accessible to those with access, when they need it.

BACKDOOR
A tool installed after a compromise to give an attacker easier access to the compromised system around any security mechanisms that are in place.

BIOMETRICS
The use of physical characteristics of a system user to grant access. Think fingerprints, or if you’re into action movies, retinal scans.

BOTNET
A botnet is a large number of compromised computers used to create and send spam or viruses, or to flood a network with traffic as a way to deny access to a targeted system.

BRUTE FORCE
A type of attack method involving an exhaustive procedure that tries all possibilities, one by one. In the context of cracking passwords, a brute force attack might attempt to try all passwords starting with “a”, then “ab”, and so on.

BUFFER OVERFLOW
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information – which has to go somewhere – can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

BUSINESS CONTINUITY PLAN
A BCP is the plan for emergency response, backup operations, and post-disaster recovery steps that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

CIA
In the context of cybersecurity: C = Confidentiality, I = Integrity, A = Availability. The key factors one has to consider when looking at the security of a system and the data it creates/stores/processes. Do only the people who should have access have it? Is the data accurate? Can I get at it when I need it?

CISO
Chief Information Security Officer. An executive responsible for developing cybersecurity policy and procedure, developing and implementing security strategy, and in some cases managing the day-to-day operations of the security team.

COMPUTER EMERGENCY RESPONSE TEAM
A CERT is an organization that studies computer and network security in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security.

COMPUTER FORENSICS
The use of specialized tools and techniques to obtain, process, and analyze evidence in support of an investigation. Think of the TV show CSI and what they do to reconstruct what happened at a crime scene, only the crime scene is a computer or network.

CONFIDENTIALITY
Confidentiality is the need to ensure that information is disclosed only to those who are authorized to view it.

CONFIGURATION MANAGEMENT
Establishing a known baseline condition and managing it.

COUNTERMEASURE
Reactive methods used to prevent an exploit from successfully occurring once a threat has been detected. Intrusion Prevention Systems (IPS) commonly employ countermeasures to prevent intruders from gaining further access to a computer network. Other countermeasures are patches, access control lists and malware filters.

CREDENTIALS
A fancy way security nerds refer to ‘the thing or data that grants you access to a system.’ For us regular folk that usually means a user ID and password. It can also include other data like an alphanumeric code or PIN, or a physical key like a USB stick or security badge, in addition to an ID and password (see Factor).

CRIMEWARE
A type of malware used by cyber criminals. The malware is designed to enable the cyber criminal to make money off of the infected system (such as harvesting keystrokes, using the infected systems to launch Denial of Service attacks, etc.).

CRYPTOGRAPHIC ALGORITHM OR HASH
An algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms.

DEFACEMENT
Defacement is the method of modifying the content of a website in such a way that it becomes “vandalized” or embarrassing to the website owner.

DEFENSE IN-DEPTH
Defense In-Depth is the approach of using multiple layers of security to guard against failure of a single security component.

DEMILITARIZED ZONE
In computer security, a DMZ or perimeter network is a network area that sits between an organization’s internal network and an external network, usually the Internet. DMZs help to enable the layered security model in that they provide subnetwork segmentation based on security requirements or policy. DMZs provide either a transit mechanism from a secure source to an insecure destination or from an insecure source to a more secure destination. In some cases, a screened subnet which is used for servers accessible from the outside is referred to as a DMZ.

DENIAL OF SERVICE
The prevention of authorized access to a system resource or the delaying of system operations and functions.

DICTIONARY ATTACK
An attack that tries all of the phrases or words in a dictionary in an attempt to crack a password or key. A dictionary attack uses a predefined list of words (not necessarily “the” dictionary), compared to a brute force attack, which tries all possible combinations.

DIGITAL CERTIFICATE
A digital certificate establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the certificate holder’s public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.

DIGITAL SIGNATURE
A digital signature is a hash of a message that uniquely identifies the sender of the message and proves the message hasn’t changed since transmission.

DISASTER RECOVERY PLAN
A DRP documents the process used to recover the use of IT systems in the event of a disruption or disaster.

DISRUPTION
A circumstance or event that interrupts or prevents the proper operation of system services and functions.

DOMAIN NAME
A domain name locates an organization or other entity on the Internet.
For example, the domain name “www.sans.org” locates an Internet address for “sans.org” at Internet point 184.108.40.206 and a particular host server named “www”. The “org” part of the domain name reflects the purpose of the organization or entity (in this example, “organization”) and is called the top-level domain name (TLD). The “sans” part of the domain name defines the organization or entity and together with the top-level domain is called the second-level domain name.

DOMAIN NAME SYSTEM
DNS is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember “handle” for an Internet address. It’s easier for humans to remember “yourcompany.com” than 123.456.78.90.

ENCRYPTION
Cryptographic transformation of data (called “plaintext”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used.

ETHERNET
The most widely installed LAN technology. Specified in a standard, IEEE 802.3, an Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Devices are connected to the cable and compete for access using a CSMA/CD protocol.

EVENT
An event is an observable occurrence in a system or network.

FACTOR
A physical item (physically controlled) or piece of information (a secret) that is used as part of an authentication process to grant access to a system. Your system password is a factor (a secret, or at least it should be) (see Multi-Factor Authentication).

FIREWALL
A logical or physical discontinuity in a network to prevent unauthorized access to data or resources.

FLOODING
An attack that attempts to cause a failure in (especially, in the security of) a computer system or other data processing entity by providing more input than the entity can process properly.

FUZZING
The use of special regression testing tools to generate out-of-spec input for an application in order to find security vulnerabilities.
Also see “regression testing”.

GATEWAY
A network point that acts as an entrance to another network.

HACKER
Originally, someone who tinkered with technology in order to better understand how it works. Often this involved bypassing or otherwise overcoming controls or policies designed to limit a system user’s capabilities, without malicious intent. Later used to describe those who exceeded their system privileges (if they had them at all) for malicious purposes.

HARDENING
Hardening is the process of identifying and fixing vulnerabilities on a system.

HONEY POT
Programs that simulate one or more network services that you designate on your computer’s ports. An attacker assumes you’re running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts to those ports, including the attacker’s keystrokes. This could give you advance warning of a more concerted attack.

HOST
Any computer that has full two-way access to other computers on the Internet. Or a computer with a web server that serves the pages for one or more Web sites.

HTTPS
When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL.

INCIDENT
An incident is an adverse network event in an information system or network, or the threat of the occurrence of such an event.

INCIDENT HANDLING
Incident Handling is an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. It is comprised of a six-step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

INCIDENT RESPONSE
The detection of computer security incidents or intrusions on a computer or network, and the processes by which such incidents are contained and managed. You may see the acronym “DFIR” used from time to time.
It stands for digital forensics (DF) and incident response (IR), two disciplines that are often executed together.

INDICATORS OF COMPROMISE (IOC)
Datum, data, or information associated with known malicious activity on a computer system or network. If you come home and find your front door forced open and your possessions strewn about, those are indicators that someone broke into your house. Same thing, only usually more subtle, for your computers.

INTEGRITY
Integrity is the need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.

INTERNET PROTOCOL
IP is the method or protocol by which data is sent from one computer to another on the Internet.

INTRUSION DETECTION
A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

IP ADDRESS
A computer’s inter-network address that is assigned for use by the Internet Protocol and other protocols. An IP version 4 address is written as a series of four 8-bit numbers separated by periods.

KERNEL
The essential center of a computer operating system, the core that provides basic services for all other parts of the operating system. A synonym is nucleus. A kernel can be contrasted with a shell, the outermost part of an operating system that interacts with user commands. Kernel and shell are terms used more frequently in Unix and some other operating systems than in IBM mainframe systems.

LEAST PRIVILEGE
Least Privilege is the principle of allowing users or applications the least amount of permissions necessary to perform their intended function.

MAC ADDRESS
A physical address; a numeric value that uniquely identifies a network device from every other device on the planet.

MALICIOUS CODE
Software (e.g., a Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.

MALWARE
MALicious softWARE. You’re probably more familiar with terms like computer virus or worm. Malware is a meta way of describing all types of computer programs that are designed to do, if not outright bad things, things that the system user or owner didn’t authorize.

MAN IN THE MIDDLE
As the name implies, a MITM attack is one where the attacker is positioned between the victim and a targeted system, such as your bank. The attacker uses one of several methods to trick you into entering your credentials into a web form (one that looks exactly like your bank login screen, for example), then takes those credentials and logs into your bank’s actual login screen, pretending to be you.

MULTI-FACTOR AUTHENTICATION
The use of two or more factors in order to authenticate a user to a system. You’re already familiar with one-factor authentication: user ID and password (the factor). Multi- or two-factor authentication uses another factor, like a PIN sent to your mobile phone or a number generated by a physical device, as an additional layer of security. The second factor makes it much more difficult to compromise an account by guessing or stealing a single factor like a password.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
NIST is a unit of the US Commerce Department. NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.

NETWORK-BASED INTRUSION DETECTION SYSTEM
A NIDS monitors the traffic on its network segment as a data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment, and only its network segment.
Packets are considered to be of interest if they match a signature. A NIDS passively monitors network activity for indications of attacks.

PACKET
A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.

PASSWORD CRACKING
Password cracking is the process of attempting to guess passwords, given the password file information.

PASSWORD SNIFFING
Passive wiretapping, usually on a local area network, to gain knowledge of passwords.

PATCH
A patch is a small update released by a software manufacturer to fix bugs in existing programs.

PATCHING
Patching is the process of updating software to a different version.

PENETRATION TESTING
Penetration testing is used to test the external perimeter security of a network or facility.

PHARMING
This is a more sophisticated form of MITM attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website’s IP. Almost all users use a URL like www.worldbank.com instead of the real IP (220.127.116.11) of the website. By changing the pointers on a DNS server, the URL can be redirected to send traffic to the IP of the pseudo website. At the pseudo website, transactions can be mimicked and information like login credentials can be gathered. With this, the attacker can access the real www.worldbank.com site and conduct transactions using the credentials of a valid user on that website.

PHISHING
The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank the user is doing business with.

PORT
A port is nothing more than an integer that uniquely identifies an endpoint of a communication stream.
Only one process per machine can listen on the same port number.

PORT SCAN
A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a “well-known” port number, the computer provides. Port scanning gives the attacker an idea where to probe for weaknesses.

RANSOMWARE
Malware designed to infect a targeted system and encrypt all the data on that system. The perpetrators behind ransomware then demand a ransom (hence the name) – usually payable in bitcoin – in exchange for the key that will unlock the files.

REVERSE ENGINEERING
Acquiring sensitive data by disassembling and analyzing the design of a system component.

RISK ASSESSMENT
A Risk Assessment is the process by which risks are identified and the impact of those risks determined.

ROLE BASED ACCESS CONTROL
Role based access control assigns users to roles based on their organizational functions and determines authorization based on those roles.

ROOT
Root is the name of the administrator account in Unix systems.

ROOTKIT
A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network.

ROUTER
Routers interconnect logical networks by forwarding information to other networks based upon IP addresses.

SECURE SOCKETS LAYER
SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that’s transferred over the SSL connection.

SECURITY POLICY
A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

SEPARATION OF DUTIES
Separation of duties is the principle of splitting privileges among multiple individuals or systems.

SHADOW PASSWORD FILES
A system file in which encrypted user passwords are stored so that they aren’t available to people who try to break into the system.

SIEM
Security Information and Event Management. Software that takes in a wide range of system logs, data feeds and other information and presents it in a (hopefully) easier to read and interpret format for analysis and possible action by a security team.

SNIFFER
A sniffer is a tool that monitors network traffic as it is received on a network interface.

SNIFFING
A synonym for “passive wiretapping.”

SOCIAL ENGINEERING
A euphemism for non-technical or low-technology means – such as lies, impersonation, tricks, bribes, blackmail, and threats – used to attack information systems.

SPAM
Electronic junk mail or junk newsgroup postings.

SPOOF
Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.

TCP/IP
A synonym for “Internet Protocol Suite,” in which the Transmission Control Protocol and the Internet Protocol are important parts. TCP/IP is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an Intranet or an Extranet).

THREAT ASSESSMENT
A threat assessment is the identification of types of threats that an organization might be exposed to.

THREAT HUNTING
A continuous process of searching for indicators of a potential threat or compromise in a computer system or network.

THREAT MODEL
A threat model is used to describe a given threat and the harm it could do to a system if it has a vulnerability.

THREAT VECTOR
The method a threat uses to get to the target.

TROJAN HORSE
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

TWO-FACTOR AUTHENTICATION
A form of multi-factor authentication. In theory, you could require more than two factors in a multi-factor authentication scheme, but the most common approach is to just use two (e.g. password and PIN).

VIRTUAL PRIVATE NETWORK
A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network. For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (a) using encrypted tunnels to connect from firewall to firewall across the Internet and (b) not allowing any other traffic through the firewalls. A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.

VIRUS
A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting – i.e., inserting a copy of itself into and becoming part of – another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

WORM
A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.

ZERO DAY
“Zero Day” (oftentimes referred to as 0-day or ‘oh-day’) is the day a new vulnerability is made known. In some cases, “zero day” exploit refers to an exploit for which no patch is available yet (“day one” being the day on which the patch is made available).

ZOMBIES
A zombie computer (often shortened to zombie) is a computer connected to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction.
Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.

Thanks and credit to SANS and their Glossary of Security Terms, from which much of this list was derived.