Just a note on the Cybersecurity Glossary
Cybersecurity Glossary – An alphabetical listing of cybersecurity terms with definitions to help standardize some of the vocabulary out there and keep everyone on the same page. This is a dynamic glossary and I will modify it as new information and omissions are found.
Updated: 21 October 2023
A
Absolute file path: The full file path, which starts from the root
Access controls: Security controls that manage access, authorization, and accountability of information
Active packet sniffing: A type of attack where data packets are manipulated in transit
Address Resolution Protocol (ARP): A network protocol used to determine the MAC address of the next router or device on the path
Advanced persistent threat (APT): An instance when a threat actor maintains unauthorized access to a system for an extended period of time
Adversarial artificial intelligence (AI): A technique that manipulates artificial intelligence (AI) and machine learning (ML) technology to conduct attacks more efficiently
Adware: A type of legitimate software that is sometimes used to display digital advertisements in applications
Algorithm: A set of rules used to solve a problem
Analysis: The investigation and validation of alerts
Angler phishing: A technique where attackers impersonate customer service representatives on social media
Anomaly-based analysis: A detection method that identifies abnormal behavior
Antivirus software: A software program used to prevent, detect, and eliminate malware and viruses
Application: A program that performs a specific task
Application programming interface (API) token: A small block of encrypted code that contains information about a user
Argument (Linux): Specific information needed by a command
Argument (Python): The data brought into a function when it is called
Array: A data type that stores data in a comma-separated ordered list
Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly
Access control — The means and mechanisms of managing access to and use of resources by users. There are three primary forms of access control: DAC, MAC, and RBAC. DAC (Discretionary Access Control) manages access through the use of on-object ACLs (Access Control Lists), which indicate which users have been granted (or denied) specific privileges or permissions on that object. MAC (Mandatory Access Control) restricts access by assigning each subject and object a classification or clearance level label; resource use is then controlled by limiting access to those subjects with equal or superior labels to that of the object. RBAC (Role Base Access Control) controls access through the use of job labels, which have been assigned the permissions and privilege needed to accomplish the related job tasks.
Anti-virus (anti-malware) — A security program designed to monitor a system for malicious software. Once malware is detected, the AV program will attempt to remove the offending item from the system or may simply quarantine the file for further analysis by an administrator. It is important to keep AV software detection databases current in order to have the best chance of detecting known forms of malware.
Antivirus software — A software program that monitors a computer system or network communications for known examples of malicious code and then attempts to remove or quarantine the offending items. (Also known as Malware Scanner.) Most anti-virus (AV) products use a pattern recognition or signature matching system to detect the presence of known malicious code. Some AV products have adopted technologies to potentially detect new and unknown malware. These technologies include anomaly detection (i.e. watch for programs which violate specific rules), behavioral detection (i.e. watch for programs that have behaviors that are different from the normal baseline of behavior of the system), and heuristic detection (i.e. watch for programs that exhibit actions which are known to be those of confirmed malware; it is a type of technological profiling).
APT (Advanced Persistent Threat) — A security breach that enables an attacker to gain access or control over a system for an extended period of time usually without the owner of the system being aware of the violation. Often an APT takes advantage of numerous unknown vulnerabilities or zero day attacks, which allow the attacker to maintain access to the target even as some attack vectors are blocked.
Asset: An item perceived as having value to an organization
Asset classification: The practice of labeling assets based on sensitivity and importance to an organization
Asset inventory: A catalog of assets that need to be protected
Asset management: The process of tracking assets and the risks that affect them
Asymmetric encryption: The use of a public and private key pair for encryption and decryption of data
Attack surface: All the potential vulnerabilities that a threat actor could exploit
Attack tree: A diagram that maps threats to assets
Attack vectors: The pathways attackers use to penetrate security defenses
Authentication: The process of verifying who someone is
Authorization: The concept of granting access to specific resources in a system
Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that might exist in an organization
Automation: The use of technology to reduce human and manual effort to perform common and repetitive tasks
Availability: The idea that data is accessible to those who are authorized to access it
B
backing up : Creating a duplicate copy of data onto a separate physical storage device or online/cloud storage solution. A backup is the only insurance against data loss. With a backup, damaged or lost data files can be restored. Backups should be created on a regular, periodic basis such as daily. A common strategy is based on the 3-2-1 rule: you should have three copies of your data – the original and 2 backups; you should use 2 different types of media (such as a physical media (such as a hard drive or tape) and a cloud storage solution); and do not store the three copies of data in 1 plane (i.e. backups should be stored offsite). It is important to store backups for disaster recovery at an offsite location in order to insure they are not damaged by the same event that would damage the primary production location. However, additional onsite backups can be retained for resolving minor issues such as accidental file deletion or hard drive failure.
Baiting: A social engineering tactic that tempts people into compromising their security
Bandwidth: The maximum data transmission capacity over a network, measured by bits per second
Baseline configuration (baseline image): A documented set of specifications within a system that is used as a basis for future builds, releases, and updates
Bash: The default shell in most Linux distributions
Basic auth: The technology used to establish a user’s request to access a server
Basic Input/Output System (BIOS): A microchip that contains loading instructions for the computer and is prevalent in older systems
BCP (Business Continuity Planning) : A business management plan used to resolve issues that threaten core business tasks. (Also known as Business Continuity Management.) The goal of BCP is to prevent the failure of mission critical processes when they have be harmed by a breach or accident. Once core business tasks have been stabilized, BCP dictates the procedure to return the environment back to normal conditions. BCP is used when the normal security policy has failed to prevent harm from occurring, but before the harm has reached the level of fully interrupting mission critical processes, which would trigger the Disaster Recovery Process (DRP).
Biometrics: The unique physical characteristics that can be used to verify a person’s identity
Bit: The smallest unit of data measurement on a computer
Behavior monitoring: Recording the events and activities of a system and its users. The recorded events are compared against security policy and behavioral baselines to evaluate compliance and/or discover violations. Behavioral monitoring can include the tracking of trends, setting of thresholds and defining responses. Trend tracking can reveal when errors are increasing requiring technical support services, when abnormal load levels occur indicating the presence of malicious code, or when production work levels increase indicating a need to expand capacity. Thresholds are used to define the levels of activity or events above which are of concern and require a response. The levels below the threshold are recorded but do not trigger a response. Responses can be to resolve conflicts, handle violations, prevent downtime or improve capabilities.
Blacklist : A security mechanism prohibiting the execution of those programs on a known malicious or undesired list of software. The blacklist is a list of specific files known to be malicious or otherwise are unwanted. Any program on the list is prohibited from executing while any other program, whether benign or malicious, is allowed to execute by default. (See whitelist.)
Block cipher: A type of symmetric encryption algorithm that divides data into fixed length sections and then performs the encryption or decryption operation on each block. The action of dividing a data set into blocks enables the algorithm to encrypt data of any size.
Boolean data: Data that can only be one of two values: either True or False
Bootloader: A software program that boots the operating system
Botnet: A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder”
Bracket notation: The indices placed in square brackets
Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of custody
Brute force attack: The trial and error process of discovering private information
Botnet: A collection of innocent computers which have been compromised by malicious code in order to run a remote control agent granting an attacker the ability to remotely take advantage of the system’s resources in order to perform illicit or criminal actions. These actions include DoS flooding attacks, hosting false Web services, spoofing DNS, transmitting SPAM, eavesdropping on network communications, recording VOIP communications and attempting to crack encryption or password hashes. Botnets can be comprised of dozens to over a million individual computers. The term botnet is a shortened form of robotic network.
Bug: An error or mistake in software coding or hardware design or construction. A bug represents a flaw or vulnerability in a system discoverable by attackers and used as point of compromise. Attacks often use fuzzing technique (i.e. randomize testing tools) to locate previously unknown bugs in order to craft new exploits.
Bug bounty: Programs that encourage freelance hackers to find and report vulnerabilities
Built-in function: A function that exists within Python and can be called directly
Business continuity: An organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans
Business continuity plan (BCP): A document that outlines the procedures to sustain business operations during and after a significant disruption
Business Email Compromise (BEC): A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage
BYOD (Bring Your Own Device) — A company’s security policy dictating whether or not workers can bring in their own devices into the work environment, whether or not such devices can be connected to the company network and to what extent that connection allows interaction with company resources. A BYOD policy can range from complete prohibition of personal devices being brought into the facility to allowing any device to be connected to the company network with full access to all company resources. Generally, a BYOD policy puts reasonable security limitations on which devices can be used on company property and severely limits access to sensitive company network resources. BYOD should address concerns such as data ownership, asset tracking, geo location, patching and upgrades, security applications (such as malware scanners, firewalls and IDS), storage segmentation, appropriate vs inappropriate applications, on-boarding, off-boarding, repair/replacement due to damage, legal concerns, internal investigations and law enforcement investigations and forensics.
C
Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks
CentOS: An open-source distribution that is closely related to Red Hat. Note: CentOS is at end of life and is not being developed.
Central Processing Unit (CPU): A computer’s main processor, which is used to perform general computing tasks on a computer
Chain of custody: The process of documenting evidence possession and control during an incident lifecycle
Chronicle: A cloud-native tool designed to retain, analyze, and search data
Cipher: An algorithm that encrypts information
ciphertext: The unintelligible and seeming random form of data that is produced by the cryptographic function of encryption. Ciphertext is produced by a symmetric algorithm when a data set is transformed by the encryption process using a selected key. Ciphertext can converted back into its original form (i.e. plain text) by performing the decryption process using the same symmetric encryption algorithm and the key used during the encryption process.
Clickjacking: A malicious technique by which a victim is tricked into clicking on a URL, button or other screen object other than that intended by or perceived by the user. Clickjacking can be performed in many ways; one of which is to load a web page transparently behind another visible page in such a way that the obvious links and objects to click are facades, so clicking on an obvious link actually causes the hidden page’s link to be selected.
CND (Computer Network Defense) : The establishment of a security perimeter and of internal security requirements with the goal of defending a network against cyberattacks, intrusions and other violations. A CND is defined by a security policy and can be stress tested using vulnerability assessment and penetration testing measures.
Cloud-based firewalls: Software firewalls that are hosted by the cloud service provider
Cloud computing: The practice of using remote servers, applications, and network services that are hosted on the internet instead of on local physical devices
Cloud network: A collection of servers or computers that stores resources and data in remote data centers that can be accessed via the internet
Cloud security: The process of ensuring that assets stored in the cloud are properly configured and access to those assets is limited to authorized users
Command: An instruction telling the computer to do something
Command and control (C2): The techniques used by malicious actors to maintain communications with compromised systems
Command-line interface (CLI): A text-based user interface that uses commands to interact with the computer
Comment: A note programmers make about the intention behind their code
Common Event Format (CEF): A log format that uses key-value pairs to structure data and identify fields and their corresponding values
Common Vulnerabilities and Exposures (CVE®) list: An openly accessible dictionary of known vulnerabilities and exposures
Common Vulnerability Scoring System (CVSS): A measurement system that scores the severity of a vulnerability
Compliance: The process of adhering to internal standards and external regulations
Computer security incident response teams (CSIRT): A specialized group of security professionals that are trained in incident management and response
Computer virus: Malicious code written to interfere with computer operations and cause damage to data and software
Conditional statement: A statement that evaluates code to determine if it meets a specified set of conditions
Confidentiality: The idea that only authorized users can access specific assets or data
Confidential data: Data that often has limits on the number of people who have access to it
Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies
Configuration file: A file used to configure the settings of an application
Containment: The act of limiting and preventing additional damage caused by an incident
Controlled zone: A subnet that protects the internal network from the uncontrolled zone
Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable website or web application
Cracker: The proper term to refer to an unauthorized attacker of computers, networks and technology instead of the misused term “hacker.” However, this term is not as widely used in the media; thus, the term hacker has become more prominent in-spite of the terms misuse. (See hacker.)
Critical infrastructure: The physical or virtual systems and assets that are vital to an organization or country. If these systems are compromised, the result would be catastrophic. If an organization’s mission critical processes are interrupted, this could result in the organization ceasing to exist. If a country’s critical infrastructure is destroyed, it will have severe negative impact on national security, economic stability, citizen safety and health, transportation and communications.
Crowdsourcing: The practice of gathering information using public input and collaboration
Cryptographic attack: An attack that affects secure forms of communication between a sender and intended recipient
Cryptographic key: A mechanism that decrypts ciphertext
Cryptography: The process of transforming information into a form that unintended reader can’t understand
Cryptojacking: A form of malware that installs software to illegally mine cryptocurrencies
CVE Numbering Authority (CNA): An organization that volunteers to analyze and distribute information on eligible CVEs
Cyberespionage: The unethical act of violating the privacy and security of an organization in order to leak data or disclose internal/private/confidential information. Cyberespionage can be performed by individuals, organization or governments for the direct purpose of causing harm to the violated entity to benefit individuals, organizations or governments.
Cybersecurity: The practice of ensuring confidentiality, integrity, and availability of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation
Cyber teams: Groups of professional or amateur penetration testing specialists who are tasked with evaluating and potentially improving the security stance of an organization. Common cyber teams include the red, blue and purple/white teams. A red team is often used as part of a multi-team penetration test (i.e. security evaluation), which is responsible for attacking the target which is being defended by the blue team. A purple team or white team is either used as a reference between the attack/red and defense/blue teams; or this team can be used as an interpreter of the results and activities of the red and blue teams in order to maximize their effectiveness in the final results.
D
Data: Information that is translated, processed, or stored by a computer
Data at rest: Data not currently being accessed
Database: An organized collection of information or data
Data breach: The occurrence of disclosure of confidential information, access to confidential information, destruction of data assets or abusive use of a private IT environment. Generally, a data breach results in internal data being made accessible to external entities without authorization.
Data controller: A person that determines the procedure and purpose for processing data
Data custodian: Anyone or anything that’s responsible for the safe handling, transport, and storage of information
Data exfiltration: Unauthorized transmission of data from a system
Data integrity: A security benefit that verifies data is unmodified and therefore original, complete and intact. Integrity is verified through the use of cryptographic hashing. A hashing algorithm generates a fixed length output known as a hash value, fingerprint or MAC (Message Authenticating Code), which is derived from the input data but which does not contain the input data. This makes hashing a one-way operation. A hash is calculated before an event, and another hash is calculated after the event (an event can be a time frame of storage (i.e. data-at-rest) or an occurrence of transmission (i.e. data-in-transit); the two hashes are then compared using an XOR Boolean operation. If the two hashes exactly match (i.e. the XOR result is zero), then the data has retained its integrity. However, if the two hashes do not match exactly (i.e. the XOR result is a non-zero value), then something about the data changed during the event.
Data in transit: Data traveling from one point to another
Data in use: Data being accessed by one or more users
Data owner: The person who decides who can access, edit, use, or destroy their information
Data mining: The activity of analyzing and/or searching through data in order to find items of relevance, significance or value. The results of data mining are known as meta-data. Data mining can be a discovery of individual important data items, a summary or overview of numerous data items or a consolidation or clarification of a collection of data items.
Data packet: A basic unit of information that travels from one device to another within a network
Data point: A specific piece of information
Data processor: A person that is responsible for processing data on behalf of the data controller
Data protection officer (DPO): An individual that is responsible for monitoring the compliance of an organization’s data protection procedures
Data theft: The act of intentionally stealing data. Data theft can occur via data loss (physical theft) or data leakage (logical theft) event. Data loss occurs when a storage device is lost or stolen. Data leakage occurs when copies of data is possessed by unauthorized entities.
Data type: A category for a particular type of data item
Date and time data: Data representing a date and/or time
Debugger: A software tool that helps to locate the source of an error and assess its causes
Debugging: The practice of identifying and fixing errors in code
Defense in depth: A layered approach to vulnerability management that reduces risk
Denial of service (DoS) attack: An attack that targets a network or server and floods it with network traffic
Detect: A NIST core function related to identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections
Detection: The prompt discovery of security events
Dictionary data: Data that consists of one or more key-value pairs
Digital certificate: A file that verifies the identity of a public key holder
Digital forensics: The practice of collecting and analyzing data to determine what has happened after an attack
Directory: A file that organizes where other files are stored
Disaster recovery plan: A plan that allows an organization’s security team to outline the steps needed to minimize the impact of a security incident
Distributed denial of service (DDoS) attack: A type of denial or service attack that uses multiple devices or servers located in different locations to flood the target network with unwanted traffic
Distributions: The different versions of Linux
DMZ (Demilitarized Zone): A segment or subnet of a private network where resources are hosted and accessed by the general public from the Internet. The DMZ is isolated from the private network using a firewall and is protected from obvious abuses and attacks from the Internet using a firewall. A DMZ can be deployed in two main configurations. One method is the screened subnet configuration, which has the structure of I-F-DMZ-F-LAN (i.e. internet, then firewall, then the DMZ, then another firewall, then the private LAN). A second method is the multi-homed firewall configuration, which has the structure of a single firewall with three interfaces, one connecting to the Internet, a second to the DMZ, and a third to the private LAN.
Documentation: Any form of recorded content that is used for a specific purpose
DOM-based XSS attack: An instance when malicious script exists in the webpage a browser loads
Domain Name System (DNS): A networking protocol that translates internet domain names into IP addresses
Drive-by download: A type of web-based attack that automatically occurs based on the simple act of visiting a malicious or compromised/poisoned Web site. A drive-by download is accomplished by taking advantage of the default nature of a Web browser to execute mobile code, most often JavaScript, with little to no security restrictions. A drive-by download can install tracking tools, remote access backdoors, botnet agents, keystroke loggers or other forms of malicious utilities. In most cases, the occurrence of the infection based on the drive-by download is unnoticed by the user/victim.
Dropper: A program or a file used to install a rootkit on a target computer
E
Eavesdropping: The act of listening in on a transaction, communication, data transfer or conversation. Eavesdropping can be used to refer to both data packet capture on a network link (also known as sniffing or packet capture) and to audio recording using a microphone (or listening with ears).
Encode: The act which transforms plaintext or cleartext (i.e. the original form of normal standard data) into ciphertext (i.e. the unintelligible and seeming random form of data that is produced by the cryptographic function of encryption). Ciphertext is produced by a symmetric encryption algorithm when a data set is transformed by the encryption process using a selected key (i.e. to encrypt or encode). Ciphertext can converted back into its original form (i.e. plaintext) by performing the decryption process using the same symmetric encryption algorithm and the same key used during the encryption process (i.e. decrypt or decode).
Encryption key: The secret number value used by a symmetric encryption algorithm to control the encryption and decryption process. A key is a number defined by its length in binary digits. Generally, the longer the key length, the more security (i.e. defense against confidentiality breaches) it provides. The length of the key also determines the key space, which is the range of values between the binary digits being all zeros and all ones from which the key can be selected.
Encapsulation: A process performed by a VPN service that protects your data by wrapping sensitive data in other data packets
Encryption: The process of converting data from a readable format to an encoded format
Endpoint: Any device connected on a network
Endpoint detection and response (EDR): An application that monitors an endpoint for malicious activity
Eradication: The complete removal of the incident elements from all affected systems
Escalation policy: A set of actions that outline who should be notified when an incident alert occurs and how that incident should be handled
Event: An observable occurrence on a network, system, or device
Exception: An error that involves code that cannot be executed even though it is syntactically correct
Exclusive operator: An operator that does not include the value of comparison
Exploit: A way of taking advantage of a vulnerability
Exposure: A mistake that can be exploited by a threat
External threat: Anything outside the organization that has the potential to harm organizational assets
F
False negative: A state where the presence of a threat is not detected
False positive: An alert that incorrectly detects the presence of a threat
Fileless malware: Malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer
File path: The location of a file or directory
Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes data
Filtering: Selecting data that match a certain condition
Final report: Documentation that provides a comprehensive review of an incident
Firewall: A network security device that monitors traffic to or from a network
Float data: Data consisting of a number with a decimal point
Foreign key: A column in a table that is a primary key in another table
Forward proxy server: A server that regulates and restricts a person’s access to the internet
Function: A section of code that can be reused in a program
G
Global variable: A variable that is available through the entire program
Graphical user interface (GUI): A user interface that uses icons on the screen to manage different tasks on the computer
H
Hacker: Any person or group who uses computers to gain unauthorized access to data
Hacktivist: A person who uses hacking to achieve a political goal
Hard drive: A hardware component used for long-term memory
Hardware: The physical components of a computer
Hash collision: An instance when different inputs produce the same hash value
Hash function: An algorithm that produces a code that can’t be decrypted
Hash table: A data structure that’s used to store and reference hash values
Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law established to protect patients’ health information
Honeypot: A system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders
Host-based intrusion detection system (HIDS): An application that monitors the activity of the host on which it’s installed
Hub: A network device that broadcasts information to every device on the network
Hypertext Transfer Protocol (HTTP): An application layer protocol that provides a method of communication between clients and website servers
Hypertext Transfer Protocol Secure (HTTPS): A network protocol that provides a secure method of communication between clients and website servers
I
Identify: A NIST core function related to management of cybersecurity risk and its effect on an organization’s people and assets
Identity and access management (IAM): A collection of processes and technologies that helps organizations manage digital identities in their environment
IDS (Intrusion Detection System): A security tool that attempts to detect the presence of intruders or the occurrence of security violations in order to notify administrators, enable more detailed or focused logging or even trigger a response such as disconnecting a session or blocking an IP address. An IDS is considered a more passive security tool as it detects compromises after they are already occurring rather than preventing them from becoming successful.
IEEE 802.11 (Wi-Fi): A set of standards that define communication for wireless LANs
Immutable: An object that cannot be changed after it is created and assigned a value
Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization
Improper usage: An incident type that occurs when an employee of an organization violates the organization’s acceptable use policies
Incident: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
Incident escalation: The process of identifying a potential security incident, triaging it, and handing it off to a more experienced team member
Incident handler’s journal: A form of documentation used in incident response
Incident response: An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach
Incident response plan: A document that outlines the procedures to take in each step of incident response
Inclusive operator: An operator that includes the value of comparison
Indentation: Space added at the beginning of a line of code
Index: A number assigned to every element in a sequence that indicates its position
Indicators of attack (IoA): The series of observed events that indicate a real-time incident
Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security incident
Information privacy: The protection of unauthorized access and distribution of data
Information security (InfoSec): The practice of keeping data in all states away from unauthorized users
Injection attack: Malicious code inserted into a vulnerable application
Input validation: Programming that validates inputs from users and other programs
Integer data: Data consisting of a number that does not include a decimal point
Integrated development environment (IDE): A software application for writing code that provides editing assistance and error correction tools
Integrity: The idea that the data is correct, authentic, and reliable
Internal hardware: The components required to run the computer
Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk
Internet Control Message Protocol (ICMP): An internet protocol used by devices to tell each other about data transmission errors across the network
Internet Control Message Protocol flood (ICMP flood): A type of DoS attack performed by an attacker repeatedly sending ICMP request packets to a network server
Internet Protocol (IP): A set of standards used for routing and addressing data packets as they travel between devices on a network
Internet Protocol (IP) address: A unique string of characters that identifies the location of a device on the internet
Interpreter: A computer program that translates Python code into runnable instructions line by line
Intrusion prevention system (IPS): An application that monitors system activity for intrusive activity and takes action to stop the activity
IP spoofing: A network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network
Iterative statement: Code that repeatedly executes a set of instructions
J
JBOH (JavaScript-Binding-Over-HTTP): A form of Android-focused mobile device attack that enables an attacker to be able to initiate the execution of arbitrary code on a compromised device. A JBOH attack often takes place or is facilitated through compromised or malicious apps.
K
KALI LINUX ™: An open-source distribution of Linux that is widely used in the security industry
Kernel: The component of the Linux OS that manages processes and memory
Keylogger: Any means by which the keystrokes of a victim are recorded as they are typed into the physical keyboard. A keylogger can be a software solution or a hardware device used to capture anything that a user might type in including passwords, answers to secret questions or details and information form e-mails, chats and documents.
Key-value pair: A set of data that represents two linked items: A key and its corresponding value
L
Legacy operating system: An operating system that is outdated but still being used
Lessons learned meeting: A meeting that includes all involved parties after a major incident
Library: A collection of modules that provide code users can access in their programs
Link jacking: A potentially unethical practice of redirecting a link to a middle-man or aggregator site or location rather than the original site the link seemed to indicate it was directed towards. For example, a news aggregation service may publish links that seem as if they point to the original source of their posted articles, but when a user discovers those links via search or through social networks, the links redirect back to the aggregation site and not the original source of the article.
Linux: An open-source operating system
List concatenation: The concept of combining two lists into one by placing the elements of the second list directly after the elements of the first list
List data: Data structure that consists of a collection of data in sequential form
Loader: Malicious code that launches after a user initiates a dropper program
Local Area Network (LAN): A network that spans small areas like an office building, a school, or a home
Local variable: A variable assigned within a function
Log: A record of events that occur within an organization’s systems
Log analysis: The process of examining logs to identify events of interest
Logging: The recording of events occurring on computer systems and networks
Logic error: An error that results when the logic used in code produces unintended results
Log management: The process of collecting, storing, analyzing, and disposing of log data
Loop condition: The part of a loop that determines when the loop terminates
Loop variable: A variable that is used to control the iterations of a loop
M
Malware: Software designed to harm devices or networks
Malware infection: An incident type that occurs when malicious software designed to disrupt a system infiltrates an organization’s computers or network
Media Access Control (MAC) address: A unique alphanumeric identifier that is assigned to each physical device on a network
Method: A function that belongs to a specific data type
Metrics: Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application
MITRE: A collection of non-profit research and development centers
Modem: A device that connects your router to the internet and brings internet access to the LAN
Module: A Python file that contains additional functions, variables, classes, and any kind of runnable code
Monitor: The seventh step of the NIST RMF that means be aware of how systems are operating
Multi-factor authentication (MFA): A security measure that requires a user to verify their identity in two or more ways to access a system or network
N
nano: A command-line file editor that is available by default in many Linux distributions
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
National Institute of Standards and Technology (NIST) Incident Response Lifecycle: A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery, and Post-incident activity
National Institute of Standards and Technology (NIST) Special Publication (S.P.) 800-53: A unified framework for protecting the security of information systems within the U.S. federal government
Network: A group of connected devices
Network-based intrusion detection system (NIDS): An application that collects and monitors network traffic and network data
Network data: The data that’s transmitted between devices on a network
Network Interface Card (NIC): Hardware that connects computers to a network
Network log analysis: The process of examining network logs to identify events of interest
Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within a network
Network protocols: A set of rules used by two or more devices on a network to describe the order of delivery and the structure of data
Network security: The practice of keeping an organization’s network infrastructure secure from unauthorized access
Network segmentation: A security technique that divides the network into segments
Network traffic: The amount of data that moves across a network
Non-repudiation: The concept that the authenticity of information can’t be denied
Notebook: An online interface for writing, storing, and running code
Numeric data: Data consisting of numbers
O
OAuth: An open-standard authorization protocol that shares designated access between applications
Object: A data type that stores data in a comma-separated list of key-value pairs
On-path attack: An attack where a malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit
Open-source intelligence (OSINT): The collection and analysis of information from publicly available sources to generate usable intelligence
Open systems interconnection (OSI) model: A standardized concept that describes the seven layers computers use to communicate and send data over the network
Open Web Application Security Project (OWASP): A non-profit organization focused on improving software security
Operating system (OS): The interface between computer hardware and the user
Operator: A symbol or keyword that represents an operation
Options: Input that modifies the behavior of a command
Order of volatility: A sequence outlining the order of data that must be preserved from first to last
OWASP (Open Web Application Security Project): An Internet community focused on understanding web technologies and exploitations. Their goal is to help anyone with a website improve the security of their site through defensive programming, design and configuration. Their approach includes understanding attacks in order to know how to defend against them. OWASP offers numerous tools and utilities related to website vulnerability evaluation and discovery as well as a significant amount of training and reference material related to all things web security.
OWASP Top 10: A globally recognized standard awareness document that lists the top 10 most critical security risks to web applications
P
Package: A piece of software that can be combined with other packages to form an application
Package manager: A tool that helps users install, manage, and remove packages or applications
Packet capture (P-cap): A file containing data packets intercepted from an interface or network
Packet sniffing: The practice of capturing and inspecting data packets across a network
Parameter (Python): An object that is included in a function definition for use in that function
Parrot: An open-source distribution that is commonly used for security
Parsing: The process of converting data into a more readable format
Passive packet sniffing: A type of attack where a malicious actor connects to a network hub and looks at all traffic on the network
Password attack: An attempt to access password secured devices, systems, networks, or data
Patch update: A software and operating system update that addresses security vulnerabilities within a program or product
Payment Card Industry Data Security Standards (PCI DSS): Any cardholder data that an organization accepts, transmits, or stores
Payment card skimmers: A malicious device used to read the contents of an ATM, debit or credit card when inserted into a POS (Point of Sale) payment system. A skimmer may be an internal component or an external addition. An attacker will attempt to use whatever means to imbed their skimmer into a payment system that will have the highest likelihood of not being detected and thus gather the most amount of financial information from victims.
Penetration test (pen test): A simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes
PEP 8 style guide: A resource that provides stylistic guidelines for programmers working in Python
Peripheral devices: Hardware components that are attached and controlled by the computer system
Permissions: The type of access granted for a file or directory
Personally identifiable information (PII): Any information used to infer an individual’s identity
Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software
Phishing kit: A collection of software tools needed to launch a phishing campaign
Physical attack: A security incident that affects not only digital but also physical environments where the incident is deployed
Physical social engineering: An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location
Ping of death: A type of DoS attack caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64KB
Playbook: A manual that provides details about any operational action
Policy: A set of rules that reduce risk and protect information
Port: A software-based location that organizes the sending and receiving of data between devices on a network
Port filtering: A firewall function that blocks or allows certain port numbers to limit unwanted communication
Post-incident activity: The process of reviewing an incident to identify areas for improvement during incident handling
Potentially unwanted application (PUA): A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software
Private data: Information that should be kept from the public
Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs
Prepared statement: A coding technique that executes SQL statements before passing them on to a database
Primary key: A column where every row has a unique entry
Principle of least privilege: The concept of granting only the minimal access and authorization required to complete a task or function
Privacy protection: The act of safeguarding personal information from unauthorized use
Procedures: Step-by-step instructions to perform a specific security task
Process of Attack Simulation and Threat Analysis (PASTA): A popular threat modeling framework that’s used across many industries
Programming: A process that can be used to create a specific set of instructions for a computer to execute tasks
Protect: A NIST core function used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats
Protected health information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual
Protecting and preserving evidence: The process of properly working with fragile and volatile digital evidence
Proxy server: A server that fulfills the requests of its clients by forwarding them to other servers
Public data: Data that is already accessible to the public and poses a minimal risk to the organization if viewed or shared by others
Public key infrastructure (PKI): An encryption framework that secures the exchange of online information
Python Standard Library: An extensive collection of Python code that often comes packaged with Python
Q
Query: A request for data from a database table or a combination of tables
Quid pro quo: A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money
R
Rainbow table: A file of pre-generated hash values and their associated plaintext
Random Access Memory (RAM): A hardware component used for short-term memory
Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access
Rapport: A friendly relationship in which the people involved understand each other’s ideas and communicate well with each other
Recover: A NIST core function related to returning affected systems back to normal operation
Recovery: The process of returning affected systems back to normal operations
Red Hat® Enterprise Linux® (also referred to simply as Red Hat in this course): A subscription-based distribution of Linux built for enterprise use
Reflected XSS attack: An instance when malicious script is sent to a server and activated during the server’s response
Regular expression (regex): A sequence of characters that forms a pattern
Regulations: Rules set by a government or other authority to control the way something is done
Relational database: A structured database containing tables that are related to each other
Relative file path: A file path that starts from the user’s current directory
Replay attack: A network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time
Resiliency: The ability to prepare for, respond to, and recover from disruptions
Respond: A NIST core function related to making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process
Restore: The process of returning a system back to a state of normalcy. A restore or restoration process may involve formatting the main storage device before re-installing the operating system and applications as well as copying data from backups onto the reconstituted system.
Return statement: A Python statement that executes inside a function and sends information back to the function call
Reverse proxy server: A server that regulates and restricts the internet’s access to an internal server
Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach
Root directory: The highest-level directory in Linux
Rootkit: Malware that provides remote, administrative access to a computer
Root user (or superuser): A user with elevated privileges to modify the system
Router: A network device that connects multiple networks together
S
Salting: An additional safeguard that’s used to strengthen hash functions
Sandboxing: A means of isolating applications, code or entire operating systems in order to perform testing or evaluation. The sandbox limits the actions and resources available to the constrained item. This allows for the isolated item to be used for evaluation while preventing any harm or damage to be caused to the host system or related data or storage devices.
Scareware: Malware that employs tactics to frighten users into infecting their device
SCADA (Supervisory Control and Data Acquisition): A complex mechanism used to gather data and physical world metrics as well as perform measurement or management actions of the monitored systems for the purposes of automatic large complex real-world processes such as oil refining, nuclear power generation or water filtration. SCADA can provide automated control over very large complex systems whether concentrated in a single physical location or spread across long distances.
Search Processing Language (SPL): Splunk’s query language
Secure File Transfer Protocol (SFTP): A secure protocol used to transfer files from one device to another over a network
Secure shell (SSH): A security protocol used to create a shell with a remote system
Security architecture: A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats
Security audit: A review of an organization’s security controls, policies, and procedures against a set of expectations
Security controls: Safeguards designed to reduce specific security risks
Security ethics: Guidelines for making appropriate decisions as a security professional
Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy
Security governance: Practices that help support, define, and direct security efforts of an organization
Security hardening: The process of strengthening a system to reduce its vulnerabilities and attack surface
Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization
Security mindset: The ability to evaluate risk and constantly seek out and identify the potential or actual breach of a system, application, or data
Security operations center (SOC): An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks
Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that use automation to respond to security events
Security posture: An organization’s ability to manage its defense of critical assets and data and react to change
Security zone: A segment of a company’s network that protects the internal network from the internet
Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization
Sensitive data: A type of data that includes personally identifiable information (PII), sensitive personally identifiable information (SPII), or protected health information (PHI)
Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines
Separation of duties: The principle that users should not be given levels of authorization that would allow them to misuse a system
Session: a sequence of network HTTP requests and responses associated with the same user
Session cookie: A token that websites use to validate a session and determine how long that session should last
Session hijacking: An event when attackers obtain a legitimate user’s session ID
Session ID: A unique token that identifies a user and their device while accessing a system
Set data: Data that consists of an unordered collection of unique values
Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security
Shell: The command-line interpreter
SIEM (Security Information and Event Management): A formal process by which the security of an organization is monitored and evaluated on a constant basis. SIEM helps to automatically identify systems that are out of compliance with the security policy as well as to notify the IRT (Incident Response Team) of any security violating events.
Signature: A pattern that is associated with malicious activity
Signature analysis: A detection method used to find events of interest
Simple Network Management Protocol (SNMP): A network protocol used for monitoring and managing devices on a network
Single sign-on (SSO): A technology that combines several different logins into one
Smishing: The use of text messages to trick users to obtain sensitive information or to impersonate a known source
Smurf attack: A network attack performed when an attacker sniffs an authorized user’s IP address and floods it with ICMP packets
Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables
Social media phishing: A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack
SPAM: A form of unwanted or unsolicited messages or communications typically received via e-mail but also occurring through text messaging, social networks or VoIP. Most SPAM is advertising, but some may include malicious code, malicious hyperlinks or malicious attachments.
Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source
Speed: The rate at which a device sends and receives data, measured by bits per second
Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data
Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an organization’s log data to provide security information and alerts in real-time
Spyware: Malware that’s used to gather and sell information without consent
SQL (Structured Query Language): A programming language used to create, interact with, and request information from a database
SQL injection: An attack that executes unexpected queries on a database
Stakeholder: An individual or group that has an interest in any decision or activity of an organization
Standard error: An error message returned by the OS through the shell
Standard input: Information received by the OS via the command line
Standard output: Information returned by the OS through the shell
Standards: References that inform how to set policies
STAR method: An interview technique used to answer behavioral and situational questions
Stateful: A class of firewall that keeps track of information passing through it and proactively filters out threats
Stateless: A class of firewall that operates based on predefined rules and that does not keep track of information from data packets
Stored XSS attack: An instance when malicious script is injected directly on the server
String concatenation: The process of joining two strings together
String data: Data consisting of an ordered sequence of characters
Style guide: A manual that informs the writing, formatting, and design of documents
Subnetting: The subdivision of a network into logical groups called subnets
Substring: A continuous sequence of characters within a string
Sudo: A command that temporarily grants elevated permissions to specific users
Supply-chain attack: An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed
Suricata: An open-source intrusion detection system, intrusion prevention system, and network analysis tool
Switch: A device that makes connections between specific devices on a network by sending and receiving data between them
Symmetric encryption: The use of a single secret key to exchange information
Synchronize (SYN) flood attack: A type of DoS attack that simulates a TCP/IP connection and floods a server with SYN packets
Syntax: The rules that determine what is correctly structured in a computing language
Syntax error: An error that involves invalid usage of a programming language
T
Tailgating: A social engineering tactic in which unauthorized people follow an authorized person into a restricted area
TCP/IP model: A framework used to visualize how data is organized and transmitted across a network
tcpdump: A command-line network protocol analyzer
Technical skills: Skills that require knowledge of specific tools, procedures, and policies
Telemetry: The collection and transmission of data for analysis
Threat: Any circumstance or event that can negatively impact assets
Threat actor: Any person or group who presents a security risk
Threat assessment: The process of evaluating the actions, events and behaviors that can cause harm to an asset or organization. Threat assessment is an element of risk assessment and management.
Threat hunting: The proactive search for threats on a network
Threat intelligence: Evidence-based threat information that provides context about existing or emerging threats
Threat modeling: The process of identifying assets, their vulnerabilities, and how each is exposed to threats
Transferable skills: Skills from other areas that can apply to different careers
Transmission Control Protocol (TCP): An internet communication protocol that allows two devices to form a connection and stream data
Triage: The prioritizing of incidents according to their level of importance or urgency
Trojan horse: Malware that looks like a legitimate file or program
True negative: A state where there is no detection of malicious activity
True positive An alert that correctly detects the presence of an attack
Tuple data: Data that consists of a collection of data that cannot be changed
Two-factor authentication: The means of proving identity using two authentication factors usually considered stronger than any single factor authentication. A form of multi-factor authentication. Valid factors for authentication include Type 1: Something you know such as passwords and PINs; Type 2: Something you have such as smart cards or OTP (One Time Password) devices; and Type 3: Someone you are such as fingerprints or retina scans (aka biometrics).
Two-step authentication : A means of authentication commonly employed on websites as an improvement over single factor authentication but not as robust as two-factor authentication. This form of authentication requires the visitor provide their username (i.e. claim an identity) and password (i.e. the single factor authentication) before performing an additional step. The additional step could be receiving a text message with a code, then typing that code back into the website for confirmation. Alternatives include receiving an e-mail and needing to click on a link in the message for confirmation, or viewing a pre-selected image and statement before typing in another password or PIN. Two-step is not as secure as two-factor because the system provides one of the factors to the user at the time of logon rather than requiring that the user provide both.
Type error: An error that results from using the wrong data type
U
Ubuntu: An open-source, user-friendly distribution that is widely used in security and other industries
Unauthorized access: An incident type that occurs when an individual gains digital or physical access to a system or application without permission
Uncontrolled zone: Any network outside your organization’s control
Unified Extensible Firmware Interface (UEFI): A microchip that contains loading instructions for the computer and replaces BIOS on more modern systems
USB baiting: An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network
User: The person interacting with a computer
User Datagram Protocol (UDP): A connectionless protocol that does not establish a connection between devices before transmissions
User-defined function: A function that programmers design for their specific needs
User interface: A program that allows the user to control the functions of the operating system
User provisioning: The process of creating and maintaining a user’s digital identity
V
Variable: A container that stores data
Virtual Private Network (VPN): A network security service that changes your public IP address and hides your virtual location so that you can keep your data private when you are using a public network like the internet
Virus: Malicious code written to interfere with computer operations and cause damage to data and software
VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content
Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source
Visual dashboard: A way of displaying various types of data quickly in one place
Vulnerability: A weakness that can be exploited by a threat
Vulnerability assessment: The internal review process of an organization’s security systems
Vulnerability management: The process of finding and patching vulnerabilities
Vulnerability scanner: Software that automatically compares existing common vulnerabilities and exposures against the technologies on the network
W
Watering hole attack: A type of attack when a threat actor compromises a website frequently visited by a specific group of users
Web-based exploits: Malicious code or behavior that’s used to take advantage of coding flaws in a web application
Whitelist: A security mechanism prohibiting the execution of any program that is not on a pre-approved list of software. The whitelist is often a list of the file name, path, file size and hash value of the approved software. Any code that is not on the list, whether benign or malicious, will not be able to execute on the protected system.
Whaling: A category of spear phishing attempts that are aimed at high-ranking executives in an organization
Wide Area Network (WAN): A network that spans a large geographic area like a city, state, or country
Wi-Fi Protected Access (WPA): A wireless security protocol for devices to connect to the internet
Wildcard: A special character that can be substituted with any other character
Wireshark: An open-source network protocol analyzer
World-writable file: A file that can be altered by anyone in the world
Worm: Malware that can duplicate and spread itself across systems on its own
X
Y
YARA-L: A computer language used to create rules for searching through ingested log data
Z
Zero-day: An exploit that was previously unknown
Zombie: A term related to the malicious concept of a botnet. The term zombie can be used to refer to the system that is host to the malware agent of the botnet or to the malware agent itself. If the former, the zombie is the system that is blinding performing tasks based on instructions from an external and remote hacker. If the latter, the zombie is the tool that is performing malicious actions such as DoS flooding, SPAM transmission, eavesdropping on VoIP calls or falsifying DNS resolutions as one member of a botnet.