Regardless of your role in an organization, this glossary of cybersecurity terms was compiled for everyone from the security professional to the general end-user. You’ll find definitions of terms commonly used in the security industry here. Uncover knowledge areas in which you excel and where you want to expand.
This refers to both a tool and a process. Access Control is designed to only give access to information or systems to those that need it. For example, access control can limit your frontline workers from being able to access all employee HR files.
Access control is primarily done in 3 ways:
- Discretionary Access Control (DAC) – Gives permission/privileges to specific people to access specific things.
- i.e. John Smith has access to Payroll.
- Mandatory Access Control (MAC)- Assigns people and systems a label, then limits access based on the labels, with those having higher clearance being able to access more.
- i.e. John Smith has a “Top Secret” label and Payroll access is granted to anyone with “Classified” designation or higher.
- Role Based Access Control (RBAC) – Controls access through use of job labels for people so they can accomplish job-related tasks.
- i.e. John Smith is an Accountant, so he can access any software in the Accounting department list.
APT (Advanced Persistent Threat)
An Advanced Persistent Threat (APT) is a security breach that allows an attack to gain access or control of a system for an extended period of time. The attackers can stay in your systems, often unnoticed, for days, months, or even years, collecting data before you know they exist. Some of the most well-known (and best-named) APT attacks include Titan Rain, GhostNet, and Deep Panda.
A security program designed to monitor a system for malicious software. The anti-virus (AV) software will then try to remove or quarantine any threats.
An asset is a person, place, or — tangible or intangible — used to complete business tasks. Assets include equipment (like phones and computers), software code, data, facilities, personnel, and more.
The process of proving a person is who they say they are. Authentication can happen by having the person provide one of the following:
- Something they know (like a password or security question)
- Something they are (a biometric measure like a fingerprint or face scan)
- Something you have (like a token or authenticator app on a phone)
The security mechanism determines and enforces what users can do. Authorization uses the rules and roles established in Access Control (DAC, MAC, and RBAC) to determine what authenticated users can do.
Recording the events and activities of a system and its users. These recorded events can then be compared against security policies and behavioral baselines to find violations or anomalies. By monitoring behaviors, you can establish trendlines that can help to spot increasing errors (indicating more tech support is needed), abnormal load levels (often indicating malicious activity), or understand when production/growth means you need to upgrade/expand your capacity.
BCP (Business Continuity Planning)
Business continuity planning (BCP) is the act of creating a business management plan to resolve issues that threaten core business tasks. BCP aims to limit the impact of breaches and/or accidents by ensuring core business tasks can continue. BCP can help get businesses back into operation quickly in the event of a cyber attack, ransomware event, or natural disaster. If operations have been impacted past the level of your BCP protocol, it’s time to work through a Disaster Recovery Process.
A version of penetration testing where the customer provides network access. Black-box testing mimics real-world cyber attacks and tests all security defenses (firewalls, EDR tools, etc.). It is the most time-consuming and expensive form of penetration test.
A security mechanism that blocks specified files or programs from running. The blacklist can contain both benign or malicious software and is often used to prevent users from knowingly or unknowingly running programs that may lead to a breach or other loss of productivity.
A group of innocent computers that have been compromised by malicious code granting an attacker the ability to remotely take advantage of the system’s resources to perform illicit or criminal activities. These activities can include DoS flooding attacks, hosting false web services, spoofing DNS, transmitting spam, eavesdropping on network communications, recording VOIP communications, and attempting to crack encryption or password hashes. Botnets can be comprised of dozens to 1 million+ computers.
CND (Computer Network Defense)
Actions taken and tools implemented to defend a computer network against cyberattacks. A CND is defined by a security policy and can be stress tested using a vulnerability assessment and penetration testing measures.
Any attempt to gain unauthorized access to a digital environment. An attack can focus on gathering information, damaging business processes, exploiting flaws, monitoring targets, interrupting business tasks, extracting value, causing damage to logical or physical assets, or using system resources to support attacks against other targets.
The efforts to design, implement, and maintain security for an organization’s network, which is connected to the internet. It’s a combination of technical, physical, and personnel-focused countermeasures, safeguards, and security controls. An organization’s cybersecurity should be defined in a security policy, verified (through evaluations like a penetration test or vulnerability scan), and updated as the organization changes and new threats are discovered.
Common Vulnerabilities and Exposures (CVE)
An online database of attacks, exploits, and compromises organized by the MITRE organization for the benefit of the public. It includes any and all types of attacks and abuses known for any type of computer system or software product.
Access to or disclosure of confidential information by an unauthorized party. Data breaches may also be the destruction of data or abusive use of a private IT environment.
DDoS/DoS (Distributed Denial of Service/ Denial of Service) Attacks
DDoS and DoS attacks aim to block access to the use of a resource. These can include:
- Flooding attacks – massive amounts of network traffic are sent in efforts to overload devices/servers
- Connection exhaustion – Repeatedly making connection requests to a target to consume all system resources
- Resource demand – repeatedly requesting a resource from a server in order to keep it too busy to respond to other requests
DoS attacks originate from one source, while DDoS attacks come from multiple sources simultaneously.
The act of gathering digital information to be used as evidence in a legal proceeding. Computer data that is relevant to a security breach and/or criminal action is often mixed with standard, benign data from business functions and personal activities. Digital forensics can be challenging to properly collect relevant evidence while complying with the rules of evidence to ensure it is admissible in court.
The act of transforming plaintext into ciphertext. Encrypt and encode are often used interchangeably.
Endpoints are (mostly) physical devices that connect to a network system, such as mobile devices, laptops, desktop computers, IoT Devices (thermostats, sensors, etc.), Servers, POS devices, printers, wearables, Cloud-based servers/Apps, and other network devices.
EDR (Endpoint Detection and Response)
Endpoint Detection and Response (EDR) is a security solution designed to protect endpoints. This technology continuously monitors the end-user devices (endpoints) to detect and respond to threats.
A security tool, which may be a hardware or software solution, is used to filter network traffic. A firewall is based on an “implicit deny” stance where all traffic is blocked by default. Rules, filters, or access control lists can be defined to indicate which traffic is allowed to cross the firewall. Advanced firewalls can make allow/deny decisions based on user authentication, protocol, header values, and payload contents.
Gray-box testing is a version of penetration testing where the customer provides limited information such as the number of active devices, the number of subnets, and IP addresses/ranges. A gray-box test can be used for thoroughness and efficiency by simulating an insider threat or an attack that has breached the network perimeter.
IaaS (Infrastructure as a Service)
Type of cloud computing service where the provider offers the customer the ability to craft virtual networks within their computing environment. Some of the most popular examples of IaaS are Amazon Web Services (AWS), Linode, Microsoft Azure, and Google Compute Engine (GCE).
IDS (Intrusion Detection System)
An Intrusion Detection System (IDS) is a tool that attempts to detect the presence of intruders or the occurrence of security violations. The goal of an IDS is to notify administrators, enable more detailed or focused logging, or trigger a response like blocking an IP or disconnecting a session. IDS is considered a passive security tool as it detects and responds to threats after they have started instead of preventing them.
IPS (Intrusion Prevention System)
An Intrusion Prevention System is a security tool designed to detect attempts to compromise a target's security and prevent that attack from becoming successful. An IPS is considered a more active security tool as it proactively attempts to respond to potential threats. An IPS can block IP addresses, turn off services, block ports, disconnect sessions, and notify administrators.
MDR (Managed Detection and Response)
Managed Detection and Response (MDR) is a cybersecurity service that uses technology and human expertise to perform threat hunting, monitoring, and response. MDR solutions protect cloud, on-premises, and hybrid environments by proactively looking for potential threats and triggering alerts about suspicious activity.
MSP (Managed Services Provider)
A Managed Services Provider (MSP) is a third-party company that manages a company's IT infrastructure, networks, and end-user systems. An MSP can be a beneficial addition to your business when there is no internal IT resource to help with the selection, procurement, implementation, management, and/or maintenance of IT tools and systems.
MSSP (Managed Security Services Provider)
A Managed Security Services Provider (MSSP) is a third-party company that manages cybersecurity for an organization or business. The MSSP can offer various services, including consulting, monitoring, alerting, implementing security tools, remediation, and more, to help a business stay protected from cybersecurity threats.
NIST CSF (National Institute for Standards & Technology Cyber Security Framework)
The National Institute for Standards & Technology (NIST) has been charged with creating a standardized cybersecurity framework for the U.S. Government. The NIST CSF was initially designed to help ensure the security of critical infrastructure systems but has been widely adopted by non-governmental organizations. A primary advantage to using the NIST CSF is that it provides standardized language so that security and risk levels can be quantified across businesses and industries in a supply chain.
An update or change to an operating system or application. A patch often repairs flaws or bugs in deployed code and introduces new features and capabilities. It is good security practice to test all updates and patches before implementation and attempt to stay current on patches to have the latest version of code with the fewest known flaws and vulnerabilities.
The management activity related to researching, testing, approving, and installing updates and patches to computer systems, firmware, operating systems, and applications. Patch management is essential to security management to prevent downtime, minimize vulnerabilities, and prevent new untested updates from interfering with productivity.
Penetration Testing (Pen Test)
A security evaluation where automated tools and manual exploitations are performed by security and attack experts. This advanced security assessment should only be used by environments with a mature security infrastructure. A penetration test will use the same tools, techniques, and methodologies as criminal hackers; thus, it can cause downtime and system damage in some cases. These evaluations are designed to assist with securing a network by discovering flaws that are not visible to automated tools based on human (i.e., social engineering) or physical attack concepts. This is sometimes also known as "ethical hacking."
A social engineering attack that attempts to collect information from victims. Phishing attacks can occur over email, text messages, social networks, or smartphone apps. The goal of a phishing attack may be to learn login credentials, credit card information, system configuration details, or other company, network, computer, or personal identity information. Phishing attacks are often successful because they mimic legitimate communications from trusted entities or groups, such as false emails from a bank or a retail website. The text message version is sometimes known as "Smishing," while the phone call/voicemail equivalent is known as "vishing."
Ransomware is a form of malware that holds a victim's data hostage on their computer, usually through strong encryption. This is followed by a demand for payment (often in the form of Bitcoin) to release access to systems and control of the captured data back to the user.
The process of evaluating the state of risk of an organization. Risk assessment is often initiated by taking an inventory of all assets, assigning each asset a value, and then considering any potential threats against each asset. Threats are evaluated for their exposure factor (EF) (i.e., the amount of loss that would be caused by the threat causing harm) and frequency of occurrence (i.e., ARO—Annualized Rate of Occurrence) to calculate a relative risk value known as the ALE (Annualized Loss Expectancy). The largest ALE indicates the most significant concern or risk for the organization.
Performing a risk assessment and evaluating the responses to risk to mitigate or otherwise handle the identified risks. Countermeasures, safeguards, or security controls are to be selected to eliminate or reduce risk, assign or transfer risk to others (i.e., outsourcing or buying insurance), or avoid and deter risk. The goal is to reduce risk down to an acceptable or tolerable level.
Security Information and Event Management (SIEM)
A formal process by which an organization's security is monitored and evaluated constantly. SIEM helps automatically identify systems that are out of compliance with the security policy and notify the IRT (Incident Response Team) of any security-violating events.
SOC (Security Operations Center)
A Security Operations Center (SOC) is a team of IT professionals responsible for protecting an organization from cyber threats. These professionals configure, use, and maintain tools such as firewalls, EDRs, and others to spot and stop cybersecurity threats.
An attack focusing on people rather than technology. This attack is psychological and aims to either gain access to information or a virtual or physical environment. A social engineering attack may be used to gain access to a facility by tricking a worker into assisting by holding the door when making a delivery, gaining access into a network by tricking a user into revealing their account credentials to the false technical support staff or gaining copies of data files by encouraging a worker to cut-and-paste confidential materials into an email or social networking post.
While phishing casts a wide net to capture the information of any unsuspecting target, spear phishing is an attack that is targeted at a specific person or group. A spear phishing message is often an email —although there are also text message and VoIP spear phishing attacks as well — which looks exactly like a legitimate communication from a trusted entity. The attack tricks the victim into clicking on a hyperlink to visit a company website, only to be re-directed to a false version of the website operated by attackers. The false website will often look and operate similarly to the legitimate site and focus on having the victim provide their login credentials and potentially other personal identity information such as answers to their security questions, an account number, their social security number, mailing address, email address and/or phone number. The goal of a spear phishing attack is to steal identity information for the purpose of account takeover or identity theft.
The process of evaluating the actions, events, and behaviors that can cause harm to an asset or organization. Threat assessment is an element of risk assessment and management. (Also known as threat modeling and threat inventory.)
VPN (Virtual Private Network)
A communication link between systems or networks that is typically encrypted to provide a secured, private, isolated pathway of communications.
A form of phishing attack that takes place over VoIP (telephone systems). In this attack, the attacker uses VoIP systems to be able to call any phone number and often falsifies their caller ID in order to trick the victim into believing they are receiving a phone call from a legitimate or trustworthy source such as a bank, retail outlet, law enforcement, or charity. The victims do not need to be using VoIP themselves in order to be attacked over their phone system by a vishing attack.
Any weakness in an asset or security protection that would allow for a threat to cause harm. It may be a coding flaw, a configuration mistake, a limitation of scope or capability, an architecture, design, or logic error, or a clever abuse of valid systems and their functions. Known vulnerabilities can be detected via a vulnerability scan and may require patches, reconfigurations, or other changes to be fixed.
A style of assessment where the organization provides the assessor with detailed information about the network, including IP addresses, network diagrams, and more. By providing this information, the assessor will be able to quickly simulate a targeted attack on a specific system using as many attack vectors as possible.
A pre-approved list of software programs that are allowed to run. The whitelist is often a list of the approved software's file name, path, file size, and hash value. Any code that is not on the list, whether benign or malicious, cannot execute on the protected system.
XDR (Extended Detection and Response)
A holistic approach to threat detection that allows for monitoring, detection, and response to threats across endpoints, networks, and clouds. XDR platforms take in data from many assets and pair it with machine learning, AI, and behavior-monitoring trendlines to get a clear view of the safety and security of the entire environment. An XDR platform may only be able to work with data from specific tools (usually those made by the XDR platform's parent company), or it can be an "Open XDR," allowing for data to be accepted from various tools.
Secure Your Business’s Future with CNP Technologies
CNP Technologies is the leader in cybersecurity services. Our team of experienced engineers and security experts has extensive knowledge and experience in the:
- Cyber Defense
- Identity and access management
- Threat prevention and response
- Cloud Security
- Compliance and governance solutions
Our commitment to providing top-notch service has earned us an excellent reputation among businesses of all sizes.
We understand that every organization has specific needs regarding its digital security requirements. Our consultants will work closely with you to develop tailored strategies based on your specifications.
Expect 24/7 customer support, ensuring prompt resolution of any IT issues or concerns. CNP Technologies is dedicated to providing cutting-edge solutions to stay ahead of the ever-evolving landscape of cyber threats, allowing you peace of mind knowing that your data is secure from malicious actors. Schedule a free expert consultation today and take charge of your cybersecurity.