Security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

Access control decisions based on the attributes of the user, the resource to be accessed, and other contextual information. Rules or policies define how those attributes need to interact to grant access.

Internal policy that details how company resources, such as company-owned devices, can be used.

Set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.

Collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read only, read/write, and so on).

Practice of responding to a threat by destroying or deceiving a threat actor's capabilities.

Practice of using AI to identify vulnerabilities and attack vectors to circumvent security systems.

Symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.

Software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.

IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.

Type of network isolation that physically separates a network from all other networks.

Suite of tools for 802.11 wireless network security assessments. It focuses on areas like monitoring, attacking, testing, and cracking. Aircrack-ng allows users to assess WiFi network security by capturing data packets and exploiting vulnerabilities in wireless security protocols such as WEP and WPA.

Threat intelligence data feed operated by the DHS.

Total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE (single loss expectancy) by the ARO (annual rate of occurrence).

Device that provides a connection between wireless devices and can connect to wired networks. Also known as WAP (wireless access point).

Library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.

Layer 7 firewall technology that inspects packets at the Application layer of the OSI (Open Systems Interconnection) model.

Software designed to run on a server to protect a particular application such as a web server or SQL server.

Type of attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.

Open-source platform producing programmable circuit boards (CPU, RAM and ROM) for education and industrial prototyping. No OS required.

In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.

Optional security feature of a switch that prevents excessive ARP replies from flooding a network segment.

Network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.

Any evidence or traces that are left behind by the incident. Artifacts can be either physical or digital.

Cipher that uses public and private keys. The keys are mathematically linked, using either Rivel, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) algorithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example. Also known as Elliptic Curve Cryptography or ECC.

Knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.

Points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.

Specific path by which a threat actor gains unauthorized access to a system. Also known as vector.

Validation technique that compares the identifiers of hardware, such as a mobile phone, against authorized identifiers to allow or deny access to a network or resource.

A port-based network access control (PNAC) switch or router that activates EAPoL and passes a supplicant's authentication data to an authenticating server, such as a RADIUS server.

Using scripts and APIs to provision and deprovision systems without manual intervention.

GUI sitting on top of TSK (The Sleuth Kit) that also provides a case management/workflow tool.

Fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.

Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers.

Chip and firmware in a smartphone that acts as a cellular modem.

Collection of security and configuration settings that are to be applied to a particular system or network in the organization.

Command shell and scripting language for Unix-like systems.

(also known as jump box) Server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.

Network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences. Also known as behavior-based detection.

Systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

Type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.

Type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.

Concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.

Defensive team in a penetration test or incident response exercise.

Bluetooth connection has been breached and unsolicited messages are sent to a device.

Bluetooth attack where an attacker gains access to unauthorized information on a device.

Report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server.

Set of hosts that has been infected by a control program called a bot that enables attackers to exploit the hosts to mount attacks. Also known as zombie.

Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.

Switch port security feature that disables the port if it receives BPDU notifications related to spanning tree. This is configured on access ports where any BPDU frames are likely to be malicious.

When broadcast or multicast signals are amplified as they traverse a network, which can overwhelm a network. Using loop protection, STP (Spanning Tree Protocol), and rate-limiters (or TTL) can reduce the risk and likelihood of a broadcast storm.

Type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.

Attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.

Reward scheme operated by software and web services vendors for reporting vulnerabilities.

Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.

Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets. Also known as C2.

Server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys. The online CA is the certificate authority that actively generates certificates using an intermediate CA. The offline CA is responsible for the safe storage of the root certificate of the CA and is only accessed when necessary.

Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.

Smart card that provides certificate-based authentication and supports two-factor authentication. A CAC is produced for Department of Defense employees and contractors in response to a Homeland Security Directive.

Serial network designed to allow communications between embedded programmable logic controllers.

Image of text characters or audio of some speech that is difficult for a computer to interpret. CAPTCHAs are used for purposes such as preventing bots from creating accounts on web forums and social media sites to spam them.

Web page or website to which a client is redirected before being granted full network access.

Training event where learners must identify a token within a live network environment.

Duplicating a smart card by reading (skimming) the confidential data stored on it. Also known as skimming.

Process of extracting data from a computer when that data has no associated file system metadata.

Enterprise management software designed to mediate access to cloud services by users across all types of devices.

Linux command to view and combine (concatenate) files.

Encryption mode of operation where an exclusive or (XOR) is applied to the first plaintext block

Standards, best practices, and applicable regulations pertaining to the cloud environment produced by the Cloud Security Alliance (CSA).

Encryption protocol used for wireless LANs that addresses the vulnerabilities of the WEP protocol.

Method of sanitizing a self-encrypting drive by erasing the media encryption key.

Custom Word List Generator, creates word lists from the content of web pages.

Record of evidence history from collection to presentation in court, to disposal. A chain of custody form is a document created to track the movement of a piece of evidence from collection to presentation in court.

Process by which the need for change is recorded and approved.

Process through which changes to the configuration of information systems are implemented, as part of the organization's overall configuration management efforts.

Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.

Output of a hash function.

A fast TCP/UDP tunnel, transported over HTTP, secured via SSH.

Linux command for managing file permissions.

The three principles of security control and management. Also known as the information security triad. or AIC triad.

Automates the processes of integrating code changes from multiple contributors into a shared project and deploying them to production environments, promoting more frequent, consistent, and reliable software releases. [step 1] continuous integration, [step 2] continuous delivery, [step 3] continuous deployment and [step 4] continuous monitoring.

Layer 5 firewall technology that tracks the active state of a connection, and can make decisions based on the contents of network traffic as it relates to the state of the connection.

Not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).

Organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.

Deceptive technique where an attacker tricks a user into clicking on something different from what the user perceives, potentially revealing confidential information or taking control of their computer.

Data that is processed on a local machine. An internet web browser is a good example of something that relies on client-side execution.

Classifying the ownership and management of a cloud as public, private, community, or hybrid.

Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure, and so on. clustering A load balancing technique where a group of servers are configured as a unit and work together to provide network services.

X500 attribute expressing a host or user name, also used as the subject identifier for a digital certificate.

Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.

Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice. Also known as ethics.

Potentially unsecure programming practice of using code originally written for a different context.

Method of using a digital signature to ensure the source and integrity of programming code.

Predetermined alternate location where a network can be rebuilt after a disaster.

Network appliance that gathers or receives log and/or state data from other network systems.

Act of two different plaintext inputs producing the same exact ciphertext output.

Cloud that is deployed for shared use by cooperating tenants.

Security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.

Fundamental security goal of keeping information and communications private and protecting them from unauthorized access.

Security method that separates specified storage and data from other data contained on a device. The container can be configured with additional access controls, encryption, or use controls, among others.

Software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).

Access control scheme that verifies an object's identity based on various environmental factors, like time, location, and behavior.

Software development method in which app and platform requirements are frequently tested and validated for immediate availability.

Software development method in which app and platform updates are committed to production rapidly.

Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.

Technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. Also known as continuous security monitoring or CSM.

Process that allows code to be checked after each change during development.

Risk that arises when a control does not provide the level of mitigation that was expected.

Program that provides an outline or guidelines for disaster recovery and business continuity for an organization in the case of a major incident.

Enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.

Type of security control that acts after an incident to eliminate or minimize its impact. correlation Function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.

Automates security assessments of large Active Directory networks post-exploitation.

Brute force attack in which stolen user account names and passwords are tested against multiple websites.

Vulnerability scan that uses verified credential to access all parts of a network, unlike an uncredentialed scan, which is only able to scan the publicly accessible portions of a network.

List of certificates that were revoked before their expiration date.

Biometric evaluation factor expressing the point at which FAR (false acceptance rate) and FRR (false rejection rate) meet, with a low value indicating better performance.

Generates wordlists for use in password cracking, allowing customization of the character set.

Unauthorized use of someone else’s computer to mine cryptocurrency

Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix. Produces the Cloud Controls Matrix (CCM), which provides users with standards, best practices, and applicable regulations pertaining to the cloud environment.

Cybersecurity framework published by the Center for Internet Security (CIS) and used for strengthening an entity’s cybersecurity posture. Equivalent to Australia’s Essential 8.

Vendor offering public cloud service models, such as PaaS, IaaS, or SaaS.

Base64 ASCII file that a subject sends to a CA (Certificate Authority) to get a certificate.

Process of investigating, collecting, analysing, and disseminating information about emerging threats and threat sources. Also known as threat intelligence.

Encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Also referred to as CM (counter mode).

Malware analysis tool that automatically sandboxes identified malware threats for analysis and reporting. Source: https://github.com/cuckoosandbox

Utility for command-line manipulation of URL-based protocol requests.

Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.

Risk management approach to quantifying vulnerability data and then considering the degree of risk to different types of systems or information.

Model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion. Stages: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, (7) actions of objectives.

Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.

The owner of a resource (e.g., a file or folder) has the discretion to specify who can access the resource and what actions they can perform on it.

Information that is primarily stored on specific media, rather than moving from one medium to another.

When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.

Entity that dictates the reasons and methods for collecting, storing, and using personal data in privacy regulations.

Individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.

Process by which an attacker takes data that is stored inside of a private network and moves it to an external network.

Software vulnerability where an attacker can circumvent access controls and retrieve confidential or sensitive data from the file system or database.

Overall management of the availability, usability, and security of the information used in an organization.

Information that is present in the volatile memory of a host, such as system memory or cache.

Information that is being transmitted between two hosts, such as over a private network or the Internet. Also known as data in motion.

Deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.

Principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.

Senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.

Entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.

Leftover information on a storage medium even after basic attempts have been made to remove that data. Also known as remnant.

Principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

Individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging. Example: dd if=/dev/sdb1 of =/dev/sdc1 creates an image of the specified drive or file (if) in a specified output location (of)

Attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic.

Code that is redundant, forgotten or no longer called within the logic of the program flow.

Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.

Cybersecurity resilience tools and techniques to increase the cost of attack planning for the threat actor.

Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.

Security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack's progress, rather than eliminating it outright.

Process of rendering a storage drive inoperable and its data unrecoverable by eliminating the drive's magnetic charge.

Methods and technologies that remove identifying information from data before it is distributed.

Process of removing an application from packages or instances.

Method for encoding a data object based on its ASN.1 specification. Commonly used for encoding X.509 certificates in binary form.

Type of security control that acts during an incident to identify or record that it is happening.

Type of security control that discourages intrusion attempts.

Cryptographic technique that provides secure key exchange.

Network configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing. Note that DHCP does not have a specific secure protocol. To secure a DHCP server, you must layer security around the server and monitor and audit the server for anomalies.

Attack in which an attacker responds to a client requesting address assignment from a DHCP server.

Relationship-based framework for analyzing cybersecurity incidents. Focuses on the relationship between elements and events that occur during an intrusion.

Type of password attack that compares encrypted passwords against a predetermined list of possible password values.

Backup type in which all selected files that have changed since the last full backup are backed up.

The Differentiated Services Code Point (DSCP) field is used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling.

Message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove message integrity.

Web content scanner designed to discover existing and hidden files, directories, and scripts on web servers. By launching a dictionary-based attack against a web server and analyzing the response, Dirb helps identify potential security risks associated with exposed files and directories.

Java application designed to brute force directories and file names on web and application servers. It employs a multithreaded approach to speed up the scanning process and is able to discover hidden resources that are not linked (or listed) on the webpage.

Network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

Application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory. Example: .../…/…/

Cybersecurity resilience strategy that increases attack costs by provisioning multiple types of controls, technologies, vendors, and crypto implementations.

Provide monitoring of data throughout its lifecycle in all connected locations from endpoints to servers as well as policy implementation, auditing, and reporting.

Network segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

NAT service where private internal addresses are mapped to one or more public addresses to facilitate Internet connectivity for hosts on a local network via a router.

Attack in which an attacker modifies a computer's DNS configurations to point to a malicious DNS server.

Network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.

Sets up covert channels using DNS queries and responses.

A lightweight server tool that offers DNS caching and DHCP services.

Security protocol that provides authentication of DNS data and upholds DNS data integrity. Note that DNSSEC only validates the authenticity of the DNS query response, it does not provide confidentiality for the requesting party.

Type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.

Any type of physical, application, or network attack that affects the availability of a managed resource.

Cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.

Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.

Documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.

Public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.

A network configuration method where devices run both IPv4 and IPv6 protocols simultaneously. It ensures compatibility and smooth transition from IPv4 to IPv6, allowing devices to communicate using either protocol as needed.

File containing data captured from system memory.

Social engineering technique of discovering things about an organization (or person) based on what it throws away.

Procedures and tools to collect, preserve, and analyze digital evidence.

Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).

Asymmetric encryption algorithm that leverages the algebraic structures of elliptic curves over finite fields to derive public/private key pairs.

Provisioning processing resource close to the network edge of IoT devices to reduce latency.

Software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.

Percentage of an asset's value that would be lost during a security incident or disaster scenario.

The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.

A measure of disorder. Cryptographic systems should exhibit high entropy to better resist brute force attacks.

Product life cycle phase where sales are discontinued and support options reduced over time.

Product life cycle phase where support is no longer available from the vendor.

A software agent and monitoring system that performs multiple security tasks.

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

Coding methods to anticipate and deal with exceptions thrown during execution of a process.

In key management, the storage of a backup key with a third party.

IPSec(layer 3) sub-protocolthat enables encryption and authentication of the header and payload of a data packet.

A WAP (wireless access point) that deceives users into believing that it is a legitimate network access point.

The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.

Suite of tools (e.g., Metasploit) designed to automate delivery of exploits against common software and firmware vulnerabilities.

A private network that provides some access to outside parties, particularly vendors, partners, and select customers.

A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.

Deception strategy that returns spoofed data in response to network probes.

In security scanning, a case that is not reported when it should be.

In security scanning, a case that is reported when it should not be.

Biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.

A wire mesh container that blocks external electromagnetic fields from entering into the container.

High speed network communications protocol used to implement SANs.

Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.

A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.

A type of software that reviews system files to ensure that they have not been tampered with.

Biometric authentication device that can produce a template signature of a user's fingerprint then subsequently compare the template to the digit submitted for authentication.

The first experienced person or team to arrive at the scene of an incident.

A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.

Provides an enterprise with the steps to restore the basics required for functionality, while a DRP (disaster recovery plan) is designed to return an enterprise to full, pre-disaster functionality.

Biometric assessment metric that measures the number of valid subjects who are denied access.

A commercial digital forensics investigation management and utilities suite, published by AccessData.

A type of FTP using TLS for confidentiality.

A backup type in which all selected files, regardless of prior state, are backed up. full tunnel VPN configuration where all traffic is routed via the VPN gateway.

A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.

Biometric mechanism that identifies a subject based on movement pattern.

A mode of block chained encryption that provides message authenticity for each block.

Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.

The practice of creating a virtual boundary based on real-world geography.

Identifies geographical information of IP addresses.

The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.

Tool written in Go that is used to brute-force URIs (directories and files) in web sites and DNS subdomains (with wildcard support). It uses a wordlist to guide its search, making it highly effective for discovering hidden directories and files that are not typically found through standard enumeration techniques.

On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.

Linux command for searching and filtering input. This can be used as a file search tool when combined with ls.

A group account is a collection of user accounts that are useful when establishing file permissions and user rights because when many individuals need the same level of access, a group could be establishedcontaining all the relevant users.

A globally unique IPv6 address assigned to a single interface, enabling devices to communicate over the Internet. It is routable and accessible across the entire IPv6 Internet, ensuring unique identification and connectivity worldwide.

Measures the difficulty for an attacker to correctly guess a password or cryptographic key. It typically estimates the average number of attempts an attacker might need to make to guess the correct password or key.

The property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.

The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.

Command-line tool used to perform brute force and dictionary attacks against password hashes.

A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output. Also known as message digest.

Linux utility for showing the first lines in a file.

In a Wi-Fi site survey, a diagram showing signal strength at different locations.

A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.

Same as HIDS but with added ability to prevent and remediate intrusion.

A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.

Method that allows computation of certain fields in a dataset without decrypting it.

Host, network, or file set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.

When a user accesses or modifies specific resources that they are not entitled to.

A software application running on a single host and designed to protect only that host. Also known as personal firewall.

Arrangement of server racks to maximize the efficiency of cooling systems. Also known as cold/hot aisle.

A fully configured alternate network that can be online quickly after a disaster.

An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.

Linux & Windows command that provides the functionality to create custom packets as well as spoofed originating IPs. Example: send a custom packet with a spoofed IP address to find the latency of a target system’s response

An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).

Cloud deployment that uses both private and public elements.

Quickly cracks network logins for various services.

Occurs after an incident occurs to analyse all aspects of the life cycle of the incident and can be used to provide insight into future occurrences.

Provides the user with the highest levels of control over their infrastructure by providing only the hardware needed to craft an infrastructure in the cloud.

Provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.

Security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

Protocol used for error messaging and diagnostic functions in IPv6. It manages packet processing, handling errors, and providing diagnostic capabilities like ping and traceroute to ensure robust and reliable communication within IPv6 networks.

Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).

Invention of fake personal information or the theft and misuse of an individual's personal information.

In a federated network, the service that holds the user account and performs authentication.

Software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.

Standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.

Framework for creating a Security Association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data.

Provides Python classes for interacting with network protocols.

A basic principle of security stating that unless something has explicitly been granted access, it should be denied access.

A backup type in which all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.

Methods of disguising the nature and purpose of buildings or parts of buildings.

Risk that an event will pose if no controls are put in place to mitigate it.

Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application. Whitelists or blacklists may be used.

Coding vulnerability where unvalidated input is used to select a resource object, such as a file or database.

A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.

Attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.

The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.

In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.

A private network that is only accessible by the organization's own personnel.

A sign that an asset or network has been attacked or is currently under attack.

Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.

Layer 3 collection and analysis (also called bandwidth monitor). Standards-based version of the Netflow framework.

An IDS that can actively block attacks.

Set of open, non-proprietary layer 3 standards used to secure data through authentication and encryption as the data travels across the network or the Internet.

Specific procedures that must be performed if a certain type of event is detected or reported. Step of incident response: (1) preparation, (2) identification, (3) containment, (4) eradication, (5) recovery, (6) lessons learned

Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.

A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.

A comprehensive set of standards for enterprise risk management.

Wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.

Attack in which radio waves disrupt 802.11 wireless signals.

The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.

Password cracking tool that is popular among penetration testers and security auditors. It automatically detects password hash types and includes several cracking modes to handle different ciphertexts and encryption standards.

Linux command showing systemd journal records.

A hardened server that provides access to other hosts. Also known as jumpbox.

Method that leverages the individual’s knowledge to properly identify the user, such as a previous address or vehicle associated with the user.

A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.

Malicious software or hardware that can record user keystrokes.

Detects networks and devices, functioning as a sniffer and intrusion detection system.

VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.

Process by which an attacker is able to move from one part of a computing environment to another.

Application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input. For example, *,[ ],&, and" " could be inputted into the username space on a login page.

A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.

A method of implementing LDAP using SSL/TLS encryption.

See EAP for reference table.

A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.

Simplifies penetration testing in restricted environments with reverse tunneling.

An analysis of events that can provide insight into how to improve response processes in the future. Also known as after action report or AAR.

A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

Linux utility that writes data to the system log.

A malicious program or script that is set to run under particular circumstances or in response to a defined event.

If broadcast traffic is allowed to continually loop around a network, the number of broadcast packets increases exponentially, crashing the network. Loop protection in switches such as STP (Spanning Tree Protocol), and in routers, TTL (Time To Live) for instance, is designed to prevent this.

Cloud service providing ongoing security and availability monitoring of on-premises and/or cloud-based hosts and services.

Attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface. Also known as MAC spoofing.

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

Variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses.

Access to resources is determined by system-defined policies, typically involving labels (often referred to as security classifications: Public, Confidential, Critical) on both users and data objects. Users with certain clearance levels can access data with corresponding classification labels.

Proving the integrity and authenticity of a message by combining its hash with a shared secret.

Enterprise management function that enables control over apps and storage for mobile devices and other endpoints.

A category of security control that gives oversight of the information system.

The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.

In threat hunting, the concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.

A secure entry system with two gateways, only one of which is open at any one time.

Scans entire Internet in minutes to detect open ports.

A cryptographic hash function producing a 128-bit output.

The process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure.

UEFI feature that measures (or checks) the components being loaded during the boot process and logs the measurements to a TPM (Trusted Platform Module) chip. The TPM can then be queried later to determine what has been loaded and run on the system. However, as opposed to secure boot, measuring doesn't prevent the system from booting with unauthorized or malicious software. It simply notes what was booted.

A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

Linux utility developed as part of the Coroner's Toolkit to dump system memory data to a file.

Software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.

Information stored or recorded as a property of an object, state of a system, or transaction.

Set of tools designed to assist in attacking a target device or network. Source: https://www.metasploit.com/

Authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.

Software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.

Type of RAID that using two hard disks, providing the simplest way of protecting a single disk against failure. Data is written to both disks and can be read from either disk.

Attack when the web browser is compromised by installing malicious plug-ins or scripts, or intercepting API calls between the browser process and DLLs. Tools like the Browser Exploitation Framework (BeEF) facilitate such attacks.

Form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

Refer to ATT&CK. Technique based framework, MITTRE ATT&CK is a comprehensive digest of tactics and techniques used for adversarial activity throughout the threat lifecycle.

A protocol used in IPv6 to manage multicast group memberships on a local network. It enables routers to discover which devices want to receive specific multicast traffic, optimizing the delivery of multicast packets.

Extension to SMS allowing digital data (picture, video, or audio) to be sent over a cellular data connection.

Implementation of a block symmetric cipher, with some modes allowing secure encryption of a stream of data, with or without authentication for each block.

Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

Developed by Cisco from ATM as a means of providing traffic engineering (congestion control), Class of Service, and Quality of Service within a packet switched, rather than circuit switched, network.

Evaluates the data collection and statistical methods used by a quality management process to ensure they are robust.

Integrates payload creation and encoding for exploit development.

Third-party provision of security configuration and monitoring as an outsourced service.

Rating on a device or component that predicts the expected time between failures.

Longest period a business can be inoperable without causing irrevocable business failure.

Average time a device or component is expected to be in operation.

Average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.

The largest size of a packet that can be transmitted over a network medium. It is determined by the network layer and dictates the maximum payload size, ensuring efficient and reliable data transfer. MTU optimization helps prevent fragmentation and enhances network performance.

Model where cloud consumer uses multiple public cloud services.

Overprovisioning controllers and cabling so that a host has failover connections to storage media.

General term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level. NAC is designed to evaluate the security stance of network-attached devices and can be done pre-admission or post-admission.

Low-power cellular networks designed to provide data connectivity to IoT devices.

Routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.

Utility for reading and writing raw data over a network connection. Also known as netcat.

Agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.

IPv6 protocol used for address autoconfiguration, discovering other network nodes, determining link-layer addresses, finding available routers, and maintaining reachability information. It replaces ARP in IPv6 and is crucial for efficient and accurate network communication.

One of the best-known commercial vulnerability scanner, produced by Tenable Network Security. Source: https://www.tenable.com/products/nessus

Layer 3 collection and analysis. Cisco-developed means of reporting network flow (also called bandwidth monitor) information to a structured database. Allows better understanding of IP traffic flows as used by different network applications and hosts. Source: https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html

Standard for peer-to-peer (2-way) radio communications over very short (around 4") distances, facilitating contactless payment and similar technologies. NFC is based on RFID.

Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.

Advances in firewall technology, from app awareness, user-based filtering, and intrusion prevention to cloud inspection. Also known as layer 7 firewall.

Monitors network traffic and identifies typical behaviour patterns (heuristic). The NIPS acts when traffic deviates from these behaviour patterns.

Versatile port scanner used for topology, host, service, and OS discovery and enumeration. Source: https://nmap.org/

Security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.

Arbitrary number used only once in cryptographic communication, often to prevent replay attacks.

Routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.

Challenge-response authentication protocol created by Microsoft for use in its products.

Open-source tool that provides aggregation and syslog centralization, as well as log generation in multiple formats. Can also be integrated with SIEM systems. Source: https://nxlog.co/

Industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.

Federated identity management protocol used for authentication and authorization in RESTful APIs, enabling users to share resources between sites without sharing passwords, and it supports various grant types for different contexts.

Technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.

Provides information on certificates that have been prematurely revoked. Contrarily to the (CRL) certificate revocation list, the OCSP allows for the process to be automated with a real-time check process.

Process of ensuring that all HR and other requirements are covered when an employee leaves an organization. Also known as exit interview.

In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise. The online CA is the certificate authority that actively generates certificates using an intermediate CA. The offline CA is responsible for the safe storage of the root certificate of the CA and is only accessed when necessary.

Numeric schema used for attributes of digital certificates.

Method of authentication that sits on top of the OAuth 2.0 authorization protocol and provides a decentralized third-party credential verification process that turns the validating party, into the identity provider (IdP). E.g., sign in using his Facebook or Google account.

Process of bringing in a new employee, contractor, or supplier.

Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.

Standards for implementing device encryption on storage devices. operational control A category of security control that is implemented by people.

Automation of multiple steps in a deployment process.

Order in which volatile data should be recovered from various storage locations and devices after a security incident occurs. Example for a laptop: (1) routing tables, (2) swap space, (3) hard disk, (4) remote logs. Explanation: the routing table is a temporary table and should be collected first, followed by the swap space. The onboard hard disk would come next, since it is physically connected to the laptop, followed by the remote logs, which are stored in an offsite location, making them more stable.

Conceptual framework used to understand network interactions in seven distinct layers, from physical transmission to application processes. Layers: (1) Physical, (2) Data Link, (3) Network, (4) Transport, (5) Session, (6) Presentation, (7) Application. Mnemonic method: Please Do Not Throw Sausage Pizza Away.

Publicly available information plus the tools used to aggregate and search it.

Communications network designed to implement an industrial control system rather than data networking.

Firmware update delivered on a cellular data connection.

Coding methods to sanitize output created from user input.

Charity and community publishing several secure application development resources.

Binary file format that allows a private key to be exported along with its digital certificate. Known as PFX by Windows users.

Point-to-point topology is one where two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes.

Text file format for transmitting a chain of digital certificates.

Provides less control to the user than IaaS by providing the computing platform in the cloud, which the user can use to create applications.

Framework for implementing authentication providers in Linux.

Enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.

Maps private host IP addresses onto a single public IP address. Each host is tracked by assigning it a random high TCP port for communications. Also known as network address port translation (NAPT) or NAT overloading.

Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.

Information security standard for organizations that process credit or bank card payments.

An IPv6 feature that allows an Internet Service Provider (ISP) to delegate a network prefix to a customer’s network. It facilitates automatic configuration of subnets within the customer’s network, ensuring efficient address management and routing.

Advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.

See EAP for reference table.

Widely used text format for cryptographic keys and certificates. For use with OpenSSH. It isessentially a base64 encoded version ofbinary data, typically used for DER-encoded certificates. PEM formatted files are easily identifiable by their characteristic "BEGIN"and"END" delimiters (e.g., "-----BEGIN CERTIFICATE-----"and"-----END CERTIFICATE-----"). They can containprivate keys, public keys, certificates, and even entire certificate chains.

Test that uses active tools and security utilities to evaluate security by simulating an attack on a system. A pen test will verify that a threat exists, then will actively test and bypass security controls, and will finally exploit vulnerabilities on the system. Also known as pentest.

Mechanism for encoding characters as hexadecimal values delimited by the percent sign.

In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.

Ability of a threat actor to maintain covert access to a target host or network.

A characteristic of transport encryption that ensures if a key is compromised the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions. Note that WPA3-Enterprise is designed to provide perfect forward secrecy between the client and server.

Windows version of P12 to store private key and certificate data. The file is binary and can be password-protected.

Data encryption and decryption program that provides cryptographic privacy and authentication for data communication.

An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.

Information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results.

A type of email-based social engineering attack, in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

A type of security control that acts against in-person intrusion attempts.

Data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them).

Portable router equipped with software designed for network security testing and attacks. It allows security researchers and hackers to easily perform man-in-the-middle attacks by creating a fake WiFi network or mimicking legitimate networks to intercept communications, capture credentials, and manipulate traffic.

A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

A smart card that meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electronic authentication of the card's owner.

Series of standards defining the use of certificate authorities and digital certificates.

Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.

A checklist of actions to perform to detect and respond to a specific type of incident PLC (programmable logic controller) A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.

A switch (or router) that performs some sort of authentication of the attached device before activating the port.

Software vulnerability that can occur when code attempts to read a memory location specified by a pointer, but the memory location is null. Also known as dereferencing.

A process in which a router takes requests from the Internet for a particular application (such as HTTP) and sends them to a designated host on the LAN. Also known as destination network address translation or DNAT.

Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch. Also known as switched port analyzer or SPAN.

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

Anticipating challenges to current cryptographic implementations and general security issues in a world where threat actors have access to significant quantum processing capability.

A command shell and scripting language built on the .NET Framework.

Proprietary format for private keys used by the PuTTY SSH client. PuTTY doesn't natively support OpenSSH's default key format, so it uses PPK format for private keys. The companion utility "PuTTYgen" can be used to generate these keys and also to convert between OpenSSH and PPK formats.

Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks.

Security concept that advises granting users, systems, or processes the minimum levels of access - or permissions - necessary to perform their functions or tasks, but no more. This minimizes the risk of unauthorized access or the spread of a security breach by ensuring that entities have only the essential rights they need to operate.

A cloud that is deployed for use by a single entity.

the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.

Use of authentication and authorization mechanisms to provide an administrator with centralized or decentralized control of user and group role-based privilege management.

Practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.

Ability to trace the source of evidence to a crime scene and show that it has not been tampered with.

Server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance. Also known as forward proxy.

Enforces TCP connections to pass through proxies like TOR, SOCKS4, SOCKS5, or HTTP(S)

Removing personal information from a data set to make identification of individuals difficult, even if the data set is combined with other sources.

Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

Network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.

Cloud that is deployed for shared use by multiple independent tenants.

During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.

Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.

Mode of penetration testing where red and blue teams share information and collaborate throughout the engagement. purpose limitation In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.

Messages that are generated by an application based on preset criteria and sent to a user with a prompt request are push notifications. This differs from short message service (SMS) and authentication applications due to its application-based generation.

High-level programming language that is widely used for automation.

Policies, procedures, and tools designed to ensure defect-free development and delivery.

Systems that differentiate data passing over the network that can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS).

Method that uses opinions and reasoning to measure the likelihood and impact of risk.

Method that is based on assigning concrete values to factors.

Using quantum computing for cryptographic tasks, such as distributing keys or cracking (traditional) cryptographic systems. Quantum computing works on the principle that its units (qubits) have more properties than the bits used in "classical" computers, notably (and very crudely) that a qubit can have a probability of being 1 or 0 and that inspecting the value of one qubit can instantly determine that of others (entanglement).

In PKI, an account or combination of accounts that can copy a cryptographic key from backup or escrow and restore it to a subject host or user.

In PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests.

A message type in IPv6 used by routers to announce their presence along with various link and Internet parameters. It enables devices to discover routers on their link and obtain necessary configuration parameters for network communication.

Situation where the behavior of a system depends on the relative timing of events, leading to unpredictable or undesirable outcomes. TOCTOU (Time of Check to Time of Use) is a specific type of race condition where the vulnerability arises between the time a system checks a condition and the time it uses the results of that check.

A standard protocol used to manage remote and wireless authentication infrastructures. While OpenID can validate users with a single credential, a RADIUS federation can limit access to members in the federation.

Specifications that support redundancy and fault tolerance for different configurations of multiple-device storage systems.

Tool for speeding up attacks against Windows passwords by precomputing possible hashes. Salting is the most appropriate method for protecting against rainbow attacks.

Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment.

Open-source platform producing programmable circuit boards for education and industrial prototyping.

Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.

Access permissions are based on the roles assigned to users within an organization. Users are granted permissions based on their role, and not directly based on their individual identity.

Evaluation of a company’s security posture and preparedness, designed for a higher-level risk evaluation than the RCSA, and can be done in-house or by a third party.

Platform-independent advanced messaging functionality designed to replace SMS and MMS.

Evaluation of a company’s security posture and preparedness, focused primarily on the specifics of risk response controls and is commonly done in-house.

The "hostile" or attacking team in a penetration test or incident response exercise. regex (regular expression) A group of characters that describe how to execute a specific search pattern on a given text.

On-path attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.

Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).

Risk that remains even after controls are put into place.

Dictates for how long information needs to be kept available on backup and archive systems. This may be subject to legislative requirements.

Type of proxy server that protects servers from direct contact with client requests.

Maliciously spawned remote command shell where the victim host opens the connection to the attacking host.

Method of recovering by setting the system back to a previous state.

Response of determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring is needed.

Practice of ceasing activity that presents risk.

In ESA, a framework that uses risk assessment to prioritize security control selection and investment.

Response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Also known as risk reduction.

Graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.

Response of reducing risk to fit within an organization's risk appetite.

Document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.

Response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.

Remote-controlled or autonomous robot capable of patrolling site premises or monitoring gateways.

In PKI, a CA that issues certificates to intermediate CAs in a hierarchical structure. The online CA is the certificate authority that actively generates certificates using an intermediate CA. The offline CA is responsible for the safe storage of the root certificate of the CA and is only accessed when necessary.

Monitors the routing protocols used by a network for possible vulnerabilities such as on-path attacks, loops, and congestion.

Hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.

Rules that govern how routers communicate and forward traffic between networks.

Longest period that an organization can tolerate lost data being unrecoverable.

Named for its designers, Ronald Rivest, Adi Shamir, and Len Adelman, the first successful algorithm for public key encryption with a variable key length and block size.

Using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDoS.

Length of time it takes after an event to resume normal business operations and activities.

Type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.

Opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).

Access is granted or denied based on a set of rules defined by a system administrator. The rules can encompass various conditions, such as time of access, network location, type of access method, etc. (e.g., MS365 Conditional Access)

Automated version of a playbook that leaves clearly defined interaction points for human analysis.

Email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.

Most limiting cloud environment (compared to IaaS and PaaS), providing the user with predefined software that can be used but not altered.

WPA3 increased security by instituting the use of SAE which validates between a client and a network rather than using a preshared key (WPA-PSK)for validation.

Security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to (Salting) each plaintext input.

XML-based data format used to exchange authentication information between a client and a service.

Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.

Computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited.

Process of thorough and completely removing data from a storage medium so that file remnants cannot be recovered.

Developed from parallel SCSI, SAS represents the highest performing hard disk interface available.

Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.

Property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.

Utility that runs port scans from outside the network through third-party websites to evade detection. Netcat, netstat, and Nmap are all used within the network.

A NIST framework that outlines various accepted practices for automating vulnerability scanning.

Dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.

Network segmentation method that locates a designated portion of a network, typically for external use, away from the primary network. While the screened subnet is still on the network, it has extremely limited access to the primary network.

Inexperienced, unskilled attacker that typically uses tools or scripts created by others.

Coding resources provided by a vendor to assist with development projects that use their platform or API.

APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.

API technology that provides network visibility throughout an entire network, integrating and collaborating between various technologies and vendors to provide a single visible network.

Method of sanitizing a drive using the ATA command set.

Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.

Searches through exploits and shellcodes in Exploit-DB via command line.

Computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security.

UEFI feature that ensures that only signed and trusted software can boot on the system. It establishes a chain of trust from the firmware up through the boot process. If any software in the boot process doesn't have the correct signature (i.e., it isn't trusted), the UEFI will stop and prevent the system from booting.

Technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

Disk drive where the controller can automatically encrypt data that is written to it.

Portion of a network where all attached hosts can communicate freely with one another.

Mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited.

Digital certificate that has been signed by the entity that issued it, rather than by a CA.

Devising an AI/ML algorithm that can describe or classify the intention expressed in natural language statements SIEM tools provide many capabilities, including sentiment analysis to identify opinion and emotion patterns in data.

Concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

Digital certificate that guarantees the identity of e-commerce sites and other websites that gather and store confidential information.

In a web application, input data that is executed or validated as part of a script or process running on the server.

Software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.

Host or network account that is designed to run a background service, rather than to log on interactively.

Scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question. Also known as source IP affinity.

Type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.

Provides data collection and analysis (also called bandwidth monitor) from Layer 2 to 7, while both NetFlow and IPFIX only provide Layer 3 collection and analysis. Source: https://sflow.org/

Secure version of the File Transfer Protocol that uses a Secure Shell (SSH) tunnel as an encryption method to transfer, access, and manage files.

Cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2.

Computer hardware, software, or services used on a private network without authorization from the system owner.

Account with no credential (guest) or one where the credential is known to multiple persons.

Lightweight block of malicious code that exploits a software vulnerability to gain initial access to a victim system.

Process of developing and implementing additional code between an application and the OS to enable functionality that would otherwise be unavailable.

Social engineering tactic to obtain someone's password or PIN by observing him or her as he or she types it in.

The value assigned to an account by Windows and that is used by the operating system to identify that account.

Central security-monitoring tool used to collect and aggregate log data.A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

Network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.

Small chip card that identifies the user and phone number of a mobile device, via an IMSI (International Mobile Subscriber Identity).

DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/ video), and session management and termination.

Operating procedures and standards for a service contract.

A method in IPv6 for devices to automatically configure their own IP addresses without the need for a central server. It allows devices to generate unique addresses using router advertisements, ensuring simplified and efficient network setup.

Amount that would be lost in a single occurrence of a particular risk factor.

Similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.

Utility meter that can submit readings to the supplier without user intervention.

Form of phishing that uses SMS text messages to trick a victim into revealing information.

Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites. Source: https://github.com/1N3/Sn1per

Protocol for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.

Software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.

XML-based web services protocol that is used to exchange messages.

Class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

Evaluations of the controls and processes of a service organization, particularly those relevant to user entities. These reports are issued by external auditors and provide valuable insights into the organization's control environment. There are different types of SOC reports, and they vary based on the kind of information they provide and their intended audience.

Processor that integrates the platform functionality of multiple logical controllers onto a single chip. E.g., Apple Silicon with CPU, GPU and RAM on same chip.

Email-based or web-based form of phishing which targets specific individuals.

Spam attack that is propagated through instant messaging rather than email.

VPN configuration where only traffic for the private network is routed via the VPN gateway.

Component or system that would cause a complete interruption of a service if it failed.

Attack that injects a database query into the input data directed at a server by accessing the client-side of the application. Example: or 1=1

Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 (Type II) report is created for a restricted audience, while SOC3 reports are provided for general consumption.

Remote administration and file-copy program that supports VPNs by using port forwarding, and that runs on TCP port 22.

Character string that identifies a particular wireless LAN (WLAN).

Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

Attack that attempts to exploit the trust relationship between a user and a server to get the user to execute commands against the server or vice versa. Request forgeries can originate from either the client side via a SSRF or the server side via a CSRF/XSRF (cross-site request forgery).

SSTIs occur when user input is embedded in a template in an unsafe manner and results in remote code execution on the server. Any features that support advanced user-supplied markup may be vulnerable to SSTI including wiki-pages, reviews, marketing applications, CMS systems etc. Some template engines employ various mechanisms (eg. sandbox, whitelisting, etc.) to protect against SSTI.

Protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header.

Applying consistent names and labels to assets and digital resources/identities within a configuration management system.

Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder.

Type of threat actor that is supported by the resources of its host country's military and security services. Also known as nation state actor.

Information about sessions between hosts that is gathered by a stateful firewall.

Technique used in firewalls to analyse packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter and more security.

Type of firewall provides the least amount of capabilities.

Authentication method that provides a one-time, pre-set authentication verifier, such as a password or code, that is not limited by a set time frame.

Technique for obscuring the presence of a message, often by embedding information within a file or other entity.

Framework for analyzing cybersecurity incidents.

Small applications that use Structured Query Language (SQL) statements that can manipulate data in a relational database management system.

Switching protocol that prevents network loops by dynamically disabling links as needed.

Type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.

Software testing method that evaluates how software performs under extreme load.

Device requesting access to the network.

SMTP testing tool with scripting capabilities.

An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.

A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.

A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.

Linux utility for showing the last lines in a file.

Social engineering technique to gain access to a building by following someone who is unaware of their presence.

Hardware device inserted into a cable to copy frames for analysis.

Tape media provides robust, high-speed, high-capacity backup storage. Tape drives and autoloader libraries can be connected to the SATA and SAS buses or accessed via a SAN.

A protocol for supplying codified information to automate incident detection and analysis.

Command-line packet sniffing utility.

Command-line utility that replays packets saved to a file back through a network adapter.

Category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.

Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot). Also known as hotspot.

Utility for gathering results from open-source intelligence queries. Source: https://github.com/laramies/theHarvester

Access point that requires a wireless controller to function.

Vulnerabilities that arise from dependencies in business relationships with suppliers and customers.

Person or entity responsible for an event that has been identified as a security incident or as a risk.

Cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring.

Animated map showing threat sources in near real-time.

Policies or configuration settings that limit a user's access to resources.

Identifying whether a time zone offset has been applied to a file's time stamp.

Tool that shows the sequence of file system events within a source image in a graphical format.

Mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.

Security protocol that uses certificates for authentication and encryption to protect web communication.

Vulnerability where the state of a system changes between a check and its use, representing a specific type of race condition.

Physical or virtual item that contains authentication and/or authorization data, commonly used in multifactor authentication.

Deidentification method where a unique token is substituted for real data.

Improvement on HOTP that forces one-time passwords to expire after a short period of time.

Specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. transit gateway In cloud computing, a virtual router deployed to facilitate connections between VPC subnets and VPN gateways.

Process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events or better understand past events.

Malicious software program hidden within an innocuous-seeming piece of software. Usually, the Trojan is used to try to compromise the security of the target computer. Also known as Trojan.

Analyzes network traffic via command line, based on Wireshark.

Open-source collection of command line and programming libraries for disk imaging and file analysis. Autopsy sits as a GUI on top of TSK.

Analysis of historical cyber-attacks and adversary actions.

Attack in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL is taken to the attacker's website. Also known as URL hijacking.

System that can provide automated identification of suspicious activity by user accounts and computer hosts.

Enterprise software for controlling device settings, apps, and corporate data storage on all types of fixed, mobile, and IoT computing devices.

An IPv6 address intended for local communications within a private network. It is not routable on the global Internet, ensuring secure and isolated communications. ULA provides stable addressing for internal use, facilitating site-local networking and avoiding address collisions.

Vulnerability scan which is only able to scan the publicly accessible portions of a network (contrarily to the credentialed scan).

Hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point.

All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.

Secure room with walls and gateway hardened against physical assault.

Programming languages used to implement macros and scripting in Office document automation.

User desktop and software applications provisioned as an instance under VDI.

Networking technology that provides secure access to the corporate space through a virtual desktop hosted on the corporate hypervisor.

Policies and procedures to identify vulnerabilities and ensure security of the supply chain. It is important to have vendor management when managing third-party risk. Issues can be promptly found and fixed with a strong vendor-management program. The proper channels can be followed when a security breach is detected, and it can be addressed much more quickly. A weak vendor-management program can lead to increased downtime and policies not being followed adequately.

Code designed to infect computer files (or disks) when it is activated.

Human-based attack where the attacker extracts information while speaking over the phone or leveraging IP-based voice messaging services (VoIP).

Logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

Attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.

Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.

Private network segment made available to a single cloud consumer on a public cloud.

Secure tunnel created between two endpoints connected via an unsecure network (typically the Internet).

Weakness that could be triggered accidentally or exploited intentionally to cause a security breach.

Evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system.

Firewall designed specifically to protect software running on web servers and their back-end databases from code injection and DoS attacks.

Practice of using a Wi-Fi sniffer to detect WLANs and then either making use of them (if they are open/unsecured) or trying to break into them (using WEP and WPA cracking tools).

Location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

Attack in which an attacker targets specific groups or organizations, discovers which websites they frequent, and injects malicious code into those sites.

Legacy mechanism for encrypting data sent over a wireless connection.

Email-based or web-based form of phishing which targets senior executives or wealthy individuals.

Identifies technologies used on websites.

Staff administering, evaluating, and supervising a penetration test or incident response exercise.

Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images.

Network protocol analyzer that lets users capture and interactively browse the traffic running on a computer network. It provides detailed information about network traffic and can be used for network troubleshooting, analysis, software and protocol development, and education.

Type of malware that replicates in system memory and can spread over network connections rather than infecting files.

Standards for authenticating and encrypting access to Wi-Fi networks. Also known as WPA2, WPA3.

Feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.

Expressing the concept that most types of IT requirements can be deployed as a cloud service model.

Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.

Type of attack against an application that parses XML input. Occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Operation that outputs to true only if one input is true and the other input is false.

Malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. Also known as client-side request forgery or CSRF.

Malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones. Example: <SCRIPT> and </SCRIPT>

Low-power wireless communications protocol used primarily for home automation. Z-Wave uses radio frequencies in the high 800 to low 900 MHz and a mesh topology.

Vulnerability in software that is unpatched by the developer or an attack that exploits such a vulnerability.

Method of sanitizing a drive by setting all bits to zero.

Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.

Low-power wireless communications open source protocol used primarily for home automation. ZigBee uses radio frequencies in the 2.4 GHz band and a mesh topology.