GLOSSARY

access control list (ACL)   A list of rules that control the manner in which a resource may be accessed.

active defense   Adaptive measures aimed at increasing the amount of effort attackers need to exert to be successful, while reducing the effort for the defenders.

advanced persistent threat (APT)   The name given to any number of stealthy and continuous computer-hacking efforts, often coordinated and executed by an organization or government with significant resources over a longer period of time.

anomaly analysis   Any technique focused on measuring the deviation of some observation from some baseline and determining whether that deviation is statistically significant.

assessment   A process that gathers information and makes determinations based on it.

asymmetric cryptography   A cryptosystem that uses two different but complementary keys for encryption and decryption.

atomic execution   An approach to controlling the manner in which certain sections of a program run so that they cannot be interrupted between the start and end of the section.

audit   A systematic inspection by an independent third party to determine whether the organization is in compliance with some set of external requirements.

beaconing   A periodical outbound connection between a compromised computer and an external controller.

blue team   The group of participants who are the focus of a training event or exercise; they are usually involved with the defense of the organization’s infrastructure.

cloud access security broker (CASB)   A software system that sits between each user and each cloud service, monitoring all activity, enforcing policies, and alerting when something seems to be wrong.

cloud computing   The use of shared, remote computing devices for the purpose of providing improved efficiencies, performance, reliability, scalability, and security.

common vulnerability scoring system (CVSS)   A well-known standard for quantifying severity ratings for vulnerabilities.

compensating control   A security control that satisfies the requirements of some other control when implementing the latter is not possible or desirable.

containerization   A virtualization technology that abstracts the operating system for the applications running above it, allowing for low overhead in running many applications and improved speed in deploying instances.

containment   Actions that attempt to deny the threat agent the ability or means to cause further damage.

Control Objectives for Information and Related Technologies (COBIT)   A framework and set of control objectives developed by ISACA and the IT Governance Institute that define goals for the controls that should be used to manage IT properly and to ensure that IT maps to business needs.

Controller Area Network (CAN) bus   A serial bus that enables embedded devices to communicate directly with each other, often in an industrial or vehicular environment.

credential stuffing   A type of brute-force attack in which credentials obtained from a data breach of one service are used to authenticate to another system in an attempt to gain access.

cross-site scripting (XSS)   A vulnerability in a web application that provides an opportunity for malicious users to execute arbitrary client-side scripts.

dereferencing   A common flaw that occurs when software attempts to access a value stored in memory that does not exist, which sometimes enables attackers to bypass security measures or learn more about how the program works by reading the exception information.

DevSecOps   A combination of the terms development, security, and operations that denotes the practice of incorporating development, security, IT, and quality assurance (QA) staff into software development projects to align their incentives and enable frequent, efficient, and reliable releases of software products.

digital certificate   A file that contains information about the certificate owner, the certificate authority (CA) who issued it, the public key, its validity timeframe, and the CA’s signature of the certificate itself, typically following the X.509 standard defined by the Internet Engineering Task Force (IETF) in its RFC 5280.

digital signature   A short sequence of data that proves that a larger data sequence (say, an e-mail message or a file) was created by a given person and was not modified by anyone else after being signed.

domain generation algorithm (DGA)   A threat actor technique used to generate domain names rapidly using seemingly random, but predictable processes. This enables malware to connect eventually with its command and control infrastructure without providing defenders the opportunity to identify and block the domains.

eFuse   A single bit of nonvolatile memory that, once set to 1, can never be reverted to 0.

embedded system   A system characterized by lightweight software running specialized tasks on low-power microprocessors.

event   Any occurrence that can be observed, verified, and documented.

eXtensible Markup Language (XML)   A markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

false positive   A report that states that a given condition is present when in fact it is not.

field-programmable gate array (FPGA)   A programmable chip that enables programmers to reconfigure the hardware itself to accommodate new software functionality.

firewall   A device that permits the flow of authorized data through it while preventing unauthorized data flows.

firmware   Software that is stored in read-only, nonvolatile memory in a device and is executed when the device is powered on.

forensic acquisition   The process of extracting the digital contents from seized evidence so that they may be analyzed.

fuzzing   A technique used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected, or random data to the target program in order to trigger failures.

hardening   The process of securing information systems by reducing their vulnerabilities and functionality.

hardware security module   A removable expansion card or external device that can generate, store, and manage cryptographic keys, used to improve encryption/decryption performance by offloading these functions to a specialized module.

hashing function   A one-way function that takes a variable-length sequence of data such as a file and produces a fixed-length result called a “hash value”; sometimes referred to as a digital fingerprint.

heuristic   A “rule of thumb” or any other experience-based, imperfect approach to problem solving.

heuristic analysis   The application of heuristics to find threats in practical, if imperfect, ways.

honeynet   A network of devices that is created for the sole purpose of luring an attacker into trying to compromise it.

host-based intrusion detection system (HIDS)   An IDS that is focused on the behavior of a specific host and packets on its network interfaces.

incident   One or more related events that compromise the organization’s security posture.

incident response   The process of negating the effects of an incident on an information system.

indicator of compromise (IOC)   An artifact that indicates the possibility of an attack or compromise.

industrial control system (ICS)   A cyber-physical system that enables specialized software to control the physical behaviors of some system.

Information Technology Infrastructure Library (ITIL)   A customizable framework that provides the goals of internal IT services, the general activities necessary to achieve these goals, and the input and output values for each process required to meet these determined goals.

Infrastructure as a Service (IaaS)   A cloud computing model in which a service provider offers direct access to a cloud-based infrastructure on which customers can build and configure their own devices.

input validation   An approach to protect systems from abnormal user input by testing the data provided against appropriate values.

International Organization for Standardization (ISO)   An independent, nongovernmental international organization that is the world’s largest developer and publisher of international standards.

Internet of Things (IoT)   The broad term for Internet-connected, nontraditional computing devices such as televisions and fridges.

intrusion detection system (IDS)   A system that identifies violations of security policies and generates alerts.

intrusion prevention system (IPS)   A form of IDS that is able to stop any detected violations.

isolation   A state in which a part of an information system, such as a compromised host, is prevented from communicating with the rest of the system.

jump box   A computer that serves as a jumping-off point for external users to access protected parts of a network.

mandatory access control (MAC)   A policy in which access controls are always enforced on all objects and subjects.

man-in-the-middle (MITM) attack   An attack in which an adversary intercepts communications between two endpoints to obtain illicit access to message contents and potentially alter them.

MITRE ATT&CK   The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a model that enables organizations to document and exchange attacker tactics, techniques, and procedures (TTPs).

multifactor authentication (MFA)   Authentication techniques that require multiple pieces of information to authenticate a user.

National Institute for Standards and Technology (NIST)   An organization within the U.S. Department of Commerce that is charged with promoting innovation and industrial competitiveness.

network segmentation   The practice of separating various parts of the network into subordinate zones to thwart adversaries’ efforts, improve traffic management, and prevent spillover of sensitive data.

network-based intrusion detection system (NIDS)   An IDS that is focused on the packets traversing a network.

nmap   A popular open source tool that provides the ability to map network hosts and the ports on which they are listening.

open source intelligence (OSINT)   The collection and analysis of publicly available information appearing in print or electronic form.

Open Web Application Security Project (OWASP)   An organization that promotes web security and provides development guidelines, testing procedures, and code review steps.

OpenIOC   A framework to organize indicators of compromise (IOC) in a machine-readable format for easy sharing and automated follow-up.

operational control   Security mechanisms implemented primarily through people and procedures.

packet analyzer   A tool that captures network traffic, performs some form of analysis on it, and reports the results; also known as a network or packet sniffer.

password spraying   A type of brute-force technique in which an attacker tries a single password against a system, and then iterates through multiple systems on a network using the same password.

patch management   The process by which fixes to software vulnerabilities are identified, tested, applied, validated, and documented.

patching   The application of a fix to a software defect.

Payment Card Industry Data Security Standard (PCI DSS)   A global standard for protecting stored, processed, or transmitted payment card information.

penetration test   The process of simulating attacks on a network and its systems at the request of the owner or senior management for the purpose of measuring an organization’s level of resistance to those attacks and to uncover any exploitable weaknesses within the environment.

personal health information (PHI)   Information that relates to an individual’s past, present, or future physical or mental health condition.

personally identifiable information (PII)   Information, such as Social Security number or biometric profile, that can be used to distinguish an individual’s identity.

phishing   The use of fraudulent e-mail messages to induce recipients to provide sensitive information or take actions that could compromise their information systems; a form of social engineering.

physical control   A safeguard that deters, delays, prevents, detects, or responds to threats against physical property.

Platform as a Service (PaaS)   A cloud computing model in which a service provider offers cloud-based platforms on which customers can either use preinstalled applications or install and run their own.

Public Key Infrastructure (PKI)   A framework of programs, procedures, communication protocols, and public key cryptography that enables a diverse group of individuals to communicate securely.

real-time operating system (RTOS)   An operating system designed to provide low-latency responses on input, usually used in vehicle electronics, manufacturing hardware, and aircraft electronics.

red team   A group that acts as adversaries during a security assessment or exercise.

regression testing   The formal process by which code that has been modified is tested to ensure that no features and security characteristics were compromised by the modifications.

regulatory environment   An environment in which the way an organization exists or operates is controlled by laws, rules, or regulations put in place by a formal body.

remediation   The application of security controls to a known vulnerability to reduce its risk to an acceptable level.

Remote Authentication Dial-In User Service (RADIUS)   An authentication, authorization, and accounting (AAA) remote access protocol.

representational state transfer (REST)   A software architectural style that defines a set of constraints to be used for creating web services.

reverse engineering   The process of deconstructing something in order to discover its features and constituents.

risk   The possibility of damage to or loss of any information system asset, as well as the ramifications should this occur.

risk acceptance   The decision that the potential loss from a risk is not severe enough to warrant spending resources to avoid it.

risk appetite   The amount of risk that senior executives are willing to assume.

rootkit   A typically malicious software application that interferes with the normal reporting of an operating system, often by hiding specific resources such as files, processes, and network connections.

sandbox   A type of control that isolates processes from the operating system to prevent security violations.

sanitization   The process by which access to data on a given medium is made infeasible for a given level of effort.

Security Assertion Markup Language (SAML)   An open standard for exchanging authentication and authorization data between parties, specifically, between an identity provider and a service provider.

Security Content Automation Protocol (SCAP)   A protocol developed by NIST for the assessment and reporting of vulnerabilities in the information systems of an organization.

security information and event management (SIEM)   A software product that collects, aggregates, analyzes, reports, and stores security information.

security policy   An overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization or that dictates mandatory requirements for a given aspect of security.

service-oriented architecture (SOA)   A set of interconnected but self-contained software components that communicate with each other and with their clients through standardized protocols called application program interfaces.

session hijacking   A class of attacks by which an attacker takes advantage of valid session information, often by stealing and replaying it.

Simple Object Access Protocol (SOAP)   An SOA messaging protocol that uses XML over HTTP to enable clients to invoke processes on a remote host in a platform-agnostic way.

single sign-on (SSO)   An authentication mechanism that enables a user to log in once with a single set of credentials and gain access to multiple related but separate systems.

social engineering   The manipulation of people with the intent of deceiving or persuading them to take actions that they otherwise wouldn’t take, and that typically involve a violation of a security policy or procedures.

Software as a Service (SaaS)   A software distribution model in which a service provider hosts applications for customers and makes them available to customers via the Internet.

software-defined networking (SDN)   A network architecture in which software applications are responsible for deciding how best to route data (the control layer) and then for actually moving those packets around (the data layer).

spear phishing   Phishing attempts directed at a specific individual or group.

static code analysis   A technique that is meant to help identify software defects or security policy violations and is carried out by examining the code without executing the program.

stress test   A test that places extreme demands that are well beyond the planning thresholds of the software in an effort to determine how robust it is.

Structured Threat Information eXpression (STIX)   A standardized language for conveying data about cybersecurity threats in a way that can be easily understood by humans and security technologies.

supervisory control and data acquisition (SCADA) system   A system for remotely monitoring and controlling physical systems such as power and manufacturing plants over large geographic regions.

symmetric cryptography   A cryptosystem that uses the same shared secret key for both encryption and decryption.

syslog   A popular protocol used to communicate event messages.

system on a chip (SoC)   The integration of software and hardware onto a single integrated circuit and a processor, similar to microcontrollers but usually involving more complicated circuitry.

technical control   A software or hardware tool used to restrict access to objects; also known as a logical control.

Terminal Access Controller Access Control System (TACACS)   An authentication, authorization, and accounting (AAA) remote access protocol.

trend analysis   The study of patterns over time in order to determine how, when, and why they change.

Trusted Automated eXchange of Indicator Information (TAXII)   An application protocol that defines how cyber threat intelligence, specifically that formatted in accordance with the STIX standard, may be shared among participating partners.

trusted foundry   An organization capable of developing prototype- or production-grade microelectronics in a manner that ensures the integrity of its products.

Trusted Platform Module (TPM)   A system on a chip installed on the motherboard of modern computers that is dedicated to carrying out security functions involving the storage of cryptographic keys and digital certificates, symmetric and asymmetric encryption, and hashing.

Unified Extensible Firmware Interface (UEFI)   A software interface standard that describes the way in which firmware executes its tasks.

virtual desktop infrastructure (VDI)   A virtualization technology that separates the physical devices that the users are touching from the systems hosting the desktops, applications, and data, typically resulting in a thin client environment.

virtual private network (VPN)   A system that connects two or more devices that are physically part of separate networks and enables them to exchange data as if they were connected to the same local area network.

vulnerability   A flaw in an information system that can enable an adversary to compromise the security of that system.

whaling   Spear phishing aimed at high-profile targets such as executives.

white team   The group of people who plan, document, assess, or moderate a training exercise.

write blocker   A device that prevents modifications to a storage device while its contents are being acquired.

zero-day   A vulnerability or exploit that is unknown to the broader community of software developers and security professionals.
