The first step in protecting yourself is knowledge. Enclosed are a list of definitions to help educate you.
- Administrative Controls – Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.
- Application Programming Interface (API) – A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.
- Application Server – A computer responsible for hosting applications to user workstations. NIST SP 800-82 Rev.2
- Artificial Intelligence (AI) – The ability of computers and robots to simulate human intelligence and behavior.
- Asset – Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
- Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. NIST SP 1800-15B
- Authentication – Access control process validating that the identity being claimed by a user.
- Authorization – The right or a permission that is granted to a system entity to access a system resource. NIST 800-82 Rev.2
- Availability – Ensuring timely and reliable access to and use of information by authorized users.
- Biometric – Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.
- Bot – Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.
- Breach – The loss of control, compromise, unauthorized disclosure, unauthorized acquisition or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose. Source: NIST SP 800-53 Rev. 5
- Business Continuity (BC) – Actions, processes and tools for ensuring an organization can continue critical operations during a contingency.
- Business Continuity Plan (BCP) – The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.
- Ciphertext – The altered form of a plaintext message so it is unreadable for anyone except the intended recipients. In other words, it has been turned into a secret.
- Classification – Classification identifies the degree of harm to the organization, its stakeholders or others that might result if an information asset is divulged to an unauthorized person, process or organization. In short, classification is focused first and foremost on maintaining the confidentiality of the data, based on the data sensitivity.
- Classified or Sensitive Information – Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.
- Cloud Computing – A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST 800-145
- Confidentiality – The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes. NIST 800-66
- Configuration Management – A process and discipline used to ensure that the only changes made to a system are those that have been authorized and validated.
- Criticality – A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. NIST SP 800-60 Vol. 1, Rev. 1
- Cryptography – The study or applications of methods to secure or protect the meaning and content of messages, files, or other information, usually by disguise, obscuration, or other transformations of that content and meaning.
- Data Integrity – The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit. Source: NIST SP 800-27 Rev A
- Data Loss Prevention (DLP) – System capabilities designed to detect and prevent the unauthorized use and transmission of information.
- Decryption – Using algorithms to turn ciphertext, or coded, unreadable text, into plaintext, or readable text. Also called deciphering.
- Defense in Depth – Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. Source: NIST SP 800-53 Rev 4
- Denial-of-Service (DoS) – The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) Source: NIST SP 800-27 Rev A
- Digital Signature – The result of a cryptographic transformation of data which, when properly implemented, provides the services of origin authentication, data integrity, and signer non-repudiation. NIST SP 800-12 Rev. 1
- Disaster Recovery (DR) – In information systems terms, the activities necessary to restore IT and communications services to an organization during and after an outage, disruption or disturbance of any kind or scale.
- Disaster Recovery Plan (DRP) – The processes, policies and procedures related to preparing for recovery or continuation of an organization’s critical business functions, technology infrastructure, systems and applications after the organization experiences a disaster. A disaster is when an organization’s critical business function(s) cannot be performed at an acceptable level within a predetermined period following a disruption.
- Domain Name Service (DNS) – This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.
- Egress Monitoring – Monitoring of outgoing network traffic.
- Encrypt – To protect private information by putting it into a form that can only be read by people who have permission to do so.
- Encryption – The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering.
- Encryption System – The total set of algorithms, processes, hardware, software, and procedures that taken together provide an encryption and decryption capability.
- Exploit - A particular attack. It is named this way because these attacks exploit system vulnerabilities.
- File Transfer Protocol (FTP) – The internet protocol (and program) used to transfer files between hosts.
- Firewalls – Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.
- Governance – The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles and procedures the organization uses to make those decisions.
- Hardening – A reference to the process of applying secure configurations (to reduce the attack surface) and locking down various hardware, communications systems, and software, including operating system, web server, application server, application, etc. Hardening is normally performed based on industry guidelines and benchmarks, such as those provided by the Center for Internet Security (CIS).
- Hardware – The physical parts of a computer and related devices.
- Health Insurance Portability and Accountability Act (HIPAA) – This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individual’s health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities. Est. 1996.
- Hybrid Cloud – A combination of public cloud storage and private cloud storage where some critical data resides in the enterprise’s private cloud while other data is stored and accessible from a public cloud storage provider.
- Impact – The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.
- Incident – An event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits.
- Incident Response (IR) – The mitigation of violations of security policies and recommended practices. Also known as Incident Handling. Source: NIST SP 800-61 Rev 2.
- Insider Threat – An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. NIST SP 800-32
- Institute of Electrical and Electronics Engineers (IEEE) – IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.
- International Organization of Standards (ISO) – The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.
- Internet Protocol (IPv4) – Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks. CNSSI 4009-2015
- Intrusion - A security event, or combination of security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization. Source: IETF RFC 4949 Ver 2
- iOS – An operating system manufactured by Apple Inc. Used for mobile devices.
- Layered Defense – The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.
- Linux – An operating system that is open source, making its source code legally available to end users.
- Logging – Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks. NIST SP 1800-25B.
- Man-in-the-Middle – An attack where the adversary positions himself in between the user and the system so that he can intercept and alter data traveling between them. Source: NISTIR 7711
- Multi-Factor Authentication – Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
- National Institutes of Standards and Technology (NIST) – The NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Divisions.
- Non-repudiation – The inability to deny taking an action such as creating information, approving information, and sending or receiving a message.
- Operating System – The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, always resides in memory. The operating system sets the standards for all application programs (such as the Web server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations. NIST SP 800-44 Version 2
- Patch – A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component. Source: ISO/IEC 19770-2
- Payload – The primary action of a malicious code attack.
- Payment Card Industry Data Security Standard (PCI DSS) – An information security standard administered by the Payment Card Industry Security Standards Council that applies to merchants and service providers who process credit or debit card transactions.
- Personally Identifiable Information (PII) – The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.”
- Physical Controls – Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks. Also known as Physical Access Controls.
- Plaintext – A message or data in its natural format and in readable form; extremely vulnerable from a confidentiality perspective.
- Privacy – The right of an individual to control the distribution of information about themselves.
- Private Cloud – A cloud computing platform that is implemented within the corporate firewall, under the control of the IT department. A private cloud is designed to offer the same features and benefits of cloud systems, but removes a number of objections to the cloud computing model, including control over enterprise and customer data, worries about security, and issues connected to regulatory compliance.
- Principle of Least Privilege – The principle that users and programs should have only the minimum privileges necessary to complete their tasks. NIST SP 800-179
- Privileged Account – An information system account with approved authorizations of a privileged user. NIST SP 800-53 Rev. 4
- Protected Health Information (PHI) – Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).
- Protocols – A set of rules (formats and procedures) to implement and control some type of association (that is, communication) between systems. NIST SP 800-82 Rev. 2
- Public Cloud – The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. NIST SP 800-145
- Ransomware – A type of malicious software that locks the computer screen or files, thus preventing or limiting a user from accessing their system and data until money is paid.
- Records – The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on items). NIST SP 800-53 Rev. 4
- Records Retention – A practice based on the records life cycle, according to which records are retained as long as necessary, and then are destroyed after the appropriate time interval has elapsed.
- Risk Assessment – The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
- Risk Mitigation – Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.
- Risk Transference – Paying an external party to accept the financial impact of a given risk.
- Security Controls – The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. Source: FIPS PUB 199
- Security Governance – The entirety of the policies, roles and processes the organization uses to make security decisions in an organization.
- Segregation of Duties – The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties.
- Sensitivity – A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. Source: NIST SP 800-60 Vol 1 Rev 1
- Simple Mail Transport Protocol (SMTP) – The standard communication protocol for sending and receiving emails between senders and receivers.
- Single-Factor Authentication – Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested.
- Social Engineering – Tactics to infiltrate systems via email, phone, text, or social media, often impersonating a person or agency in authority or offering a gift. A low-tech method would be simply following someone into a secure building.
- Software – Computer programs
- Software as a Service (SaaS) – The cloud customer uses the cloud provider’s applications running within a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Derived from NIST 800-145
- Spoofing – Faking the sending address of a transmission to gain illegal entry into a secure system. CNSSI 4009-2015
- Technical Controls – The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
- Threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service. Source: NIST SP 800-30 Rev 1
- Threat Actor – An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
- Threat Vector – The means by which a threat actor carries out their objectives.
- Token – A physical object a user possesses and controls that is used to authenticate the user’s identity. NISTIR 7711
- Transport Control Protocol/Internet Protocol (TCP/IP) Model – Internetworking protocol model created by the IETF, which specifies four layers of functionality: Link layer (physical communications), Internet Layer (network-to-network communication), Transport Layer (basic channels for connections and connectionless exchange of data between hosts), and Application Layer, where other protocols and user applications programs make use of network services.
- Unix – An operating system used in software development.
- Virtual Local Area Network (VLAN) – A logical group of workstations, servers, and network devices that appear to be on the same LAN despite their geographical distribution.
- Virtual Private Network (VPN) – A virtual private network, built on top of existing networks, that can provide a secure communications mechanism for transmission between networks.
- Vulnerability – Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source. Source: NIST SP 800-128
- Web Server - A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web server software, and Web site content (Web pages). If the Web server is used internally and not by the public, it may be known as an “intranet server.” NIST SP 800-44 Version 2
- Wireless Area Network (WLAN) – A group of computers and devices that are in the same vicinity, forming a network based on radio transmissions rather than wired connections. A Wi-Fi network is a type of WLAN.
- Zero Day - A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.