The world of security has terms that are all its own in the grander landscape of information technology. Below is a collection of key terms, phrases, acronyms, and concepts that should be firmly emblazoned on every practitioner’s mind.
API: Application Programming Interface (API) allows inter-application communication. In essence, an API is the messenger between two applications. It’s a popular method for access to structured data sources via URL (e.g. REST or SOAP API). Internet-facing APIs can prove vulnerable if not properly secured.
APTs: Advanced Persistent Threats (APT) are specialized, complex, prolonged attack campaigns to establish long-term access in a network. APTs usually have financial backing, often from a political power, to employ a team of cybercriminals to infiltrate the target network.
Availability: The ensured accessibility of a system, application, and/or data when needed by an authorized user is known as availability and is one of the three principles in the CIA Triad.
Azure: Microsoft Azure is a cloud platform and portal that allows companies to manage Microsoft cloud services. Azure is a PaaS (Platform-as-a-Service) and provides the hardware, software, and infrastructure needed by a company, often used instead of or in conjunction with an on-premises platform.
BYOD connections: Bring-Your-Own-Devices refers to the use of personal devices to access work-related network, systems, and/or data. Such connections can be difficult to secure because personal application use cannot be controlled or restricted.
Cloud: Cloud technology refers to servers and services accessed via the internet instead of on a local computer. These servers are in remote data centers and allow users to access files and applications from any device. Companies who use cloud technology remove the need to manage their own physical servers and applications, which can cut costs. Cloud servers also offer flexibility on deployments, because configurations can be created and deleted without extra cost or trouble.
Comm ports: A communication port (COM or COMM port) is a two-way serial (bit-stream) connection. It is a way for a computer to communicate with devices like mouses, keyboards, printers, etc.
Command and Control Server: Also called C&C or C2, is a server that acts as a control hub for any kind of malware that is designed to respond to remote control. This allows attackers or botnet managers to issue instructions after the malware has been deployed instead of hardcoding it, allow for greater flexibility with actions and timing.
Compromise: Also known as a security breach, a compromise is when sensitive data has been released or exposed to unauthorized people, whether intentionally or unintentionally.
Confidentiality: The protection against unauthorized viewing and/or access to data and information is referred to as confidentiality. Confidentiality is one of the three principles in the CIA Triad.
Container: This technology packages all the dependencies and processes needed to run an application so that it can be moved as one unit to any infrastructure without issue.
Crypto mining: Crypto, short for cryptocurrency, refers to a type of digital currency that relies on decentralized control and a distributed public ledger called a blockchain. Bitcoin is a type of cryptocurrency. Crypto miners validate the crypto transactions to ensure users cannot spend the same cryptocurrency twice. The validation process requires a high amount of computing power and does not always result in a reward.
Cryptojacking: Associated with crypto mining and is when an adversary hacks into a computer or mobile device to install software that steals the computer’s resources to mine for crypto or to steal crypto wallets.
Cyber Hygiene: Everyday basic routines and practices to maintain a base level of security. Practices like proper asset inventory, complex passwords, regular software updates and data backups, tight control of admin privileges, vulnerability management, and incident response plans are a few examples of what good cyber hygiene looks like.
DevOps: Development Operations (DevOps) is a hybrid practice of development and IT concerned with systematically and reliably building and deploying software from an uncompiled source code to a product running in a production environment. It is rooted in a continuous iteration philosophy which uses automation techniques to reduce errors and achieve consistently reproducible deployments. A variation called DevSecOps augments the process with the addition of security controls and auditing, preferably earlier in the software development lifecycle.
EDR: Endpoint Detection and Response, or EDR, is an automated security solution that uses front-line threat intel to analyze and react to endpoint data.
Endpoint Protection Platform: Like EDR, EPP monitors endpoint security. Unlike EDR, EPP does not have the capability to analyze and react to the endpoint data. EPP detects and stops threats using technologies like antivirus, data encryption, intrusion prevention, and data loss prevention.
Endpoint: In cybersecurity, an endpoint is a computing device that communicates remotely with a corresponding network. Examples include laptops, desktops, tablets, phones, servers, etc.
File-less threats: Not all infections require a file to be first downloaded onto the system. Fileless threats use legitimate files to indirectly to enact malicious commands. Because the files are legitimate or aren’t usable to verify the threat, fileless threats are difficult to detect and remove.
Firewall: Either hardware, software, or both, a firewall is a barrier between secured internal networks and external, public networks. Based on certain security rulesets, the firewall monitors and either allows or blocks specific incoming and outgoing traffic on the network.
Honeypot: Servers set up to lure adversaries into a system to study real hacking attempts are called honeypot servers. These servers are specifically made to appear vulnerable while not actually containing sensitive data and while being monitored.
Impossible Login: Impossible Login refers to unusual user activity between two locations, like if the same user logs in to their account in California and then in New York an hour later. VPNs can often result in false positives for this rule.
Information security: The methodologies designed to protect confidential or sensitive data from unauthorized access or use, particularly electronic data but also print data, is known as information security. The three principles of information security, the CIA Triad, includes: confidentiality, integrity, and availability.
Integrated log management: The difference between log management systems and SIEMs is a matter of focus. SIEMs focus on security while log management systems focus on the collection of log data. An integrated log management system combines the two focuses.
Internet Content Adaptation Protocol (ICAP): a lightweight HTTP-like protocol used to extend transparent proxy servers. ICAP is generally used to implement virus scanning and content filters in transparent HTTP proxy caches.
Kill chain: The cyber kill chain is a series of steps, derived from a military model, which traces the stages of an attack from early reconnaissance to the final objective, often exfiltration of data or extortion.
Location-based attacks: These attacks are defined by how the adversary targets their victims. More often, geo-malware or regionalized email attacks are being used to refine attack content to make the attack more profitable and/or believable.
Log data: A log file is generated by a computer and records activity, operations, and usage of a device, like a system, application, or server. The data contained in a log file is raw, unfiltered data.
Malware: Software designed to steal, damage, or destroy data and computer systems is referred to as malware. A virus, discussed earlier, is a type of malware.
Managed Detection & Response MORE: MDR is a service that provides customers with a group of security specialists and engineers responsible for 24/7 monitoring, analyzing, and responding to security events. MDR often includes services like threat hunting and incident response.
Monitoring: The gathering of metrics of an environment to review and assess its functions and security is referred to as monitoring. These metrics are usually log data.
Multifactor Authentication (MFA): An authentication method is based on something you know, something you have, or something you are. An authentication method requiring more than one of these is known as multifactor authentication. Thus, using a password and a code sent to an authenticating app on a mobile device to gain access to a system is multifactor authentication.
Phishing MORE: The use of deceptive internet communication (such as email, Facebook message, etc.) to get the victim to voluntarily reveal confidential information (like login credentials) is a form of social engineering called phishing. According to Cisco Umbrella’s 2021 Threat Report, phishing accounts for 90% of data breaches.
Privacy: Data privacy refers to a party’s understanding of their data’s confidentiality, how it’s collected, used, disseminated, and/or protected.
Privileged Access Management (PAM) MORE: In contrast to a standard user and their access in an environment, a user with privileged access is designated with special access or permissions that a normal user does not have. Both human and non-human users can have privileged access. Privileged Access Management (PAM) is a solution to proxy usage of privileged accounts so that no single real user account can become a vulnerability if compromised.
Processing integrity: The assurance that the system’s data is authorized, whole, and correct, that is has remained unaltered unless authorized, is processing integrity.
Pseudocode: A text-based programming language meant to describe algorithms and steps in a human-readable form.
Ransomware: A type common type of attack method uses malicious software designed to block access to a computer system and/or its confidential data until a ransom is paid. The most common type of ransomware encrypts the victim files and then demands payment to restore access to the data. If the ransom is not paid, the data is lost. Often, the ransomware infects the system via a phishing email attachment.
Remote Code Execution (RCE): Exploitation of a vulnerability that allows an attacker to execute arbitrary code on a remote device. These include Injection attacks, Deserialization attacks, and Out-of-Bounds memory writes. Executing code on a remote device is an effective way to gain further access or deploy malware, rootkits, etc.
SaaS: Software-as-a-service, or SaaS, is software hosted and maintained by a third-party made available to customers via the internet. Examples include Slack, Amazon Web Services, Microsoft 365, Box, Google Apps, DocuSign, etc.
SASE more: Now that data, services, applications, users etc. are no longer tied solely to a location, the Secure Access Service Edge (SASE) framework adapts to a cloud-based platform that combines security and network connectivity technologies and places networking and network security controls as close to the user as possible.
Shifting Security Left: An initiative to introduce security controls and practices into the software development lifecycle earlier, versus the conventional approach of post-development review during testing.
SIT: Sensitive Information Types, or SITs, are pattern-based classifiers used in configuration of policies and labels in DLP tools. They detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items.
SIEM MORE: Security Information and Event Management , or SIEM, software provides a view of an entire IT security infrastructure by collecting, aggregating, and analyzing log and event data from applications, devices, networks, systems, etc.
Single-factor authentication: An authentication factor is based on something you know, something you have, or something you are. Thus, a method of authentication using only one of those authentication factors is considered single-factor authentication. Using only a password to authenticate to gain access to a system is single-factor authentication.
SOC: A security operations center (SOC) is a dedicated team of security analysts who often monitor multiple customer environments 24/7 for threats. A SOC analyzes, detects, and responds to threats in an environment’s activity in real time.
Supply Chain Attack MORE: A contrived attack method that aims to compromise an ultimate target by first compromising less secure and more easily compromised software packages or libraries. This can be leveraged to add backdoors, vulnerabilities, or remote trojans that the attacker can execute once it’s been packaged or released to the target.
Third-party sites: Websites created by a developer who isn’t the owner of the website using its service is considered a third-party website. PayPal is an example of a third-party site. Third-party sites have a higher rate of being dangerous, but most websites, particularly social media sites, use third-party sites to gather information on users.
Trojan: A type of malware, a trojan virus refers to malicious software disguised as legitimate, much like its Greek myth namesake. Trojans allow adversaries to steal data and gain backdoor access into the target system.
TTPs: Tactics, Techniques, and Procedures (TTPs) identify the tools and patterns a specific threat actor group generally uses in their attacks. With a known related TTP, it is easier to identify other vectors or types of data to look for.
Virus: A computer virus refers to malicious code secretly loaded onto a victim computer that can then self-replicate, infect, and act in an environment. Often destructive, viruses can corrupt, destroy, or move sensitive data if not detected.
VPN: When connecting to the internet from a device using a virtual private network (VPN), the connection is encrypted, which increases the security of any transmitted data. The VPN also hides the device’s IP address by threading the secure connection through a server in another location.
Zero Trust: In contrast to a traditional security model that allows anything inside the network some measure of inherited permissions or authentication based purely on network topology, the Zero Trust model requires all users or devices inside and outside the network perimeter to be and continuously authenticated, authorized, and validated for every action.