active attack—An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data, or its operations.
active content—Software that is able to automatically carry out or trigger actions without the explicit intervention of a user.
Advanced Persistent Threat—An adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.
air gap—To physically separate or isolate a system from other systems or networks (verb). Also, the physical separation or isolation of a system from other systems or networks (noun).
antispyware software—A program that specializes in detecting and blocking or removing forms of spyware.
antivirus software—A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents, sometimes by removing or neutralizing the malicious code.
assumption of breach—A policy that assumes that sensitive information and resources have already been accessed by unauthorized parties, and that plans detection, containment, and recovery accordingly rather than relying on perimeter defenses alone.
attack signature—A characteristic or distinctive pattern that can be searched for or that can be used in matching to previously identified attacks.
attack surface—The set of ways in which an adversary can enter a system and potentially cause damage.
authentication—The process of verifying the identity or other attributes of an entity (user, process, or device). Also the process of verifying the source and integrity of data.
authenticity—A property achieved through cryptographic methods of being genuine and being able to be verified and trusted, resulting in confidence in the validity of a transmission, information or a message, or sender of information or a message.
authorization—A process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. Also, the process or act of granting access privileges or the access privileges as granted.
behavior monitoring—Observing activities of users, information systems, and processes and measuring the activities against organizational policies and rules, baselines of normal activity, thresholds, and trends.
black hat—A hacker who violates an information system’s security policies with malicious intent or for illegal personal gain.
blacklist—A list of entities that are blocked or denied privileges or access.
Blue Team—A group that defends an enterprise’s information systems when mock attackers (i.e., the Red Team) attack, typically as part of an operational exercise conducted according to rules established and monitored by a neutral group (i.e., the White Team). Also, a group that conducts operational vulnerability evaluations and recommends mitigation techniques to customers who need an independent technical review of their InfoSec posture.
bot—A computer connected to the Internet that has been surreptitiously compromised with malicious logic to perform activities under the command and control of a remote administrator. Also, a member of a larger collection of compromised computers known as a botnet.
bot master—The controller of a botnet that, from a remote location, provides direction to the compromised computers in the botnet.
botnet—A collection of computers compromised by malicious code and controlled across a network.
bug—An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.
ciphertext—Data or information in its encrypted form.
Continuity of Operations Plan—A document that sets forth procedures for the continued performance of core capabilities and critical operations during any disruption or potential disruption.
cracker—A black hat hacker who attempts to gain unauthorized access to a computer system or network.
cryptanalysis—The operations performed in defeating or circumventing cryptographic protection of information by applying mathematical techniques and without an initial knowledge of the key employed in providing the protection.
cryptographic algorithm—A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
cryptography—The use of mathematical techniques to provide security services, such as confidentiality, data integrity, entity authentication, and data origin authentication. Also, the art or science concerning the principles, means, and methods for converting plaintext into ciphertext and for restoring encrypted ciphertext to plaintext.
cryptology—The mathematical science that deals with cryptanalysis and cryptography.
data breach—The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.
data integrity—The property that data is complete, intact, and trusted and has not been modified or destroyed in an unauthorized or accidental manner.
data mining—The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.
decipher—To convert enciphered text to plaintext by means of a cryptographic system.
decode—To convert encoded text to plaintext by means of a code.
decrypt—A generic term encompassing decode and decipher.
decryption—The process of transforming ciphertext into its original plaintext.
denial of service—An attack that prevents or impairs the authorized use of information system resources or services.
digital forensics—The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.
digital rights management—A form of access control technology to protect and manage use of digital content or devices in accordance with the content or device provider’s intentions.
digital signature—A value computed with a cryptographic process using a private key and appended to a data object, thereby digitally signing the data; anyone holding the corresponding public key can verify that the data was signed by the private key holder and has not been altered since.
distributed denial of service—A denial of service technique that uses numerous systems to perform the attack simultaneously.
dynamic attack surface—The automated, on-the-fly changes of an information system’s characteristics to thwart actions of an adversary.
encipher—To convert plaintext to ciphertext by means of a cryptographic system.
encode—To convert plaintext to ciphertext by means of a code.
encrypt—The generic term encompassing encipher and encode.
encryption—The process of transforming plaintext into ciphertext.
enterprise risk management—A comprehensive approach to risk management that engages people, processes, and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization’s ability to achieve its objectives.
exfiltration—The unauthorized release of data from an information system.
exploit—A technique to breach the security of a network or information system in violation of security policy.
failure—The inability of a system or component to perform its required functions within specified performance requirements.
firewall—A hardware/software device or a software program that limits network traffic according to a set of rules of what access is, and is not, allowed or authorized.
grey hat—A hacker whose activities fall somewhere between those of white and black hat hackers in a variety of practices. The name reflects that ambiguity: such people sometimes act illegally, though in good faith, to identify vulnerabilities in an information system.
hack—To access, or attempt to access, an information system using inventive, novel or unconventional methods (verb). Also, an inelegant but effective solution to a computing problem (noun).
hacker—A person who accesses, or attempts to access, an information system using inventive, novel or unconventional methods. Also, a person who is an expert at computer programming and solving problems utilizing IT resources.
hash value—A numeric value resulting from applying a mathematical algorithm against a set of data such as a file.
hashing—A process of applying a mathematical algorithm against a set of data to produce a numeric value (a hash value) that represents the data.
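The hash value and hashing entries above, together with the data integrity entry, describe a mechanism that is easier to trust once seen working. The Go program below is an added example written for this glossary, not code from the glossary's source: it computes a SHA-256 hash value, checks stored data against it, and then shows the caveat a practitioner needs, namely that an unkeyed hash detects accidental corruption but not deliberate tampering, because the attacker simply recomputes it. A keyed message authentication code (HMAC-SHA256, a use of a symmetric key) closes that gap. The sample record and the shared key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HashHex returns the SHA-256 hash value of data as lowercase hex.
func HashHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyHash reports whether data still matches a previously recorded hash value.
// This catches accidental corruption, but an attacker who can modify the data
// can just as easily recompute the unkeyed hash and replace the recorded value.
func VerifyHash(data []byte, expectedHex string) bool {
	return hmac.Equal([]byte(HashHex(data)), []byte(expectedHex))
}

// MACHex returns the HMAC-SHA256 message authentication code of data under key, as hex.
// The key is a shared secret (symmetric key): the same key creates and verifies the code.
func MACHex(key, data []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyMAC recomputes the code and compares it in constant time.
func VerifyMAC(key, data []byte, expectedHex string) bool {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return hmac.Equal(m.Sum(nil), expected)
}

func main() {
	// Constructed sample data: a stored record and an attacker's altered copy.
	original := []byte("transfer 100 to alice\n")
	tampered := []byte("transfer 900 to alice\n")
	// Assumption: the two communicating parties were given this key out of band.
	key := []byte("shared-secret-provisioned-out-of-band")

	digest := HashHex(original)
	fmt.Println("hash check, original:", VerifyHash(original, digest)) // true
	fmt.Println("hash check, tampered:", VerifyHash(tampered, digest)) // false
	// The attacker simply recomputes the hash over the tampered data: the check passes.
	fmt.Println("hash check, tampered + recomputed hash:", VerifyHash(tampered, HashHex(tampered))) // true

	tag := MACHex(key, original)
	fmt.Println("MAC check, original:", VerifyMAC(key, original, tag)) // true
	fmt.Println("MAC check, tampered:", VerifyMAC(key, tampered, tag)) // false
	// Without the key the attacker cannot produce a code that verifies.
	fmt.Println("MAC check, tampered + guessed key:", VerifyMAC(key, tampered, MACHex([]byte("guess"), tampered))) // false
}
```

Both comparisons go through hmac.Equal rather than == so that the time taken does not leak how many leading bytes matched.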
incident—An occurrence that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
incident management—The management and coordination of activities associated with an actual or potential occurrence of an event that may result in adverse consequences to information or information systems.
incident response—The activities that address the short-term, direct effects of an incident and may also support short-term recovery.
incident response plan—A set of predetermined and documented procedures to detect and respond to an incident.
information assurance—The measures that protect and defend information and information systems by ensuring their availability, integrity, and confidentiality.
information security—(“InfoSec”) The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. It is a general term that applies regardless of the form the data takes (electronic, physical, etc.).
information security policy—An aggregate of directives, regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information.
information system resilience—The ability of an information system to: (1) continue to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (2) recover effectively in a timely manner.
information technology (IT)—Any equipment or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information.
inside(r) threat—A person or group of persons within an organization who pose a potential risk by violating security policies.
integrated risk management—The structured approach that enables an enterprise or organization to share risk information and risk analysis and to synchronize independent yet complementary risk management strategies to unify efforts across the enterprise.
integrity—The property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner.
intrusion—An unauthorized act of bypassing the security mechanisms of a network or information system.
intrusion detection—The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.
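The attack signature and intrusion detection entries describe matching observed activity against distinctive patterns of known attacks. The Go program below is an added example for this glossary, not code from any real intrusion detection product: it holds three constructed signatures, extracts the request target from constructed web access log lines, percent-decodes it, and reports which signatures fire. The decoding step is the practitioner's caveat: a signature applied to the raw line misses an encoded copy of the same payload, and a single decode still misses double encoding, which is one reason signature-based detection is never complete on its own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Signature is a named, distinctive pattern drawn from previously identified attacks.
type Signature struct {
	Name    string
	Pattern *regexp.Regexp
}

// Constructed example signatures, far smaller than a real IDS rule set.
var signatures = []Signature{
	{"path-traversal", regexp.MustCompile(`\.\.[/\\]`)},
	{"sqli-tautology", regexp.MustCompile(`(?i)'\s*or\s+'?1'?\s*=\s*'?1`)},
	{"command-injection", regexp.MustCompile(`[;|]\s*(cat|sh|bash|wget|curl)\b`)},
}

// requestRe pulls the request target out of a combined-format access log line.
var requestRe = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/`)

// Normalize percent-decodes the request target so that an encoded payload such as
// %2e%2e%2f is matched by the same signature as a literal "../". Double encoding
// (%252e) still slips past this single decode.
func Normalize(target string) string {
	decoded, err := url.PathUnescape(target)
	if err != nil {
		return target // malformed escape sequence: fall back to the raw form
	}
	return decoded
}

// MatchLine returns the names of every signature that matches one log line,
// or nil if the line carries no request or matches nothing.
func MatchLine(line string) []string {
	m := requestRe.FindStringSubmatch(line)
	if m == nil {
		return nil
	}
	target := Normalize(m[1])
	var hits []string
	for _, s := range signatures {
		if s.Pattern.MatchString(target) {
			hits = append(hits, s.Name)
		}
	}
	return hits
}

func main() {
	// Constructed access log lines; the client addresses are from documentation ranges.
	lines := []string{
		`203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512`,
		`203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1024`,
		`198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024`,
		`198.51.100.9 - - [10/Oct/2023:13:56:15 +0000] "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 300`,
		`198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "GET /ping?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 500 88`,
	}
	for _, line := range lines {
		fmt.Printf("%v\t%s\n", MatchLine(line), line)
	}
}
```

The first line produces no hits; the second and third both fire path-traversal, which is the point of normalizing before matching.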
key—The numerical value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.
key pair—A public key and its corresponding private key. Also, two mathematically related keys having the property that one key can be used to encrypt a message that can only be decrypted using the other key.
keylogger—Software or hardware that tracks keystrokes and keyboard events, usually surreptitiously, to monitor actions by the user of an information system.
least privilege—A policy which requires that in a particular abstraction layer of a computing environment, every process, user or program is permitted to access only the information and resources that are necessary for its legitimate purpose and nothing more.
macro virus—A type of malicious code that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute, replicate, and spread or propagate itself.
malicious applet—A small application program that is automatically downloaded and executed and that performs an unauthorized function on an information system.
malicious code—Program code intended to perform an unauthorized function or process that will have an adverse impact on the confidentiality, integrity, or availability of an information system. Includes software, firmware, and scripts.
malicious logic—Hardware, firmware, or software that is intentionally included or inserted in a system to perform an unauthorized function or process that will have an adverse impact on the confidentiality, integrity, or availability of an information system.
malware—Software that compromises the operation of a system by performing an unauthorized function or process.
mitigation—The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
moving target defense—The presentation of a dynamic attack surface, increasing an adversary’s work factor necessary to probe, attack, or maintain presence in a target.
network resilience—The ability of a network to: (1) provide continuous operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged); (2) recover effectively if failure does occur; and (3) scale to meet rapid or unpredictable demands.
non-repudiation—A property achieved through cryptographic methods to protect against an individual or entity falsely denying having performed a particular action related to data.
operational exercise—An action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.
outside(r) threat—A person or group of persons external to an organization who are not authorized to access its assets and pose a potential risk to the organization and its assets.
passive attack—An actual assault perpetrated by an intentional threat source that attempts to learn about or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations.
password—A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.
payload—Code which is delivered to a compromised system and executed.
pen test—A colloquial term for penetration test or penetration testing.
penetration testing—An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system.
Personal Identifying Information / Personally Identifiable Information—The information that permits the identity of an individual to be directly or indirectly inferred.
phishing—A digital form of social engineering designed to deceive individuals into providing sensitive information.
private key—A cryptographic key that must be kept confidential and is used to enable the operation of an asymmetric (public key) cryptographic algorithm.
public key—A cryptographic key that may be widely published and is used to enable the operation of an asymmetric (public key) cryptographic algorithm.
public key cryptography—A branch of cryptography in which a cryptographic system or algorithms use two uniquely linked keys: a public key and a private key (a key pair).
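The digital signature, key pair, non-repudiation, private key, public key, and public key cryptography entries all describe the same mechanism from different angles. The Go program below is an added example for this glossary, not code from the glossary's source: one party generates an Ed25519 key pair, signs a message with the private key, and anyone holding the public key verifies it. It then shows the three failures a verifier must reject: an altered message, a signature produced under a different private key, and verification against the wrong public key. The message and the party names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one key pair. The private key never leaves the signer;
// the public key may be published to anyone who needs to verify signatures.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair from the system's secure randomness.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign computes the digital signature over msg with the private key.
// In practice the signature is appended to, or sent alongside, msg.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.private, msg)
}

// Verify checks a signature against msg using only the public key.
// The length checks come first because ed25519.Verify panics on a malformed public key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed message: a release manifest line that downstream users must be able to trust.
	msg := []byte("release 1.4.2 built 2024-05-01")
	sig := alice.Sign(msg)

	fmt.Println("genuine message, Alice's public key:", Verify(alice.Public, msg, sig)) // true
	fmt.Println("altered message:", Verify(alice.Public, []byte("release 1.4.3 built 2024-05-01"), sig)) // false

	// Mallory has her own key pair but cannot produce a signature that verifies under Alice's public key.
	mallory, err := NewSigner()
	if err != nil {
		panic(err)
	}
	fmt.Println("Mallory's signature, checked with Alice's key:", Verify(alice.Public, msg, mallory.Sign(msg))) // false
	fmt.Println("Alice's signature, checked with Mallory's key:", Verify(mallory.Public, msg, sig))          // false
}
```

Non-repudiation follows from the first and third checks together: a signature that verifies under Alice's public key could only have been produced with Alice's private key, so the claim holds exactly as long as that private key has never been disclosed.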
Public Key Infrastructure—A framework consisting of standards and services to enable secure, encrypted communication and authentication over potentially insecure networks such as the Internet.
Red Team—A group authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s InfoSec posture.
Red Team exercise—An exercise, reflecting real-world conditions, that is conducted as a simulated attempt by an adversary to attack or exploit vulnerabilities in an enterprise’s information systems.
redundancy—Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process.
risk assessment—The appraisal of the risks facing an entity, asset, system, or network, organizational operations, individuals, geographic area, other organizations, or society, and includes determining the extent to which adverse circumstances or events could result in harmful consequences.
rootkit—A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools.
secret key—A cryptographic key that is used for both encryption and decryption, enabling the operation of a symmetric key cryptography scheme; every party that shares it must keep it confidential. Also, shorthand for a cryptographic algorithm that uses a single key (i.e., a secret key) for both encryption of plaintext and decryption of ciphertext.
shoulder surfing—Using direct observation techniques, such as looking over someone’s shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and similar data.
situational awareness—In InfoSec, comprehending the current status and security posture with respect to availability, confidentiality, and integrity of networks, systems, users, and data, as well as projecting future states of these.
spam—The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
spyware—Surreptitiously installed software that gathers information about a person or organization without their knowledge and sends said information to another entity without consent.
symmetric cryptography—A branch of cryptography in which a cryptographic system or algorithms use the same secret key (a shared secret key).
symmetric key—A cryptographic key that is used to perform both a cryptographic operation and its inverse, for example to encrypt plaintext and decrypt ciphertext, or to create a message authentication code and to verify the code. Also, shorthand for a cryptographic algorithm that uses a single key (i.e., a secret key) for both encryption of plaintext and decryption of ciphertext.
tabletop exercise—A discussion-based exercise where personnel meet in a classroom setting or breakout groups and are presented with a scenario to validate the content of plans, procedures, policies, cooperative agreements or other information for managing an incident.
tailored trustworthy space—A networked environment that provides a user with confidence in its security, using automated mechanisms to ascertain security conditions and adjust the level of security based on the user’s context and in the face of an evolving range of threats.
threat agent—An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
threat assessment—The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to harm life, information, operations, and/or property.
Trojan horse—A computer program that appears to have a useful function, but also has a hidden and potentially malicious function, that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
unauthorized access—Any access that violates the stated security policy.
virus—A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread to another computer.
vulnerability—A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard.
white hat—A hacker who applies their knowledge and skills with the goal of improving the security of an information system. These individuals often perform penetration tests and vulnerability assessments under the terms of a written contract.
White Team—A group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of information systems.
whitelist—A list of entities that are considered trustworthy and are granted access or privileges.
worm—A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.