Information Security Hyper-glossary

This hyperlinked glossary defines over 2,000 terms used in information risk,
information security, cybersecurity, governance, compliance, privacy,
business continuity and related areas.


Term

Meaning

0-day

See zero-day.

3DES

See triple-DES.

2G, 3G, 3½G, 4G, 5G …

Second and successive generations of the digital network used by devices such as cellphones/smartphones and USB modem sticks for voice calls, SMS/TXT messaging and data communications including mobile Internet access.  Defined by the ITU under the International Mobile Telecommunications-2000 (IMT-2000) and successive standards.  The 5G standards were introduced in 2017 with networks and consumer devices on the way.

419

Section number of the Nigerian penal code criminalizing advance fee frauds.  Often refers to other social engineering scams as well, hence email scammers are known colloquially as “419ers”.

AAA
(Authentication, Authorisation and Accounting)

The main IT security controls associated with the logon process, i.e. authentication to verify the user’s claimed identity, authorisation or allocation of the user’s defined access rights and permissions, and logging key details concerning the user’s login and subsequent activities for accountability purposes.  See also I&A.

ABAC
(Attribute Based Access Control)

“An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions” (NIST SP800-162).
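The NIST definition above can be read as an evaluation procedure: collect the subject’s attributes, the object’s attributes and the environment conditions, then apply a set of policy rules expressed over those attributes, granting only if every applicable rule permits. The following is an added illustration of that procedure, not code from the glossary’s author; the attribute names (clearance, department, contains_pii, hour, network) and the three rules are constructed examples.

```python
"""Added illustration of attribute based access control (ABAC) as defined in
NIST SP 800-162: a request is granted only if every applicable policy rule
evaluates true over subject attributes, object attributes and environment
conditions.  Attribute names and rules are constructed examples."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

Attributes = Dict[str, Any]


@dataclass
class Request:
    subject: Attributes   # attributes of the requesting user/process
    action: str           # operation requested, e.g. "read" or "write"
    obj: Attributes       # attributes of the target resource
    env: Attributes       # environment conditions at decision time


@dataclass
class Rule:
    name: str
    applies: Callable[[Request], bool]   # does this rule govern the request?
    permits: Callable[[Request], bool]   # if it does, does it permit it?


# Constructed policy set.  Each rule is written in terms of attributes only,
# never in terms of individual user or resource names.
POLICIES: List[Rule] = [
    Rule("clearance-dominates-classification",
         applies=lambda r: True,
         permits=lambda r: r.subject["clearance"] >= r.obj["classification"]),
    Rule("write-requires-owning-department",
         applies=lambda r: r.action == "write",
         permits=lambda r: r.subject["department"] == r.obj["owner_department"]),
    Rule("pii-only-in-hours-from-corporate-network",
         applies=lambda r: r.obj.get("contains_pii", False),
         permits=lambda r: 8 <= r.env["hour"] < 18 and r.env["network"] == "corporate"),
]


def decide(request: Request, policies: List[Rule] = POLICIES) -> Tuple[bool, Optional[str]]:
    """Deny by default.  Returns (granted, name_of_first_rule_that_denied)."""
    for rule in policies:
        if rule.applies(request) and not rule.permits(request):
            return False, rule.name
    return True, None


def evaluate(subject: Attributes, action: str, obj: Attributes, env: Attributes) -> Tuple[bool, Optional[str]]:
    """Convenience wrapper building the Request from its four attribute sets."""
    return decide(Request(subject=subject, action=action, obj=obj, env=env))


if __name__ == "__main__":
    analyst = {"clearance": 2, "department": "finance"}
    report = {"classification": 2, "owner_department": "hr", "contains_pii": True}
    print(evaluate(analyst, "read", report, {"hour": 10, "network": "corporate"}))
    print(evaluate(analyst, "read", report, {"hour": 22, "network": "corporate"}))
    print(evaluate(analyst, "write", report, {"hour": 10, "network": "corporate"}))
```

The point of the structure is that the decision depends on nothing but attributes and the policy set: the same user is granted at 10:00 from the corporate network and denied at 22:00, and the write is denied because a department attribute, not a user identity, fails to match.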

ABUEA
(Attribute-Based Unlinkable Entity Authentication)

A means for people to authenticate themselves anonymously, without revealing so much personal information that their identity can be ‘linked’ (inferred or determined), compromising their privacy.  See ISO/IEC 27551.

Access

The ability of a person, computer program etc. to enter, interact with, use or misuse a controlled resource such as information, a site, building, facility, room, system, network, database, file, filing cabinet, directory, disk or other device.

Access authority

Organisation, department, person, system, program or function that determines whether to grant or deny access to controlled information assets such as personal information.  See also reference monitor.

Access card, proximity card,
pass card, access badge,
staff pass, ID card,
RFID (Radio Frequency IDentification) tag etc.

Authentication device that (normally) communicates wirelessly with a card reader (normally) located at an access controlled door or gate to determine whether the expected card holder is authorized to proceed.  Vulnerable to being lost, stolen or handed to someone else, and perhaps cloned or hacked.  Often carries the authorized holder’s photograph as well, giving alert and diligent security guards, receptionists and other workers the chance to determine at a glance whether the person presenting, wearing or using the card resembles the mugshot (assuming they have not simply replaced the photo or faked the entire pass!).

Access control

Security control intended to govern access to an asset, permitting authorized and appropriate access whilst preventing unauthorized or inappropriate access.  May be physical (such as a lock), electronic/digital (such as encryption), or procedural (such as a nightclub bouncer checking the VIP guest list for the name on your photo-ID).  Often critically important, implying the need for strong assurance that it is correctly designed, implemented, configured, operating, managed and controlled.  “Means to ensure that access to assets is authorized and restricted based on business and security requirements” (ISO/IEC 27000).

Access gateway

“A gateway that provides the system user access to multiple security domains from a single device, typically a workstation” (NZ information security manual).

Access matrix

Table relating users or their rôles (on one axis) to the IT systems, application functions and/or classes of data (on the other axis), showing the types of access permitted and/or denied (within the body of the table).

Access Point
(AP),
wireless access point

Network router providing Wi-Fi services, generally on a wired LAN.  “A device that logically connects wireless client devices operating in infrastructure to one another and provides access to a distribution system, if connected, which is typically an organisation’s enterprise wired network” (NIST SP 800-48 and SP 800-121).  “Device or piece of equipment that allows wireless devices to connect to a wired network. Note: The connection uses a wireless local area network (WLAN) or related standard.” (ISO/IEC 27033-6).

Access policy,
access control policy

Security policy or a set of defined rules determining authorized and controlled access to information assets such as functions, tables or records in a database, or programs, files and directories on an IT system, or IT systems on a network, or locations (sites, buildings, rooms, cabinets etc.) holding such assets.  Typically used to configure appropriate access rights (for example read, write, delete and/or control) for user rôles which are then assigned to individual users authorized to perform those rôles (see RBAC).

Access right,
logical access right,
right,
access permission

Individual people, systems, programs, organisations etc. may be granted or denied access to controlled resources such as data, transactions/functions or physical locations according to whether the access is authorized i.e. their logical access rights, permissions or attributes match the access rules or criteria associated with those resources according to the access policy.  May be documented in the form of an access matrix or permit.  See also right.

Accident

While information security incidents may result from deliberate acts by hackers, malware, fraudsters, spies etc., the greater proportion by number are in fact the result of inadvertent or unintentional acts, natural or chance events, or errors.  Physical accidents and health-and-safety failures that befall workers constitute information security incidents since people are information assets.

Accommodation address

Mail drop used for convenience and sometimes to conceal the true location/identity of a fraudster by giving the appearance of belonging to a legitimate business or an innocuous member of the general public.

Account hijack,
account takeover

Taking unauthorized control of a target’s bank, credit card, email, IT system or telephone account by means of hacking, social engineering, malware etc., typically as part of identity fraud or some other attack.

Accountable,
accountability,
held to account

Someone (a person or organisation) who is held accountable for something (such as a privacy breach or some other incident) may be sanctioned in some way (‘held to account’) by an authority if they do not fulfil their obligations.  Sanctions may include penalties, disciplinary action, dismissal, prosecution, withdrawal of privileges etc.  In contrast to responsibility, accountability is a sticky property that cannot be unilaterally delegated or passed by the accountable person or organisation to another; in other words, the buck stops here.  “Required or expected to justify actions or decisions; being answerable and responsible” (NZ information security manual).

Accounting,
account

Whereas normally the term implies financial accounting, the underlying principles and practices of systematically, formally and thoroughly recording and cross-checking various details such that relevant parties can be held to account for their activities are more widely applicable.  Most IT systems, for instance, can automatically record information about user logons, use of privileges and overrides, alerts, alarms and other potentially significant events in their log or accounting files, with utilities to search and report on them, even if these days they are no longer required to re-charge users for their use of the computers (common practice prior to the 1990s).

Accreditation

The process of checking that an organisation or individual is competent to check and certify others, to a level specified by some trusted authority.  Often confused with certification, the process of issuing certificates.  “A procedure by which an authoritative body gives formal recognition, approval and acceptance of the associated residual security risk with the operation of a system and issues a formal approval to operate the system” (NZ information security manual).

Accurate

Precise, truthful and valid, faithfully representing factual reality.  An integrity property.

ACL
(Access Control List)

Security metadata associated with a computer file, directory, disk, port etc. specifying, for example, which users may or may not access or change the object’s security settings, and whether successful and/or unsuccessful attempts to do so are logged.  ACL capabilities vary between operating systems.

Acquirer

“Stakeholder that procures a product or service from another party.  Note: Procurement may or may not involve the exchange of monetary funds.” (ISO/IEC 27036-1).

Acquisition

Initial phase or activity in the process of gathering, analysing and presenting forensic evidence, or procuring a product.  “Process of creating a copy of data within a defined set.  Note: The product of an acquisition is a potential digital evidence copy.” (ISO/IEC 27037).  “Process for obtaining a product or service” (ISO/IEC 27036-1).

Active Directory
Federation Services
(ADFS)

Proprietary Microsoft technology blending LDAP (Lightweight Directory Access Protocol) with SAML for identification and authentication, authorisation and access control purposes.

Active shooter,
active killer

Suicidal terrorist or brutally unhinged nutcase, often armed, who indiscriminately and violently attacks innocent people with intent to injure or kill as many as possible before being arrested, disabled or killed.  An extreme safety threat to everyone in the vicinity.

ActiveX

Microsoft technology for interactive web pages.  Malicious ActiveX controls (a form of malware) may potentially compromise the users’ systems: if the browser security settings allow, even unauthenticated (‘unsigned’) ActiveX controls may access files on the user’s hard drive, for example.  Microsoft dropped ActiveX support from its browsers in 2016.

Activist

Relatively mild extremist.

Actuary

A professional (typically employed by insurance companies) who uses probability theory and mathematical techniques to analyse data and so quantify and hence manage risk with scientific rigor.

Acunetix

Hacking/penetration testing tool.

Ad injection

Browser malware that displays advertisements and (in some cases) steals personal information from infected systems.  See also adware, XSS and HTML injection.

Administrative account

See privileged user.  “A user account with full privileges on a computer.  Such an account is intended to be used only when performing personal computer (PC) management tasks, such as installing updates and application software, managing user accounts, and modifying operating system (OS) and application settings” (NIST SP800-114 rev1).

Administrative control
(ADCON)

See manual control and management control.  ADCON is a US Navy abbreviation.

Admissible

Forensic evidence must be trustworthy if it is to be presented in court.  Evidence that is dubious for some reason (e.g. if there is reasonable doubt that it was in fact properly collected, stored and analysed in full accordance with applicable laws, regulations and standards of good forensic practice) may be ruled inadmissible by the judge and hence cannot be used to support or refute a case.

Advance fee fraud

Type of fraud in which the fraudster fools a naïve and vulnerable victim into sending money as ‘advance fees’ supposedly in order to secure a substantial payout (such as an inheritance or lottery win) or other benefit (such as an immigration visa) which, strangely enough, gets tantalizingly close but never quite materializes.  Commonly known as a 419 scam.  Originally perpetrated by letter, Telex and FAX but latterly more often by email, SMS/TXT, social media etc.  Commonplace form of social engineering.

Adversary

An enemy of the organisation such as a malicious person, group or organisation.  May be a worker, fraudster, hacker, competitor, pressure group, government or terrorist, who is willing to attack and harm the organisation in some way (not necessarily physically), e.g. VXers, insider threats, lobbyists, rumour-mongers, saboteurs and cyberteurs.  A threat agent.

Adware

Annoying software that displays advertisements etc.  Considered by some to be malware since it is often covert, seldom knowingly authorized, consumes resources and may have undesirable side-effects.  See also ad injection.  “Application which pushes advertising to users and/or gathers user online behavior.  NOTE The application may or may not be installed with the user’s knowledge or consent or forced onto the user via licensing terms for other software.” (ISO/IEC 27032).

Adwind, AlienSpy, Frutas, Unrecom, Sockrat, JSocket, jRat

Heavily obfuscated species of RAT malware available to rent on the black market (MaaS).  Built using Java so it can run on Windows, Linux, Android, MacOS and other systems with Java capabilities.  Frutas was first discovered in 2012 and variants were still in the wild as of 2018.

AES
(Advanced Encryption Standard)

‘Military grade’ cryptographic algorithm chosen by NIST in 2001 to replace DES and specified in the standard FIPS 197.  A symmetric block cipher generally understood to be strong, but widespread distrust of the NSA following Ed Snowden’s revelations casts doubt on that assertion.

Affirmative cyber risk

Cyber incidents explicitly covered in cyberinsurance or other forms of insurance.  Cf. non-affirmative cyber risk.

Agent

(a) Person who somehow (usually covertly) obtains legitimate access to confidential proprietary or personal information but betrays their position of trust by disclosing or permitting access to the information by an unauthorized third party (sometimes unwittingly), typically through a collector.  See also spy.  (b) A benign or malicious program, person or organisation acting on behalf of another, for example gathering and passing-on data from one system or network for collation and analysis centrally in conjunction with data fed by agents running on other systems or networks.

Agent provocateur

French term literally translated as ‘agent who provokes’, meaning a secret agent who infiltrates an organisation and incites them to act illegally in such a way that they are likely to be caught in the act.  A cyberteur.

Agreement

Joint commitment of two or more parties to a shared objective.  “Mutual acknowledgement of terms and conditions under which a working relationship is conducted” (ISO/IEC 27036-1).

Aggregation

The collection of information from disparate sources, for example to profile a target.  Due to explicit and/or inferred relationships between items of information, aggregation and subsequent analysis can generate new knowledge, hence databases are usually more valuable than the unorganised data items they contain: the whole is greater than the sum of the parts.

Aircrack ng

Wi-Fi network hacking and penetration testing tool, capable of cracking WEP, WPA and WPA2/PSK.

Air gap

Complete physical and logical separation between entities, for example isolating highly-secure networks from less-secure ones by prohibiting any connections between them.  Tends to fail-insecure, in other words if the air-gap is somehow breached, the destination tends to be highly vulnerable if excessive trust (faith) or reliance was placed on the air-gap.

Air lock, air-lock, airlock

See man trap.

Alarm

Audio/visual warning of the occurrence of a critical security and/or safety condition (e.g. fire/smoke, intruder, flood, gross system integrity failure) or incident requiring an urgent, high-priority response.  See also alert.

Alert

(a) Warning that a critical system security event (e.g. audit or security log file full, system shutdown initiated, user authentication failure) has occurred.  While definitions vary, alerts generally signal important but not necessarily critical conditions requiring less urgent responses than alarms.  They are usually logged for analysis and follow-up action if and when convenient.  (b) A state of awareness, vigilance and preparedness to react appropriately to events and incidents.  “‘Instant’ indication that an information system and network may be under attack, or in danger because of accident, failure or human error” (ISO/IEC 27033-1).

Algorithm,
cipher,
cypher

Mathematical function, process and/or protocol at the heart of a cryptosystem.  Determines the specific sequence of actions or operations necessary, for example, to encrypt the plaintext and decrypt the cyphertext, or to calculate and verify a hash.

Allocated space

“Area on digital media, including primary memory, which is in use for the storage of data, including metadata” (ISO/IEC 27037).

Amplification attack,
reflection attack

Type of attack in which network servers are tricked into transmitting a large volume of traffic to a target system, potentially overloading it and causing Denial of Service.  NTP, DNS or other request packets with spoofed source IP addresses matching the target are sent to one or more network servers which then forward their responses to the target instead of the originator.  See also DRDoS.

AMT
(Active Management Technology)

Intel incorporate hardware subsystems into some of their CPU chips to facilitate low-level system management.  In May 2017, Intel disclosed a design flaw in AMT that creates a severe vulnerability allowing hackers to gain privileged access to systems using the “Q series” chipset, either locally or through the network.  The wisdom of allowing low-level privileged system management in this way, through hardware that bypasses normal BIOS and operating system security (a backdoor), is in question.

Analysis

The process of systematically analysing (exploring, investigating or evaluating) something (such as risks, incidents or forensic evidence) in depth.  “Process of evaluating potential digital evidence in order to assess its relevance to the investigation.  Note: Potential digital evidence, which is determined to be relevant, becomes digital evidence.” (ISO/IEC 27042).

Analytical model

Mathematical formula for generating metrics (such as a positive trend in a relevant security parameter) from measurements (normally a time series of values of the parameter), giving meaning to the numbers (“See, things are improving!”).  “Algorithm or calculation combining one or more base measures and/or derived measures with associated decision criteria” (ISO/IEC 27000).

Anarchy,
anarchism,
anarchist

For ideological or other reasons, anarchists typically seek to overthrow the government and disrupt organised society by (among other things) sabotaging vulnerable parts of the critical [national] infrastructure.

Angler

A crimeware kit, in the wild in 2016.

Angry IP Scanner,
ipscan

Network administration/security/penetration testing tool vaguely similar to nmap.  It scans (queries) IP address and port ranges to identify network nodes.

Anomaly,
anomalous

Something different, unusual, unexpected or out of the ordinary.  While large data anomalies (such as numerous data values completely missing for a significant period) may be easily spotted by eye (provided someone is actually looking!), small anomalies in large data sets or databases can be identified much more easily and reliably by systematic statistical analysis e.g. applying Benford’s law.  Such anomalies are inherently interesting, hinting at the possibility of unexpected relationships, biases or events, perhaps even information security incidents such as bugs, flaws, frauds, malware or hacks in progress.
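The entry mentions Benford’s law as a systematic way to surface small anomalies in large data sets. The following is an added worked example, not code from the glossary’s author: it compares the leading-digit distribution of a data set with the distribution Benford’s law predicts and reports a chi-square statistic, so that a set of values whose first digits are suspiciously uniform stands out from a naturally occurring one. Both sample data sets are constructed here (a geometric growth series as the ‘natural’ data and uniformly random four-digit numbers as the ‘fabricated’ data); the 8-degrees-of-freedom critical value 15.51 at the 5% level is a standard statistical table value.

```python
"""Added example: first-digit (Benford's law) screening of a numeric data set.
Sample inputs are constructed; this is not code from the glossary."""
import math
import random
from typing import Dict, Iterable, List

# Benford's expected proportion of leading digits 1..9: log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL_8DF_5PCT = 15.51   # standard chi-square table value, 8 degrees of freedom


def first_digit(x: float) -> int:
    """Leading non-zero digit of |x| (ignores sign and decimal position)."""
    if x == 0:
        raise ValueError("zero has no leading digit")
    return int(f"{abs(x):e}"[0])   # scientific notation puts the leading digit first


def first_digit_counts(values: Iterable[float]) -> Dict[int, int]:
    """Count how often each leading digit 1..9 occurs; zeros are skipped."""
    counts = {d: 0 for d in range(1, 10)}
    for v in values:
        if v != 0:
            counts[first_digit(v)] += 1
    return counts


def benford_chi_square(values: List[float]) -> float:
    """Chi-square statistic of observed leading digits against Benford's law.
    Larger values mean a worse fit; above ~15.51 is suspicious at the 5% level."""
    counts = first_digit_counts(values)
    n = sum(counts.values())
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))


def looks_fabricated(values: List[float]) -> bool:
    """Flag a data set whose leading digits deviate significantly from Benford."""
    return benford_chi_square(values) > CHI2_CRITICAL_8DF_5PCT


def natural_sample() -> List[float]:
    """Constructed 'natural' data: a 7% compound growth series, which spreads
    evenly across orders of magnitude and therefore follows Benford closely."""
    return [1.07 ** i for i in range(500)]


def fabricated_sample() -> List[float]:
    """Constructed 'fabricated' data: uniformly random 4-digit amounts (fixed seed),
    whose leading digits are roughly uniform rather than Benford-distributed."""
    rng = random.Random(1)
    return [float(rng.randint(1000, 9999)) for _ in range(500)]


if __name__ == "__main__":
    for name, data in (("natural", natural_sample()), ("fabricated", fabricated_sample())):
        print(f"{name:10s} chi2={benford_chi_square(data):6.2f} flagged={looks_fabricated(data)}")
```

Benford’s law only applies to data spanning several orders of magnitude without artificial bounds (expense claims or invoice totals, not fixed-price items or percentages), so a flag from this screen is a prompt for closer review rather than proof of fraud.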

Anonymity

A person’s ability or right to go about their life and business while withholding their identity, for example whistleblowing or for privacy reasons.  Typically achieved through discretion, sometimes through a trusted third party using techniques such as anonymisation, tokenisation or redaction.

Anonymisation

The redaction of information needed to identify specific individuals in a database, document etc. for example by tokenisation, usually for privacy reasons.

Anonymous

(a) Information that is not and cannot be linked unambiguously to a specific, identifiable originator or source.  (b) The name of a “hacker collective”, a loosely-organised and indistinct group or movement of pranksters, hackers, digital vigilantes and subversive hacktivists active since 2004.  Their proclamations famously include the line “We are legion” spoken in a synthetic voice emanating from a stylized mask.  See also LulzSec.

Anti-pass-back

Physical security access control arrangement such as a man trap designed to prevent someone presenting their access card to open a one-person-at-a-time controlled entrance for themselves, then handing their card back to someone else (typically an unauthorized visitor) permitting them also to access the controlled area.  Electronic access control systems may keep track of people, preventing them from re-accessing an area unless they have previously exited it, requiring them to present their access cards at both entry and exit points.  “A security mechanism preventing an access card or similar device from being used to enter an area a second time without first leaving it (so that the card cannot be passed back to a second person who wants to enter).” (PCI Card Production and Provisioning Physical Security Requirements, v2.0 January 2017).
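The entry describes how an electronic access control system enforces anti-pass-back by remembering whether each card holder is currently inside or outside the area and requiring the card at both entry and exit. The following is an added illustration of that bookkeeping, not code from the glossary’s author or from any real access control product; the card identifiers and the reader events are constructed.

```python
"""Added example of anti-pass-back state tracking for a two-reader controlled
area.  Card identifiers and events are constructed; this is not code from the
glossary or from any real access control system."""
from enum import Enum
from typing import Dict, List, Set, Tuple


class Location(Enum):
    OUTSIDE = "outside"
    INSIDE = "inside"


class AntiPassBackController:
    """Grants entry only to authorized cards recorded as outside, and exit only to
    cards recorded as inside, so a card handed back through the door is refused."""

    def __init__(self, authorized_cards: Set[str]):
        self.authorized = authorized_cards
        self.where: Dict[str, Location] = {}          # last known location per card
        self.log: List[Tuple[str, str, str]] = []      # (card, reader, outcome)

    def _record(self, card: str, reader: str, outcome: str) -> bool:
        self.log.append((card, reader, outcome))
        return outcome == "granted"

    def present(self, card: str, reader: str) -> bool:
        """Handle a card presented at the 'entry' or 'exit' reader; True if the door opens."""
        if reader not in ("entry", "exit"):
            raise ValueError(f"unknown reader {reader!r}")
        if card not in self.authorized:
            return self._record(card, reader, "denied:unknown-card")
        current = self.where.get(card, Location.OUTSIDE)
        if reader == "entry":
            if current is Location.INSIDE:
                # Card is already inside: it was passed back (or the holder tailgated out).
                return self._record(card, reader, "denied:anti-pass-back")
            self.where[card] = Location.INSIDE
            return self._record(card, reader, "granted")
        # exit reader
        if current is Location.OUTSIDE:
            # No matching entry on record: the holder got in without badging.
            return self._record(card, reader, "denied:no-entry-record")
        self.where[card] = Location.OUTSIDE
        return self._record(card, reader, "granted")

    def violations(self) -> List[Tuple[str, str, str]]:
        """Denied events worth reviewing by the security team."""
        return [e for e in self.log if e[2].startswith("denied")]


def run_scenario() -> AntiPassBackController:
    """Constructed sequence: A enters, A's card is passed back and re-presented,
    A exits and re-enters; B tries to exit without ever having entered."""
    ctl = AntiPassBackController({"CARD-A", "CARD-B"})
    ctl.present("CARD-A", "entry")   # granted
    ctl.present("CARD-A", "entry")   # denied: anti-pass-back
    ctl.present("CARD-A", "exit")    # granted
    ctl.present("CARD-A", "entry")   # granted
    ctl.present("CARD-B", "exit")    # denied: no entry record
    ctl.present("CARD-X", "entry")   # denied: unknown card
    return ctl


if __name__ == "__main__":
    for event in run_scenario().log:
        print(event)
```

The second denial (an exit with no recorded entry) is the one that catches tailgating: it is useful evidence for the security team even though the person is already inside, which is why the denied events are kept separately for review.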

Antivirus [software, app, program, package]

Software designed to minimize the risk of malware by detecting, preventing and/or removing infections with viruses, network worms, Trojans, spyware, ransomware, rootkits etc.

APN
(Access Point Name)

A gateway linking a mobile network to the Internet or another network.  Malware may surreptitiously alter the APN on mobile devices, redirecting users to access points monitored and controlled by hackers.

Appliance

Computer system or device dedicated to a specific purpose, ready to use straight out of the box, requiring little if any configuration or management.  Consumer networking equipment such as broadband modems and access points are usually appliances, as are some commercial firewalls.  Usually built around an embedded system.  Some whiteware (household appliances) are smart.

App, application

Computer program or suite of programs providing a useful function.  Apps on smartphones, tablet and portable PCs, particularly free social media or security apps downloaded from the Web and installed by naïve users, may be Trojans, spyware, network worms or other malware, especially on jailbroken devices.

Application development, software development,
systems development

The process, method, approach, phase or stage within which new or updated software is coded (created).  Sometimes taken to include the earlier specification, architecture and design phases, and perhaps the software testing, version control, change and configuration management, and implementation activities that normally follow development.

Application services

“Software with functionality delivered on-demand to subscribers through an online model which includes web based or client-server applications” (ISO/IEC 27032).

Application whitelist

The application of whitelisting to apps. “An approach in which all executables and applications are prevented from executing by default, with an explicitly defined set of allowed executables” (NZ information security manual).

APT
(Advanced Persistent Threat)

A highly sophisticated, sustained and ultimately damaging attack, or a series of attacks, by a very resourceful, determined and capable adversary.  Generally involves a combination of methods and tools, such as custom malware, social engineering, hacking (including hacked hardware, software or firmware, including things) and/or physical intrusion.

ARA
(Analog Risk Assessment),
PIG
(Probability Impact Graph)

Visual security metric analysing information risks in two dimensions according to their relative likelihood or probability of occurrence (on one axis) and (on the other axis) their relative severity or potential impacts on the organisation if they were to occur.  Risks that are both relatively likely and severe, or those that are heading in that direction, are generally of greater concern than the remainder and may be displayed in red or on a red background to catch the readers’ attention.

Architecture

Overall grand design or blueprint for an organisation’s information systems and business processes, linking even higher level objectives from various strategies to lower-level designs for individual systems and processes.  May incorporate the information security architecture.  In the physical security context, the architectural design of a facility can enhance or hinder its security.  “Fundamental organisation of a system embodied in its components, their relationships to each other, and to the environment, and the principles guiding its design and evolution” (ISO/IEC 15288:2008, cited by ISO/IEC 27033-1).

Archive,
archival

Secure long-term storage of valuable information, designed to ensure its integrity, availability and often (but not necessarily) its confidentiality and so maintain its value.  May be required for compliance reasons, e.g. organisations are obliged by applicable laws and regulations to provide certain types of business record several years after they were created.  In a few cases, the retention period is indefinite.

Armor

Strong protective plates, typically comprising layers of leather, steel, Kevlar/carbon-fibre/composite materials and ceramics that absorb and spread the energy, resisting penetration by weapons such as swords, daggers/knives, shrapnel and bullets.  The physical security version of hardening.

Arson

Deliberately setting fire to or burning something without its owner’s permission, or with intent to defraud another (such as an insurance company).  A form of sabotage.  A threat to many tangible assets.

ASLR
(Address Space Layout Randomisation)

Security technique that randomizes memory addressing for processes, function calls etc., frustrating hacking attempts to invoke or replace privileged functions occupying fixed and hence predictable addresses through buffer overflows and similar exploits.  See also KASLR.

ASP (Application Service Provider)

“Operator who provides a hosted software solution that provides application services which includes web based or client-server delivery models.  EXAMPLE Online game operators, office application providers and online storage providers.” (ISO/IEC 27032).

Assert,
assertion

Unilaterally state or claim something to be true, without necessarily having or providing the evidence to prove it.

Assertive

Dominant, coercive, overbearing or authoritarian, able to exert strong influence on another without resorting to overt aggression or violence.  A powerful technique in many social engineering attacks as well as legitimate controlling activities (“Hands up!  You’re nicked!” for instance).

Asset

Something of value to its owner, whereas if it has little, no or even negative value to its owner, or is more valuable to another, it may be a liability.  May be tangible (e.g. a building, hardware, signed/executed contract or license/approval, person, cash, IOU, padlock), intangible (e.g. knowledge, experience, know-how, skill, capability, competence, tradecraft, information, software, creative idea, concept, relationship, virtual organisation, brand, reputation, trust, loyalty, goodwill, bank credit, application or service, right or permission, understanding, verbal contract, obligation) or indeterminate, sharing both tangible and intangible characteristics (e.g. trademark, patent, firmware, data, database, system, security).  See also information asset.  “Anything of value to an agency, such as IT equipment and software, information, personnel, documentation, reputation and public confidence” (NZ information security manual).  “Legal right or organisational resource which is controllable by an entity and has the capacity to generate economic benefits” (ISO 10668).  “Anything that has value to an individual, an organisation or a government” (ISO/IEC 27032).

Assurance

The provision of a certain level of trust, confidence, confirmation or proof of something, typically by reviewing, checking, testing, certified compliance or auditing it.  A security-assured program, for example, has been tested to confirm that it fulfils information security requirements.

Asymmetric

Type of cryptosystem that uses pairs of mathematically related but quite different public and private keys to either encrypt or decrypt.  Although the pairs of keys are related and are fairly simple to generate (on a computer at least), it is infeasible to guess or calculate either key from the other without additional information.  Cf. symmetric.

AtomBombing

Code injection exploit that alters the atom tables used internally by Windows to store and communicate strings during program execution.

ATT&CK
(Adversarial Tactics, Techniques, & Common Knowledge)

MITRE’s knowledgebase of cyber-attack tactics and techniques, first published in 2015.  See attack.mitre.org.

Attack

Type of information security incident actively and deliberately perpetrated by someone (the attacker or adversary) on one or more victims (people and/or organisations) without their permission.  Cf. accident or act of god.  “Attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset” (ISO/IEC 27000).

Attacker

Person, group or organisation actively mounting one or more attacks.  “Person deliberately exploiting vulnerabilities in technical and non-technical security controls in order to steal or compromise information systems and networks, or to compromise availability to legitimate users of information system and network resources” (ISO/IEC 27033-1).

Attack surface

A notional 3-dimensional representation of the organisation’s information assets, risks etc. where the height axis in some way reflects vulnerabilities and/or their exposure by various parts of the organisation, forming a complex and dynamic ‘surface’ that might be actively attacked or exploited by hackers, malware etc. to the corresponding extent.  Implies that improving the protection of information assets and/or reducing the exposure or extent of vulnerabilities will somehow improve the organisation’s information security … without specifying precisely how.  A security metric.  See also security landscape, risk universe, risk profile and heatmap.  “The amount of IT equipment and software used in a system.  The greater the attack surface the greater the chances are of an attacker finding an exploitable vulnerability” (NZ information security manual).

Attack toolkit

See crimeware.

Attagging

The use of QRcodes, perhaps stuck over legitimate QRcodes, containing malicious JavaScript or URLs linking to infectious or phishing websites.  Exploits our inability to interpret them simply by eye.

Attest,
attestation

Formally documented assertion by a duly authorized and accountable person that the organisation complies with (fulfils the requirements of) particular laws, regulations or professional practices (such as relevant governance, accounting and audit standards).  Although highly stylized and very precisely worded to exclude other liabilities, the signatories are personally accountable for the veracity of such statements, hence attestation carries a lot of weight and is taken very seriously.  A surprisingly powerful administrative control, akin to taking an oath.

Attribute

Characteristic.  “Property or characteristic of an object that can be distinguished quantitatively or qualitatively by human or automated means” (ISO/IEC 27000).

Attribution

(a) Acknowledgement referencing the source, originator and/or owner of intellectual property being reproduced elsewhere in order to thank them and (hopefully) reduce the risk of being accused of plagiarism or copyright abuse.  [Note: strictly speaking, attribution is irrelevant to copyright infringement but it is ethical and polite to acknowledge one’s sources.]  (b) Cybersecurity incidents are often blamed on (attributed to) certain perpetrators according to someone’s evaluation of evidence in the malware or hacking tools used, or other clues such as the demands and claims made.  However, perpetrators of illegal acts are (for obvious reasons) keen to remain undercover and may deliberately mislead the analysts by seeding false leads.  Furthermore, attacks often involve a blend of code, tools and techniques from disparate sources, obtained through the hacking underground scene and used or adapted for the specific purpose at hand.

Audit

Structured assurance process of examination, review, assessment, testing and reporting by one or more competent and trusted people who – crucially – are independent of the subject area being audited.  In many organisations, ‘audit’ also refers to the business department or function (usually “Internal Audit”, “Quality Audit” etc.) and/or third party organisation (more formally “External Audit”) responsible for auditing.  Derived from the Latin audio (to listen).  “Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.  Notes: an audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines); ‘audit evidence’ and ‘audit criteria’ are defined in ISO 19011” (ISO/IEC 27000).  “An independent review of event logs and related activities performed to determine the adequacy of current security measures, to identify the degree of conformance with established policy or to develop recommendations for improvements to the security measures currently applied” (NZ information Security Manual).

Auditability

An assurance objective for many important IT systems, processes, business relationships etc. meaning that they are capable of being audited.  Implies the need to retain high integrity records of relevant events and activities (e.g. secure logs) that can be independently reviewed if and when required.

Audit logging

“Recording of data on information security events for the purpose of review and analysis, and ongoing monitoring” (ISO/IEC 27033-1).

Audit scope

Coverage of an audit.  “Extent and boundaries of an audit” (ISO 19011:2011).

Audit tools

“Automated tools to aid the analysis of the contents of audit logs” (ISO/IEC 27033-1).

Audit trail

Chronological record of important transactions or stages in a business or ICT process, which may be used to reconstruct the exact sequence of events.  An IT system security log, for example, is typically configured to record details such as successful and failed system logons, security alarms and alerts etc. with timestamps.

AUP
(Acceptable Use Policy)

Semi-formal policy or guideline laying out and contrasting acceptable against unacceptable use of information, ICT services, systems etc. in plain English.

Authentication,
authenticate

Control process by which a specific individual user, system, message, block of data etc. is positively identified and confirmed authentic, typically on the basis of something they know (e.g. a password) and sometimes something they have (credentials), something they are (meaning biometrics) and/or where they are (their virtual/network or physical location).  Usually involves cryptography.  Authentication is a critically important and hence inherently risky control: if the process fails, is bypassed, undermined, spoofed or disabled, many other security controls (such as access controls, audit trails, logging and alerting) are also rendered ineffective, often with no indication of anything amiss.  “Provision of assurance that a claimed characteristic of an entity is correct” (ISO/IEC 27000).

Authentic,
authenticity

Verifiably genuine, not counterfeit or fake.  “Property that an entity is what it claims to be” (ISO/IEC 27000).

Authority

Person, rôle, organisation etc. of high status or seniority (such as a manager, regulator, government agency, tribal elder or significant other) or a stakeholder that commands respect, compliance and/or obedience, thus exerting influence or control over subordinates.

Authorisation,
authorize

Permitted, accepted and/or agreed by management or some other authority as being in the best interests of the organisation, the workforce, the stakeholders or society at large.  Cf. unauthorized.

Autodiscovery

Some network servers advertise their services (such as multimedia or printing) by routinely broadcasting network messages, allowing them to be ‘discovered’ by other network systems.

Automated control

Control embedded in an electronic or mechanical system capable of operating automatically without necessarily involving a person in order to function.  Cf. manual control.

Autonomous weapon

A ‘fire-and-forget’ cyberweapon capable of acting autonomously or semi-autonomously using smarts (artificial intelligence) to complete complex reconnaissance, surveillance and/or combat missions with little if any direct involvement and real-time control by human operators, in contrast to remote-controlled or dumb weapons.  May be a physical device or malware.

Autorooter

Software tool (malware) that gives hackers or script kiddies fully privileged access to vulnerable systems.

Availability

One of the three core objectives of information security, along with confidentiality and integrity (the CIA triad).  Availability concerns the requirement for information, IT systems, people and processes to be operational and accessible when needed, implying the use of resilience and/or recovery controls to guard against unacceptable disruption or interruption of necessary services.  “Property of being accessible and usable upon demand by an authorized entity” (ISO/IEC 27000).

Avalanche

A global criminal botnet infrastructure used for phishing, malware distribution and money mule recruitment.

Awareness,
vigilance

General appreciation by workers of their rôle in the process of securing the organisation’s information assets, for instance through compliance with policies, laws and other security obligations and responsibilities.  Being vigilant for, and responding appropriately to, information security threats, vulnerabilities, near misses, events and incidents is an extremely important form of control.  See also education, training and security culture.

Axiom

A fundamental information security policy requirement, architectural principle or rule.  Axioms may be derived from first principles, and/or from sources such as the control objectives defined in ISO/IEC 27002 to justify and underpin the organisation’s information security policy statements, standards, procedures, guidelines and controls.

BabyShark

Malware species used by the Kimsuky hacker group.  Written in Visual Basic Script.

Back channel

See covert channel.

Backdoor,
trapdoor

Cryptic control bypass function in a program allowing users to access the system without proper authorisation.  Sometimes coded in for legitimate software development, testing or support purposes (e.g. ‘cheat codes’ used to bypass the early stages in an electronic game or make a game character invincible, immune to attacks), occasionally for dubious, unethical, nefarious or malicious purposes (e.g. hacking, coercion, embezzlement, fraud, espionage or covert license compliance checks, or introduced by malware).

Background check

Pre-employment screening process that evaluates a new starter’s social and family background, identity, employment record, immigration status, criminal record, credit status etc. to identify security and trustworthiness issues.  A service often provided by specialist suppliers.  The nature, extent and thoroughness of the checks varies widely in practice due to legal and time constraints, privacy concerns, policy, costs and practicalities, the particular rôle etc.  See also security clearance and positive vetting.

Backup

Snapshot copy of data, programs, configurations etc. from an IT system at a given point in time.  Backups provide the ability to restore a system to a known state after an incident (such as a ransomware infection) but are generally not intended to last as long as archives.  Integrity and availability are critical concerns for backups, plus confidentiality if the information content is sensitive, hence backups must be risk-assessed and secured, normally by means of documented policies and procedures, redundancy, firesafes, off-line and off-site storage, encryption, testing to prove recoverability, oversight/monitoring etc.

BadRabbit

One of several species of ransomware in the wild that surreptitiously encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

Badge access

See access card.

Bailey

Courtyard in a Mediaeval castle.

Baiting

Social engineering method of [figuratively] dangling something attractive in front of victims, such as a 419 or phishing email, what appears to be a dropped/lost USB stick, or an advertisement, web page etc., typically containing malware.

Bait-and-switch

Ancient social engineering trick in which a victim is enticed to purchase an attractive display item that is then surreptitiously substituted by an item of much lesser value.

Balancing control

Control that involves reconciling complementary (equal and opposite) values, as in double-entry bookkeeping etc.

Bank Trojan,
banking Trojan,
online banking Trojan,
banker Trojan

Trojan (such as Zeus) that captures user authentication credentials (typically by keylogging) or hijacks web sessions (usually via man-in-the-middle attacks) to steal funds from online bank accounts.

Barbed wire

Fencing wire with sharp barbs evenly spaced every few inches to snag the clothing and prick the skin of any intruders foolish enough to climb over.  A physical security control with some deterrent effect, though less extreme than razor wire or spikes.

Bare metal

Refers to the tangible computer hardware platform on which host operating systems, including hypervisors, run, as distinct from the virtual (simulated) hardware on which guest systems run in a virtual system.

Base measure

“Measure defined in terms of an attribute and the method for quantifying it.  Note: a base measure is functionally independent of other measures” (ISO/IEC 15939:2007).

Baseline security

The lowest permissible/acceptable level or form of security in a given situation (such as a particular organisation, physical security zone or data classification level, or a genuine security culture).  Forms a sound platform, basis or foundation on which additional security can be implemented where appropriate.  May be documented in a baseline security standard.  [Baseline:] “Information and controls that are used as a minimum implementation or starting point to provide a consistent minimum standard of systems security and information assurance” (NZ information Security Manual).

Baseline security standard

Corporate information security standard defining the ‘lowest common denominator’ controls i.e. the minimal information security control requirements that are expected to be met or exceeded in all circumstances unless formally declared exempt.

Base station,
wireless base station

“Equipment that provides the connection between mobile or cellular phones and the core communication network” (ISO/IEC 27033-6).

Bashdoor

See shellshock.

Basic collection

CIA term for OSINT including information ‘voluntarily disclosed’ by individuals.  It is not clear what techniques are or are not permitted to ‘encourage’ individuals to ‘volunteer’ information, but at least the CIA acknowledges their use of both standard collection and special collection.

Battery backup

Electronic devices require electricity to operate normally, making them dependent on the power supply and vulnerable to power interruptions.  For devices that are at all important, power interruptions constitute a substantial risk, hence batteries are an important form of control to maintain services as long as necessary to restore the primary or standby supply.  Unfortunately, batteries bring their own risks (such as finite capacities and lifetimes, leakage of corrosive chemicals, and explosions) which must also be addressed.  See also UPS.

Battlement

High walkway topping Medieval castle walls, usually crenelated, from which defenders could fire arrows, spears, stones and pour boiling oil on attackers below.

Bayesian

Heuristic technique based on probability theory, originally developed by Thomas Bayes, sometimes used to identify potential information security events (such as spam and malware).

Bell-LaPadula model

Formal model or architecture developed by David Elliott Bell and Leonard J. LaPadula in 1973 that applies strict (mandatory) access control rules (usually expressed as ‘no read up, no write down’ – the converse of the Biba model) and other constraints (such as the tranquillity principle) to maintain data confidentiality.  Subjects (generally programs or systems) can neither read objects (generally data) at a higher level of classification nor write to or share data with objects or subjects at lower classification levels in the hierarchy.

BEC
(Business Email Compromise), EAC
(Email Account Compromise),
“bogus boss”,
“bogus invoice”,
MITE (Man-In-The-Email)

Extremely lucrative type of social engineering attack involving misuse or falsification of email addresses, accounts or systems (e.g. through hacking, spyware or simply faking email sender addresses) to scam or defraud victims.  There are many variants, for example masquerading as a manager or supplying a false invoice in order to trick an accounts clerk to change the payee’s bank account, diverting funds into the fraudster’s money laundering mechanisms.  See also VEC.

Benford’s law

Physicist Frank Benford realized that the digits in a set of numbers (such as the values of corporate expense claims) tend to be unevenly distributed, high value digits such as 9 normally occurring less often than low ones such as 1, especially for the most significant (leftmost) digits.  Statistical analyses and tools use Benford’s law to identify data subsets with anomalous distributions, such as expense claims by a particular worker that might have been systematically and fraudulently manipulated or falsified.  One of several techniques for identifying patterns, correlations, anomalies and exceptions in databases according to the nature and distribution of the data (metadata).

Benign

Harmless or helpful, having beneficial or negligible/neutral intent or consequences.  Cf. malicious.

Best Current Practice
(BCP)

Internet Engineering Task Force’s description of a de facto level of performance, security etc.  Serially-numbered and occasionally updated BCPs are used to document evolving or dynamically changing practices for which static standards are impracticable or inappropriate.  Cf. Business Continuity Plan.

Best evidence

The forensic evidence originally gathered or seized from the scene of a crime and destined to be presented in court (e.g. the defendant’s computer) rather than forensic copies made for forensic investigation purposes (e.g. bit-copies of the computer hard drive).  Evidence is considered ‘best’ if there is none better.  Although forensic copies may sometimes be presented in court for various reasons (e.g. if the best evidence has unfortunately gone missing or degraded in storage), they carry slightly less weight than the best evidence.

Best practice

By convention or common agreement, the ultimate approach.  However, since security controls are often highly context-dependent, so-called best practices may be inappropriate, inadequate or even detrimental in any given situation, hence good practice is the better term.

BHO
(Browser Helper Object)

Program that loads and runs automatically when Internet Explorer is launched.  Some BHOs are malicious i.e. malware.

Biba model

Formal model or architecture developed by Kenneth J. Biba in 1975 that applies strict (mandatory) access control rules (usually expressed as ‘no read down, no write up’ – the converse of the Bell–LaPadula model) to maintain data integrity.  Subjects (generally programs or systems) can neither corrupt higher-level objects (generally data) nor be corrupted by lower-level objects or subjects in the hierarchy.

Big data

Huge (multi-exabyte), rapidly changing, highly complex data sets that cannot be processed adequately with conventional database applications may require radically different approaches.  Security-related logs in large organisations may approach this scale, where conventional data analyses intended to predict impending security threats can take so long to complete that the incidents may have already happened by the time they are reported.  Term often misused by advertisers with a penchant for hyperbole.  See also UBA, SIEM, IDS/IPS and NTA.

Big Brother

Name of the overbearing authoritarian establishment in George Orwell’s dystopian novel “Nineteen eighty-four”.  Euphemism for mass surveillance.

Binder

Hacker term for a program that combines multiple executables within one program.

BIN
(Bank Identification Number),
IIN
(Issuer Identification Number)

The first six digits of a payment card number identifying the card issuer, hence a cracker or carder revealing several is indicating that he has card numbers for those institutions.

Binding corporate rules

“Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity” (GDPR).

Biometric

Measurable physical characteristic of a person, such as their fingerprints, DNA profile, iris or retinal pattern, palm print, ear shape, facial shape, voice pattern, vein pattern, signature or cursive writing and typing dynamics, that can be used as a credential to identify and/or authenticate them.  Personal information.

Biometric data

“Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (GDPR).

BIOS
(Basic Input/Output System)

Low level firmware used to interact with peripherals such as disks, keyboards and mice, complete self-checks and initiate the operating system boot sequence on a computer.  Normally supplied with the motherboard and stored on a ROM, EPROM, EEPROM or flash memory chip capable of being updated or replaced.  Deprecated in favour of UEFI.

BIOS password

Some BIOS firmware requires the user to enter a password to continue the boot sequence or access a device.  This is meant to stop a casual thief from booting/accessing system resources, files etc. but the control is usually weak and easily defeated or bypassed by a competent hacker or forensics specialist.

Birthday paradox

Term reflecting the counterintuitive fact that, in a random group of at least 23 people, it is ‘likely’ (i.e. the probability is greater than 50%) that two of them celebrate their birthdays on the same day of the year.  Has been used as the basis for a cryptanalytic attack that exploits relationships between two sets of data (e.g. passwords and the corresponding hash values) where a match between any value from one set against any value from the other set is considered significant (i.e. discovering any valid password in an entire password file).  This is far more likely than finding a match to a given value (e.g. finding the password for a particular user ID).  A valid concern if all entries in a fingerprint database are scanned for any cross-matches as opposed to scanning a particular set of prints from a crime scene or suspect against the database.

Bit-bucket,
sinkhole

Notional device or network address to which unwanted data/traffic can be sent.  Antivirus analysts sometimes hijack the command-and-control features of malware to send stolen data down a sinkhole instead of going to the criminals behind the scams.  See also blackhole.

BitPaymer

One of several species of ransomware in the wild in 2019 that strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Targets medium to large organisations, demanding ransoms between ~$50k and ~$1m.

Bitwise image,
bit copy

A bit-by-bit identical image copy of all readable information on a storage medium that includes not only conventional data content but also metadata, alternative streams and the unallocated spaces between data files, past the end of file markers.  Normally used for forensic purposes.  May include remnants of data left behind after files have been incompletely deleted or moved, and perhaps (using special forensic techniques and/or hardware) data from disk sectors marked unreadable by the firmware or disk operating system.

Black bag ops,
black bag operations

Covert activities to penetrate, infiltrate or otherwise physically compromise a target’s premises in order to capture useful intelligence, filling the notional swag bag.  See also black ops.

Black hat

Malicious, self-serving, unethical hacker or cracker.  Cf. grey hat and white hat.

Blackhole

List of email servers believed to be pumping out spam, used as a crude form of spam filtering (‘crude’ in that it tars all users of those servers with the same broad brush).

Blacklist

List of email addresses, email servers (see blackhole), URLs (see bit-bucket), people, apps etc. that management deems unacceptable, banned or barred.  Since the default action for unlisted items is usually to permit their access or use, this control generally fails insecure.  “A list of email senders who have previously sent spam to a user” (NIST SP800-114 rev1).  Cf. whitelist.

Blackmail

Form of coercion or extortion used to force someone into doing something inappropriate, illegal or simply against their will, for example by threatening to reveal some embarrassing corporate or personal secret (perhaps a previous criminal act or sexual proclivity) if they do not comply with the blackmailer’s instructions.  See also sextortion.

Black market,
criminal underground

Unofficial, covert, unregulated and untaxed commercial market for stolen property (both physical and intellectual) plus the knowledge, tools, processes (such as money laundering) and other resources of the criminal fraternity.  See also hacker underground, Darknet and Silk Road.

Black ops

Covert (‘blacked-out’) activities normally run by government-sponsored or state security services to infiltrate, undermine or otherwise compromise an adversary, in a manner that permits them plausibly to deny the existence, knowledge or sponsorship of the operation, typically because it is unethical or illegal.  See also black bag ops.

Blackout,
power cut

Extended interruption to the power feed.  Computers and other electronic systems without alternative power sources such as battery-backup, UPS or standby generators, will of course fail in a blackout, potentially corrupting vital system or data files in the process as well as interrupting services.  See also dip, brownout, surge and spike.

BlackPOS

Species of POS memory-scraping malware in the wild.  Used to compromise the US retailer Target in 2014.

Blackshades

Species of malware deceptively marketed as a $40 antivirus and spyware package until the criminal operation behind it was shut down by the FBI in 2014.

Black swan event

Outlier/extreme/rare event which is so unusual that it could not reasonably have been predicted using risk analysis processes and models.  Metaphorical term coined by Nassim Nicholas Taleb, originally in connection with financial management but later applied across other fields.  We humans find it difficult to even contemplate, let alone deal rationally with black swans.  Many of us struggle even to take credible worst case scenarios seriously.

Blaster

Infamous network worm from 2003.

Bleichenbacher

Name of a talented Swiss cryptographer who invented a brute force attack on PKCS#1 v1.5, used by SSL.  Millions of challenges and responses concerning the validity of the message padding are used to determine the key.

Blended threat,
blended attack

Form of attack that combines methods, for instance using social engineering to dupe a target into unwittingly infecting their system with malware.

Bletchley Park

For most of the 20th Century, this manor house and grounds North of London housed a top-secret UK government communications and cryptography unit.  During World War II, Alan Turing, Tommy Flowers and team designed and built the Colossus computer to decrypt German and Japanese traffic including Enigma.  Now a fascinating museum.

Bloatware

Software that has become ‘bloated’ through the incremental addition of marginally useful functions and features, making it more complex and less secure (more vulnerable) as a consequence.

Block

(a) To prevent something from taking place.  (b) Unit of data, either of a fixed size (so many bits, bytes or characters) or delineated by specific marker sequences, characters etc.  (c) “Unit in which data is stored and retrieved on disk and tape devices” (ISO/IEC 27040).

Blockchain

Distributed data architecture used to establish an auditable, high-integrity record of changes to data by linking each change in a ledger to predecessors in the logical sequence using digital signatures.  Does not rely on a trusted authority.  Commonly applied in cryptocurrencies such as Bitcoin.

Block cypher

Symmetric encryption algorithm that encrypts a block consisting of a defined number of sequential plaintext characters at a time.  Cf. stream cypher.

Blooper

Embarrassing and often humorous human error.  Variously known as a bailout, balls-up, bloomer, blunder, boner, booboo, boob, botch, bungle, bust-up, clanger, corpsing, gaffe, foul-up, fumble, faux pas, goof-up, howler, mistake, screw‑up, snafu, Spoonerism, wipeout etc.  An accidental integrity failure.

Blue-

Prefix in the terms that follow, implying the exploitation of Bluetooth connections, with or without the device owner’s authorisation and/or knowledge.

BlueBorne

A cluster of Bluetooth driver spoofing vulnerabilities, disclosed in 2017, affecting over five billion Android, Linux and Apple devices.

Bluebugging

The covert exploitation of security vulnerabilities in someone’s Bluetooth equipment to bug them, for example by surreptitiously causing a compromised Bluetooth cellphone to call another number and so transmit private conversations in the vicinity of the compromised device.

Bluejacking

Sending unsolicited text, audio or video messages (e.g. spam) to a Bluetooth device.  While that may be annoying, it is essentially harmless but Bluejacking may also encompass more sinister Bluesnarfing, Bluespying or Bluebugging attacks that involve hijacking (taking control of) the victim’s device.

Bluesnarfing

Hacking a Bluetooth device, violating the user’s privacy and potentially compromising confidential personal and/or proprietary data such as email or SMS/TXT messages, contact details, diaries, photos/videos etc. stored on the device.

Bluespying

Type of hacker attack that exploits security vulnerabilities on Bluetooth equipment to spy on the user, for example accessing stored GPS data to determine where they have been.

Blue team

The defensive team, tasked with protecting the enterprise (or at least its flags) against mock assaults by outsmarting the red team.  See also purple and white team.

Bluetooth

Wireless networking protocol intended for short-range use over a few meters (e.g. to connect a wireless headset to a mobile phone) but often accessible over longer distances, especially with higher-power Bluetooth systems built-in to some laptops and vehicles, and things.  Early versions of Bluetooth were notoriously insecure but even current versions have issues.  “Wireless technology standard for exchanging data over short distances. Note: ‘Bluetooth’ is a trademark owned by the Bluetooth SIG.” (ISO/IEC 27033-6).  See also ZigBee.

Bluff ransomware,
bluffware

Malware that gives the appearance of having encrypted or otherwise blocked access to the users’ data in order to extort a ransom payment out of naïve victims, but in reality is simply displaying the message (which typically warns against further checks by threatening to destroy the data).  A form of scareware, a social engineering incident.

Board of Directors
(the Board)

The most senior level of management within the organisation with overarching accountability for protecting and legitimately exploiting the organisation’s assets on behalf of its owners or other stakeholders.  The Board typically delegates responsibility for corporate governance including information security to Officers such as the Executives, retaining a strategic oversight rôle.

Body cam[era], bodycam

Portable CCTV camera worn on or about a person, recording the activities of people around or interacting with the wearer.  The police are increasingly using body cameras both to record valuable evidence from scenes of crime and to exonerate themselves if accused of excessive violence etc.  Miniature cameras can be used for covert surveillance (i.e. spying) as well as for more mundane activities such as recording extreme sports.  See also dash cam.

Body language

See non-verbal communication.

Boiler room

Fraud involving heavy promotion of over-valued or non-existent stocks and shares by bogus stockbrokers promising big investment returns to naïve investors.

Bollard

Strong post mounted firmly in the ground, intended to reduce the risk of vehicular attacks on a facility.  A physical security control.

Boot sector virus

Form of malware that infects the boot sector (Master Boot Record) on a disk i.e. that part of the disk which is accessed first by the bootloader (itself stored in firmware) in order to load the operating system and so start up the computer.  This precedes the loading of most security software, including old/basic antivirus programs which execute only after the operating system has started (modern antivirus programs load and execute at the earliest opportunity).

Booter

See stresser.

Bot,
zombie

Short for ‘robot’.  (a) Networked computer under the remote control of hackers, often compromised using Trojans.  The owner of the computer usually remains oblivious to the compromise.  Often corralled together in botnets.  Also known as a zombie, as in the ‘living dead’ of Hammer horror fame.  (b) Any autonomous piece of software capable of roaming systems and/or networks, whether for benign (e.g. indexing Web pages for search engines) or malicious (e.g. spyware) purposes.

Bot master, botmaster

Hacker or cracker who commands and controls a botnet.

Botnet

Networks of bots that are used for hacking/criminal activities such as spamming, identity theft, carrying out DDoS attacks or as launch pads for attacking other systems.  Botnets comprising hundreds or thousands of compromised machines are rented out to hackers on the black market.

Botware

Malware used to command and control a bot, for example allowing the bot master to download, install and run a code module for a particular type of network attack.

Bounced

Emails that are undeliverable for some reason (e.g. addressee unknown) may be returned with an explanatory note (“bounced”) or silently deleted – the former approach helps senders but gives spammers clues about the status of email addresses.

Bouncer

See security guard.

Boundary

Demarcation between zones, typically where private property abuts public land or someone else’s private property, or private networks abut public networks, or the edge of someone’s personal space.  Alternatively, the values or other parameters that distinguish valid from invalid data.  See also perimeter.

BRAIN.A

Widely held to have been the first personal computer virus, created in 1986 as a proof-of-concept by two Pakistani geeks who subsequently set up an ISP called Brain Communications.  Spread on floppy disks.  Strictly speaking, it was not a true virus since it did not attach itself to executable programs, and it was pre-dated by viruses on other platforms such as Creeper (DEC PDP-10, 1971), ANIMAL/PERVADE (Univac, 1974) and Elk Cloner (Apple II, 1981).

Brand

The set of commonly-held perceptions, values and beliefs in the minds of prospects and customers about an organisation and/or its products (goods and services) e.g. “They are trustworthy and high quality”.  Whereas logos and phrases may be trademarked, inventions patented, designs registered and written/spoken words copyrighted, the intangible component of brands makes them difficult to describe let alone protect, yet brands can be extremely valuable, if vulnerable, corporate information assets.  “Marketing-related intangible asset including, but not limited to, names, terms, signs, symbols, logos and designs, or a combination of these, intended to identify goods, services or entities, or a combination of these, creating distinctive images and associations in the minds of stakeholders, thereby generating economic benefits/values” (ISO 10668).  See also reputation.

[Monetary] Brand value

“Economic value of the brand in transferable monetary units.  Note: The result obtained can be either a single economic value or a range of values” (ISO 10668).

Breach

Form of information security incident normally involving deliberate action by someone, as opposed to those with purely accidental causes, for example penetrating a defensive barrier such as a wall or firewall, or actively compromising security in general.

Bribe, bribery

The offered, promised or actual provision and acceptance of illicit financial or other inducements with the expectation of favours in return, such as the opportunity to bid favourably for or enter into a contract, or lenience (‘turning a blind eye’) following a compliance failure.  A form of corruption and malfeasance that, despite being both unethical and illegal, is an integral part of business life in some cultures and industries.

Bricking,
PDoS
(Permanent Denial of Service)

To damage a device and take it out of service in such a way that it is impossible or uneconomic to recover it, making it ‘as useful as a brick’.  May result from an accident (such as a bug or error when updating flash BIOS, or mechanical damage such as dropping the device in the sea) or a deliberate attack.

BrickerBot

Malware that infects things and, if they fail a simple security test, irreparably damages their file systems, thus bricking them.  A vigilante worm.

Brownout

Reduction in power supply voltage lasting more than just a few micro- or milliseconds, enough to dim incandescent lights (hence the name) and cause the failure of electronic systems having inadequate voltage regulation.  See also dip, surge, spike and blackout.

Browser hijack

Malware attack that changes the user’s normal browser home page or new tab selection to bring up some other inappropriate/unsafe website.

Brute force

(a) Attack in which candidate passwords, PINs or cryptographic keys are tried one after another, automatically and at high speed, until the correct one is found; in the limit every possible value is tried (exhausting the key space), so the attacker’s cost is bounded by the size of the key space multiplied by the cost of each guess.  Normally automated using password-cracking tools and word lists; rainbow tables are a related precomputation (time-memory trade-off) attack against unsalted password hashes rather than a brute force tool as such.  Low-entropy PIN codes and weak passwords may even be guessed manually.  Defences include lockout or rate limiting of guesses, salting and key stretching of stored password hashes, and keys long enough that exhaustion is infeasible.  (b) A straightforward attack on physical security, such as ram-raiding, chain-sawing through fences and walls, or threatening/assaulting security guards or receptionists.
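
Added example (not part of the glossary): a short Python script showing why a small key space falls to precomputation and what per-record salting and key stretching change.  The 4-digit PIN, the salt and the hashes are constructed for the demonstration.  The table of all 10,000 unsalted hashes is built once and then cracks any stolen unsalted hash with a single lookup; the same table is useless against a salted hash, which has to be brute-forced afresh at a cost of key space times iterations per target.

```python
import hashlib
import hmac
import itertools

# All 10,000 possible 4-digit PINs: the entire key space of the constructed example.
PIN_SPACE = ["".join(d) for d in itertools.product("0123456789", repeat=4)]


def unsalted_hash(pin: str) -> str:
    """Naive storage: a plain SHA-256 of the PIN, identical for every user with that PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()


def build_lookup_table() -> dict:
    """Precompute hash -> PIN once for the whole key space.  A rainbow table is a
    space-saving variant of this table; either way the work is done before any
    target hash is seen and is then amortised over every target."""
    return {unsalted_hash(pin): pin for pin in PIN_SPACE}


def crack_by_lookup(table: dict, stolen_hash: str):
    """With the table built, each stolen unsalted hash costs one dictionary lookup."""
    return table.get(stolen_hash)


def salted_hash(pin: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-record random salt plus key stretching (PBKDF2-HMAC-SHA256).
    The salt makes a shared table impossible; the iteration count makes each
    guess deliberately expensive."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def crack_salted(stolen: bytes, salt: bytes, iterations: int = 100_000):
    """No precomputed table helps: every candidate must be re-derived under this
    salt, so the cost is (key space) x (iterations) for this one target.
    Returns (pin, guesses_tried), or (None, key space size) if not found."""
    for tried, guess in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(salted_hash(guess, salt, iterations), stolen):
            return guess, tried
    return None, len(PIN_SPACE)


if __name__ == "__main__":
    table = build_lookup_table()
    victim = unsalted_hash("7351")                      # constructed stolen hash
    print("unsalted, by lookup:", crack_by_lookup(table, victim))
    salt = bytes.fromhex("5a17c0ffee0badf00d1234567890abcd")   # constructed salt
    stored = salted_hash("7351", salt, 1000)
    print("salted, table lookup:", crack_by_lookup(table, stored.hex()))
    print("salted, brute force:", crack_salted(stored, salt, 1000))
```

Even with salting and stretching a 4-digit PIN is still recovered in at most 10,000 guesses; the protection only buys time, which is why online rate limiting or lockout is needed as well.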

BS7858:2012

British Standard code of practice for pre-employment security screening (background checks and security clearance).

Buffer overflow

Software bug that allows – or fails to prevent – a buffer space in memory being over-filled with excessive amounts of data, such that it overwrites adjacent memory locations.  While this normally results in the program simply crashing, hackers are adept at crafting malicious data in such a way that the overspill is directly executed or points to another memory location where exploit code has also been inserted.  Buffers are used to hold interim values and the results of internal calculations and text operations as well as to hold data input through the keyboard or arriving through the network: internal buffers may also be vulnerable to overflows if unchecked.

Bug

(a) Programming fault accidentally inserted into a program by a programmer.  Most bugs are relatively benign but some create vulnerabilities that may lead to security incidents such as a crash or compromise.  See also web bug and flaw.  (b) A covert surveillance device used to snoop surreptitiously on the online activities, conversations etc. of a target, potentially compromising trade secrets or personal information.

BULLRUN

TOP SECRET NSA ‘decryption program’ disclosed by whistleblower Ed Snowden.  Part of a global surveillance/SIGINT framework systematically snooping on encrypted traffic including SSL and (some) VPNs.  A similar program in the UK is called Edgehill.

Burglary

Trespass with intent to steal.

Burp suite, Burp

Intercepting proxy and Web application penetration testing toolkit from PortSwigger: the tester routes browser traffic through Burp in order to inspect, modify and replay HTTP(S) requests, supported by scanning, fuzzing (‘Intruder’) and request-replay (‘Repeater’) modules.  Free (Community) and commercial (Professional, Enterprise) editions.

Business-critical,
mission-critical

Class of information asset, business function, process etc. that is vitally important to the organisation’s core purposes, objectives or mission.  The potential severity of information security incidents affecting such assets, the scale and nature of the impacts, implies that realistic threats acting on known vulnerabilities almost certainly qualify as high risks.  See also Tier 1, 2 or 3 and safety-critical.

Business continuity

Term encompassing the resilience, recovery and contingency arrangements and plans used to mitigate the effects of incidents and disasters affecting information processes, IT systems, networks and business processes, supply chains etc.

Business Continuity Management (BCM)

The process of directing, controlling and overseeing the organisation’s approach to business continuity, such as business impact assessment to characterize business-critical processes and identify the supporting systems and resources, plus the production, exercising and maintenance of the business continuity plans etc.

Business Continuity Management System
(BCMS)

The management system for business continuity.

Business Continuity Plan, Plans or Planning
(BCP)

A pre-considered preparative approach intended to ensure the continued operation of essential business processes (including essential supporting systems, resources and so forth), despite serious incidents or disasters that might occur, through a suitable combination of controls such as resilience, disaster recovery and contingency arrangements that will minimize the impacts.  Cf. Best Current Practice.

Business directory fraud

Through social engineering, fraudsters manipulate victims into over-paying for entries in business directories, listings or databases that are largely worthless and may not even exist.  Common techniques include persistent cold-calling and spamming, misrepresenting the directories, misleading websites, submitting invoices to ‘renew’ non-existent subscriptions directly to lowly procurement or accounts clerks or personal assistants, innocuous-looking forms using the word ‘insertions’ (meaning paid advertisements) in the small print, inducements such as ‘free offers’ and entries in business awards, and baseless coercive threats from self-styled ‘debt collection agencies’.

Business Email Compromise

See BEC and VEC.

Business Impact Assessment
[or
Analysis]
(BIA)

That part of risk analysis which involves reviewing the potential business impacts of more or less serious information security incidents on critical business processes, in order to determine the associated availability and conceivably other information assurance or security requirements.

Business Resumption (or Recovery) Plan (BRP)

Preparations to enable essential business activities to be recovered or restored following a disaster that has disrupted them, typically by providing business-critical information services from an alternate location.

BYOC
(Bring Your Own Cloud)

Corporate scheme allowing workers to use certain cloud computing services for business purposes, provided suitable information security controls (such as policies concerning classified information, strong user authentication, data encryption and other access controls) are employed.  Unless blocked by network security controls, cloud apps (such as Google Docs or Office365) and cloud storage (such as Google Drive or Dropbox) may be used by workers to exfiltrate valuable information from the organisation, while malicious cloud apps are a form of malware.

BYOD
(Bring Your Own Device)

Corporate scheme allowing workers to use their PODs for business purposes, provided suitable information security controls are employed (e.g. policies, MDM, encryption and antivirus software).

BYOT
(Bring Your Own Thing)

Corporate scheme allowing workers to use their things for business purposes, provided suitable information security controls are employed (e.g. policies, MDM, encryption and antivirus software).

Byzantine fault

A class of system failures in which a faulty component does not simply stop but behaves inconsistently, giving different (and possibly individually plausible) outputs to different observers.  Because each observer may see apparently normal data, simple majority voting or consensus among the observers cannot reliably spot and react to the exception.

Byzantine Fault Tolerance (BFT)

System architecture designed to continue operating correctly despite [some number of] Byzantine faults, typically by replicating a function across several independent components and requiring agreement among them.  The classical result is that tolerating f faulty components requires at least 3f+1 components in total, so a system of three cannot tolerate even one.
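
Added example (not part of the glossary), illustrating both the Byzantine fault and BFT entries: a Python simulation of the Oral Messages algorithm OM(m) from Lamport, Shostak and Pease’s Byzantine generals paper.  The behaviour of a traitor is an assumption of the simulation: it sends the true value to even-numbered recipients and the opposite to odd-numbered ones, so different observers see different data.  With four nodes and one traitor every loyal lieutenant reaches the same decision; with three nodes and one traitor a loyal lieutenant is misled.

```python
# Values the commander can order.  RETREAT is also the tie-breaking default.
RETREAT, ATTACK = 0, 1


def send(sender, receiver, value, traitors):
    """Deliver 'value' from sender to receiver.  A traitor lies inconsistently:
    honest value to even-numbered receivers, the opposite to odd-numbered ones
    (constructed behaviour for the demonstration)."""
    if sender in traitors and receiver % 2 == 1:
        return 1 - value
    return value


def majority(values):
    """Binary majority; a tie resolves to RETREAT as in the original paper."""
    return ATTACK if values.count(ATTACK) > len(values) / 2 else RETREAT


def om(m, commander, lieutenants, value, traitors):
    """Run OM(m) and return {lieutenant: value it decides on}.

    OM(0): commander sends its value to each lieutenant, who uses it directly.
    OM(m): commander sends its value; each lieutenant then acts as commander of
    OM(m-1) to relay what it received to the others, and finally decides by
    majority over its own value and the relayed values."""
    received = {l: send(commander, l, value, traitors) for l in lieutenants}
    if m == 0:
        return received

    # relayed[j][i] = the value lieutenant j attributes to lieutenant i
    relayed = {j: {} for j in lieutenants}
    for i in lieutenants:
        others = [l for l in lieutenants if l != i]
        for j, v in om(m - 1, i, others, received[i], traitors).items():
            relayed[j][i] = v

    decided = {}
    for j in lieutenants:
        votes = [received[j]] + [relayed[j][i] for i in lieutenants if i != j]
        decided[j] = majority(votes)
    return decided


if __name__ == "__main__":
    # n = 4, traitorous commander: loyal lieutenants 1-3 must still agree.
    print("traitor commander, n=4:", om(1, 0, [1, 2, 3], ATTACK, traitors={0}))
    # n = 4, traitorous lieutenant 3: loyal 1 and 2 must follow the commander.
    print("traitor lieutenant, n=4:", om(1, 0, [1, 2, 3], ATTACK, traitors={3}))
    # n = 3, traitorous lieutenant 2: loyal lieutenant 1 is misled.
    print("traitor lieutenant, n=3:", om(1, 0, [1, 2], ATTACK, traitors={2}))
```

OM(m) tolerates m traitors only when there are more than 3m nodes, which is the 3f+1 bound; it also assumes messages cannot be forged or lost, which is why practical BFT protocols add authentication and timeouts.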

Caesar’s cipher

Cryptographic algorithm originally used by Julius Caesar to encrypt secret messages for soldiers in the Roman colonies.  A simple monoalphabetic substitution cipher (each letter is replaced by the letter a fixed number of places further along the alphabet), easy to break today since there are only 25 useful keys and the letter frequencies of the plaintext survive encryption, but evidently adequate to meet Caesar’s data confidentiality requirements back then.  See also Vigenère’s cipher.

Cain &amp; Abel,
“Cain”

Password recovery and hacking tool capable of brute-force and dictionary attacks on a wide variety of password hashes and cryptographic keys, on Windows systems.

Caller ID (identity)

Technical facility to display and store a phone caller’s phone number on the called phone, enabling the recipient to identify the caller, call them back etc.  Unfortunately, the technology is not sufficiently secure to prevent social engineers spoofing their numbers (e.g. so fraudsters appear to be calling from a bank’s number).

CANbus
(Controller Area Network bus)

Communications standards for microcontrollers (Electronic Control Units) and other electronic devices in vehicles, developed by Bosch.  The primary security requirements in such environments are to ensure data and system integrity and availability.

CANVAS

Costly commercial network security/penetration test tool from IMMUNITY.  Automates hundreds of exploits against known vulnerabilities.

Capability

Ability, competence, suitability, capacity and/or willingness to do something successfully.  “Quality of being able to perform a given activity” (ISO 19440:2007).

Capacity

Capability of an IT system, database, network, generator etc. to deliver the required services, process the requisite number of transactions, store sufficient data etc.  Related to availability and performance.  See also capacity management.

Capacity management

Dynamically aligning the provision of IT systems and services with changing demands, in order to maintain appropriate service levels (availability and performance).

Capture The flag

See CTF.

Carbanak

Bank Trojan in-the-wild, built using Carberp.

Carberp

Crimeware kit for building Trojans.  As with Zeus, the source code for Carberp was released onto the Internet.

Carder

Criminal who steals, counterfeits, trades and/or validates credit card data.

Carding

Stealing, counterfeiting, trading or validating credit card data.

Careless

Without due care, failing to act sufficiently cautiously under the circumstances.  Less severe than negligent or reckless.

Carnivore

Early Internet surveillance system implemented by the FBI in 1997 as PC software, capable of selectively monitoring the Internet traffic to/from specified users by ‘packet sniffing’ on particular network cables.  Based on even earlier surveillance systems (such as Omnivore).  Renamed DCS1000 to appear less threatening.  Superseded in 2001 by ever more sophisticated and capable remote, distributed surveillance systems.

CARTA
(Continuous Adaptive Risk
and
Trust Assessment)

Assurance approach involving security monitoring that is continuous (as opposed to periodic e.g. penetration testing), integrated across all levels (from the hardware platform to the applications) and adaptive (responding to risks in real time e.g. using SOAR).  Concept promoted by Gartner in 2018.

CASB
(Cloud Access Security Broker)

Similar to a firewall, the CASB acts as a trusted go-between linking cloud computing users with their Cloud Service Providers, applying security rules to the commands and data passing through.

Cascade,
cascading failure

Information security incidents adversely affecting something (such as electricity generation) on which something else depends (most electrical and electronic devices in that case) are likely to cause widespread, rolling and longer-lasting disruption as the effects spread, with additional impacts  further down the line.  Therefore, incidents which harm critical infrastructure are likely to be magnified by the consequential impacts over an extended timeframe.

Cashing out

Hacker phrase for the process of converting “hot” (stolen) information assets into untraceable cash through various black market trades and money laundering schemes.  See also monetize.

CATNAP
(Cheapest Available Technology/Technique Narrowly Avoiding Prosecution)

Spending the least amount necessary to satisfy the letter of the law, where there is no apparent business advantage in going any further.  A drawback of setting low hurdles in compliance-driven cultures.

Caveat

Warning or proviso.  “A marking that indicates that the information has special requirements in addition to those indicated by the classification.  The term covers codewords, source codewords, releasability indicators and special-handling caveats” (NZ information Security Manual).

CBEST

Bank of England framework for intelligence-led penetration testing of UK financial institutions and financial market infrastructures, using CREST-accredited penetration testers and threat intelligence providers to simulate the tactics of realistic threat actors against live production systems.

CCM
(Cloud Controls Matrix)

Generic suite of information security controls applicable to various types of cloud computing services, as defined by the CSA.  Addresses both the service providers’ and consumers’ perspectives.  More.

CCPA
(California Consumer Privacy Act of 2018)

An EU-style privacy law that came into force in January 2020, imposing obligations on medium to large commercial organisations to ‘implement and maintain reasonable security procedures and practices’ in order to protect personal data (as defined in the Act) and giving Californians the right to opt out of companies selling their personal data.

CCTV
(Closed Circuit TeleVision)

Private audio-visual surveillance system typically used by security guards to monitor premises, safes/vaults etc. for intruders, thieves and saboteurs, by local councils, public bodies and the police to oversee public places for disorder, crimes and safety issues, and by industrial plant operators to monitor the state of the plant.  Modern CCTV systems typically use high definition digital IP cameras on a network.

CDN
(Content Delivery Network)

Essentially a geographically-dispersed commercial Web content caching service that, where possible, delivers content from copies held on Web servers near to the user rather than from the original sources.  Reduces latency, increases download speeds, and can help mitigate the effect of Denial of Service attacks and other incidents.

Cease and desist letter,
demand letter,
infringement notification

A lawyer’s letter formally requiring someone permanently to stop doing something, generally reinforced with an explicit or implicit threat to take legal action against them if they persist. 

Cerber

One of several species of ransomware in the wild that surreptitiously encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Evidently does not run on Russian-language computers, hinting at its possible origin.  Available to rent as Ransomware as a Service.  Flawed cryptosystem in the initial version has presumably been replaced in Cerber 2.

CERT
(Computer [or Cyber] Emergency Response Team),
CIRT
(Computer [or Cyber] Incident Response Team)

An IRT that specifically handles IT-related incidents.  Many countries have national CERTs, globally supported and coordinated through the CERT-Coordination Center (CERT/CC) in Carnegie Mellon University’s Software Engineering Institute.

Certification

The process by which something is formally evaluated against a set of pre-defined criteria and, if appropriate, confirmed compliant.  “A procedure by which a formal assurance statement is given that a deliverable conforms to a specified standard” (NZ information Security Manual).

Certification Authority
(CA)

Trusted body that digitally signs and issues digital certificates to authenticated users or systems in a PKI.  “Authority trusted by one or more users to create and assign public-key certificates.  Notes: Optionally, the certification authority can create the users' keys.  The role of the certification authority in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.  Usually, this means that the CA has an arrangement with an institution which provides it with information to confirm an individual's claimed identity.  CAs are a critical component in information security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.” (ISO/IEC 27033-1).  “An official with the authority to assert that a system complies with prescribed controls within a standard” (NZ information Security Manual).

Certification body,
registrar

Accredited organisation deemed sufficiently independent, competent, diligent and trustworthy to review and certify other organisations’ compliance with specifications or requirements formally defined in applicable standards or regulations such as ISO/IEC 27001.  See also Certification Authority.

Certification documents

Compliance certificates, statements etc.  “Documents indicating that a client's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system” (ISO/IEC 27006).

Certification Practice Statement (CPS)

Document in which a Certification Authority states the practices it actually follows in issuing, managing, renewing and revoking certificates and in protecting its own keys, as distinct from the Certificate Policy, which states the requirements that certificates issued under that policy must meet.  Relying parties use it to judge how much trust to place in the CA’s certificates.  See RFC 3647.

Certification report

“A report generated by a certification body of a Common Criteria scheme that provides a summary of the findings of an evaluation” (NZ information Security Manual).

Certificate Revocation List
(CRL)

A published list of digital certificates that have been revoked by the Certification Authority before their expiry date and are therefore invalid.  PKI systems are supposed to check for, and reject, certificates that have been revoked, for instance because a private key has been compromised or because the CA itself has been compromised meaning that fake certificates are or might be in circulation.  Each CRL is signed by the CA and carries an issue time and next-update time: clients should fetch a fresh copy (or use an online status check such as OCSP) rather than rely on a stale one, and should treat an unobtainable CRL as a failure rather than silently accepting the certificate.

Certifi-Gate

Vulnerability in digital certificate handling by some privileged remote access/systems administration tools on Android, exploited by malware in 2015.

Chain letter

An item of correspondence (originally a postal letter, latterly an electronic message such as an email) that entreats the recipient to pass it on to further recipients.  The content of chain letters varies and, although some are legitimate, most are fraudulently using social engineering techniques to part fools from their valuables (e.g. pyramid schemes).  Apart from consuming network bandwidth, data storage capacity, wasting users’ time and fooling victims, chain letters sometimes gain false respectability as a result of being passed on, and effectively endorsed, by trusted but foolish intermediaries.

Chainmail

Flexible but heavy body armour constructed from interlocking steel rings, guarding against glancing blows.  Supplemented by armour plates, shields and helmets protecting the most vulnerable areas of the body against direct hits and penetration by weapons.

Chain of custody

Maintenance of a complete, accurate and trustworthy record of the physical custody and treatment of forensic evidence at every point between its original collection and eventual presentation in court, such that there is no reasonable doubt as to its origin, authenticity and integrity.  “Demonstrable possession, movement, handling and location of material from one point in time until another” (ISO/IEC 27050-1).
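
Added example (not part of the glossary or of any standard): a Python hash-chained custody log in which every entry commits to the hash of the entry before it, so that altering, inserting or deleting any earlier record breaks every link after it and the point of tampering can be identified.  The evidence identifier, evidence hash, custodians and timestamps are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64   # 'previous hash' for the first entry


def canonical_hash(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace) so that
    anyone re-verifying the log computes exactly the same bytes."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id: str, evidence_sha256: str):
        self.evidence_id = evidence_id
        self.evidence_sha256 = evidence_sha256   # hash of the evidence item itself
        self.entries = []

    def record(self, timestamp: str, custodian: str, action: str, location: str) -> dict:
        """Append one custody event, linked to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "evidence_sha256": self.evidence_sha256,
            "timestamp": timestamp,
            "custodian": custodian,
            "action": action,
            "location": location,
            "prev": prev,
        }
        entry["hash"] = canonical_hash(entry)   # hash covers every field except itself
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain from the start.  Returns (True, -1) if every entry's hash
        and back-link check out, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry.get("seq") != i
                    or entry.get("prev") != prev
                    or canonical_hash(body) != entry.get("hash")):
                return False, i
            prev = entry["hash"]
        return True, -1


if __name__ == "__main__":
    log = CustodyLog("HDD-0042", hashlib.sha256(b"constructed disk image").hexdigest())
    log.record("2024-01-10T09:00:00Z", "A. Analyst", "seized", "site office")
    log.record("2024-01-10T12:30:00Z", "B. Courier", "transported", "van 7")
    log.record("2024-01-10T15:00:00Z", "C. Lab", "received", "evidence locker 3")
    print("intact:", log.verify())
    log.entries[1]["location"] = "unknown"        # a quiet edit to history
    print("after edit:", log.verify())
```

A hash chain only detects tampering if the latest hash is anchored somewhere the adversary cannot rewrite (countersigned on the evidence bag, emailed to a witness, digitally signed), otherwise someone with write access can simply re-hash the whole chain.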

Challenge

(a) Pose a question intended to raise or dispel doubt or concern, or to elicit a strong reaction, for example a lawyer cross-examining a witness in court.  (b) Something difficult to overcome or complete successfully.

Challenge-response

Protocol or process in which the respondent must return the correct, anticipated response to a challenge, otherwise the challenger knows something is amiss.  Mediaeval gatekeepers demanded “Who goes there?” in anticipation of a visitor giving the secret password to authenticate themselves and be allowed through the gate.  Nowadays used to authenticate a counterparty over a network without sending the secret itself: the challenger sends a fresh random nonce and the respondent returns a value that can only be computed with the secret, for example a keyed hash (HMAC) of the nonce under a shared key, or a digital signature over the nonce made with the respondent’s private key which the challenger verifies with the corresponding public key (equivalently, the challenger encrypts the nonce to the respondent’s public key and the respondent proves it can decrypt it).  The nonce must be unpredictable and never reused, otherwise a recorded response can simply be replayed.
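
Added example (not part of the glossary): both sides of a shared-key challenge-response exchange in Python, using HMAC-SHA256 over a random nonce.  The verifier only accepts answers to nonces it issued and has not yet seen answered, which is what defeats replay of a captured transcript.  The shared key is a constructed value for the demonstration, not a real credential; a public-key variant would replace the HMAC with a signature over the nonce and the shared key with the respondent’s public key.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """The challenging side: issues fresh nonces and checks the answers."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()   # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)      # unpredictable and single-use
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A nonce that was never issued, or that has already been answered, is
        # rejected: replaying a recorded (nonce, response) pair therefore fails.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Prover:
    """The responding side: proves it holds the key without transmitting it."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def authenticate(verifier: Verifier, prover: Prover):
    """One complete exchange.  Returns (accepted, nonce, response) so the transcript
    can be replayed afterwards to show that the replay is rejected."""
    nonce = verifier.challenge()          # message 1: challenge
    response = prover.respond(nonce)      # message 2: response
    return verifier.verify(nonce, response), nonce, response


if __name__ == "__main__":
    key = b"constructed-shared-secret"    # demonstration value only
    v = Verifier(key)
    ok, nonce, response = authenticate(v, Prover(key))
    print("genuine prover accepted:", ok)
    print("replayed transcript accepted:", v.verify(nonce, response))
    print("wrong key accepted:", authenticate(v, Prover(b"wrong-key"))[0])
```

In a real deployment the verifier would also bound the lifetime of outstanding nonces and bind the response to the session (for example by including both parties’ identities in the HMAC input) to prevent reflection and relay of a response obtained from another connection.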

CHAMP
(Counter-electronics High-powered microwave Advanced Missile Project)

Boeing EMP cyberweapon which directs intense bursts of electromagnetic energy at selected target buildings (and perhaps vehicles and other cyberweapons) from a passing aircraft or drone in order to destroy/disable the electronic systems, devices, IT systems and network infrastructure within. 

Chance

See probability.

Change control

Management process for proposing, reviewing and accepting or rejecting changes to a process, system and/or the associated documentation.  Part of change management.

Change key

Conventional physical locks are designed to be unlocked only by keys having the corresponding patterns, keys which will not open locks of other patterns: these single-lock keys are known by locksmiths as change keys.  Cf. master keys.

Change management

The totality of activities used to plan, risk-assess, authorize, control, direct and document changes to the organisation, its IT systems, business processes, products etc.

Chatham House rule

An informal arrangement (a gentleman’s agreement) to protect the anonymity of information sources at meetings.  “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed” [Chatham House].

Cheat

A dishonest person who deliberately bends or breaks the rules for personal gain.  A relatively minor fraud.

Checkpoint

(a) A static record or snapshot of the state of a computer system, program, database etc. at one point in time to which the system may be rolled-back if necessary.  See also backup.  (b) A physical guard house or similar place manned by security guards through which people must pass some sort of inspection (e.g. checking ID cards, metal detectors).

Checks and balances

The reconciliation of accounts or data files compiled separately but supposed to match item-for-item, for example in double-entry bookkeeping every credit should correspond to an equal and opposite debit, hence the total of a debit account should precisely equal the total of the matching credit account.

ChewBacca

One of several species of memory-scraping malware in the wild.

Chief Security Officer
(CSO)

Director or senior/executive manager with overall responsibility for security, including physical security and perhaps information security.  Chairs the Security Committee and reports to executive management.  See also CISO.

Chinese wall,
paper wall

Notional physical isolation or air-gap separation between people, business functions/departments/units, organisations, networks, systems etc. intended to prevent the inappropriate passage of confidential information between them, avoid conflicts of interest and/or maintain divisions of responsibility.

Chip-n-PIN,
chip and PIN,
chip card

Physically secure payment, charge, store, bank, credit, debit or EFTPOS card containing an embedded cryptographic module – in practice, a small integrated circuit laminated within the card.  Compared to magnetic stripe cards, it is extremely difficult for forgers to duplicate well-designed and implemented cryptographic modules due to their physical and logical security controls.  Normally, the user must enter their correct PIN code into the chip-n-PIN card reader to authenticate themselves and ‘unlock’ the card (multi-factor authentication), further controlling against loss or theft of the card provided neither the card reader nor the PIN code have been compromised (two known modes of attack).

Chipzilla

See meltdown.

Chosen plaintext

Cryptanalytic technique in which the analyst can obtain the ciphertext corresponding to some plaintext of their choosing, which acts as a crib.  See also known plaintext.

Christmas tree

One of the earliest network worms, released in 1987.  Less damaging than The Internet Worm.

CIA
(Central Intelligence Agency)

Spooky US government agency responsible for overseas intelligence and intelligence on foreigners, relating to illegal drugs, arms trafficking, terrorism etc.  See also FBI and DHS.

CIA triad

The primary objective of information security is to protect information assets against the compromise of their Confidentiality, Integrity and Availability (CIA).  In addition to those three, other objectives may also be relevant under various circumstances e.g. assurance, auditability, accountability, non-repudiation and compliance.  Cf. Parkerian hexad.

Cipher

A message written in a secret code, or the mechanism for generating it.  See algorithm.

Circumstantial evidence

Forensic evidence that is peripheral, implicated or related in some indirect way with an incident, requiring inference to make the association.  Cf. direct evidence.

CIRT

See CERT.

CISA
(Certified Information Systems Auditor)

The preeminent qualification for ICT auditors worldwide, issued by ISACA.

CISA
(Cybersecurity Information Sharing Act)

US law to encourage the sharing of cyberthreat indicators between US corporations and the US government by limiting their liabilities in so doing.

CISO
(Chief Information Security Officer)

Executive with overall responsibility for the governance and management of information risks.  See also CSO and ISM.  “A senior executive who is responsible for coordinating communication between security, ICT and business functions as well as overseeing the application of controls and security risk management processes within an agency” (NZ information Security Manual).

Citadel

Banking Trojan (a RAT) derived from the leaked Zeus crimeware kit.  Installs a remotely-configurable bot that joins a botnet and can be directed to mount various attacks such as credential theft.

Citizen programmer

Largely untrained and self-taught amateur software developer who writes spreadsheets, macros, utilities, databases, custom reports and/or other programs more as a hobby interest than a profession.  See also End User Computing.

Claim

Assertion or verifiable statement of fact e.g. a patent claim defines possible applications of an invention protected by the patent; an insurance claim is an application by an insured party for compensation under the policy as a result of an insured event; manufacturers’ claims regarding their products (goods and services) may include information security, privacy and other features and strengths.

Clark-Wilson model

Formal integrity model published by David D. Clark and David R. Wilson in 1987 as a commercially-oriented alternative to the Biba model.  Integrity is protected by allowing ‘constrained data items’ to be modified only through certified ‘transformation procedures’ (well-formed transactions), enforcing separation of duties between those who certify the procedures and those who use them, and running ‘integrity verification procedures’ to confirm that the data remain in a valid state.  Applies to the integrity of information in general, not just computer data.

Class, classify, classification

Pragmatic grouping-together of similar or related information assets that are believed to share similar risks and hence control requirements.  While classification is a quick process that reduces the need individually to risk assess and identify security controls needed to protect every single asset in each class, the appropriate generic controls still need to be applied.  Furthermore, generic controls may not be ideal for a specific situation, hence higher classes may require more intense risk analysis and bespoke controls.  Classification typically involves confidentiality or privacy criteria but more complex schemes may also take account of integrity and availability requirements.  Unfortunately, there is no universal agreement on classification labels and their meanings, hence in addition to the compliance issues within any organisation there are additional risks of misinterpretation leading to inadequate or inappropriate security when classified materials are shared between organisations.

Classified information

“Government information that requires protection from unauthorised disclosure” (NZ information Security Manual).

Classified systems

“Systems that process, store or communicate classified information” (NZ information Security Manual).

Clear

A basic low-assurance form of sanitisation.  “Sanitize using logical techniques on data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques using the same interface available to the user” (ISO/IEC 27040).

Cleartext

See plaintext.

Click bait, click-bait, clickbait

Something attractive or intriguing (such as fake news and scantily clad people) that lures unsuspecting computer users to click a link, open an attachment, install or run a program or whatever, leading typically to their devices being infected with malware and/or their being defrauded or otherwise compromised.  A form of social engineering.  The thriving underground market in clickbait pays a premium for clickbait pages with tens or hundreds of thousands of visitors, especially affluent Westerners.

Click fraud

Fraud techniques targeting click-through affiliate marketing schemes that pay a bounty for visitors’ clicks.  In one form, malware surreptitiously swaps genuine affiliate codes embedded in URLs and cookies for codes to the fraudsters’ own accounts.  In another, malware racks up large pay-per-click charges and/or artificially inflates website reputational ratings (and hence commercial value) by ‘clicking’ online advertisements.

Clickjacking

UI redress attack in which an attacker’s web page loads a legitimate site inside an invisible or disguised frame, positioned so that a visitor who believes they are clicking on something innocuous actually clicks a button or link on the framed site (e.g. ‘confirm’, ‘like’, ‘transfer’) while logged in to it.  Mitigated by forbidding framing with the Content-Security-Policy frame-ancestors directive or the X-Frame-Options header, and by SameSite cookies.  See also click fraud.
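
Added example (not part of the glossary): Python code that decides, from the response headers a page is served with, whether a given third-party origin could load it in a frame, which is the precondition for clickjacking.  It applies the browser rule that a Content-Security-Policy frame-ancestors directive, when present, overrides X-Frame-Options.  The sample responses and the origins bank.example, partner.example and evil.example are constructed for the demonstration.

```python
def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def frameable_by(headers: dict, page_origin: str, framing_origin: str) -> bool:
    """True if a page at page_origin, served with these response headers, may be
    embedded in a frame by framing_origin (and so is exposed to clickjacking
    from there)."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin = page_origin.lower()
    framing_origin = framing_origin.lower()

    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # frame-ancestors present: browsers ignore X-Frame-Options entirely.
        sources = [s.lower() for s in csp["frame-ancestors"]]
        if "'none'" in sources:
            return False
        for src in sources:
            if src == "*":
                return True
            if src == "'self'" and framing_origin == page_origin:
                return True
            if src == framing_origin:
                return True
            # host wildcard such as https://*.example.com
            if src.startswith("https://*.") and framing_origin.startswith("https://") \
                    and framing_origin.endswith(src[len("https://*"):]):
                return True
        return False

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framing_origin == page_origin
    # No header, or the obsolete ALLOW-FROM which current browsers ignore: no protection.
    return True


# Constructed sample responses for the demonstration.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-partner": {
        "X-Frame-Options": "DENY",   # overridden by frame-ancestors below
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example",
    },
}


if __name__ == "__main__":
    page, attacker = "https://bank.example", "https://evil.example"
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:15s} frameable by attacker: {frameable_by(headers, page, attacker)}")
```

To check a live site, feed it the headers from a `curl -sI` of the page; a page that is frameable by an arbitrary origin and carries a sensitive one-click action is the case worth reporting.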

Click-regret

The sinking feeling that follows an unwise click on a dubious link, app, attachment or security warning message.

Clipper chip

Failed US government initiative in the mid-1990s to introduce a cryptographic subsystem on a proprietary computer chip using Skipjack with cryptographic keys recoverable by the authorities, allowing them to decrypt data at will.  Aside from flaws in the cryptographic design, introducing additional security vulnerabilities, and the obvious trust, privacy and oversight issues relating to key escrow and surveillance, black hats would simply avoid Clipper thus negating its alleged purpose.  The project’s incredible naïveté hints at ulterior motives: the real goal might have been to raise awareness of the social issues arising from the use of strong encryption, particularly by criminals and terrorists.  Side-effects included stimulating the dissemination and use of other strong encryption systems, and a backlash against invasions of privacy by the authorities.

Clone, cloning

Controlled security devices such as authentication tokens and passes, keys, virtual systems, databases, programs etc. are vulnerable to being duplicated/copied illicitly unless there are adequate preventive and/or detective controls.  They may also be cloned for legitimate reasons such as backups, business continuity, disaster recovery, hardware replacement, testing or forensic purposes.

Close call, close shave,
dodging the bullet

See near miss.

CLOUD
(Clarifying Lawful Overseas Use of Data) Act

Another US law with a contrived name, this one concerning requests to the US by foreign organisations for intercepted data.  Provisions in the law are intended to authorize and facilitate appropriate requests for legitimate law enforcement purposes but block inappropriate disclosures.

Cloud bursting

Capacity management technique whereby private cloud services temporarily utilize public cloud services to handle peaks in demand.

Cloud computing,
cloud services,
cloud computing services,
cloud

Provision of distributed, network-based information processing services within a Service Oriented Architecture typically giving ‘access from anywhere’ (meaning users typically only need a compatible browser and network connection) and service elasticity or flexibility (adjusting performance by dynamically allocating capacity behind-the-scenes from pooled resources using the CSP’s automated systems- and network-management processes).  However, cloud computing can raise governance, ownership, compliance and other information security and privacy issues.

CloudCracker

This cloud-based commercial service offered to crack, by brute force attack, the NT hash values used as part of the PPTP (Point to Point Tunnelling Protocol) and MS-CHAP cryptographic processes.

Cloud Smart

The common name of a US government federal strategy on cloud computing, including the commercial, information security and other aspects.  A 2018 update to Cloud First, the original strategy from 2010.

Cloud storage,
Web storage,
online storage

Facility to access remotely stored data through the Internet.  As with cloud computing, the geographical storage location is unknown to the user which can raise governance, ownership, compliance and other information security and privacy issues, while the involvement of external organisations and network communications may expose proprietary data to various risks including unauthorized access, corruption and denial of service.

Cluster

Two or more closely-coupled computer servers configured to appear as a single operating unit, sharing the processing load and (usually) disks.  Can provide higher availability/resilience and performance than a single computer, albeit with additional costs, complexity and associated constraints.

Cluster of PII

“PII which is processed for a consistent functional purpose.   Note: Clusters of PII are described independent from technical representation of data objects.  On a regular basis, the clusters of PII also include PII which is not stored electronically” (ISO/IEC 27555 draft).

CME
(Common Malware Enumeration)

Process run by MITRE to assign a common ID to new malware that may otherwise be identified/named independently by several antivirus companies or malware analysts, causing confusion.

CMMC
(Cybersecurity Maturity Model Certificate)

US Department of Defense cybersecurity assurance scheme for assessing/auditing and rating defense suppliers between “Basic Cybersecurity Hygiene” and “Advanced” levels, according to the nature and quality of the cybersecurity controls they are operating, in order to protect CUI as it is passed through supply chains.

CNSSI-4009

US Committee on National Security Systems Instruction № 4009: Glossary.  

Code,
coding,
decoding

The use of words, symbols, strings, phrases, sounds or images to represent and communicate messages.  A relatively crude application of (usually monoalphabetic) substitution, rendered somewhat more secure through the use of multiple code books, one-time pads, steganography etc.  For example, “Attack at dawn!” might be represented or signalled by the seemingly innocuous mention of, say, “native daffodils” at some point in an otherwise legitimate news broadcast, web page, press release, blog posting, tweet or private ad in the personal columns of a national newspaper.  Codes (such as Morse code, ASCII and ‘computer code’ meaning program instructions) and obscure languages (such as Navajo or Cockney) are not necessarily deliberately secretive, cryptic or covert but may appear so to non-experts.

Code book,
codebook

If the list of code words etc. is too long to remember and communicate reliably to those who need to code or decode messages, it may be necessary to prepare and distribute one or more lists from which to look up codes and their plaintext equivalents.  The security issues are similar to those associated with the generation and distribution of encryption keys e.g. ensuring that code books do not fall into enemy hands and cannot simply be reconstructed by the enemy through educated guesswork or cryptanalysis.

Code injection

Hacking techniques to insert malicious content into programs during their execution, exploiting various operating system and application flaws and bugs, specifically injection flaws.  Used by some malware.  See also AtomBombing, XSS and HTML injection.

Code of ethics

A comprehensive set of rules, ideals, objectives, principles, practices and/or values deemed ethical by the organisation, culture or society.  Given that a written code cannot realistically cover all possible ethical issues, a substantial part inevitably remains unstated: however, workers are expected to interpret and apply the guidance sensibly when facing novel situations and dilemmas, acting in the best interests of the organisation, culture or society.

Code Red

A network worm that infected insecure unpatched Web servers running Microsoft IIS software in 2001. Websites were defaced with “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”

Coercion

Assertively or aggressively forcing someone to do something against their wishes (e.g. pay a ransom to recover their data), typically through physically intimidating, threatening or blackmailing them, putting them under duress.

Coercivity

The magnetic force that will completely demagnetize a ferromagnetic material, such as when wiping the data stored on a hard disk or mag-stripe bank card.  Measured in Teslas.  “A property of magnetic material, used as a measure of the amount of coercive force required to reduce the magnetic induction to zero from its remnant state” (NZ Information Security Manual).

Cognitive systems

Advanced IT systems capable of artificial intelligence and/or machine learning, augmenting the intellectual capabilities of us humans.  While the information risks associated with cognitive systems may be challenging, they show promise in the cybersecurity field, for example intelligent network/system intrusion, malware and fraud detection, prevention and response. 

Coinhive

One of several species of cryptominer malware in the wild in 2018.  Infected systems mined Monero cryptocurrency for the VXers and criminals behind the attacks.

CoinVault

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Uses 256-bit AES.

Cold site

Secondary location with a minimalist ICT facility that is little more than a vacant room provided with electrical power and air conditioning.  It may take days, perhaps weeks to bring the site fully into operation in the event of a disaster taking out the main site, assuming sufficient ICT equipment, data backups, people etc. are available or can be obtained.  This minimalist approach to disaster recovery may be somewhat faster and less risky than buying or renting suitable accommodation on the open market and may be appropriate for low-availability ICT services that are definitely not business-critical.  See also warm site, hot site and mirror site.

Collection

(a) A set or group of related or associated items, such as data in a database or stamps.  (b) The act or process of locating and retrieving or gathering materials such as forensic evidence, intelligence or, yes, stamps.  “Process of gathering the physical items that contain potential digital evidence” (ISO/IEC 27037).

Collector,
handler

Someone who gathers intelligence on/about or from certain targets, using OSINT, HUMINT, SIGINT, black bag ops, agents and other sources plus techniques such as deception, surveillance and subterfuge.  See also agent and spy.

Collusion

Conspiracy and collaboration between individuals or organisations to negate the division of responsibilities, breach Chinese walls, commit fraud etc.

Co-location

Shared use of commercial data centre facilities by multiple customers.  “Installation of telecommunications facilities on the premises of other telecommunications carriers” (ISO/IEC 27011).

Colossus

World’s first digital programmable computer, designed by Alan Turing, Max Newman, Tommy Flowers and colleagues at the UK Government Code and Cypher School at Bletchley Park, north of London, in 1943 during World War II.  Although it was programmed mechanically using patch cables and switches, its sole purpose was to break encrypted teleprinter messages by brute force attack on the keys used on the German Lorenz cryptographic machines, hence arguably it was not a general-purpose computer (cf. ENIAC) but possibly one of the first cyberweapons.

Combination,
combination code

See PIN code.

Combination lock

Physical lock that can be unlocked with the correct combination – normally a short alphanumeric sequence (a PIN code).

Command and Control
(C2, C&C)

Generally, systems and processes for directing and monitoring diverse operations.  In the hacking context, C2 normally refers to the covert remote direction and management of malware botnets through the Internet by a bot master.  In the military context, C&C refers to the command structure, lines of communication etc. used to monitor and direct operations.

Comfort zone

The domain within which we feel safe and secure, and beyond which we feel uncomfortable - possibly threatened and/or vulnerable, in other words at risk.

COMINT
(COMmunications INTelligence)

Spying on the content and nature of communications to gather useful intelligence information.  Part of SIGINT.

Commercially confidential,
commercial-in-confidence

A class of business information whose value to its owner relies in part on it being withheld from competitors, customers etc.  See also trade secret.

Commit point

Point at which one or more new, altered or deleted records are actually recorded in a database.  Well-designed database systems incorporate controls such as locks and control totals to detect and prevent certain data integrity incidents occurring before the commit point, plus journaling and checkpoints to recover from certain incidents that occur afterwards.

Common Controls Hub
(CCH)

Commercial service from the Unified Compliance Framework providing detailed information on compliance obligations and other information security, privacy, information risk management and governance-related practices (called “controls” within CCH) recommended or required by a wide variety of standards, laws and regulations (“authority documents”).  By systematically and painstakingly analysing the sources, they identify common/shared requirements.  CCH clients may potentially save money by implementing common controls as part of a suite (a security baseline) rather than individually and perhaps repeatedly to satisfy each compliance obligation separately.

Common Criteria
(CC),
Common Criteria for Information Technology Security Evaluation

A formal, internationally-recognized scheme (defined in ISO 15408) to specify, design, develop, test, evaluate and certify secure IT systems for government and defence customers, where ‘secure’ is explicitly and formally defined through TOE, PP, ST, SFRs, SARs and EALs.  The scheme distributes the substantial costs across participating organisations (product vendors and customers) while also improving quality, reducing duplication and facilitating use of common systems etc. by various nations, agencies etc.

Communication centre

“Building where facilities for providing telecommunications business are sited” (ISO/IEC 27011).

Communications security (COMSEC)

Arrangements to protect the information content of communications, and possibly associated metadata (e.g. who is communicating, when, by what routes/mechanisms, and how much information is exchanged), and to maintain communications routes and services (e.g. networks and point-to-point links).  Concerns confidentiality, integrity and availability of information and services.  “The measures and controls taken to deny unauthorised personnel information derived from telecommunications and to ensure the authenticity of such telecommunications” (NZ Information Security Manual).

Companion virus

Virus that takes advantage of the operating system’s prioritisation of file names with certain extensions e.g. a virus calling itself game.com may be executed in preference to game.exe, the program the user intended to run.  Companion viruses typically execute covertly then launch the intended program hoping that the user remains blissfully unaware of the subterfuge.

Compensating control

A control that is suboptimal but sufficient to mitigate a risk to some extent and/or achieve compliance with a security obligation where, for some reason, the ideal control cannot be used.  A workaround, substitute or compromise control that partially or completely addresses control gaps, weaknesses, failings or constraints elsewhere.

Competence,
competent

Capability of doing something properly, skilfully and expertly.  “Ability to apply knowledge and skills to achieve intended results” (ISO/IEC 27000).  Cf. incompetent.

Competitive [or Competitor] Intelligence
(CI)

The term may be explicitly defined to distinguish authentic and ethical means of gathering information on competitors (such as collating details from their websites and social media) from more illicit ones (such as hacking, social engineering, physical site penetration and other industrial espionage techniques).  However, the term is usually undefined, referring implicitly to licit and/or illicit approaches.

Complexity

Risks relating to or arising from the sophistication and fragility of complicated technologies, systems, processes etc. generally constrain the level of information security achieved in practice, although paradoxically the converse applies in the case of certain controls such as passwords, cryptographic keys, cyphertext and locks.

Compliance

Assured conformance with information security objectives, controls etc. defined internally by the organisation in policies etc. and/or externally by third parties (e.g. laws, industry regulations, standards and contractual terms).  May be independently checked by competent and authorized third parties, for example a certification body.  Also, in some organisations, used as the name of the corporate department or function overseeing compliance-related activities.

Comprehensive National Cybersecurity Initiative
(CNCI)

US strategic program to improve the cybersecurity capabilities of government agencies and critical national infrastructure, initiated under George W. Bush in 2008.  See also the NIST Cybersecurity Framework.

Compromise

Generally, a deliberate attack that intentionally causes an event or incident.  Sometimes more loosely refers to any situation that bypasses or disables security controls, or that threatens or merely has the potential to harm or weaken an organisation or individual in some way.

Compromising emanation

US military term for stray electromagnetic radiation from devices that may inadvertently disclose sensitive information.  “Unintentional signal that, if intercepted and analyzed, would disclose the information transferred, received, handled, or otherwise processed by any telecommunications or automated information systems equipment.” (Air Force Air Intelligence, Surveillance and Reconnaissance Agency instruction 33-203, 2011).

Computationally infeasible

Refers to the likely inability of anyone to solve an extremely tough mathematical challenge using any current or projected computing technologies, algorithms or approaches, within a stated timeframe.  Implies a risk-based decision since we have imperfect knowledge of current cryptanalytical methods, vulnerabilities in cryptosystems etc., while predicting future technological advances is notoriously difficult (aside from Moore’s Law until about 2025 anyway).

Computer forensics

See digital forensics.

Computer Misuse Act
(CMA)

UK law that criminalizes unauthorized access to a computer, unauthorized computer access with intent to commit further crime and unauthorized modification of data – in other words hacking and cracking.  The law was enacted in 1990 after Prince Philip’s mailbox on the Prestel system had been hacked but the authorities were unable to convict the hackers responsible under extant legislation (on appeal, they were acquitted of fraud since they did not profit from the hack).

Computer Network Attack (CNA)

US military term for offensive cyberwar capability.

Computer Network Defense (CND)

US military term for defensive cyberwar capability.  [In other contexts, CND refers to the Campaign for Nuclear Disarmament.]

Computer Network Exploitation (CNE)

US military term for cyberwar reconnaissance/espionage function.

Computer Network Operations (CNO)

US military term for cyberwar capability comprising Computer Network Exploitation, Computer Network Attack and Computer Network Defense, all within Information Operations.

Con

See fraud.

Concept

One of the first macro viruses dating back to 1995.

Conduit

Tube partially protecting data or power cabling against physical/mechanical damage, fire, fluid ingress etc.  “A tube, duct or pipe used to protect cables” (NZ Information Security Manual).

Conficker

Very prolific network worm, released in 2008 and still in the wild in 2016.

Confidence trickster,
con-man,
con-artist

Someone who uses social engineering techniques such as pretexting and masquerading to establish false confidence in themselves in order to con, fool, cheat, scam or defraud victims.

CONFIDENTIAL

Commonplace label for a class of information that is sensitive and therefore needs to be protected against unauthorized or inappropriate access.  It is normally intended for limited distribution within the organisation or to specially designated third parties, on a default deny basis.  However, the label and its meaning vary between organisations.

Confidential Informant
(CI)

Law enforcement term for a spy or mole, either trained and placed within a target organisation as an undercover agent or recruited subsequently perhaps through coercion or other forms of social engineering.

Confidentiality,
confidential,
in confidence

One of the three core objectives of information security, along with availability and integrity (the CIA triad), confidentiality essentially concerns the secrecy, privacy or sensitivity of information.  “Property that information is not made available or disclosed to unauthorized individuals, entities, or processes” (ISO/IEC 27000).

Configuration Item
(CI)

A piece of technology (such as a particular document, piece of hardware, source code or compiled program) being managed through the organisation’s configuration management system.

Configuration Management (CM)

A subset of change management activities specifically concerning control over the configuration of IT systems and infrastructure, including the parameters or settings and relationships (e.g. a certain combination of specific versions of the hardware, firmware, operating system and layered software might be tested thoroughly as a complete system, those test results potentially being invalidated if changes such as patches are made to any part).

Conflict of interest

Situation in which a person or organisation’s loyalty is (potentially or actually) divided between mutually exclusive responsibilities, for example where their obligations to a third party (e.g. to report a security incident) conflict with their self-interest (e.g. if disclosing the incident will cause adverse customer reactions or trigger enforcement actions for noncompliance).

Conformity,
conformance

A low-assurance form of compliance, typically asserted by the subject without independent verification.  “Fulfillment of a requirement.  Note: the term ‘conformance’ is synonymous but deprecated.” (ISO/IEC 27000).

Conformance tester, tester

“Individual assigned to perform test activities in accordance with a given conformance testing standard and associated testing methodology.  An example of such a standard is ISO/IEC 19790 and the testing methodology specified in ISO/IEC 24759” (ISO/IEC 19896-1:2018).

Congestion

Capacity constraint e.g. through an excessive volume of traffic on a network.  Typically reduces performance and increases latency and may lead to timeouts.  Whereas congestion is normally unintentional or accidental, hackers may deliberately inject spurious network traffic in order to conceal their nefarious activities or cause IT systems to delay/drop critical security event/alert/alarm messages.

Connection forwarding

“The use of network address translation to allow a port on a network node inside a local area network to be accessed from outside the network. Alternatively, using a Secure Shell server to forward a Transmission Control Protocol connection to an arbitrary port on the local host” (NZ Information Security Manual).

ConOp
(Concept of Operation)

Describes the principles or mechanisms of operation of a system, control, process etc.

Consensus Assessment Initiative Questionnaire
(CAIQ)

Crude cloud computing security checklist from the CSA concerning compliance with the CCM, provided as “a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider … a simplified distillation of the issues, best practices, and control specifications from [the CSA’s] Guidance and CCM, intended to help organisations build the necessary assessment processes for engaging with cloud providers.”  Anticipates simple binary yes/no answers to complex issues, hence (being cynical) respondents are likely to offer the most flattering responses (a systematic bias).

Consent
[of the data subject]

“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (GDPR).  See also permission and informed consent.

Consequence

The net result or outcome of a cause-effect relationship when the cause materializes.  “Outcome of an event affecting objectives.  Note: an event can lead to a range of consequences; a consequence can be certain or uncertain and in the context of information security is usually negative; consequences can be expressed qualitatively or quantitatively; initial consequences can escalate through knock-on effects.” (ISO Guide 73).

Console

A specially-designated terminal device or port on a system intended for system management purposes such as displaying events, alerts and alarms, configuring the system etc.  Due to its privileged nature, the console should be physically secured, normally by being adjacent to the server, PABX etc. in a secure access-controlled area.  On some systems, users who have been automatically locked out of other terminals/ports (e.g. as a result of someone repeatedly trying and failing to enter their passwords) are still able to logon at the console, a control against that particular denial of service.

Conspicuous consumption

Without a credible explanation for their wealth, fraudsters and other criminals living the high life on their ill-gotten gains risk being noticed, reported and investigated by the authorities.

Contaminate

Taint or discredit forensic evidence, for example through gaps in the chain of custody or unexplained physical or logical changes.

Content filtering

“The process of monitoring communications such as email and web pages, analysing them for suspicious content, and preventing the delivery of suspicious content to users” (NIST SP800-114 rev1).

Content Security Policy

See CSP.

Contextual information, contextual data

Metadata that may provide additional context or supporting information enabling the nature of the associated data or information content to be guessed or interpreted more readily.

Contingency

Unanticipated and often inherently unpredictable situation or information security incident or disaster (e.g. a bomb, plane crash, flood or fire), logical/technical disaster (e.g. malware outbreak, equipment breakdown, software flaw/bug, hack or similar attack on a major business system or network), business disaster (e.g. a serious fraud or hostile takeover attempt), which other controls have failed to prevent.  The appropriate responses are contingent (dependent) on the exact nature of the incident and the situation in which it occurs.

Contingency plan,
contingency management

Forward-thinking, flexible approach for preparing and marshalling the organisation’s people and other resources to cope as effectively as possible in a contingency situation such as a major incident or disaster.  Involves preparing and exercising general purpose plans or preparations (such as forming a crisis management team from competent, capable people still available), stocking up on tools and resources (such as duct tape, walkie-talkies and white boards) and building capabilities (such as resourcefulness, adaptability and a willingness to ‘go the extra mile’ and ‘do whatever it takes’) ahead of time.  Incidents that are expected or predictable should be covered by conventional risk management activities, resilience controls, disaster recovery plans etc.

Continual improvement

Determined, conscious effort to mature or get better at doing something (or at least not to get any worse!) in a systematic, gradual way.  “Recurring activity to enhance performance” (ISO/IEC 27000).

Continuous Development
(CD)

A software engineering approach involving making frequent small/incremental/evolutionary changes to a production system rather than infrequent large/revolutionary changes as in the traditional ‘waterfall’ SDLC.  See also DevOps.

Contract

Binding agreement between two or more parties, for various strengths of ‘binding’.  Formal contracts prepared by qualified lawyers and signed (‘executed’) by duly authorized representatives are normally legally binding on the parties but may be unenforceable (especially any terms deemed ‘unfair’ by the courts or overridden by laws such as the fair use provisions of copyright law).  Verbal, informal or presumed contracts may also be legally binding, although they are usually harder to prove and enforce.  If someone breaks the seal on shrink-wrapped software, for instance, they may be deemed to have accepted the license terms and conditions visible through the clear plastic film, implying a contractual commitment.  ‘Social contract’ refers to ethical commitments between the parties e.g. between worker and organisation.  Generally speaking, contracts may not be unilaterally imposed (e.g. email disclaimers), hence a signature and/or a ‘consideration’ (normally a payment) may be necessary to demonstrate someone’s willingness to commit.

Control,
safeguard,
measure,
countermeasure,
protection mechanism

[Noun] Something which prevents or reduces the probability of an information security incident, indicates that an incident may have occurred and/or mitigates the damage, harm, costs or other adverse consequences caused or triggered by or simply following on from an incident.  Some controls mitigate threats (e.g. deterrents) or impact (e.g. backups), although most mitigate vulnerabilities.  [Verb] To exert influence over a subordinate by an authority or assertive figure.  “Measure that is modifying risk.  Notes: controls include any process, policy, device, practice, or other actions which modify risk; controls may not always exert the intended or assumed modifying effect.” (ISO/IEC 27000).

Controller

“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” (GDPR).

Control objective

Describes in business terms the anticipated business purpose or benefit of an information security control, encapsulating the risk reduction requirement.  “Statement describing what is to be achieved as the result of implementing controls” (ISO/IEC 27000).

Control Self-Assessment
(CSA)

Typically, a regular management review process to assess the status of governance across the organisation, including information security and other forms of risk management and control.  May simply involve managers completing checklists, surveys or questionnaires, possibly then validated by further independent checks on a sample basis to ensure sufficient integrity in the responses.  Cf. Cloud Security Alliance.

Control total

A value (such as a grand total or count of the number of items) that can be used as a simple cross-check for integrity failures on a data set or process.  Used for example to confirm that all records transmitted through an interface were duly received and processed by a database, before committing the changes.

Cookie

Small text file sent by a website to your browser and later retrieved, normally to track or modify your web browsing habits (marketing, surveillance and ‘carry on where you left off’ functions).  If browser settings permit, different websites may share the information in cookies, raising privacy and other information security issues.

Copyleft

Movement using copyright law, in stark contrast to its normal application, to permit rather than prevent free access to and collaborative or community development of intellectual property, with the express requirement that derivative works are covered by the same permissive conditions.  Denoted by a reversed (mirror-image) copyright symbol.  See also Creative Commons and GNU General Public License.

Copy protection,
copy prevention

Technical controls typically involving encryption and dongles, intended to prevent or restrict the ability of users to copy or use software and other intellectual property except on the original authentic storage media used for legitimate distribution.

Copyright

Legal and moral protection giving the creators of original materials intellectual property rights over the copying, use and dissemination of the information by others with the ability to permit or prohibit various activities through licenses, contracts or agreements, for decades (typically 70 years).  Aside from being unethical and often illegal, the wanton or casual abuse of copyright (piracy and plagiarism) is a strong disincentive for creatives to continue investing in, creating and releasing intellectual property.  See also copyleft.

CORE IMPACT PRO

Costly but well-regarded commercial network security/penetration test tool from CORE SECURITY.  Automates hundreds of exploits against known vulnerabilities.

Core network

“Part of a mobile telecommunication network that connects the access network to the wider communication network.  The Internet and other public networks are examples of wider communication networks.” (ISO/IEC 27033-6).

Corporate fraud

Fraud committed against a corporation.

Corporate information security policy

Highest-level formal policy stating executive management’s overall position on information risk and security e.g. through a suite of generic principles and/or axioms.  “Document that describes management direction and support for information security in accordance with business requirements and relevant laws and regulations.  Note: The document describes the high-level information security requirements that have to be followed throughout the organisation.” (ISO/IEC 27033-1).

Correction

More or less complete reversal of an error.  “Action to eliminate a detected nonconformity” (ISO/IEC 27000).

Corrective action

“Action to eliminate the cause of a nonconformity and to prevent recurrence” (ISO/IEC 27000).

Corrective control

Form of control intended to minimize, contain or reverse the damage caused by a security incident, for example restoring damaged or lost data from backups or putting out a fire.  See also preventive and detective control.

Corroborating evidence

Evidence supporting other evidence.  May not be directly related to the case e.g. an alibi supporting someone’s assertion that they were not present when a crime was committed.

Corruption, corrupt

Common form of integrity failure e.g. data corruption caused by malware, bugs and user errors, and human corruption involving coercion, bribery and dubious ethics.

COTS
(Commercial Off The Shelf [Software])

Refers to standardized as opposed to bespoke software, typically distributed to the general public in shrink-wrapped packages displaying generic and non-negotiable license agreements.

Counterfeit

Pirated, fake copy misrepresented as an original, authentic asset, thereby infringing the true owner’s intellectual property rights and defrauding the purchaser.  Numerous mass-produced counterfeit products and bank notes are in circulation, some of which are not merely passable but so authentic that even experts struggle to distinguish them from the genuine articles … although bargain-basement pricing may be a clue!

Counterfeiter

Fraudster who counterfeits.

Counter-Intelligence
(CI)

See spying.  See also competitive intelligence.

Countermeasure

See control.  “Actions, devices, procedures, or techniques that meet or oppose (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.” (CNSSI-4009).

Counterstrike,
counter-hack

Retaliatory attack directed against the alleged perpetrator of a prior attack.  Aside from escalating tensions and perhaps being illegal, a counterstrike may be misdirected for instance if the perpetrator was incorrectly identified, perhaps because the original attack involved spoofing or other covert, coercive or deceptive techniques.  A highly risky approach.

Counterterrorism

Government-sponsored activities such as propaganda, intelligence, surveillance and cybertage, intended to counteract, undermine, prevent or otherwise mitigate terrorism.

Cover, coverage

The scope, type or nature of insurance provided, normally defined in the policy in terms of events, perils or hazards, assets etc. included or excluded, limits of liability plus terms and conditions.

Covert

Covered.  Refers to secretive, hidden, surreptitious, undercover, quiet or silent activities or devices, generally unauthorized and malicious in nature, such as bugs used for surveillance or spying.  See also cryptic.

Covert channel,
back channel

Covert or cryptic mechanism allowing confidential information to be secretly extracted from a supposedly secure system, network or location (such as a SCIF) bypassing confidentiality controls, perhaps using steganography or out-of-band communications (e.g. manipulating a circuit’s current demand using specific operating sequences in order to pass information to an external current-monitoring device).  See also backdoor.  Cf. side channel.

Coveware

Niche US company offering support services to organisations hit by ransomware, such as negotiating ransoms.

CPNI
(Centre for the Protection of National Infrastructure)

UK government security services body responsible for guidance and advice concerning physical, personnel and information (including cyber) security arrangements protecting critical national infrastructure.

CPTED
(Crime Prevention Through Environmental Design)

Physical architectural design philosophy that seeks to deter attacks by criminals against people innocently using shopping malls, railway stations, walkways between parking lots and buildings etc.  For example, even lighting and landscaped areas free of hidey-holes permit more effective surveillance monitoring and escape routes for potential victims, while barriers and visual cues distinguish private from public property.  Thorny bushes near windows and walls, and razor wire deter casual if not professional intruders.

Crack, cracker, cracking

Malicious hacker or criminal, generally motivated by the prospect of personal gain.  Passwords, cryptosystems and safes may be cracked, for example by brute force attacks.

Crash

Unplanned sudden computer system or device failure resulting from an unhandled exception/error condition triggered accidentally by a bug, power glitch etc. or deliberately by a hack or malware.

Crash dump

File containing a snapshot of the contents of main memory at the time of a crash.  Used by systems programmers to analyse the status of the stack, heap, registers, buffers, pointers etc. in an attempt to discover what caused the crash.  Used by hackers to find confidential information such as passwords and encryption keys that had been held temporarily in memory.  Used by malware analysts to identify cryptic malware.

Creative Commons
(CC)

A not-for-profit organisation promoting free access to and use of intellectual property as in copyleft.  Their standardized licenses cater for various situations ranging from placing information unencumbered into the public domain, through requiring attribution of the owner, to restrictions on commercial use and modification.

Credential

Something a person, system etc. presents to confirm (authenticate) their asserted identity (e.g. a passport, password, security token or digital certificate) or professional capabilities (e.g. résumé or curriculum vitae plus the original, authentic education and training certificates).

Credential stuffing

Automated brute-force attack involving attempting to logon to multiple websites using lists of usernames, passwords and other credentials accumulated from other sources, such as previous hacks.  If a logon succeeds (proving the credentials valid), further information may be obtained from the compromised account, perhaps leading to direct exploitation and further compromises (identity fraud).

Credible

Believable.  Social engineers and fraudsters work hard to make their pretexts credible in order to fool their targets into trusting them inappropriately.

Crenelated

Classic ┐_┐_┐_┐_shaped tops to the battlements of Mediaeval castles.  Archers cowered behind the uprights for protection while raining down arrows upon the attackers below through the gaps.  An ancient physical security control.

CREST

UK-based government-supported not-for-profit organisation and scheme to test and accredit penetration testers.  Given the trusted, privileged nature of the work, testers must be competent in order for their clients to place any reliance on their assurance efforts, and must be trustworthy since they may gain access to valuable and/or confidential information assets if (when!) tested security controls fail.  See also CBEST.

Crib

Useful hint for a cryptanalyst, often consisting of some known plaintext that, for example, will reveal if the correct decryption key has been found by a brute force attack on the cyphertext.  Standard or routine parts of a message (such as a date/time stamp, predictable sequence number, message type or protocol identifier, greeting or signature) may be useful cribs.

Crimeware,
crimeware kit,
attack toolkit,
exploit kit

Software package used to generate and/or distribute malware using libraries of technical exploits, plus the infection and remote-control elements including functions to report statistics on the status of the exploitation process.  A few crimeware kits (such as Carberp and Zeus) have been released onto the Internet.  Some are traded commercially on the black market or hacker underground.  Most are jealously guarded by the hackers who created and maintain them and/or the criminals who pay for and exploit them. 

Criminal underground

See black market.  See also hacker underground.

Crisis

Chaotic situation immediately following a serious incident, characterized by disorder and panic.  Survival (of people if not the organisation) is generally the overriding priority in a crisis, hence all other considerations (including security) tend to be disregarded until the crisis subsides.

Crisis management

Management activities during a crisis such as evacuating buildings, calling the emergency services, triage and initiating incident management activities as order is gradually restored.

Critical National Infrastructure (CNI),
Critical Corporate Infrastructure (CCI),
Critical Infrastructure (CI)

Shared infrastructure services and supplies, such as electricity, water, fuel, food, telecommunications, government, law enforcement, armed services and the security services, that are considered vital for a nation (CNI) or organisation (CCI).  Significant failure of any of these, perhaps as a result of a physical or electronic attack on the ICT equipment, networks, things or people monitoring and controlling them, is likely to cause immediate disruption and substantial economic damage as well as perhaps causing injuries, deaths, environmental incidents etc., making these attractive targets in cyberwarfare.

Cross border processing

“Either (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State” (GDPR).

Cross Site Scripting,
“XSS”

Web hacking technique in which badly-designed websites (e.g. some bulletin-board systems) with inadequate data entry validation are made to return malicious URLs, HTML, JavaScript or other executable code (malware) to the user’s browser for execution (e.g. to manipulate or disclose their supposedly private cookies or other local data).  [Denoted “XSS” to avoid being confused with Cascading Style Sheets.]  A form of code injection.  See also XXE.

Crossover Error Rate
(CER)

In authentication systems, the tolerance or sensitivity configuration set point at which false rejections are just as likely as false acceptances.

Cryptanalysis,
cryptanalyst,
cryptanalytic

Study and practice of breaking cryptosystems by any means, normally through a combination of mathematics, language analysis, brilliant intuition, lots of time, powerful computers and sheer hard work.  The cryptanalyst may attempt to find and exploit mathematical or technical weaknesses in the algorithm and/or the system and processes that implement it, guess the key by brute force, or somehow disentangle the relationships between known plaintext such as a crib and the corresponding cyphertext.

Cryptic

Surreptitious, deliberately hidden, secretive, concealed or non-obvious, such as a fiendishly difficult crossword puzzle.  Not necessarily unauthorized or malicious.  See also covert.

Cryptocurrency

Tradeable virtual currency such as Bitcoin and Litecoin.  Protected against counterfeiting by cryptographic means including blockchain.  Generated by cryptomining.

Cryptogram

See cyphertext.

Cryptographic erase

With various important provisos concerning the level of risk, overall process, technology, algorithm, key length and complexity etc., encrypting data or perhaps overwriting it with cyphertext, and then destroying the key, may render confidential information ‘permanently’ irretrievable.  “Method of sanitization in which the encryption key for the encrypted target data is sanitized, making recovery of the decrypted target data infeasible” (ISO/IEC 27040).

Cryptographic module

Tamper-resistant computer subsystem consisting of data processing, storage and communications hardware and firmware, designed to perform cryptographic operations such as receiving, encrypting and returning a nonce using a private key in a challenge-response authentication scenario.

Cryptography,
cryptographic,
crypto

From the Greek words for “hidden” and “writing”, the science, study and practice of creating systems to hide information and to find and retrieve it when needed.  Involves the use of mathematical algorithms for encryption, hashing, authentication etc.

Cryptographic protocol

Specified algorithms, parameters (such as key length) and processes for establishing, using and managing cryptographic authentication, encryption etc.  “An agreed standard for secure communication between two or more entities” (NZ Information Security Manual).

Cryptographic system

“A related set of hardware or software used for cryptographic communication, processing or storage, and the administrative framework in which it operates” (NZ Information Security Manual).

Cryptographic system material

“Material that includes, but is not limited to, key, equipment, devices, documents and firmware or software that embodies or describes cryptographic logic” (NZ Information Security Manual).

CryptoLocker

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

Cryptology,
crypto

Literally, the study of ‘hidden writing’ which encompasses both cryptography and cryptanalysis.  Confusingly also sometimes abbreviated to ‘crypto’.

Cryptominer,
cryptomining,
cryptojacking

Application that attempts to generate and/or validate new cryptocurrency, consuming significant computer resources (particularly the graphics processor) and power in the process.  Along with spyware, identity fraud, intellectual property theft and coercion (ransomware), cryptomining is a way for criminals to make money from malware-infected systems without their owners’ knowledge and consent.

Cryptonym

An innocuous code-name assigned to a project, assignment, system, individual, organisation, incident etc. to reduce the possibility of disclosing sensitive information.

Cryptoperiod

“The useful life of the cryptographic key” (NZ Information Security Manual).

Cryptoprimitive,
cryptographic primitive

See cryptographic algorithm.

Cryptorbit

A species of ransomware in the wild in 2016.

Cryptosystem

Computer system or device that employs cryptography.  Generally taken to include the cryptographic algorithm, the key management processes, external interfaces, software supporting operations and sometimes even the entire PKI.

Cryptovariable

See key.

Cryptowall

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

CryptXXX

A species of ransomware in the wild.  Flaws in the cryptosystem implementation substantially weakened this malware.

Cryzip

One of the earliest species of data-encrypting ransomware, in the wild in 2006.

CS
(Control Strength)

One of the parameters in the FAIR method, CS estimates the ability for controls to mitigate risks (actually, to ‘reduce vulnerabilities’ in FAIR terms) to information assets under analysis.  Strong controls are well designed, fully implemented, highly effective, robust/resilient, unlikely to be bypassed/disabled, used, managed, maintained etc.  See also PLM, LEF, TCap and TEF.

CSA
(Cloud Security Alliance)

Industry body for CSPs and their customers, promoting good practices in the information security, privacy and risk aspects of cloud computing.  Cf. Control Self-Assessment.

CSE
(Communications Security Establishment)

Canada’s techno-spooks, whose mission is to “provide and protect information of [Canadian] national interest through leading-edge technology”.  Responsible for SIGINT, surveillance etc.

CSF
(Cyber Security Framework)

See NIST CSF.

CSIS
(Canadian Security Intelligence Service)

Canada’s national intelligence agency.

CSP
(Cloud Service Provider)

An organisation offering cloud computing services, usually on a commercial basis.

CSP
(Content Security Policy)

Instructions sent by a web server (in an HTTP response header, or an equivalent HTML meta tag) concerning what the browser should or should not do with content from an appropriately-coded web page – for example, not loading or interpreting third party files containing JavaScript, ActiveX, fonts etc. that might be used for XSS or other code injection attacks on the browser.  An exception allows browser plug-ins to override the CSP, though, which is a vulnerability.  However, the presence of malicious plug-ins on a system may indicate more significant issues.

CSR
(Corporate Social Responsibility),
corporate sustainability, conscience or citizenship, sustainable or responsible business,
conscious capitalism

An emerging form of organisational self-regulation intended for organisations to be seen to achieve wider social and ethical objectives, in addition to conventional (capitalist, competitive, profit-driven) business objectives.  In the information security context, CSR typically concerns privacy and integrity, for example not intrusively capturing and exploiting personal information about workers and third parties, and overtly supporting the Internet rather than merely using it.

CTB-locker

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

CTF (Capture The Flag)

Simulation of an attack, or a planned campaign consisting of multiple attacks, on an organisation or its sites, networks, IT systems or parts thereof, in which the side on the offensive (commonly called the red team) attempt to place markers (such as fake bombs) and/or retrieve pre-designated information (the flags) to prove that they largely or completely defeated the defenders (the blue team).  See also purple team.

CUI
(Controlled Unclassified Information)

US government term for unclassified information that nevertheless requires some degree of protection, typically for legal compliance reasons (e.g. privacy).  Structured into categories such as critical infrastructure; defense; export control; financial etc.  Intended to replace myriad similar terms (such as SBU and FOUO) now officially deprecated.

Custodian

Temporary/surrogate owner who takes possession of, and is reasonably expected to care for and protect, an information asset, acting on behalf and in the best interests of its true owner.  “Person or entity that has custody, ownership, control or possession of Electronically Stored Information” (ISO/IEC 27050-1).

CVE
(Common Vulnerabilities and Exposures)

MITRE’s original reference database of known software security vulnerabilities.  See cve.mitre.org and CWE.

CVV (Card Verification Value), CVV2 (2nd generation CVV),
CSC (Card Security Code),
CAV (Card Authentication Value), CAV2 (2nd generation CAV), CVC (Card Validation Code), CVC2 (2nd generation CVC), CID (Card Identification Number)

A value encoded on the magnetic stripe or a 3 or 4-digit decimal number normally printed rather than embossed on a credit/debit/bank card, that can be used to verify the card number.  According to PCI-DSS, the value must not be stored by a merchant: after it has been used to validate the card number, it should be erased from memory so that if the merchant’s systems are ever compromised by crackers, they will not gain the fullz … provided they haven’t installed their own data monitoring/logging software to capture the data in transit or during processing.

CWE
(Common Weakness Enumeration)

MITRE’s community-developed dictionary of commonplace types or classes of software security vulnerabilities.  Grew out of the CVE.  See cwe.mitre.org.

Cyber

Originally coined as a mathematical term, it evolved to mean governance and control, and latterly computing and related ICT, particularly the Internet.  A jargon prefix/buzz-word, much abused by marketers, journalists, politicians etc. and widely misinterpreted.  Inconsistently hyphenated-too.  Prefixed “cyber”, almost any term appears hi-tech and novel whereas in fact most are old hat.

Cyber-Armageddon, cybergeddon

A full-blown unrestrained cyberwar between highly capable and well-resourced nations or groups would undoubtedly inflict devastating economic damage with horrendous social consequences on a global scale, analogous to the nuclear weapons posturing and threats of MAD (Mutually-Assured Destruction) during the Cold War.

Cyberattack,
cyber attack,
cyber-attack

An attack staged primarily through electronic means, particularly through the Internet.  “An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information” (CNSSI-4009).  “Malicious attempts to exploit vulnerabilities in information systems or physical systems in cyberspace and to damage, disrupt or gain unauthorized access to these systems” (ISO/IEC 27100 [draft]).

Cyberbully

Someone who uses social media, email etc. to harass, intimidate, threaten, coerce and/or traumatize victims.

Cyber command

Military command center for cyber operations, such as the US Cyber Command reportedly based at Fort Meade, Maryland.

Cybercrime

The commission of criminal acts in cyberspace.  More informally, the use or exploitation of ICT and/or the Internet to commit crime.

Cybercrook,
cybercriminal

Someone who uses IT systems and networks (particularly the Internet) to commit crime.

Cyberespionage,
cyberspying

Use of IT systems and networks (particularly the Internet) to spy on targets.

Cyber-extortion

Criminal exploitation of illegitimate access to and control over sensitive and/or valuable information in order to coerce victims out of money etc.  Attacks typically involve the use of hacking, malware (e.g. ransomware), theft of data storage media or ICT devices, and/or social engineering.  See also extortion.

Cyber harassment

Harassment or coercion conducted through the Internet, generally, such as revenge porn and spam bombing.

Cyber incident

Information security incident involving ICT.  “Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See incident.” (CNSSI-4009).

Cyberinfrastructure

The ICT elements of global, national or corporate infrastructures, especially automated systems interconnected through networks such as the Internet.

Cyberinsurance, cyber insurance, cyber risk insurance

Insurance against specified cyber-risks, a form of risk sharing.

Cyber persona

“Digital representation of an individual or organisation necessary to interact in cyberspace” (ISO/IEC 27101 draft).

Cyber-prepping

Preparing to survive cyberwar or extreme cyber incidents including post-apocalyptic social disorder and infrastructural collapse.

Cyberpunk

(a) A science fiction genre characterized by classic futuristic ICT works such as William Gibson’s Neuromancer. (b) A proudly nonconformist anti-establishment youth with a deep fascination for the cyber world and hacking plus, often, piercings, tattoos and a curious obsession with black clothing.

Cyber resilience

Resilience, robustness and stability of the cyberinfrastructure.  “The ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents” (Financial Stability Board Cyber Lexicon, November 2018).

Cyber-risk,
cyber risk,
cyberrisk

Potentially damaging or harmful situation involving data, ICT, networking etc., particularly deliberate attacks by hackers, extortionists, criminals, social engineers, fraudsters, terrorists or other competent adversaries.

Cybersecurity,
cyber-security,
cyber security

Primarily refers to technical/ICT security controls protecting computer systems, networks and the associated data, in other words IT security.  However, the definition is sometimes widened to include information security as a whole, while some narrow it to refer to defensive measures within cyberwarfare, Internet security, critical [national] infrastructure security, and/or securing virtual worlds.  Caveat lector.  “The ability to protect or defend the use of cyberspace from cyber attacks” (CNSSI-4009).  “The process of protecting information by preventing, detecting, and responding to attacks” (NIST Cybersecurity Framework).  “Includes any processes, practices or technologies that organisations have in place to secure their networks, computers, programs or the data they hold from damage, attack or unauthorised access.” (UK Government Department for Digital, Culture, Media and Sport, Cyber Security Breaches Survey 2018: Technical Annex).

Cybersecurity framework

“Basic set of concepts used to organise and communicate cybersecurity activities” (ISO/IEC 27101 draft).

Cyberspace

Vague term, not yet consistently defined, used and understood, typically referring vaguely to ICT, particularly the Internet, and sometimes Internet culture, virtual systems, virtual worlds, collaborative working, social media etc.  “A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers” (CNSSI-4009).

Cybersquatting

Illicit exploitation and misappropriation of commercial trademarks in the cyber/ICT context, for example, using copycat or lookalike domain names or URLs for phishing, fraud or other attacks.  See also typosquatting.

Cyber stalking

Grooming or snooping on victims through the Internet, generally, typically continuing to contact and coerce them after being asked or told to desist.

Cyberstrike

An attack in, on or through cyberspace.

Cybertage

Sabotage in cyberspace that compromises IT systems/devices, databases, networks, data or information e.g. destroys or damages them, interrupts or delays business activities, or leads to the loss of valuable business or the inappropriate disclosure of confidential information.  Whereas sabotage usually implies inflicting physical damage (such as arson), cybertage often affects intangible information assets (e.g. using malware such as ransomware).

Cyberterrorism

The commission of terrorist acts in cyberspace.  More informally, the use or exploitation of ICT to commit terrorism.

Cyberteur

Person who commits cybertage, such as a mole.

Cyberthreat

Threat or threat agent active in the cybersecurity domain - particularly substantial, highly capable ones backed by governments and other resourceful and determined adversaries.

Cyber-vandalism

Computer-enabled wanton damage, or wanton damage of computers.

Cyber-vigilante

Person who uses hacking, malware, social engineering etc. to further a malicious personal agenda or obsession.

Cyberwar,
cyber-war,
cyber war,
cyberwarfare,
information warfare

The deliberate exploitation of vulnerabilities in an adversary’s computing and telecommunications capabilities, networks etc. by a nation state as an act of war intended to disrupt vital parts or the entirety of their critical [national] infrastructure, disable their national defences and offensive capabilities, inflict crippling economic damage etc.  Due to exclusions in the small print for ‘acts of war’, incidents classed as cyberwar attacks may not be covered by cyberinsurance.  See also cyber-Armageddon.

Cyberweapon

Tool or technique (such as a computer, malware, hacking, social engineering, cybertage, spying, coercion or EMP weapon) capable of being used offensively to attack an adversary’s critical infrastructure as part of cyberwar or a similar military mission, and/or to defend against such attacks.

CybOX
(Cyber Observable eXpression)

A schema for specifying, capturing, characterizing and communicating/sharing IT system and network events and properties for event management and logging, malware characterisation, intrusion detection/prevention, incident response and digital forensics.  See also STIX and TAXII.

Cylinder lock

The most common form of physical lock, used on many front doors.  When someone inserts the correct key into the keyway, internal pins are lifted to exactly the right positions to allow the plug to be rotated in the hull, thereby retracting the latch so the door can be opened.

Cynefin framework

A framework or conceptual model concerning situations or systems that are described as simple (stable and predictable), complicated (largely predictable through cause-and-effect relationships), complex (largely unpredictable, linkages rationalized only after the fact), chaotic (inherently unstable and unpredictable) or disordered (of unknown status).  Different modes of thinking, controlling or directing, planning and responding are appropriate in each case.

Cypher-

An archaic British spelling of cipher that, paradoxically, is used in some modern compound words concerning cryptography.  See algorithm.

Cyphertext,
cryptogram

Unintelligible string such as HbAaKhBsaao)X]*AX551&*S66 that makes no sense to a human reader but which can be transformed back into the corresponding plaintext using the correct cryptographic algorithm/s and encryption key/s.

Darknet, Darkweb,
dark Web, invisible Web, hidden Web

Covert and illicit part of the deep Web offering criminal/black market services and tools such as hacking, RaaS, money laundering and illegal drugs.  Aside from blocking or evading search engine spiders, Darkweb sites and apps may exploit novel protocols making them inaccessible to users who lack the requisite access authority, knowledge, keys and/or tools.

Dash[board] cam[era], dashcam

CCTV camera mounted in or on a vehicle (not necessarily literally on the dashboard) to record traffic incidents, bad driving, road rage, accidents etc.  A form of surveillance.  See also body cam.

DAST
(Dynamic Application
Security Testing)

In effect, penetration testing of an application, checking (from the network perspective) whether its exposed ports and services have known vulnerabilities.  See also SAST and IAST.

Data

Electronic representations of information within a computer system or network.  In digital computers, data (and indeed software) consists of sequences of logical ones and zeroes known as bits.  Strictly speaking, data is the plural of “datum” but it is widely used in the singular.  “Collection of values assigned to base measures, derived measures and/or indicators.  Note: this definition applies only within the context of ISO/IEC 27004:2009” (ISO/IEC 15939:2007).

Data Analytics
(DA)

Fancy marketing term for the common-or-garden study and analysis of data.  Typically involves the use of statistics to examine and glean useful information from large data sets, also known as big data.

Data at rest

Digital bits-n-bytes taking a well-earned break from the daily grind?  Alternatively, “Data stored on stable non-volatile storage” (ISO/IEC 27040).  “Information residing on media or a system that is not powered or is unauthenticated to” (NZ information Security Manual).

  Cf. data in motion.

Database
(db)

Structured and managed collection of data.  The structure and accumulation of data, along with the software functions to manage, manipulate and report them, usually make databases far more valuable than plain, unmanaged ‘flat files’ or simple lists and tables.  The most important computer systems often are databases, making database security controls such as those protecting data integrity a vital part of information security.

DataBase Administrator
(DBA)

Privileged user who administers (manages) databases.  Normally responsible for running the DBMS, configuring, maintaining and tuning databases e.g. setting up user rôles and defining their access rights to tables and cells, monitoring security logs etc.

Data breach

A breach involving data.  “Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed” (ISO/IEC 27040).

Data concerning health

“Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (GDPR).  See also PHI.

Data controller

The organisation or person gathering, holding and using personal information, responsible for ensuring it is adequately secured in order to protect the data subjects’ privacy.  Accountable for securing the information, even if it is processed by a separate organisation (a data processor).

Data dictionary

Formal description of the data fields of records in a database, ideally including their information security characteristics.

Data in motion

Digital bits-n-bytes on the move, jiggling about, steadfastly refusing to stay still and be counted?  Alternatively, “Data being transferred from one location to another.  Note: These transfers typically involve interfaces that are accessible and do not include internal transfers (i.e., never exposed to outside of an interface, chip, or device)” (ISO/IEC 27040).  Cf. data at rest.

Data in transit

“Information that is being conveyed across a communication medium” (NZ information Security Manual).

  See also data in motion.

Data in use

Data currently being processed.  “Information that has been decrypted for processing by a system” (NZ information Security Manual).

Data miner

Form of malware that covertly collects information on web users, for example secretly recording personal information submitted by users of online forms.

Data objects

“Elements which contain PII.  Example: such elements are for instance files, documents, records or attributes. Concrete data objects may be e.g. invoices, contracts, personal files, visitor lists, personnel planning sheets, user accounts, log entries, consent documents, and so on.  Note: Data objects can be combined with other data objects in a cluster of PII. The individual data object can be of varying complexity.” (ISO/IEC 27555 draft).

Data spill

“An information security incident that occurs when information is transferred between two security domains by an unauthorised means.  This can include from a classified network to a less classified network or between two areas with different need-to-know requirements” (NZ information Security Manual).

Data Processing (DP)

Prehistoric term for what is now commonly known as the ICT function/department/team or simply “IT”.

Data processor

An organisation that processes personal information on behalf of another (the data controller).  Typically, an ICT or cloud computing services company.

Data protection

See information protection.

Data Protection Directive

“Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data” which sought to harmonize information protection or privacy laws across the European Union and further afield (e.g. Australia, Canada and New Zealand).  Repealed and replaced by GDPR, which has applied since 25 May 2018.

Data remanence

“Residual information remaining on a device or storage media after clearing or sanitising the device or media. Sometimes described as data persistence” (NZ information Security Manual).

  See also remanence.

Data security

See IT security.

Datasploit

Application supporting both offense using, and defences against, social engineering attacks.  Mines open source intelligence sources and correlates information on individuals, domains, email addresses, phone numbers etc.  An example of dual-use technology, popular with black-, grey- and white-hats.  See also Burp suite and Maltego.

Data stealing/thieving/theft malware

Malware that surreptitiously harvests and exfiltrates valuable proprietary information or personal information from infected systems and networks to be exploited directly or sold on the black market.

Data subject

The identified or identifiable natural person to whom personal information relates, i.e. the person whose personal information it is.

DBMS
(DataBase Management System)

Specialized software system supporting database applications.  Provides management functions to organise data (usually in the form of tables, matrices, lists or sets) and data security (e.g. enforcing referential integrity).  Provides a standardized interface or abstraction layer between the application and the underlying operating system and hardware.  Heavily optimized for performance and throughput, for example caching frequently-accessed data to reduce disk reads.  Cf. management system (in the ISO sense).

DCS
(Distributed [or
Digital] Control System)

Originally a term for a process control computer system that uses digital computer technology rather than analogue electro-mechanical controls.  Latterly used to denote SCADA-like ICS distributed around the plant and operating semi-autonomously.

DCU
(Data Collection Unit),
pod

Network node or thing that gathers data from other things such as distributed sensors, smart meters etc. and forwards it to a central system, passing commands in the opposite direction.  Used in ICS/SCADA, IIoT and IoT.

DDoS
(Distributed Denial of Service)

Type of DoS attack using numerous attacking systems (typically bots) to generate large volumes of network traffic, thereby flooding and possibly swamping (overloading) the target systems or network, causing them to stop providing ICT services.  See also DRDoS.

DEA
(Data Encryption Algorithm)

Symmetric encryption algorithm specified in FIPS PUB 46 in 1977 for the Data Encryption Standard DES.

Dead drop

See drop.

Dead Letter Box (DLB)

See drop.

Dead double

Identity thief who assumes the identity of a dead person.

Deception,
deceit

Lying, lie, fabrication or deliberate, manipulative concealment of the truth.

Deception technology

[Marketing] term for advanced honeypot systems designed to lure, divert, contain and gather information (intelligence) on hackers inside corporate networks, all the while deceiving them into believing they are genuinely gathering reconnaissance, exploiting vulnerabilities and capturing flags.  A potentially valuable approach in some circumstances, but potentially costly and risky too (e.g. distracting, diverting and misleading cybersecurity resources while engendering a false sense of security).

Decision criteria

“Thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result” (ISO/IEC 15939:2007).

Declassification

The authorized removal or downgrading of classification level on information for which the current class is no longer appropriate (e.g. outdated, irrelevant or already disclosed), thereby increasing permitted access.  “A process whereby information is reduced to an unclassified state and an administrative decision is made to formally authorise its release into the public domain” (NZ information Security Manual).

  See also redaction.

Decode

Convert coded messages into their plaintext equivalents, if necessary using the correct section, page and entries in a code book.

Decrypt,
decryption,
decipher, decipherment

Reversal of the encryption process requiring the correct key to recover the original plaintext from the cyphertext (where possible).

Decryptor

Some early ransomware had cryptographic design flaws or coding bugs, allowing encrypted files to be decrypted using utilities released by antivirus companies without victims having to pay the ransom.  Most current ransomware is better designed and coded, making encrypted files useless without the necessary decryption key.

Deduplication

Reduction or elimination of redundant information.  “Method of reducing storage needs by eliminating redundant data, which is replaced with a pointer to the unique data copy.  Note: Deduplication is sometimes considered a form of compression” (ISO/IEC 27040).

Deep cover

Infiltrating a target organisation so effectively that the infiltrator becomes highly trusted and may gain privileged access to its innermost secrets, albeit increasing the risk of the agent being turned or going native.  See also mole and sleeper.

Deep fake

Advanced audio-visual techniques can ‘put words into the mouths’ of celebrities, politicians, activists and adversaries, making them appear to express something they did not.  Just as written materials can be edited or fabricated, small changes to genuine audio-visual content (such as deleting the word “not” or changing a frown into a smile) are relatively easy to make seamlessly, yet can dramatically affect the meaning or interpretation of, say, a political speech or public statement.  As the techniques advance through artificial intelligence, neural networks and deep learning, wholescale changes are becoming easier to make and harder to spot, potentially leading to de novo fabrication of lengthy video clips in fake settings with fake audiences.  There are serious implications for society through large-scale social engineering such as fake news, fraud, espionage, information warfare and cyberwar, threatening forensics, authority, accountability and trust.

Deep packet inspection

Third generation firewalls (and intrusion detection/prevention systems) can examine the payloads (data content) of network packets, as well as the IP addresses, ports and protocol information in the packet headers, in order to apply more granular security rules, for example blocking a known attack pattern carried inside otherwise-permitted web traffic.  Their ability to access the content of network traffic raises privacy and confidentiality concerns: these are highly trusted devices, and inspecting encrypted traffic (e.g. TLS) requires them to intercept and decrypt it, extending that trust still further.
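
The difference between a header-only rule and deep packet inspection, as an added example (not from the original glossary): the same packet passes a port-based filter but is dropped once the payload is examined.  The packets, the allowed-port set and the signature list are all constructed for the demonstration; checksums are left as zero because the parser does not validate them.

```python
import struct
from ipaddress import IPv4Address

IP_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIBBHHH"   # 20-byte IPv4 and TCP headers

def build_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet for the demo (checksums left as zero)."""
    ip = struct.pack(IP_FMT, 0x45, 0, 40 + len(payload), 0x1234, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack(TCP_FMT, sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def parse_packet(pkt: bytes) -> dict:
    """Decode the header fields a conventional filter sees, then locate the payload."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4                      # IPv4 header length in bytes
    if proto != 6:
        raise ValueError("only TCP is handled in this example")
    sport, dport, _, _, offset = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
    thl = (offset >> 4) * 4                      # TCP header length in bytes
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "payload": pkt[ihl + thl:total_len]}

ALLOWED_PORTS = {80, 443}
SIGNATURES = [b"../", b"/etc/passwd", b"cmd.exe"]   # constructed, illustrative patterns

def header_filter(pkt: bytes) -> str:
    """Stateless packet filter: decides on header fields only."""
    return "ALLOW" if parse_packet(pkt)["dport"] in ALLOWED_PORTS else "DROP"

def dpi_filter(pkt: bytes) -> str:
    """Deep packet inspection: the same header rule, then a look inside the payload."""
    p = parse_packet(pkt)
    if p["dport"] not in ALLOWED_PORTS:
        return "DROP"
    if any(sig in p["payload"] for sig in SIGNATURES):
        return "DROP"
    return "ALLOW"

# Constructed traffic: both packets go to port 80 and look identical to a header filter.
BENIGN = build_packet("10.0.0.5", "192.0.2.10", 40000, 80,
                      b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
MALICIOUS = build_packet("10.0.0.5", "192.0.2.10", 40001, 80,
                         b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("malicious", MALICIOUS)]:
        print(name, "header:", header_filter(pkt), "dpi:", dpi_filter(pkt))
```

Note what the inspecting device had to do: parse both headers correctly, then read application data.  A real product also reassembles TCP streams and decodes the application protocol, and if the traffic were TLS it would first have to terminate (decrypt) the session, which is exactly the trust issue the entry describes.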

Deep Web, Deepweb,
Deep net, Deepnet

Internet sites and services that are not readily accessible and searchable using conventional search engines such as Google.  Includes the Darknet, plus web pages and servers protected behind corporate firewalls or logins.

Defame,
defamation,
defamatory

Stating or implying something false that unduly harms the image and reputation of another person.  Note that a true i.e. factually accurate statement, by definition, is not defamatory though it may be distinctly uncomplimentary.  See also libel and slander.

Default

Pre-set configuration.  Straight out of the box, newly-installed software and hardware typically has standardized and convenient but relatively weak security settings, for example passwords that are widely known in the hacker community, and pass-all settings.

Default deny,
need-to-know

Access control principle stating that information should only be released to authenticated individuals if they have a legitimate purpose or reason for using the information, and are authorized to do so.

Default permit,
need-to-withhold

Access control principle stating that information should normally be released or disclosed unless such access needs to be explicitly denied for some specific, legitimate reason.
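
The practical consequence of the two principles above is what happens to a request that no rule anticipated.  As an added example (not from the original glossary), the evaluator below applies an ordered rule list and then falls back to a configurable default; the policy, subjects and object names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy: ordered (subject, object, action, effect) rules, first match wins.
RULES = [
    ("alice", "hr/payroll/*", "read", "allow"),   # alice needs payroll data for her job
    ("bob",   "hr/*",         "*",    "deny"),    # explicit deny for bob on all HR data
    ("*",     "public/*",     "read", "allow"),   # anyone may read public documents
]

def evaluate(subject, obj, action, *, authenticated=True, rules=RULES, default="deny"):
    """Return the first matching rule's effect, otherwise the policy default.
    An unauthenticated subject is refused before any rule is consulted."""
    if not authenticated:
        return "deny"
    for s, o, a, effect in rules:
        if fnmatchcase(subject, s) and fnmatchcase(obj, o) and fnmatchcase(action, a):
            return effect
    return default

def compare_defaults(subject, obj, action):
    """The same request under default deny (need-to-know) and default permit (need-to-withhold)."""
    return {"default_deny": evaluate(subject, obj, action, default="deny"),
            "default_permit": evaluate(subject, obj, action, default="allow")}

if __name__ == "__main__":
    # carol is covered by no rule at all: only the default decides her fate
    print(compare_defaults("carol", "hr/payroll/2019.xlsx", "read"))
    # {'default_deny': 'deny', 'default_permit': 'allow'}
```

Under default permit, every object that nobody thought to list is exposed; under default deny, the cost of an omission is a help-desk ticket rather than a disclosure.  That asymmetry is why need-to-know is the norm for sensitive information.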

Defect

An identified bug, flaw or other inherent issue with a system, process, person, organisation etc.

Defence-in-depth

Control principle whereby multiple overlapping or complementary ‘layers’ of protection are applied, all of which would have to be breached, overcome, disabled or bypassed in order to impact or compromise the protected information assets.  This is a structured, systematic approach, more than simply increasing the number of controls.  “A layered combination of complementary countermeasures” (Official ISC2 Guide to the CISSP CBK, 2007, page 282).

Defensive security,
passive security,
reactive security

Security practices that deter, prevent, react or respond to attacks and other incidents, generally by minimizing vulnerabilities and/or impacts for instance using silent alarms, tell-tales or whistleblower’s hotlines coupled with highly efficient incident response practices to react quickly and decisively to the very earliest signs of trouble.  Cf. offensive security.

Defraud

To commit or perpetrate fraud.

Degauss

Secure erasure process that applies an extremely strong magnetic field to magnetic data storage media such as computer disks or tapes to destroy the stored data.  In addition to concerns over the equipment and operating procedures, the extremely high density of modern magnetic storage methods and the high coercivity of the materials make degaussing less reliable in practice than it may appear (a degausser rated for older, lower-coercivity media may leave data recoverable), and with RAID or similar redundant storage the data are spread across several disks, all of which must be sanitised; subsequent physical destruction of degaussed media increases assurance.  Degaussing has no effect on solid-state/flash media such as SSDs and USB sticks, which must be sanitised by other means.  “Render data unreadable by applying a strong magnetic field to the media” (ISO/IEC 27040).

Degausser

A device that degausses.  “An electrical device or permanent magnet assembly which generates a coercive magnetic force to destroy magnetic storage patterns in order to sanitise magnetic media.” (NZ information Security Manual).

Delegated authority,
delegation

Refers to someone passing some of their responsibility and power to a subordinate within specified parameters, for example giving them the ability to sign-off (authorize) expenses claims or procurement orders up to a certain dollar value.  Implies a level of trust in the subordinate, often supported by additional controls.  While the authorized person is personally accountable for any incidents arising from their actions and inactions, the more senior person generally shares some of the accountability since he/she made the decision to delegate.

Deletion,
disposition mechanism, erasure,
destruction,
destruction of data storage media,
anonymisation of data

“Process by which PII is changed in an irreversible manner so that it is no longer present or recognizable and cannot be used or reconstructed after the process.  Notes: (1) As a rule, “secure deletion” is required. Secure deletion means that reconstruction of the data is either impossible or requires substantial effort (in human resources, means, time). For selecting the deletion methods, the need for protection of the data concerned is to be taken into account; (2) Equally, an alternative way to reach the goal of deletion is anonymisation. Further guidance on anonymisation (as a de-identification technique) can be found in ISO/IEC 20889:2018-11 (1st edition) — Privacy enhancing data de-identification terminology and classification of techniques; (3) the term ‘deletion’ covers all such synonyms: disposition mechanism, erasure, destruction, destruction of data storage media, anonymization of data.” (ISO/IEC 27555 draft).

Deletion class

“Combination of a standard deletion period and an abstract starting point for the period run.  Note: All clusters of PII which are subject to the same deletion period and the same abstract starting point are combined in a deletion class. As opposed to the (specific) deletion rule for a cluster of PII, the (abstract) deletion class relates only to the abstract starting point and not to a specific condition for the start of the period run (see also [clause] 8).” (ISO/IEC 27555 draft).

Deletion framework

“Policy documents and implementation mechanisms by means of which a PII controller ensures that its pools of personally identifiable information are deleted in accordance with the applicable legislation and/or regulation.” (ISO/IEC 27555 draft).

Deletion period

“Time period after which a specific cluster of PII should be deleted.  Note: As a generic term, the deletion period comprises all deletion periods. This includes the →standard deletion periods and the →regular deletion periods, which form special groups. However, the term also includes, for instance, the specific deletion periods for some clusters of PII or deletion periods in special cases. For details see Clause 7.” (ISO/IEC 27555 draft).

Deletion rule

“Combination of deletion period and specific condition for the starting point of the period run” (ISO/IEC 27555 draft).

Demand letter

See cease and desist letter.

De-militarized zone

See DMZ.

DEP
(Data Execution Prevention)

Operating system security feature that marks memory pages holding data (such as the stack and heap) as non-executable, using the processor’s NX (No eXecute) page-table bit where the hardware supports it, so that the CPU refuses to run code injected into those pages; only pages explicitly designated executable (normally the program’s own code) can run.  Helps prevent exploitation of buffer overflows through injected shellcode, although attackers circumvent it by re-using code that is already executable (e.g. return-oriented programming), hence it is normally combined with ASLR.

Dependable,
dependability

Measure of the extent to which a system, network, person, team, organisation etc. can be relied upon or trusted to perform as expected under all anticipated and ideally unanticipated circumstances.  Implies a level of assurance as to the suitability and effectiveness of its resilience, recoverability and contingency preparations, and clarity of the requirements.

Deposition

Legal process in which a witness gives verbal answers, under oath, to verbal questions from the opposing party’s lawyers, normally before trial and outside the courtroom, with the testimony recorded or transcribed for use as evidence.  A form of discovery.  See also interrogatory.

Deprecated

Withdrawn and no longer recommended for use.  If significant flaws are discovered in cryptosystems, for instance, the corresponding standards, algorithms, protocols etc. are, at some point, removed from service and superseded – hopefully – by better ones.

Derived measure

“Measure that is defined as a function of two or more values of base measures” (ISO/IEC 15939:2007).

DES
(Data Encryption Standard)

Standard specifying a cryptographic algorithm (DEA - Data Encryption Algorithm) for US government use in 1977, published in FIPS PUB 46.  Still used by legacy systems, albeit normally in the somewhat more secure form of triple-DES.  Vulnerable to brute-force attacks: the 64-bit key contains 8 parity bits, leaving an effective key length of just 56 bits, a key space that was exhaustively searched in public by 1998 (the EFF’s “Deep Crack” machine).  NIST withdrew the standard (FIPS 46-3) in 2005, hence DES is deprecated.
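
Why the effective key is 56 bits and not 64, as an added example (not from the original glossary): DES begins its key schedule with the fixed permutation PC-1 from FIPS 46, which selects 56 of the 64 key bits and never reads the eight parity bits.  The table below is the standard’s PC-1; the helper names and the sample key (the worked example key from the standard, 0x133457799BBCDFF1) are the only things assumed here.

```python
# PC-1 ("Permuted Choice 1") from FIPS 46: bit positions selected from the 64-bit key,
# numbered 1..64 with 1 = most significant bit of the first key byte.  Positions
# 8, 16, ..., 64 are absent: those are the parity bits, ignored by the key schedule.
PC1 = [
    57, 49, 41, 33, 25, 17,  9,
     1, 58, 50, 42, 34, 26, 18,
    10,  2, 59, 51, 43, 35, 27,
    19, 11,  3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,
     7, 62, 54, 46, 38, 30, 22,
    14,  6, 61, 53, 45, 37, 29,
    21, 13,  5, 28, 20, 12,  4,
]

def pc1(key: bytes) -> int:
    """Return the 56-bit value DES actually derives from an 8-byte key."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes")
    k = int.from_bytes(key, "big")
    out = 0
    for pos in PC1:
        out = (out << 1) | ((k >> (64 - pos)) & 1)
    return out

def with_odd_parity(key: bytes) -> bytes:
    """Set each byte's low bit so that the byte has odd parity, as FIPS 46 requires."""
    return bytes((b & 0xFE) | (1 - (bin(b >> 1).count("1") & 1)) for b in key)

def parity_bits_ignored(key: bytes) -> bool:
    """Flipping every parity bit must leave the effective key unchanged."""
    return pc1(key) == pc1(bytes(b ^ 0x01 for b in key))

def effective_key_bits() -> int:
    """Number of distinct key bits PC-1 selects: 56, hence a 2**56 key space."""
    return len(set(PC1))

if __name__ == "__main__":
    key = bytes.fromhex("133457799BBCDFF1")     # worked-example key from FIPS 46
    print(f"{effective_key_bits()} effective bits; parity ignored:",
          parity_bits_ignored(key), f"C0|D0 = {pc1(key):056b}")
```

A brute-force attacker therefore enumerates 2**56 candidates, not 2**64, and any key-management code that "strengthens" a DES key by varying its parity bits changes nothing.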

Design

(a) Distinctive physical expression, shape or other characteristics of a product that is typically associated with a particular brand or trademark.  (b) Systematic process of analysing requirements, then creating and documenting something to satisfy those requirements.  (c) A structured and documented architecture.

Destruct,
destroy

Physically and/or logically obliterate information such that it is no longer recoverable in usable form, even using forensic techniques.  In some circumstances, the process may further involve erasing any trace of its prior existence (e.g. deleting associated metadata).  “Sanitize using physical techniques that make recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.  Note: Disintegrate, incinerate, melt, pulverize, and shred are destruct forms of sanitization” (ISO/IEC 27040).  Note: “destroy” is the correct English verb form, whereas “destruct” is an Americanism derived from “destruction”.  See also purge.

Destruction

The act of destroying.  “Result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible or prohibitively expensive to recover” (ISO/IEC 27040).

Detect

“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.  The Detect Function enables timely discovery of cybersecurity events.” (NIST Cybersecurity Framework).  A core function within NIST’s cybersecurity framework along with identify, protect, respond and recover.

Detective control

Form of security control intended to detect an incident in progress, log the details and/or raise an alert or alarm to trigger the appropriate response.  See also preventive and corrective control.

Deterrent

Form of preventive control, such as warnings and penalties, intended to deter (that is, reduce the threat of) compromise or attack.

Development environment

Computer environment comprising systems, networks, devices, data and supporting processes that are used by software developers for developing new application systems.  Cf. production or test environments.

Device

An item of computing or networking equipment, a piece of ICT hardware or electronic technology, or more generally a machine or method with a specific purpose.  Many devices also qualify as things or small systems.

Device access control software

Program restricting the use of communications ports and/or equipment (e.g. USB flash memory sticks) on a system.  “Software that can be installed on a system to restrict access to communications ports on workstations. Device access control software can either block all access to a communications port or allow access using a whitelisting approach based on device types, manufacturer’s identification, or even unique device identifiers” (NZ information Security Manual).

DevOps
(Development – Operations integration)

Software engineering approach that integrates application development, testing and ICT operations functions/teams and automates processes primarily to cut cycle times for software updates from months to hours.  A practical extension of Agile development, a form of RAD, and other continuous development methods.  See also DevSecOps.

DevSecOps
(Development – Security Operations integration)

Extension of DevOps to integrate software development, testing, software/infrastructure security and ICT operations teams.  Extensive process automation speeds things up, improves repeatability and is well suited to cloud computing (e.g. automatically provisioning virtual systems, installing and configuring applications, and validating the installations including the security aspects).

Dexter

One of several species of memory-scraping Point-of-Sale system malware discovered in the wild in 2012.

Dharma

One of several species of ransomware in the wild in 2019 that strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Targets small organisations, demanding ransoms of about $1k.

DHS
(Department of Homeland Security)

US government department responsible for counter-terrorism, border and transport security, emergency management and critical national infrastructure protection, including (through its Cybersecurity and Infrastructure Security Agency, CISA) civilian cybersecurity.  See also FBI and CIA.

Dialler

Old-skool form of malware which silently calls a premium rate phone number on the victim’s modem, committing toll fraud.  See also war dialler.

Dictionary attack

Attempt to guess or crack a password (or recover it from a stolen password hash) by trying words from a dictionary or wordlist, typically mangled by rules (e.g. reversed, capitalised, leet-speak substitutions, digits or punctuation prepended or appended).  Far more efficient than an exhaustive brute force attack because it tries the likeliest candidates first, so it succeeds quickly against weak, human-chosen passwords; countered by long random passphrases, rate limiting and slow, salted password hashing.
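
As an added example (not from the original glossary), the code below mangles a tiny constructed wordlist and tests each candidate against a stored hash, once against unsalted SHA-256 and once against salted PBKDF2 so that the cost of a deliberately slow hash is visible.  The wordlist, the rules and the target passwords are all constructed for the demonstration.

```python
import hashlib
import os

LEET = str.maketrans("aeios", "@3105")
SUFFIXES = ["", "1", "123", "!", "2019", "2019!"]

def candidates(words):
    """Wordlist plus simple mangling rules, likeliest variants first."""
    for w in words:
        for base in [w, w.capitalize(), w.upper(), w[::-1], w.translate(LEET)]:
            for suffix in SUFFIXES:
                yield base + suffix

def fast_hash(password: str, salt: bytes = b"") -> str:
    """Unsalted SHA-256: what a weakly designed system might store."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def slow_hash(password: str, salt: bytes, iterations: int = 20_000) -> str:
    """Salted PBKDF2: every guess costs the attacker 'iterations' HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def crack(stored: str, words, hash_fn, salt: bytes = b""):
    """Return (password, guesses) on success or (None, guesses) once the list is exhausted."""
    guesses = 0
    for guess in candidates(words):
        guesses += 1
        if hash_fn(guess, salt) == stored:
            return guess, guesses
    return None, guesses

WORDS = ["password", "summer", "dragon"]     # constructed mini wordlist

if __name__ == "__main__":
    print(crack(fast_hash("Summer2019!"), WORDS, fast_hash))            # ('Summer2019!', 42)
    print(crack(fast_hash("correct horse battery staple"), WORDS, fast_hash))  # (None, 90)
    salt = os.urandom(16)
    print(crack(slow_hash("dragon123", salt), ["dragon"], slow_hash, salt))    # ('dragon123', 3)
```

The salt does not stop the attack on a weak password, but it forces the attacker to run the whole wordlist separately per account, and the iteration count multiplies the cost of every guess; together they turn a millisecond job into hours for a large leaked database, while a passphrase outside any wordlist is never found at all.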

Dieselgate

An assurance and ethics scandal involving the deliberate programming of VW diesel cars to detect and respond to emissions testing in progress, cutting exhaust emissions to ace the test but increasing emissions under normal operating conditions.  A sign of things to come, perhaps, as everyday objects are smartened-up, becoming things capable of evading dumb checks and controls.

Differential backup

A backup of all the files created or changed since the last full (image) backup.  In contrast to incremental backups, which record only the changes since the previous backup of any kind, a system can be recovered simply by restoring the most recent full backup plus the single most recent differential, rather than the full backup plus every subsequent incremental in order.  However, differentials grow with every day that passes since the full backup, hence they take longer to write and use more storage than most incrementals.
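
The trade-off between the two schemes, as an added example (not from the original glossary): the model below takes a sequence of daily file states, produces a differential and an incremental set for each day after the full backup, and shows how many sets each restore needs.  File states are constructed; deletions are deliberately not modelled.

```python
def full_backup(state: dict) -> dict:
    return dict(state)

def differential_backup(state: dict, full: dict) -> dict:
    """Everything changed or created since the last FULL backup."""
    return {f: c for f, c in state.items() if full.get(f) != c}

def incremental_backup(state: dict, previous: dict) -> dict:
    """Everything changed or created since the PREVIOUS backup of any kind."""
    return {f: c for f, c in state.items() if previous.get(f) != c}

def restore_differential(full: dict, latest_diff: dict) -> dict:
    return {**full, **latest_diff}                 # always exactly two sets

def restore_incremental(full: dict, incrementals: list) -> dict:
    restored = dict(full)
    for inc in incrementals:                       # every set since the full, in order
        restored.update(inc)
    return restored

def simulate(states: list) -> list:
    """states[0] is the state at the full backup; one backup of each kind per later day.
    Deletions are not modelled (both schemes need a catalogue to replay those)."""
    full = full_backup(states[0])
    diffs, incs, report = [], [], []
    for day in range(1, len(states)):
        diffs.append(differential_backup(states[day], full))
        incs.append(incremental_backup(states[day], states[day - 1]))
        report.append({
            "day": day,
            "differential_files": len(diffs[-1]),
            "incremental_files": len(incs[-1]),
            "sets_to_restore_differential": 2,
            "sets_to_restore_incremental": 1 + day,
            "restores_match": restore_differential(full, diffs[-1]) == states[day]
                              == restore_incremental(full, incs),
        })
    return report

# Constructed example: one file changes on each day after the full backup on day 0.
STATES = [
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},
    {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1"},
    {"a.txt": "a2", "b.txt": "b2", "c.txt": "c1"},
    {"a.txt": "a2", "b.txt": "b2", "c.txt": "c2"},
]

if __name__ == "__main__":
    for row in simulate(STATES):
        print(row)
```

Note the failure mode the incremental chain carries: losing or corrupting any one incremental set breaks every restore after it, whereas a differential restore depends only on the full set and the one differential being used.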

Diffie-Hellman groups

“A method used for specifying the modulus size used in the hashed message authentication code algorithms. Each DH group represents a specific modulus size.  For example, group 2 represents a modulus size of 1024 bits” (NZ information Security Manual).  In practice the group number identifies the prime modulus (or elliptic curve) used for the Diffie-Hellman key exchange in protocols such as IKE/IPsec and SSH; the small groups (e.g. group 2 at 1024 bits) are no longer considered adequately secure.

Digest

See hash.

Digital certificate

File containing information about a user or system along with their public key plus a digital signature from the Certification Authority to authenticate the certificate itself and to some extent (according to the nature and extent of the checks performed) the user or system to whom it was issued.

Digital device

“Electronic equipment used to process or store digital data” (ISO/IEC 27037).

Digital evidence

Forensic evidence in the form of data (e.g. the contents of a hard drive, tablet, smartphone or USB memory stick) gathered in connection with investigating, proving or disproving a crime.  “Information or data, stored or transmitted in binary form, that may be relied on as evidence” (ISO/IEC 27037).

Digital evidence copy

In order to guarantee the integrity of digital evidence, forensic analysis is performed on evidential copies that have been produced by appropriate methods and can be verified correct.  “Copy of the digital evidence that has been produced to maintain the reliability of the evidence by including both the digital evidence and verification means where the method of verifying it can be either embedded in or independent from the tools used in doing the verification” (ISO/IEC 27037).

Digital Evidence First Responder (DEFR)

“Individual who is authorized, trained and qualified to act first at an incident scene in performing digital evidence collection and acquisition with the responsibility for handling that evidence. Note: Authority, training and qualification are the expected requirements necessary to produce reliable digital evidence, but individual circumstances may result in an individual not adhering to all three requirements.  In this case, the local law, organisational policy and individual circumstances should be considered” (ISO/IEC 27037).

Digital Evidence Specialist
(DES)

“Individual who can carry out the tasks of a DEFR and has specialized knowledge, skills and abilities to handle a wide range of technical issues.  Note: A DES may have additional niche skills, for example, network acquisition, RAM acquisition, Linux or Mainframe knowledge.” (ISO/IEC 27037).

Digital forensics,
cyber forensics,
computer forensics

The forensic analysis of digital evidence.  Strictly speaking, evidence may be obtained from various devices and things besides computers, while computing is usually - but not necessarily - digital.

Digital investigation

“Use of scientifically derived and proven methods towards the identification, collection, transportation, storage, analysis, interpretation, presentation, distribution, return, and/or destruction of digital evidence derived from digital sources, while obtaining proper authorizations for all activities, properly documenting all activities, interacting with the physical investigation, preserving digital evidence, and maintaining the chain of custody, for the purpose of facilitating or furthering the reconstruction of events found to be incidents requiring a digital investigation, whether of criminal nature or not” (ISO/IEC 27043).  Wow!  See also digital forensics.

Digital signature

Cryptographic hash of a message or file that has been signed (transformed) using the sender’s private key and attached to the message/file to ‘seal’ it.  Anyone holding the corresponding public key can recompute the hash and check it against the signature, thus detecting any subsequent change and authenticating both the message and the sender (giving non-repudiation), since only the holder of the private key could have produced the signature.  See also digital certificate.
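
The sign/verify round trip, as an added example (not from the original glossary), using textbook RSA over a SHA-256 digest so that the roles of the private and public keys are visible.  The two primes are deliberately tiny published primes and there is no padding scheme, so this is a teaching toy, not a signature implementation to deploy; function names are assumptions of the example.

```python
import hashlib

# Toy key: the 10,000th and 100,000th primes.  Real keys use ~2048-bit moduli
# and a padding scheme such as PSS; this is only to show the mechanics.
P, Q = 104729, 1299709
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)                 # private exponent (Python 3.8+ modular inverse)

def message_digest(msg: bytes, n: int = N) -> int:
    """SHA-256 of the message, reduced into the signing modulus (toy-sized here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, d: int = D, n: int = N) -> int:
    """The signature is the digest transformed with the PRIVATE key."""
    return pow(message_digest(msg, n), d, n)

def verify(msg: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the PUBLIC key undoes the transform and compares digests."""
    return 0 <= sig < n and pow(sig, e, n) == message_digest(msg, n)

if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"       # constructed message
    sig = sign(msg)
    print("genuine:", verify(msg, sig))                        # True
    print("tampered:", verify(b"Transfer 900 to account 42", sig))  # False
```

Verification needs only (E, N), which is what a digital certificate distributes; the private exponent D never leaves the signer, which is what makes the signature attributable to them.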

Digital storage medium

“Device on which digital data may be recorded” (ISO/IEC 27037, adapted from ISO/IEC 10027).

[Data] Diode

“A device that allows data to flow in only one direction” (NZ information Security Manual).

Dip

Momentary/transient reduction in supply voltage, lasting a few micro- or milliseconds.  Most dips pass without incident, but electronic systems with insufficient voltage regulation may fail.  See also brownout, spike, surge and blackout.

Direct evidence

Forensic evidence that derives from or is closely related to an incident.  Cf. circumstantial evidence.

Disaster

A terrible incident such as a major fire, flood, fraud or hack.  Distinguished from ordinary events, incidents or crises by its severity, scale and impact.

[IT] Disaster Recovery
(DR)

Fallback arrangements to restore IT systems, data and services supporting critical business functions from backups, often at an alternative location using cloud-based or mobile IT facilities, following a major incident affecting the primary ICT production facilities.

Disaster Recovery Plan (DRP)

Documentation of an organisation’s DR arrangements.

Disclaimer

Attempt to share risk by explicitly and expressly denying responsibility for something.  Often used in an attempt to limit legal liabilities.  See also notification.

Disclosure

Revelation of confidential information.  May be deliberate or accidental, forced (e.g. by coercion, blackmail or social engineering) or voluntary, whether authorized and permitted or unauthorized and forbidden.  See also discovery.

Discovery,
disclosure

Forensics term for the enforced disclosure of evidence to the counterparty in an official investigation or court case.  A strong reason to limit the collection and storage of information whose very existence might prove embarrassing or damaging to the organisation or individuals concerned (e.g. risk assessment results or audit recommendations that were not taken seriously).  “Process by which each party obtains information held by another party or non-party concerning a matter.  Note: Discovery is applicable more broadly than to parties in adversarial disputes. Discovery is also the disclosure of hardcopy documents, Electronically Stored Information and tangible objects by an adverse party.  In some jurisdictions the term disclosure is used interchangeably with discovery.” (ISO/IEC 27050-1).  See also disclosure, deposition, interrogatory and subpoena.

Discretionary

Optional i.e. provided, used or configured according to someone’s discretion, choice or freewill.  Usually refers to IT security controls that are not mandatory.

Discretionary Access Control
(DAC)

Access control model in which the owner or users of a resource decide, at their discretion, who may access it and how (e.g. file permissions set by the file’s owner), as opposed to Mandatory Access Control (MAC) where the system itself enforces a policy, typically based on security labels, that ordinary users cannot override.

Discussion forum, forum,
discussion group, group,
email reflector

Social networking discussion facility.  Messages sent to the group by a member through email or the website are automatically ‘reflected’ back to all members by email and (usually) archived on the website allowing them to be searched.  Messages containing sensitive or inappropriate content (e.g. intended for a specific group member or someone else entirely) or spam may be circulated in exactly the same way, while shared information may be exploited by social engineers.

Dishonest

Someone ‘ethically challenged’ who lies, deceives, cheats or defrauds others for their own benefit.  They cannot be relied upon, making them untrustworthy and probably unworthy of or unsuitable for various privileges and responsibilities.

Disinfect

Eliminate a malware infection from a system, normally by deleting the malicious software from wherever it is stored and (hopefully!) improving the security controls to prevent re-infection.  “To remove malware from within a file” (NIST SP800-114 rev1).

Disinformation

See misinformation.

Disintegrate

Fall to pieces or rip asunder.  “Destruct by separating media into its component parts” (ISO/IEC 27040).

Disk image

(a) Copy of the data on a disk, typically created by an image backup.  (b) In computer forensics, a bit-copy of the entire contents of a disk or other storage medium using approved hardware, software and processes.  (c) In virtualisation, a virtual disk made available to a guest operating system by the hypervisor.

Disk mirroring,
RAID
(Redundant Array of
Inexpensive [or Independent] Disks)

Technique in which data are simultaneously written to and read from multiple disks, for resilience and/or performance reasons.  Mirroring (RAID 1) keeps identical copies on two or more disks; other RAID levels stripe data across disks, with or without parity for recovery.  Various technical configurations are possible with different advantages, disadvantages, capabilities and information risks.  RAID is a resilience control against disk failure, not a backup: deletions, corruption and ransomware encryption are faithfully mirrored to every disk in the array.  See also diversity and redundancy.

Disposition

Eventual outcome or result of something.  “Range of processes associated with implementing records retention, destruction or transfer decisions which are documented in disposition authorities or other instruments” (ISO 30300:2011). 

Diversity

Use of, or at least ready access to, alternative, independent services, sources, vendors, pieces of equipment, power sources, communications routes etc. in order to reduce the risk of failure of any one.  A resilience control.  Unanticipated dependencies between apparently diverse resources can create single points of failure and hence additional risks.  See also redundancy and mirror site.

Division of responsibilities, separation of duties,
segregation of duties

Control requiring the involvement of more than one individual or organisation to complete a business process e.g. a member of staff enters data but someone else, normally a supervisor or manager, must review and authorize it for processing.  Normally reinforced by controlled access to the corresponding system functions.  Reduces the possibility of fraud, barring collusion between the individuals or coercion, and data entry errors.  “Practice of dividing steps in a function among different individuals so as to keep a single individual from being able to subvert the process.” (PCI Card Production and Provisioning Physical Security Requirements, v2.0 January 2017).

DLP
(Data Leakage [or Loss] Prevention)

Security technology designed to monitor, identify, log/alert and if appropriate block the inappropriate transfer of confidential information, whether at network egress points (email and web gateways, firewalls, proxies), on endpoints (USB storage, printing, clipboard, screenshots) or within cloud services, for example to prevent workers, malware or hackers disclosing or passing personal information, credit card numbers, trade secrets or other intellectual property to third parties, whether by accident or on purpose.  Content is typically recognised by pattern matching (e.g. card number formats combined with a check-digit test), keywords, fingerprints of known documents or classification labels.  Conceptually similar to IDS/IPS but concerns extrusion rather than intrusion.  Pattern-based rules generate false positives and are evaded by encryption, compression or encoding, so network DLP depends on being able to inspect the traffic (e.g. TLS interception) and is best treated as one layer alongside access control, classification and awareness.
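The pattern-plus-check-digit recognition described above, as an added example that is not part of the original glossary: candidate card numbers are found by a regular expression, then filtered with the Luhn check so that invoice and phone numbers are not flagged, and the log record masks the number as PCI DSS permits (first six and last four digits).  The sample messages are constructed; the test card number 4111 1111 1111 1111 is a well-known Luhn-valid test value, not a real account.

```python
import re

# Candidate primary account numbers (PANs): 13-19 digits, optionally separated
# by single spaces or hyphens, as they appear in emails and documents.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the candidate numbers in text that pass the Luhn check, normalised
    to digits only.  Luhn rejects roughly 90% of random digit runs (order
    references, phone numbers) that the regex alone would flag."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six (BIN) and last four digits for the log, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def dlp_decision(text: str) -> dict:
    """Emulate an outbound DLP policy: block if any PAN is present and produce a
    log record that does not itself leak the card number."""
    pans = find_pans(text)
    return {"action": "block" if pans else "allow",
            "matches": [mask(p) for p in pans]}


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    for msg in ("Order ref 1234567890123456, card 4111-1111-1111-1111 exp 12/26",
                "Call +44 20 7946 0958 re invoice 20240001"):
        print(dlp_decision(msg))
```

The first message is blocked because only the second number passes Luhn; the sixteen-digit order reference and the phone number are ignored.  A production policy would also handle encoded or split content and apply different actions per channel.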

DMCA
(Digital Millennium
Copyright Act)

US copyright law (1998) whose anti-circumvention provisions prohibit bypassing technical measures that control access to or copying of copyrighted works, and trafficking in technologies/devices designed to do so.  It also established the notice-and-takedown ‘safe harbour’ that shields online service providers from liability for infringing content posted by their users provided they remove it on request.  Security researchers examining copy protection or DRM may fall foul of the anti-circumvention provisions, subject to the periodic exemptions granted by the Librarian of Congress.

DMZ
(De-Militarized Zone),
screened subnet

Special network segment between external networks such as the Internet and internal corporate networks, within which proxy servers and firewalls are intended to identify and restrict unauthorized traffic while passing legitimate traffic.  Systems that need to connect to the Internet (such as Web servers, DNS servers, application servers or front-ends, and email servers) are typically located in the DMZ, and are hardened.  Traffic from the DMZ into the internal network should be restricted as tightly as traffic from the Internet, since a compromised DMZ host is the classic pivot point, and DMZ systems should be monitored and kept to the minimum needed.  “Perimeter network (also known as a screened sub-net) inserted as a ‘neutral zone’ between networks” (ISO/IEC 27033-1).  “A small network with one or more servers that is kept separate from an agency’s core network, either on the outside of the agency’s firewall, or as a separate network protected by the agency’s firewall. Demilitarised zones usually provide public domain information to less trusted networks, such as the Internet” (NZ information Security Manual).

  See also zone.

DNS
(Domain Name System)

Network protocols and systems that let us refer to Internet nodes by memorable domain names (such as Amazon.com) rather than their numeric IP addresses (such as 13.32.145.86).  Plain DNS responses carry no authentication, which is what makes forged responses, cache poisoning and spoofing possible; DNSSEC adds digital signatures to the records so that validating resolvers can verify them.  See also DNS [cache] poisoning.

DNSpionage

Species of RAT malware in the wild in 2019.  Uses DNS tunnelling to communicate with the attacker’s C&C systems.

DNS [cache] poisoning

Attack that subverts DNS systems or records to direct victims covertly to a malicious domain, phishing or infectious website etc. instead of the benign one they anticipated, e.g. by ‘poisoning’ a resolver’s cache with forged responses containing false linkages (a resolver accepts a reply whose transaction ID, port and question match its query, values an attacker may guess or race), by compromising the authoritative servers or the registrar account for the domain, or by exploiting the ‘zone transfer’ process used to pass data between DNS servers.  Source port randomisation and DNSSEC validation reduce the risk.  See also pharming.

Document,
documented,
documentation

Implies that something (such as a policy, process or plan) is sufficiently stable and understood that it can be written down (‘captured’), and if appropriate then reviewed and approved by other stakeholders.  To have any value and avoid becoming shelfware, documents must be accessed, read and implemented or used, which is where awareness, training, compliance, reinforcement and/or enforcement activities come into play, along with quality factors such as the reading level, clarity, interest etc.  Changes to important documentation also need to be managed to ensure it remains aligned with the subject, relevant, complete and accurate (an integrity control).

Documented information

See document.  “Information required to be controlled and maintained by an organisation and the medium on which it is contained.  Notes: documented information can be in any format and media and from any source; documented information can refer to the management system, including related processes, information created in order for the organisation to operate (documentation), [and/or] evidence of results achieved (records).” (ISO/IEC 27000).

Domain owner

“A domain owner is responsible for the secure configuration of the security domain throughout its life-cycle, including all connections to/from the domain” (NZ information Security Manual).

Domain slamming

An unethical and barely legal social engineering scam to trick the registered owners of domains into transferring their registrations to a different fee-charging registrar, believing they are merely renewing. 

Domotics

Neologism derived from domus (Latin for home) and robotics or informatics, meaning home automation, IoT and smart homes in particular.

Dongle

Copy protection hardware device used to ‘unlock’ (i.e. permit access to and use of) software on the particular computer into which it is physically plugged.  Also, a hardware authentication token.  Both forms normally use cryptography and tamper resistance to prevent the devices being illicitly duplicated or fabricated, but the corresponding applications may be vulnerable to hacking, bypassing or negating the protection.

Door open alarm

Physical security arrangement that monitors an access-controlled door, triggering an alarm if it is opened (e.g. opening an emergency fire exit may sound the fire alarm to evacuate the building) or held open much longer than it would take even the slowest person to pass through (e.g. a card access controlled office door propped open for some reason may sound an annoying local ‘beeper’ and/or a silent/remote alarm in the security guard house).  Electronic door open alarms may be manually overridden or silenced for authorized purposes such as office moves or refits, but such overrides should preferably trigger indicators (such as a flashing warning light), automated reminders or cancellation/time-outs to prevent them being forgotten and left in effect beyond the allotted time.

Dorkbot

Windows malware in the wild from 2011 to 2016.  RAT spread via infectious websites (including Jamie Oliver’s), social networks, IM and USB devices, delivering various payloads including bank Trojans, keyloggers and DDoS engines.  The botnet’s command-and-control structure was disrupted by law enforcement (including the FBI and Europol) with assistance from technology companies in December 2015.

DoS
(Denial of Service)

Type of information security incident in which availability is impacted, for example by deliberately or accidentally overloading the system or network, thereby interfering with legitimate business use.  “Prevention of authorized access to a system resource or the delaying of system operations and functions, with resultant loss of availability to authorized users” (ISO/IEC 27033-1).  See also DDoS and DRDoS.

Double agent

An agent who surreptitiously remains loyal to and acts in the interests of one party while giving the appearance of loyalty towards another.  A form of sabotage or cybertage.

Double extension

Operating systems and applications often determine a file’s type according to the final extension on its name, preceded by a period (e.g. files containing executable programs often end with .exe).  Windows Explorer, by default, hides the extension for known file types, so additional periods and characters preceding the final extension (such as .txt.exe) are shown as if they were the whole name: invoice.txt.exe is displayed as invoice.txt.  Some malware uses this and other social engineering techniques to fool victims, for instance an email might entreat the user to “open the attached text file containing a disputed invoice”, whereas the attachment is actually a malicious program that executes when the victim opens it.  Showing extensions, blocking executable attachment types at the mail gateway and checking the true file type rather than trusting the name are the usual countermeasures.
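A gateway-side check for the lure described above, as an added example that is not part of the original glossary.  It splits the attachment name the way Windows does (the last dot decides the type), reports what the user would see with extensions hidden, and flags an executable hiding behind a document-like extension.  It goes slightly beyond the text by also flagging the related Unicode right-to-left override trick, in which a character reverses the displayed tail of the name.  The extension lists and the file names are constructed for illustration.

```python
import ntpath  # Windows path semantics regardless of the host OS

# Extensions Windows runs as code when the file is double-clicked (illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".msi", ".ps1", ".lnk"}
# Extensions a victim expects to be harmless documents or media.
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".zip"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of the name is drawn


def analyse_filename(name: str) -> dict:
    """Classify an attachment name as Windows interprets it and report what the
    user sees with 'Hide extensions for known file types' enabled (the default)."""
    base = ntpath.basename(name)
    stem, true_ext = ntpath.splitext(base)     # last dot wins: 'invoice.txt', '.exe'
    true_ext = true_ext.lower()
    _, decoy_ext = ntpath.splitext(stem)       # the extension the victim is meant to notice
    decoy_ext = decoy_ext.strip().lower()      # tolerate padding such as 'invoice.txt    .exe'
    displayed = stem if true_ext else base     # Explorer hides the final extension
    executable = true_ext in EXECUTABLE_EXTS
    return {
        "displayed_name": displayed,
        "true_extension": true_ext,
        "decoy_extension": decoy_ext,
        "executable": executable,
        "double_extension_lure": executable and decoy_ext in DECOY_EXTS,
        "rtl_override": RLO in base,
    }


def gateway_verdict(name: str) -> str:
    """Simple mail-gateway policy: quarantine anything executable or name-spoofed."""
    r = analyse_filename(name)
    return "quarantine" if (r["executable"] or r["rtl_override"]) else "deliver"


if __name__ == "__main__":
    for n in ("invoice.txt.exe", "invoice.txt    .exe", "report.pdf", "photo\u202egnp.scr"):
        print(repr(n), analyse_filename(n), gateway_verdict(n))
```

Checking the file's magic bytes against the claimed type is the complementary control; this example deliberately looks only at the name, which is what the victim sees.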

Double-entry bookkeeping

Accountancy process in use since the Italian merchant houses of the 14th century (codified by Luca Pacioli in 1494) in which every transaction is recorded as a complementary pair of credits and debits (equal in value but opposite in sign) in the relevant accounts.  Any discrepancy between the running totals of the paired accounts when they are reconciled generally indicates a simple data-entry or calculation error but could point to fraud or theft.

Downloader

Form or component of malware which downloads additional code (usually the payload) from the Internet.  This arrangement allows criminals to change the malware dynamically, for example to evade antivirus software, attack specific new targets or extend previous attacks.  See also fileless malware.

Downstream

“Handling processes and movements of products and services that occur after an entity in the supply chain takes custody of the products and responsibility for services” (ISO/IEC 27036-1).

Dox, DoX,
doxing, DoXing

Leet terms derived from “docs” (documents), referring to the process of illicitly gathering and perhaps disclosing personal information on targets by researching their presence on social media and other sources such as hacked personnel databases.  Has harassing, bullying or threatening overtones of coercion, similar to stalking, grooming, snooping, spying and other forms of social engineering.

DoXware, doxware

See leakware.

DP

See data processing.

DR

See disaster recovery.

Dragonfly

See SAE.

Draining,
infiltration

The ‘urban sport’ of exploring insecure drains, service ducts and other voids as a means of bypassing physical perimeter controls in order to gain unauthorized access to sites and buildings.  A risky, dangerous form of trespass and a significant though underappreciated risk for many otherwise secure places.

DRDoS
(Distributed Reflective
Denial of Service)

DDoS technique in which the attacker sends small requests, with the source IP address spoofed to that of the victim, to large numbers of publicly reachable UDP services (such as open DNS resolvers, NTP, SSDP or memcached servers).  Because UDP is connectionless the servers cannot tell that the requests are forged, and they send their replies, which can be tens to thousands of times larger than the requests, to the victim rather than back to the originator.  The reflectors hide the attacker’s identity and the amplification multiplies the traffic.  Filtering spoofed source addresses at the originating networks (BCP 38) and not running open reflectors are the principal remedies.  It is nothing to do with DR-DOS, a PC operating system from Digital Research.

Dridex,
Bugat,
Cridex

A multifunctional evolving antivirus-evading malware with botnet, bank Trojan and ransomware capabilities.  The FBI and the UK’s NCA disrupted the Dridex infrastructure in October 2015 by sinkholing its C2 traffic, but it remained active in the wild in 2019.  In December 2019, two alleged Russian members of Evil Corp (the cybercriminal gang behind Dridex) were indicted for their part in stealing ~$70m from organisations around the globe.

Drive-by download,
Web-inject malware

Mode of malware infection involving the user merely browsing to an infectious website where vulnerabilities in the browser software are silently exploited, usually without the user even being aware of the compromise.

Driver pins

In most physical locks, these standard-length metal cylinders are pushed back against springs into the hull by the variable-length key pins when a key is inserted into the keyway.  Provided the key pins and driver pins meet along a straight shear line due to the correct key having been inserted, the plug can be rotated at the shear line to open or close the lock.

DRM
(Digital Rights Management or Digital Restriction Measures)

Cryptographically-based access controls used to permit or deny certain types of use of intellectual property according to the owner’s wishes, potentially exceeding the constraints available under copyright law (e.g. fair use can be prevented through technical means).

Drone,
UAV
(Unmanned Aerial Vehicle)

Unmanned aircraft, normally used for remote surveillance.  Basic drones (toys) are controlled by human operators nearby, while sophisticated military versions (UAVs) may operate semi-autonomously using GPS and intelligent control systems to complete surveillance or attack missions across immense distances.  Raises safety and privacy concerns.

Drop,
dead drop,
Dead Letter Box
(DLB)

Physical or electronic location where messages, parcels, files etc. may be safely (anonymously, secretly and asynchronously) delivered to a collector, competitor, spy or criminal hacker/cracker.  Modern day spies may use anonymous Internet services, encryption, steganography and covert channels to pass information but still rely on dead drops to pass physical assets such as One Time Pads, goods purchased with stolen credit card numbers, and good ol’ fashioned cash.  See also live drop.

Dropper

Malware which delivers/contains, unpacks and installs other malware on an infected system.  See also downloader.

DROWN
(Decrypting RSA with Obsolete and Weakened eNcryption)

Contrived name for a cross-protocol attack published in 2016 that decrypts TLS sessions by exploiting weaknesses in the deprecated SSL v2 protocol.  An attacker who has recorded a TLS session with a server uses any other server that still supports SSL v2 with the same RSA key (the same certificate, or one reusing the key) as a Bleichenbacher-style padding oracle, decrypting the recorded session’s RSA key exchange after many thousands of specially constructed SSL v2 connections.  The private key itself is not recovered, but every service sharing it is exposed; the fix is to disable SSL v2 everywhere the key is used.  See also POODLE and Heartbleed.

DTSA
(Defend Trade Secrets Act)

US federal law (2016) that provides some legal protection for confidential proprietary information classed as trade secrets, supplementing state laws and harmonizing the approach.

Dual-control

Form of control requiring the actions of more than one person, for example when two soldiers have to insert and turn their keys at the same moment into locks placed several meters apart in order to launch a missile.
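A cryptographic realisation of the two-keys principle above, as an added example that is not part of the original glossary: a master key is split into shares so that every custodian must be present to reconstruct it, and any single share is a uniformly random string that reveals nothing (the same argument as for a one-time pad).  This is the n-of-n XOR split used in key ceremonies; it deliberately offers no tolerance for a lost share, for which a k-of-n scheme such as Shamir’s would be needed.  The secret value is constructed for illustration.

```python
import secrets


def split_n_of_n(secret: bytes, n: int) -> list[bytes]:
    """Split secret into n shares that must ALL be present to recover it.
    The first n-1 shares are uniformly random; the last is the secret XORed
    with all of them, so any proper subset is independent of the secret."""
    if n < 2:
        raise ValueError("dual control needs at least two custodians")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for share in shares:
        last = bytes(x ^ y for x, y in zip(last, share))
    shares.append(last)
    return shares


def combine(shares) -> bytes:
    """Recover the secret by XORing every share together.  With a share missing
    the result is uniformly random noise, not a partially correct key."""
    shares = list(shares)
    if len({len(s) for s in shares}) != 1:
        raise ValueError("all shares must be the same length")
    result = bytes(len(shares[0]))
    for share in shares:
        result = bytes(x ^ y for x, y in zip(result, share))
    return result


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)          # constructed sample secret
    custodian_a, custodian_b = split_n_of_n(master_key, 2)
    assert combine([custodian_a, custodian_b]) == master_key
    # Either custodian alone holds only random bytes.
    print(custodian_a.hex(), custodian_b.hex(), sep="\n")
```

In a real ceremony each share would be generated inside an HSM or on an air-gapped machine and handed to its custodian on sealed media; the point of the construction is that the software cannot be tricked into accepting one key alone.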

Dual stack device

“A product that implements both IP version 4 and 6 protocol stacks” (NZ information Security Manual).

Dual-use

Technology that can be used for both offensive and defensive security purposes, to wage war and to secure peace.  Strong encryption, for instance, protects information and communications regardless of the nature of the information and the communicating parties: it is valued and used by criminals, terrorists, the authorities including governments, militia and law enforcement, and the public alike.

Due care

Obligation or expectation that fiduciary officers/executives of an organisation duly protect its assets and act in its best interests, just as a prudent person would be expected to do.  “The responsibility that managers and their organisations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed” (NIST SP 800-30).  See also negligence.  Cf. due diligence and duty of care.

Due diligence

Assurance activities in preparation for important corporate activities such as mergers, acquisitions and the execution of major contracts.  Also compliance e.g. enforcing policies and ensuring that security controls are effectively protecting valuable information assets.  Cf. due care and duty of care.

Dump

Data file containing stolen information made available on the hacker underground, for example authentication credentials (usernames and passwords, typically from a breached database) or payment card data stolen by a hacker or carder.  In carder jargon ‘dumps’ specifically means magnetic-stripe track data skimmed from cards, used to clone them for card-present fraud; card-not-present data (card number, expiry, CVV and cardholder details) is sold separately, and a complete identity package is fullz.  More generally, a copy of the contents of a database or of a process’s memory (a ‘memory dump’), which may itself contain credentials or keys.

Duqu

APT worm similar to and perhaps derived from Stuxnet, discovered in 2011 and apparently used for reconnaissance and the theft of credentials and certificates rather than physical sabotage.

Duress alarm,
duress button

Type of silent alarm that can be triggered by a worker to signal that they are experiencing some form of duress (coercion, threat, hold-up, robbery etc.), typically by hitting a concealed ‘panic button’, releasing a dead man’s handle or entering a particular combination of keys (such as their normal password or PIN code immediately preceded or followed by, say, the hash symbol) into a system that has been specifically designed and configured to incorporate this facility (such as a bank teller’s workstation or security guard station).

Duty of care

A responsibility, obligation, duty, requirement or expectation to ensure that others are not harmed by one’s action or inaction.  Cf. due care, due diligence.

Dyre

A bank Trojan capable of man-in-the-middle attacks, monitoring online banking sessions to capture browser snapshots and logon credentials.  Discovered in 2014.

EAL
(Evaluation Assurance Level)

An assurance metric indicating the depth and rigor to which secure ICT products are evaluated against the Common Criteria.  EAL 1 is the simplest, most basic level, EAL 7 the most advanced.  “Set of assurance requirements that represent a point on the Common Criteria predefined assurance scale” (CNSSI-4009).  “A level of assurance in the security functionality of a product gained from undertaking a Common Criteria evaluation.  Each EAL comprises a number of assurance components, covering aspects of a product’s design, development and operation” (NZ information Security Manual).

EAM
(Enterprise Asset Management)

Structured and often software-assisted processes to manage corporate assets (generally just physical assets such as buildings, machinery/plant, vehicles and infrastructure) from acquisition to disposal, including preventive maintenance and repair activities.

EAP
(Emergency Action Plan)

A plan to help people survive life-threatening emergency situations or crises such as active shooters, holdups, attacks by terrorists or criminal gangs, bomb threats or blasts, or natural disasters.  Such events may occur suddenly without warning, hence the EAP and associated exercises aim to help by preparing people for the possibility and practicing their responses (e.g. evacuate, hide or defend yourself).

Easter egg

A Trojan horse function hidden within an otherwise legitimate program.  Although normally benign (such as a simple computer game or audio-visual tribute to the programmers), the fact that a covert function has been coded and passed through program testing hints at a possible governance issue with the SDLC, begging the question “What else might be going on in there?”.  “Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes are entered. Easter eggs are typically used to display the credits for the development team and are intended to be nonthreatening” (NIST SP 800-28).

Eavesdrop

To listen-in or snoop on someone or something covertly.  May involve literally listening and watching from nearby, or remotely using surveillance equipment such as binoculars, bugs, cameras, spyware, keyloggers and backdoors, network analysers, passive reflectors modulating infrared laser beams, wiretaps etc., with obvious privacy implications.

ECC
(Elliptic Curve Cryptography)

Form of public key cryptography in which keys are derived from points on an elliptic curve over a finite field and security rests on the difficulty of the elliptic curve discrete logarithm problem.  ECC gives comparable security to RSA with far shorter keys (a 256-bit curve is roughly equivalent to 3072-bit RSA), hence its use for key agreement (ECDH), digital signatures (ECDSA, EdDSA) and in TLS, SSH and resource-constrained mobile/IoT devices.  Implementations must validate curve points and parameters and, for ECDSA, protect the per-signature nonce: a reused or partially leaked nonce exposes the private key.  Like RSA, ECC is broken by a sufficiently large quantum computer.

ECCM
(Electronic Counter-CounterMeasures),
ECP
(EleCtronic Protective measures)

Defensive techniques to avoid electronic communications or systems being compromised by an adversary – or indeed by friendly forces – using ECM, for example using spread-spectrum, burst, covert and/or spoof transmissions, and TEMPEST.

Echelon

NSA-led global mass surveillance program launched in the 1960s in conjunction with what became the Five Eyes.  France has a similar program dubbed ‘Frenchelon’ with satellite ground stations (‘spy stations’) located in mainland France and some of its overseas territories.

ECM
(Electronic CounterMeasures)

Offensive techniques to disrupt an adversary’s electronic communications or systems, for instance by jamming their radio links, transmitting false beacons or misleading their automated target-acquisition systems.  The electronic equivalent of chaff (metallic strips dispensed in large numbers by a moving vehicle to confuse radar systems).  See also ECCM.

Economic espionage

Euphemism for state-sponsored industrial espionage (surveillance, spying) directed against foreign corporations and (usually) their intellectual assets.

Eco-warrior

Activist or extremist who may sabotage organisations they believe to be exploiting and wantonly harming the natural environment through their operations (e.g. mining and oil companies destroying the rain forests, or ‘scientific’ whaling).

[Information security] Education

General knowledge and expertise in relation to recognizing and minimizing information risks through appropriate security controls.  Achieved initially through the school/education system, advice from parents and teachers etc. and then extended through security training and awareness activities during employment, supplementing work and general life experience.  [In general] “Process of receiving or giving systematic instruction, especially at a school or university” (ISO/IEC 19896-1:2018).

Effectiveness

Measure of the quality or suitability of something for some purpose.  “Extent to which planned activities are realized and planned results achieved” (ISO/IEC 27000).  “Ability to apply knowledge and skills in a productive manner, characterized by attributes of behaviour such as aptitude, initiative, enthusiasm, willingness, communication skills, team participation, and leadership” (ISO/IEC 19896-1:2018).

Efficiency

Measure of the consumption of resources by something.  “Relationship between the results achieved and resources used” (ISO 9000).

Egress filtering

Blocking of traffic as it exits a network, for example to prevent malware-infected or hacked computers on corporate networks from sending spam, contacting command-and-control servers or attacking systems on external networks, or to block highly classified information from passing onto an unclassified network.  Dropping outbound packets whose source address does not belong to the network (the anti-spoofing practice of BCP 38, which describes the same check from the upstream provider’s side as ingress filtering) denies attackers the spoofed traffic on which DRDoS depends.  Cf. ingress filtering.  See also DRDoS.

EINSTEIN

US government network security monitoring/intrusion detection capability for federal civilian agency networks, run by the Department of Homeland Security (now CISA), originally developed by US-CERT and deployed in 2004.  The current incarnation, EINSTEIN 3 Accelerated (E3A), adds intrusion prevention using classified threat indicators supplied by the NSA.  It monitors traffic flowing through authorized gateways between the internal government network/s and the outside world, while a cloud-based distributed sensor version is (also) under consideration, presumably to counter threats arising from the Internet of Things and proliferating Internet connectivity.

Electronic archive

A long-term data store (see archive).  “Long-term repository of Electronically Stored Information.  Notes: Electronic archives can be on-line, and therefore accessible, or off-line and not easily accessible.  Backup systems (e.g., tape, virtual tape, etc.) are not intended to be electronic archives, but rather data protection systems (i.e., recovery mechanisms for disaster recovery and business continuity).” (ISO/IEC 27050-1).

Electronic discovery,
eDiscovery

“Discovery that includes the identification, preservation, collection, processing, review, analysis, or production of Electronically Stored Information.  Note: Although electronic discovery is often considered a legal process, its use is not limited to the legal domain.” (ISO/IEC 27050-1).

Elevation or escalation [of privileges]

A multi-stage attack (on a castle, building, system, application, person, organisation etc.) in which an outsider (e.g. an intruder, hacker or malware) first gains entry or a foothold innocuously through an inadequately secured entry-point to a general access level, then exploits internal vulnerabilities to gain further access to and compromise assets that are not directly accessible from outside.  Hackers commonly gain unprivileged access to target systems first (e.g. by registering as a basic user with limited rights, or by phishing a user’s credentials), then use commands (often scripted in the form of malware) to exploit technical vulnerabilities or misconfigurations, gain privileged or unrestricted access and hence pwn the systems.  Moving to other accounts at the same level is ‘horizontal’ escalation; gaining higher privileges is ‘vertical’.  Least privilege, prompt patching and monitoring for anomalous use of privileged accounts limit what an initial foothold can achieve.

Elicitation

Social engineering technique whereby, during an apparently innocuous conversation, someone is surreptitiously probed for additional information.  For example, the question “Was John there with Alan?” might prompt the answer “No, John wasn’t there”.  The respondent’s lack of reference to Alan implies that he was there, hinting at what may have been the true purpose of the question.

ELINT
(ELectronic INTelligence)

Gleaning useful information from the characteristics of electronic signals, aside from any intended communications content, using electronic sensors.  Spectrum analysis and direction-finding techniques, for instance, can be used to characterize and perhaps identify a specific source of radiated electronic signals (not necessarily a radio transmitter as such).  Part of SIGINT.

Electronic Warfare
(EW)

See cyberwar.

Email
(Electronic mail)

Popular communications mechanism that originally used private commercial networks (such as AOL, CompuServe and internal corporate networks) then transitioned to the Internet in the 1990s.  Emails are sent and received asynchronously, meaning they wait in the recipient’s mailbox until being opened and read, as opposed to real-time and near-real-time online chat systems such as IM.  Vulnerable to numerous information security threats and incidents such as malware, spam, 419s and other frauds, coercion, social engineering, unpredictable delays and occasional non-delivery or mis-delivery of messages, interception or inappropriate and unauthorized disclosure of confidential information, hacking of email servers/systems, spoofing of email headers and message content etc.

Email bomb,
spam bomb

Attempt to fill or overload a victim’s email system by sending huge quantities of spam to it e.g. by deliberately disclosing their email address to known spammers and high-volume mailing lists, causing frustration, cyber harassment and denial of service.

Emanation security

“The counter-measure employed to reduce classified emanations from a facility and its systems to an acceptable level. Emanations can be in the form of RF energy, sound waves or optical signals” (NZ information Security Manual).

  See also TEMPEST and SCIF.

Embedded malware

Malware (such as that used by APTs) hidden so deeply within a system (possibly in the hardware, microcode, firmware, device drivers or operating system kernel) that only competent forensic analysis (possibly involving access to the source code, compilers and specialist tools) may reveal its presence.

Embedded system

Usually a physically small computer system or subsystem, perhaps a thing, encased entirely within a piece of electrical, electronic or mechanical equipment (such as an item of industrial plant or an ICS) and used to monitor and control that equipment.  Often based on a pared-down version of the Linux operating system or a real-time operating system, designed to perform specific functions very efficiently, as opposed to multipurpose computers.  May interface to a SCADA system or the Internet of Things.  Embedded systems tend to stay in service for many years, are seldom patched and often ship with default credentials, so they need compensating controls such as network segregation.

Embezzlement

Theft of assets entrusted to a fraudster by the victim e.g. deposits stolen by a dishonest fund manager.  See also malfeasance.

Emergency access

Route in to an access-controlled site, building, room, system etc. for use in emergency conditions.  “The process of a system user accessing a system that they do not hold appropriate security clearances for due to an immediate and critical emergency requirement” (NZ information Security Manual).

  See also emergency intervention.

Emergency intervention

Situation in which a competent support person is specifically authorized by management to modify a system directly, typically through a privileged emergency user ID, bypassing or overriding the normal system access controls and code migration processes in order to diagnose and resolve an urgent production issue.  Such ‘break-glass’ interventions should be logged in detail (ideally with session recording), time-limited and reviewed afterwards by someone other than the intervener, and the emergency credentials changed after each use.

Emergency situation

“A situation requiring the evacuation of a site.  Examples include fires and bomb threats” (NZ information Security Manual).

Emotet

Multifunctional malware that has evolved from a bank Trojan in 2014 to a loader for various forms of malware today.  In the wild in 2019.

EMP (Electro-Magnetic Pulse) weapon,
e-bomb,
HERF (High Energy Radio Frequency) gun

Most electrical and electronic devices are inherently highly vulnerable to extremely strong electromagnetic fields and high voltages (such as those produced by nearby lightning strikes, nuclear explosions or, at close range, Taser-type devices), and/or to the accompanying power surges, unless they are sufficiently well designed, engineered, shielded and protected to be resilient.  EMP-based cyberweapons (missiles, bombs, hand-deployed devices etc.) are intended for cybertage, cyberwar or cyberterrorism, perhaps physically damaging critical parts of the enemy’s cyberinfrastructure, for example CHAMP.

EMS
(Enterprise Mobile Security, Enterprise Mobility Suite)

See MDM.

EMSEC
(EMissions SECurity)

Securing systems against compromising emanations e.g. using TEMPEST and Faraday cages. “The protection resulting from all measures taken to deny unauthorized persons information of value that might be derived from communications systems and cryptographic equipment intercepts and the interception and analysis of compromising emanations from cryptographic equipment, information systems, and telecommunications systems.” (Air Force Air Intelligence, Surveillance and Reconnaissance Agency instruction 33-203, 2011)

Encapsulating security payload

Network security protocol, part of IPsec, providing confidentiality (encryption of the packet payload) and, optionally, integrity and origin authentication of each packet; encryption-only ESP without integrity protection is insecure and should not be configured.  The companion Authentication Header (AH) protocol provides integrity but no confidentiality.  “A protocol used for encryption and authentication within IPSec” (NZ information Security Manual).

EnCase

The first widely-accepted digital forensics support tool-suite, used to examine (acquire, analyse and report) digital evidence.  A commercial product from OpenText, which acquired the original developer, Guidance Software, in 2017.

Enclave

“Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.” (CNSSI-4009).

Enclave boundary

“Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN)” (CNSSI-4009).

Encryption,
encrypt,
encipherment

Application of cryptography to maintain the confidentiality of information by preventing anyone without the correct decryption key/s gaining access to or surmising the plaintext content.  Encryption alone does not guarantee integrity: ciphertext can be altered undetectably unless an authenticated mode (such as AES-GCM) or a separate MAC is used, and its confidentiality depends entirely on the key management around it.

End user,
user

Term used by snooty ICT professionals to refer (often dismissively or disparagingly) to the people who use IT systems, networks, devices, services etc.

End User Computing
(EUC)

The practice of software development, implementation and/or support by citizen programmers.

Enforce,
enforcement

The use of sanctions to discourage and penalize noncompliance or non-fulfilment of one or more obligations, expectations etc.  Has distinctly negative, demotivational connotations, as opposed to reinforcement.

ENIAC
(Electronic Numerical Integrator And Calculator)

The first Turing-complete (general purpose) electronic computer.  Designed at the University of Pennsylvania by Mauchly and Eckert, ENIAC was delivered to the US Army in 1946 to calculate ballistics tables.  It used about 17,500 electronic valves (vacuum tubes) and 1,500 relays, weighed 30 tons and consumed 150kW.  It was programmed mechanically over several days using patch leads and switches.  50 years on, ENIAC was replicated as a single integrated circuit similar in size to a Pentium CPU chip.  See also Colossus.

Enrolment

Process whereby, for example, the physical characteristics of people whose identities have been authenticated by some other means are measured by and registered on biometric security devices, thus associating biometric characteristics with user IDs.

Enterprise

“A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity” (GDPR).

Enterprise Risk Management (ERM)

High level corporate governance activity for systematically identifying, assessing, treating and monitoring/tracking risks that are significant to the enterprise or organisation as a whole (sometimes known as ‘bet the farm’ risks), involving aspects such as business/commerce, strategy, politics, health-and-safety, finance, currency, products, markets, environment, people, compliance, technology, information, infrastructure etc.

Enticement

Inducing or permitting someone to commit a crime that they would have committed anyway (e.g. the police using closely-monitored ‘bait cars’ to entice vehicle thieves) then prosecuting them for so doing.  Cf. entrapment.

Entrapment

Inducing someone to commit a crime they would not otherwise have committed.  Prosecution is likely to fail if the court accepts this as a legitimate defence.  Cf. enticement.  “Deliberate planting of apparent flaws in an information system for the purpose of detecting attempted penetrations” (CNSSI-4009).

Entropy

A measure of randomness or disorder.  A high degree of entropy in encryption keys is vital to prevent cryptanalysts directly guessing the keys by brute force, while high entropy in the cyphertext reduces the possibility of revealing useful information through discernible patterns.  Keys generated pseudo-randomly have marginally less entropy than those of the same length generated randomly, a small difference that weakens them.
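An added example illustrating the entropy entry (not part of the glossary): it estimates Shannon entropy per byte from a sample of key material, contrasts a key padded out from a short passphrase with one drawn from a CSPRNG, and relates key strength in bits to the expected brute-force effort. The passphrase and key lengths are constructed for illustration; note the caveat in the docstring that a short sample can never show more than log2(n) bits per byte, so sample entropy is a sanity check, not proof of randomness.

```python
"""Shannon entropy of key material (added example, not from the glossary).

Estimates bits of entropy per byte from the observed byte frequencies of a
sample, and compares a key taken from a CSPRNG with one built by repeating a
short passphrase.  Both sample keys are constructed here for illustration.
"""
import math
import secrets
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte frequencies in `data`.

    Caveat: a sample of n bytes can show at most log2(n) bits per byte, so a
    short key always looks 'less random' than its generator really is.  Use
    this on large samples or as a sanity check, never as proof of randomness.
    """
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a key chosen uniformly at random from alphabet_size**length values."""
    return length * math.log2(alphabet_size)


def expected_brute_force_guesses(bits: float) -> float:
    """Average number of guesses needed to hit a uniformly random key of `bits` strength."""
    return 2 ** (bits - 1)


def compare_keys() -> dict:
    """Constructed comparison: a padded human phrase vs. a CSPRNG key of equal length."""
    weak = (b"hunter2" * 8)[:32]          # only 7 distinct symbols, however long it is
    strong = secrets.token_bytes(32)      # 32 bytes from the OS CSPRNG
    return {
        "weak_bits_per_byte": shannon_entropy(weak),
        "strong_bits_per_byte": shannon_entropy(strong),
        "hex32_keyspace_bits": keyspace_bits(16, 32),      # 32 hex chars = 128 bits
        "aes128_expected_guesses": expected_brute_force_guesses(128),
    }


if __name__ == "__main__":
    for name, value in compare_keys().items():
        print(f"{name}: {value:.3g}")
```

The keyspace figure is what matters for brute force: a 128-bit key needs about 2^127 guesses on average regardless of what a small sample of it looks like, whereas the padded passphrase has the keyspace of the phrase, not of 32 bytes.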

EPIC
(Electronic Privacy
Information Center)

Privacy advocacy and activist group, describing itself as a “public interest research center in Washington, DC”.  EPIC website.

EpicShelter

Secret US surveillance system allegedly developed by Ed Snowden according to Oliver Stone’s biographical film Snowden.

Equation Group

Hacker group allegedly associated with the NSA.

Error

Mistake, accident, unintended discrepancy etc.  A breakdown or failure of integrity.  Although errors cause a far greater number of information security incidents than deliberate attacks, the effects are usually relatively minor.  Furthermore, errors are often noticed and corrected by the people, systems or devices that caused them, with next to no consequential impact.  Rarely, however, unnoticed/uncorrected errors (such as software bugs and the inappropriate use of statistics) can have extremely serious or grave consequences such as corrupting business- or safety-critical data or leading to bad decisions.

Escape

In virtualisation, refers to making an unauthorized connection from a guest system into the hypervisor, host operating system or another guest.  Allows hacking and data leakage between virtual systems, or access from a sandbox to the host.

Escort

“A person who ensures that when maintenance or repairs are undertaken to IT equipment that uncleared personnel are not exposed to information” (NZ information Security Manual).

Escrow

The safekeeping or custodianship of an asset by a trusted person or organisation (the ‘escrow agent’), enabling its release to one or more third parties if certain conditions (usually specified formally in a contract) are met.  Examples include key escrow and source code escrow.  The control hinges on the trustworthiness and competence of the agent.

Escrow fraud

Type of fraud in which an escrow agent betrays the trust placed in them by the owner of assets placed in their care, normally embezzling the assets.

ESI
(Electronically Stored Information)

Data.  “Data or information of any kind and from any source, whose temporal existence is evidenced by being stored in or on any electronic medium.  Notes: ESI includes traditional e-mail, memos, letters, spreadsheets, databases, office documents, presentations and other electronic formats commonly found on a computer. ESI also includes system, application and file-associated metadata such as timestamps, revision history, file type, etc.  Electronic medium can take the form of, but is not limited to, storage devices and storage elements.” (ISO/IEC 27040).

ESI analysis

Forensic examination/study of ESI.  “Element of an electronic discovery process focused on evaluating Electronically Stored Information for content and context to identify facts, relationships, key patterns, and other features that can lead to improved understanding of an ESI corpus.  Note: Content and context can include key patterns, topics, people and discussions.” (ISO/IEC 27050-1).

ESI collection

Seizure or collection of ESI, usually from a crime scene.  “Element of an electronic discovery process focused on gathering Electronically Stored Information and other related material” (ISO/IEC 27050-1).

ESI identification

“Element of an electronic discovery process focused on locating potential sources and the criteria for selecting potentially relevant Electronically Stored Information” (ISO/IEC 27050-1).

ESI preservation

“Element of an electronic discovery process focused on ensuring that Electronically Stored Information is protected against inappropriate alteration or destruction.  Note: In some matters or jurisdictions, there can be requirements to prevent spoliation of Electronically Stored Information” (ISO/IEC 27050-1).

ESI processing

Extraction of ESI from storage media etc.  “Element of an electronic discovery process focused on extracting Electronically Stored Information and converting it, if necessary, to forms more suitable for ESI review and ESI analysis” (ISO/IEC 27050-1).

ESI production

Providing, revealing or presenting ESI e.g. in court. “Element of an electronic discovery process focused on delivering or making available Electronically Stored Information.  Notes: ESI production can also include getting Electronically Stored Information in appropriate forms and using appropriate delivery mechanisms. ESI production can be to any person or organisation” (ISO/IEC 27050-1).

ESI review

“Element of an electronic discovery process focused on screening Electronically Stored Information based on specific criteria.  Note: In some matters or jurisdictions, Electronically Stored Information that is considered privileged can be excluded from production” (ISO/IEC 27050-1).

Espionage

See spying.

Essential communications

“Communications whose contents are necessary for the prevention of or relief from disasters and for the maintenance of public order in adverse conditions” (ISO/IEC 27011).

EternalBlue

NSA hacking tool that exploits a zero-day vulnerability in Windows SMB (Server Message Block).  A month prior to hacker group Shadow Brokers disclosing this and other tools in April 2017, the NSA notified Microsoft, who issued a critical patch.  Networked systems that were not patched in time (including old Windows systems no longer fully supported) were vulnerable to the Petya, WannaCry and other ransomware outbreaks.

Ethereal

See Wireshark.

Ethics, ethical

Behaviour broadly accepted as appropriate, right and proper, at least within the culture or organisation in which it occurs.  Ethical beliefs and standards vary, however.  A practice considered ethical within the hacker underground, for example, may be entirely unacceptable and inappropriate (unethical) to society at large including information security and law enforcement professionals.

Ethical dilemma

Situation in which ethical constraints, objectives, rules, laws, regulations, directives etc. come into conflict, requiring a worker either to make a difficult personal decision regarding how to resolve the dilemma and achieve the most beneficial or least damaging net outcome, or to seek further guidance from management, trustworthy colleagues etc.

Ethical hacking

Hacking or penetration testing of ICT networks and systems etc. by white hats that is explicitly sanctioned, authorized, permitted or commissioned by their owners for the purposes of identifying known security vulnerabilities.  Normally covered by an explicit contract defining the scope, nature of tests permitted and forbidden, constraints, confidentiality of the results etc.

Ettercap

Hacking/penetration testing tool, capable of mounting MITM attacks on LAN traffic.

European Data Protection Board

European Union body tasked with supervising and coordinating data protection (privacy) arrangements under GDPR across Europe, for instance liaising with and guiding national privacy ombudsmen or supervisory authorities.

EV
(Extended Validation)

Certification authorities may conduct additional checks on applicants for their digital certificates, typically offering the resulting ‘EV’ certificates at a higher price reflecting the additional costs and trustworthiness.  They typically confirm the identity and legal status of the applicant organisation with the relevant national authorities – a kind of corporate background check – as required by the CA/Browser Forum, an industry body.  Several inappropriate certification incidents (mis-issuance) call into question the value of voluntary compliance with an industry code in this area, leading to calls for stronger oversight, tighter regulation and accreditation, if not a complete overhaul of the certification business.

Evaluator

Person who evaluates (checks, tests and compares) something against expectations, requirements or criteria.  “Individual assigned to perform evaluations in accordance with a given evaluation standard and associated evaluation methodology. Note: An example of an evaluation standard is ISO/IEC 15408 with the associated evaluation methodology given in ISO/IEC 18045” (ISO/IEC 19896-1:2018).

Event

Generally, a trivial or benign form of incident, possibly just a small part of a developing situation (perhaps a symptom, indicator, flag or forewarning).  For example, while an event such as a single logon failure may simply result from someone forgetting or mistyping their password, it could be the first indication of a determined brute force attack by hackers.  “Occurrence or change of a particular set of circumstances.  Notes: an event can be one or more occurrences, and can have several causes; an event can consist of something not happening; an event can sometimes be referred to as an ‘incident’ or ‘accident’” (ISO/IEC 27000).  See also information security event.

Evidence

Information which proves or disproves something.  See also digital evidence and forensic evidence.

Evidence preservation facility

Typically a firesafe, vault, evidence room or similar secure storage facility providing excellent physical protection for forensic evidence.  “Secure environment or a location where collected or acquired evidence is stored.  Note: An evidence preservation facility should not be exposed to magnetic fields, dust, vibration, moisture or any other environmental elements (such as extreme temperature or humidity) that may damage the potential digital evidence within the facility.” (ISO/IEC 27037).

Evil twin

Network hack using a fake/spoofed public Wi-Fi hotspot that forwards traffic from connected devices to a genuine public Wi-Fi hotspot or otherwise to the Internet.  The evil twin silently intercepts/monitors the traffic and has full access to any unencrypted content.  It may also perform man-in-the-middle attacks, surreptitiously manipulating the traffic en route.

Exculpatory

Forensic evidence allegedly demonstrating that someone or something was not involved in an incident, clearing them of blame.  Cf. inculpatory.

Exception

An extraordinary occurrence, such as an unusual event, an unanticipated (and therefore potentially unhandled) state, condition, data value or unauthorized noncompliance.  Cf. exemption.  “The formal acknowledgement that a requirement of the NZISM cannot be met and that a dispensation from the particular compliance requirement is granted by the Accreditation Authority.  This exception is valid for the term of the Accreditation Certificate or some lesser time as determined by the Accreditation Authority” (NZ information Security Manual).

Exceptions and waivers

“An exception is NOT the same as a waiver.  An exception means that the requirement need not be followed.  A waiver means that some alternative controls or conditions are implemented” (NZ information Security Manual).

Execution

(a) Formal signing demonstrating commitment to a legally-binding contract or agreement by duly authorized signatories. (b) Running a computer program. (c) Capital punishment.

Executive management,
executives, ‘the Execs’,
senior management,
top management,
C-suite,
mahogany row etc.

The most senior managers running the organisation (in conjunction with lower management tiers) on a day-to-day basis who are ultimately accountable to stakeholders for protecting and exploiting the organisation’s information assets.  On behalf of the organisation’s legal owners and other external stakeholders, the governing body (normally the Board of Directors) gives executives both the obligation or responsibility and the authority or control over the organisation’s resources, for example ensuring that information risks are identified, assessed and treated in accordance with the organisation’s business objectives, through diligence and due care.  In short, the buck stops here.  “Person or group of people who have delegated responsibility from the governing body for implementation of strategies and policies to accomplish the purpose of the organisation.  Note: executive management is sometimes called top management and can include Chief Executive Officers, Chief Information Officers, Chief Financial Officers, Chief Information Officers, and similar roles” (ISO/IEC 27000).

Exemption,
waiver

Noncompliance explicitly authorized by the relevant authority after due consideration and consultation with information risk and security experts.  Normally limited in duration as well as scope, and compensating controls may be mandated.  The person requesting an exemption, normally the Information Asset Owner or Risk Owner, remains personally accountable for the residual risk and any consequential incidents.  Cf. exception.

Exfiltration,
exfiltrate

Covert extraction of sensitive/valuable information assets from a supposedly secure system, device, network or organisation.  Normally implies that the information is being ‘pushed out’ or ‘carried out’ by an agent within (a person or malware), but it may also be ‘pulled out’ by someone on the outside (a social engineer, hacker etc.).  Cf. infiltration.

Exit strategy

Whereas normally we consider the risks when going into a new situation, there may also be substantial risks involved in staying there and/or in getting out.  With cloud computing for example, a breakdown in the relationship with the CSP may lead to problems for the organisation in retrieving its information and transferring the service to another CSP or in-house.  Preparing a strategy for exiting the relationship gracefully is a form of business continuity management, part of risk management.

Experience

The intangible knowledge, wisdom, competence and/or skill that accumulates as one does something repeatedly.  A valuable information asset.  “Involvement at a practical level with projects related to the field of competence” (ISO/IEC 19896-1:2018).

Expert witness

Person acknowledged to have extensive experience and skill in specialized subjects such as information security or forensics, capable of analysing, presenting and interpreting the facts objectively for the court.  Offers an informed, dispassionate, unbiased opinion on complex forensic evidence.

Exploit,
“sploit”

Verb: to take advantage of or use.  Although in the information security domain the term usually implies a negative, unethical, unwelcome, inappropriate, unauthorized or harmful activity, it can also be positive (e.g. an organisation legitimately exploits its assets and capabilities to achieve its business objectives).  Noun: the hacking program, malware payload, script, tool and/or process used by a threat agent to take advantage of a security vulnerability.  “Sploit” is a leet form.

Exploit kit

See crimeware.

Exposure

The degree to which a vulnerability could be exploited by a threat.  For example, security vulnerabilities caused by bugs in Internet-facing web servers tend to be far more exposed to hacking than those affecting internal corporate systems, with several layers of protection between them and external hackers.

External

Outside the organisation’s physical, organisational and network boundary.  Cf. internal.

External context

“External environment in which the organisation seeks to achieve its objectives.  Notes: external context can include the following: the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; key drivers and trends having impact on the objectives of the organisation; and relationships with, and perceptions and values of, external stakeholders.” (ISO Guide 73).

External party

Term used in the ISO27k standards as a synonym for ‘third party’.  External implies either a separate organisation or a part of the same organisation that is outside the scope of its ISMS.

Extinguisher

Manual or automated device for putting out fires using an extinguishant gas (such as carbon dioxide, nitrogen or FM-200), liquid (such as water), foam, powder or cloth (fire blanket).  May be portable/hand-held, mounted to a vehicle, or permanently installed within a facility.  A corrective control.

Extortion

The use of coercion (typically involving threats of cybertage, disclosure of confidential information or denial of service through ransomware, or physical harm) to obtain assets (generally money) from a target individual or organisation.

Extranet

“Extension of an organisation's Intranet, especially over the public network infrastructure, enabling resource sharing between the organisation and other organisations and individuals that it deals with by providing limited access to its Intranet.  Note: For example, an organisation's customers can be provided access to some part of its Intranet, creating an extranet, but the customers cannot be considered ‘trusted’ from a security standpoint.” (ISO/IEC 27033-1).

Extraterritoriality

A legal principle that potentially gives the authorities powers over foreigners outside their normal jurisdiction, for example prosecuting and penalizing non-European organisations for failing to comply with GDPR by protecting the privacy rights of EU citizens whose personal information they obtain.

Extremist,
extremism

Someone whose views or ideology are way out of line with the general population.  Between activist and terrorist on a notional threat scale.

Extrusion

Unauthorized transfer of information from the internal to external environments, typically using network connections and/or various covert channels or methods such as a drop.  Cf. intrusion.

Facility

Site, installation, building, room etc.  “An area that facilitates government business.  For example, a facility can be a building, a floor of a building or a designated area on the floor of a building” (NZ information Security Manual).

Failover, fail-over

Manual or automated process for transferring resilient ICT services between redundant equipment, campuses and/or network routes, providing high availability, hopefully averting more serious incidents.  “The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system” (CNSSI-4009).

Failsafe,
fail-safe,
fail-secure,
fail-closed

Engineering concept used heavily in safety-critical or other high-security system and process designs whereby a control failure or adverse situation leaves the system/process in an inherently safe or secure – albeit perhaps only partially functional – state or condition.

Fail-soft,
fail-gracefully

Resilience arrangement.  See also load-shedding.  “Selective termination of affected nonessential processing when hardware or software failure is determined to be imminent” (CNSSI-4009).

Fail-unsafe,
fail-unsecure,
fail-open

Undesirable state for systems and processes that have not been explicitly designed to be safe and secure (i.e. failsafe) under all conditions, and hence are ‘fragile’.  For example, an access control that fails spontaneously or is actively disabled or bypassed in an attack, may permit inappropriate access that it was supposed to have prevented or at least detected.  In the absence of compensating controls, security by obscurity can fail spectacularly if details of a supposedly obscure vulnerability are widely disclosed.
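An added example covering the failsafe/fail-closed and fail-unsafe/fail-open entries together (example code, not from the glossary or any product): the same authorization lookup is wrapped two ways, and the only difference is what each does when the control itself breaks. The policy store, the subjects and the grants are constructed stand-ins for a real backend such as a directory or policy service.

```python
"""Fail-open vs fail-closed authorization (added example, not from the glossary).

A constructed policy store stands in for a backend (directory, IdP, policy
service) that can become unreachable.  Two checkers wrap the same lookup;
they differ only in what they do when the control itself fails.
"""
import logging
from typing import Dict, List, Set

log = logging.getLogger("authz")


class PolicyStoreUnavailable(Exception):
    """The policy backend could not be reached (simulated outage)."""


class PolicyStore:
    """In-memory stand-in for a real policy backend (constructed for this example)."""

    def __init__(self, grants: Dict[str, Set[str]], available: bool = True) -> None:
        self._grants = grants
        self.available = available

    def allowed_actions(self, subject: str) -> Set[str]:
        if not self.available:
            raise PolicyStoreUnavailable("policy backend unreachable")
        return self._grants.get(subject, set())


def check_fail_open(store: PolicyStore, subject: str, action: str) -> bool:
    """Fragile control: any error is treated as 'no restriction' and access is granted.

    This is the fail-unsafe/fail-open pattern: the control disappears precisely
    when the backend has failed, been overloaded or been taken down.
    """
    try:
        return action in store.allowed_actions(subject)
    except PolicyStoreUnavailable:
        return True


security_events: List[str] = []  # stand-in for a log/SIEM feed


def check_fail_closed(store: PolicyStore, subject: str, action: str) -> bool:
    """Fail-secure control: any error denies access and records a security event.

    The system is left only partially functional (nobody gets in while the
    backend is down) but never in an insecure state.
    """
    try:
        return action in store.allowed_actions(subject)
    except PolicyStoreUnavailable as exc:
        security_events.append(f"authz denied {subject}:{action} ({exc})")
        log.error("policy backend unavailable; denying %s %s", subject, action)
        return False


GRANTS = {"alice": {"read"}, "bob": {"read", "write"}}  # constructed sample policy


def demo() -> Dict[str, bool]:
    """Run both checkers against a healthy store and a store that is down."""
    healthy = PolicyStore(GRANTS)
    outage = PolicyStore(GRANTS, available=False)
    return {
        "healthy/alice/write/open": check_fail_open(healthy, "alice", "write"),
        "healthy/alice/write/closed": check_fail_closed(healthy, "alice", "write"),
        "outage/mallory/write/open": check_fail_open(outage, "mallory", "write"),
        "outage/mallory/write/closed": check_fail_closed(outage, "mallory", "write"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'ALLOW' if decision else 'DENY'}")
```

While the backend is healthy the two checkers agree; during the outage the fail-open version grants an unknown subject an action nobody was ever given, whereas the fail-closed version denies it and leaves an event for detection. The same pattern applies to any control whose dependency can fail: certificate revocation checks, licence servers, rate limiters.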

FAIR
(Factor Analysis of
Information Risk)

The Open Group’s structured risk analysis method, which examines various parameters (factors) to estimate the magnitude and probability of losses and hence risk.

Fair use

Copyright laws generally permit limited use of copyright materials without the intellectual property owner’s explicit permission.  Such fair use exemptions typically allow reproduction (such as quoting and summarizing) of non-substantial or inconsequential parts of copyright materials for limited research and educational purposes, or to create backup/archive copies.

Faith

Sometimes described as ‘blind trust’ or ‘wishful thinking’, faithful people believe in something without evidence of its validity and veracity, sometimes to the point of ignoring or flatly and irrationally denying credible evidence to the contrary.  Faith is not a control but a potentially harmful form of delusion, manipulation, coercion or social engineering.

Fake

Spoofed item that misrepresents the genuine article.  See also counterfeit.

Fake news

Propaganda in the form of fabricated ‘news’ stories circulated online through websites and social media, with the specific aim of misleading and influencing (coercing) the general population.  Fake news stories are also used as clickbait.

Fallback

Use of robustness, resilience, redundancy and/or failover features in a system or process to continue to deliver limited critical services under emergency conditions when the primary mechanisms have been compromised in an incident.  A form of contingency planning.  See also failover.

False acceptance,
type I error

Authentication failure in which an impostor is incorrectly associated with someone else’s identity.  Cf. false rejection.

False Acceptance Rate
(FAR)

Commonplace metric for a biometric system, measuring the proportion of authentications that exhibit type I errors.  “The measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user.  A system’s false acceptance rate typically is stated as the ratio of the number of false acceptances divided by the number of identification attempts.” (CNSSI-4009).  See also False Rejection Rate.

False flag

An attempt to get an attack attributed to an innocent party, deflecting blame from the perpetrator while denigrating the accused.

False rejection,
type II error

Authentication failure in which the system denies or fails to confirm a person’s true identity.  Cf. false acceptance.

False Rejection Rate
(FRR)

Commonplace metric for a biometric system, measuring the proportion of authentications that exhibit type II errors.  “The measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user.  A system’s false rejection rate typically is stated as the ratio of the number of false rejections divided by the number of identification attempts.” (CNSSI-4009).  See also False Acceptance Rate.

False sense of security

Vulnerability involving an unwarranted and inappropriate faith in the security/control arrangements stemming from inadequate assurance and naïveté – for example, believing that antivirus software totally prevents malware incidents.

Fast-flux DNS,
fast-flux botnet

Black hat high-availability and concealment technique that uses proxy servers or DNS changes to redirect botnet traffic (commands and/or data) dynamically to any of a set of distributed servers so that, even if individual servers in the set are shut down by the authorities, others remain reachable.

Fault

Problem with information processing or communications systems including a security incident, complete or partial system failure (outage), program error/bug, virus, or some other generally unanticipated and undesirable mode of operation etc.

Fault tolerance

High-availability design goal that systems should survive faults and other incidents that would otherwise cause failures or unplanned outages.  A strong but highly specific form of resilience.

Fax machine

“A device that allows copies of documents to be sent over a telephone network” (NZ information Security Manual).

  No kidding!

FBI
(Federal Bureau of Investigation)

Spooky US government agency responsible for domestic intelligence and surveillance deliberately targeting US citizens.  Founded by J Edgar Hoover.  See also CIA and DHS.

FedRAMP
(Federal Risk and Authorization Management Program)

US program imposing good practice security standards (principally NIST SP800-53) on the suppliers of cloud computing services for government use.

Femto cell,
home cell,
small cell

A cellphone repeater or base station providing cellular service in a limited local area, typically within a building, where the conventional cellular coverage is limited or non-existent.  “Small, low-power cellular base station.  Note: A femto cell is typically designed for use in a home or small businesses” (ISO/IEC 27033-6).

Fibre channel,
fiber channel

“Serial I/O interconnect capable of supporting multiple protocols, including access to open system storage, access to mainframe storage, and networking.  Note: Fibre Channel supports point to point, arbitrated loop, and switched topologies with a variety of copper and optical links running at speeds from 1 gigabit per second to over 10 gigabits per second” (ISO/IEC 27040).

Fibre channel interconnect

“Serial Small Computer System Interface (SCSI) transport protocol used on Fibre Channel interconnects” (ISO/IEC 27040).

Fidelity insurance,
fidelity bond

Insurance against the costs and losses to an organisation arising from incidents involving deliberate acts of disloyalty or dishonesty by its workers or agents (e.g. advisors and other service providers).

Fiduciary

A responsibility based on trust and ethics, for example officers of an organisation are legally and morally required, obliged or bound to act in the best interests of the organisation’s owners and other stakeholders, even if doing so conflicts with their personal interests.  See also malfeasance, due care and fidelity insurance.

Fileless malware

Cloud-based malware that executes in RAM, exploiting apps and utilities such as web browsers, PowerShell and WMI supposedly without leaving behind distinctive files on an infected system’s disks.  Powersploit’s obfuscated PowerShell scripts, for instance, may not be detected reliably by antivirus packages and, even if they remain on the disk, may escape forensic analysis.  Malware may be located using registry entries and hidden inside other files or in obscure directories.

Filing system

Structured, systematic, organised and usually indexed or catalogued arrangement for information storage, search, retrieval and referencing.  “Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis” (GDPR).

Filter

“A device that controls the flow of data in accordance with a security policy” (NZ information Security Manual).

Filtering

“Process of accepting or rejecting data flows through a network, according to specified criteria” (ISO/IEC 27033-1).

Fingerprint

Literally, the print mark left behind on a surface by a finger, a biometric.  Often used figuratively to indicate characteristics that uniquely identify a person (e.g. using DNA profiling), system or data.  Despite theoretical claims as to their uniqueness, gathering and analysing any kind of fingerprint creates practical constraints on the scientific accuracy, hence there is a small but finite possibility that fingerprints from different individuals, systems or data may fail to be distinguished in practice.  Furthermore, being biometrics, confidentiality is a challenge for the owner and they cannot be changed if compromised.  See also hash.

FIPS 197 (Federal Information Processing Standard № 197)

Standard published by NIST in 2001 specifying AES.  See http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Fire

Along with smoke, one of many physical security threats, whether caused by accident or intentionally (arson).  See also flood, intruder and malicious damage.

Fireball

One of several nasty species of malware in the wild in 2018.  A browser hijacker and downloader.

Firewall

Specialized network router specifically configured as a security gateway monitoring, controlling and filtering traffic between network segments, nodes and devices according to a set of access control rules.  “Type of security barrier placed between network environments -- consisting of a dedicated device or a composite of several components and techniques -- through which all traffic from one network environment traverses to another, and vice versa, and only authorized traffic, as defined by the local security policy, is allowed to pass” (ISO/IEC 27033-1).  “A network protection device that filters incoming and outgoing network data, based on a series of rules” (NZ information Security Manual).

  See also packet filter, stateful firewall and deep packet inspection.
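An added example for the firewall and filtering entries (example code, not from the glossary or any firewall product): an ordered rule set evaluated first-match with an implicit default deny, plus a check for rules that an earlier, broader rule makes unreachable. The rule set and packets are constructed, using the RFC 5737 documentation address ranges; the `Rule` and `Packet` types are assumptions of this example.

```python
"""First-match packet filter with default deny (added example, not from the glossary).

Models a firewall rule set as an ordered list: the first rule matching a packet
decides, and a packet matching no rule is dropped (default deny, a fail-closed
design).  Addresses use the RFC 5737 documentation ranges; packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'deny' when none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # default deny: unanticipated traffic is blocked, not passed


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet matching `narrow` would also match `broad`."""
    return (ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and broad.proto in (None, narrow.proto)
            and broad.dport in (None, narrow.dport))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them.

    A shadowed rule is a common misconfiguration: the intended allow or deny
    silently never applies because a broader rule above it always matches first.
    """
    return [j for j, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:j])]


# Constructed rule set: a blocklisted range, a DMZ web server and an internal bastion.
RULES = [
    Rule("deny", src="198.51.100.0/24"),                                     # blocklist first
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),            # public HTTPS
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.5/32", proto="tcp", dport=22),  # internal SSH
]


if __name__ == "__main__":
    for pkt in [Packet("192.0.2.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.9", "203.0.113.10", "tcp", 443),
                Packet("192.0.2.7", "10.0.0.5", "tcp", 22)]:
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```

Rule order is part of the policy: moving the blocklist `deny` below the HTTPS `allow` would let blocklisted hosts reach the web server, and `shadowed_rules` flags the opposite mistake, an `allow` or `deny` placed under a broader rule that always wins.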

Firmware

Software loaded into a memory chip or similar hardware device, normally embedded in hardware interfaces to control and communicate with specialist devices such as plant controllers, disk drives or network cards.  The BIOS on a computer motherboard is an example.  “Software embedded in a hardware device” (NZ information Security Manual).

FISA
(Foreign Intelligence Surveillance Act)

US law unilaterally permitting the US government to snoop on foreigners’ information for US intelligence, counterterrorism and (presumably) cyberwarfare, economic, political or other purposes.  Became law in 1978, amended in 2008.  Established the Foreign Intelligence Surveillance Court as a SECRET oversight body to mediate official access requests by the NSA, CIA, FBI or other agencies/authorities.

FISMA
(Federal Information Security Management Act)

US law imposing information risk-based security and privacy obligations on government agencies and, to some extent, their suppliers.  “A statute (Title III, P.L. 107-347) that requires agencies to assess risk to information systems and provide information security protections commensurate with the risk.  FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to OMB.” (CNSSI-4009).

Five Eyes

A strategic alliance/collaboration between the governments of the USA, Canada, UK, Australia and New Zealand to share intelligence capabilities and information.  Evolved from the UKUSA bilateral ‘special arrangement’ that had in effect been in place since WWII or before.  Whereas the security agencies are not supposed to snoop on their own citizens, they can do so via their Five Eyes partners – a convenient means of bypassing the governance control.

Flash memory [media]

Data storage device using a silicon chip as the media, in a manner that retains the data indefinitely without consuming power, such as a USB memory stick.  “A specific type of EEPROM” (NZ information Security Manual).

Flaw

A fundamental and inherent vulnerability, weakness or failing.  In the context of software security, flaws are generally errors in the system design or architecture that create or expose information security vulnerabilities.  Flaws in corporate governance, risk management, information security management, business continuity management etc. can result in an organisation’s abject failure to characterize and treat reasonably foreseeable (let alone unforeseeable) risks.

Flood

(a) A surprisingly common physical security threat.  Due to global warming, the number of natural disasters involving flooding has increased markedly in recent years, while leaking pipes, blocked sewers and sprinkler systems remain as prevalent as ever.  See also fire, intruder and malicious damage. (b) Accidentally overwhelm an IT system or network with a high volume of traffic, for example an abnormally high peak load on a heavily-promoted website or a tsunami of spurious packets generated by a hardware error on a network node. (c) Deliberately overwhelm an IT system or network with large volumes of generated traffic in an attempt to cause a denial of service or to slip a covert attack past failing security controls.

Fly lead

“A lead that connects IT equipment to the fixed infrastructure of the facility. For example, the lead that connects a workstation to a network wall socket” (NZ information Security Manual).

FM-200

Fire suppressant or extinguishant chemical from DuPont popular in automated fire control systems.

FMEA
(Failure Mode Effects Analysis)

Structured bottom-up engineering method, pioneered by NASA, to analyse potential reliability, safety or security risks or issues early in the system development lifecycle, identifying how the system might possibly fail (e.g. due to single points of failure).  Used to design more resilient, robust, secure and safe systems.

Foothold,
launch pad
stepping stone,
pivot point

The system initially compromised on a hacked network, from which further probes and attacks may be launched.  May be any vulnerable networked system, including things, multifunction devices, desktops, portables, servers etc.

Forbid

Explicitly prohibit i.e. withhold consent, authorisation or permission for someone to do something, go somewhere etc. or face the consequences.

Forensic, forensics

Relating to the law courts.  See also digital forensics.  “The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data” (CNSSI-4009).

Forensic copy

More than just a copy of an item of forensic evidence, a forensic copy has been produced by a specific, forensically-sound method that gives an extremely high level of assurance that the copy is an authentic and complete duplicate of the original – for example, a bitwise image of a computer disk, created using a particular set of forensic tools, with a cryptographic hash value identical to the original.

Forensic evidence

Evidence destined to be used in court.  The legal system imposes strict integrity requirements on evidence, requiring strong assurance measures such as a valid and unbroken chain of custody.

Forger

The fraudster who commits forgery.

Forgery

Fraudulent counterfeiting of items such as negotiable instruments (e.g. banknotes), credentials etc.

Fork bomb,
wabbit

Malware that spawns one or more copies of itself and starts those copies running, thus exponentially increasing in number until it exhausts finite system resources and thus, generally, brings the entire system to a halt i.e. a denial of service attack.

Form grabber, grabber,
form jacking

Malware that captures data entered by the system user into online forms, particularly credentials used for authentication.

FOSS
(Free Open Source Software)

Software source code that its owner deliberately publishes and permits or encourages others to use, change and ideally improve as a collaborative public effort.  ‘Free’ refers to liberty, not necessarily price: some FOSS suppliers, for example, provide additional chargeable services such as professional support and patching.

FOUO
(For Official Use Only)

Deprecated US government label applied to unclassified information containing content that may have been exempt from mandatory disclosure under the Freedom of Information Act.  Replaced by CUI.

Frame

(a) Falsely yet credibly accuse someone of something untoward, such as a crime, or deflect the blame their way in such a way that they appear guilty whereas the guilty party appears innocent.  An integrity failure.  A form of social engineering.  (b) Permanent wooden or metal structure into which a door or window may be fixed by hinges, catches and locks.  The strength of the frame and its fixture to the surrounding wall are critical to the ability of the door or window to resist brute force attacks, fires, floods etc.  The entire structure, plus the associated processes (such as architecture and design, operation and maintenance), constitutes a physical security control system.

Framework

A conceptual or physical structure or skeleton linking related items together, providing a logical basis or foundation for further construction, understanding and use.  May involve models, blueprints, architecture and design specifications, nodes and linkages, systems (such as management systems), methods, approaches, standards, policies, guidelines etc.  May be theoretical or practical.  Information security frameworks typically concern governance, information risk, compliance, privacy and related matters, in whole or in part.

Fraud, con

Theft, misappropriation or similar crime involving deliberate deception or misrepresentation of the target by a fraudster, usually for unfair advantage or illegal gain.  Many forms of fraud are known e.g. assuming someone else’s name and masquerading as them (identity fraud); promising victims a large payout on receipt of an advance fee; causing victims unwittingly to call a premium-rate phone number and so rack up a large bill (toll fraud); tricking victims into downloading malware or visiting unsavoury/undesirable websites (click bait); falsifying or inflating expenses claimed (expenses fraud); falsifying financial records (accounting or tax fraud); substituting bank account numbers (payment fraud).  See also scam.

Fraud recovery fraud

Follow-on fraud in which fraudsters typically claiming to be lawyers, barristers, police officers etc. promise to help victims of prior frauds recover their losses, prosecute the original fraudsters etc.  Fraud victims have, in effect, already demonstrated their naïveté, gullibility and susceptibility in the earlier incidents and may still be ignorant or in a psychological state of denial, hence being relatively vulnerable to subsequent frauds by selfish heartless exploitative low-life pond scum totally devoid of compassion.

Fraudster,
con artist

Deceitful, deceptive person who commits or perpetrates fraud.  Sometimes incorrectly called ‘the fraud’ which, strictly speaking, is the incident not the perpetrator.

Freedom Of Information Act (FOIA)

Laws in many jurisdictions require public bodies to disclose potentially sensitive information under certain conditions, typically for public interest reasons, on request by a member of the public following the prescribed procedures.  When entire documents or data sets are to be disclosed under FOIA, it may be necessary to redact parts e.g. to safeguard ongoing covert operations and operatives (typically informers, moles and spies) or to protect privacy or national security.

Freeware

Software that is legitimately and legally free of usage restrictions, typically as a result of having been released intentionally into the public domain by its owner.

Freezer spray

Hardware hacking or IT forensics tool.  Deep-freezing RAM chips using a freezer spray makes them retain their contents even when the system is powered off, perhaps long enough to enable the data to be recovered using specialist equipment.

Frequency analysis

Basic cryptanalytic technique using the distribution of individual characters, character sequences or words in typical plaintext to guess at possible substitutions in cyphertext or codes.  For example, e and i are the most frequent letters in most English texts, while an, in, on, to and of are very common two-, three- or four-character sequences (allowing for the usual leading and trailing spaces).
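The technique described above, worked through as an added example (not part of the original glossary): a constructed English sample is enciphered with a simple letter shift, and the shift is recovered purely from how well each candidate decryption’s letter distribution matches typical English frequencies. The frequency table is the usual approximate one for English text, and the sample text, key and function names are the example’s own.

```python
"""Letter-frequency analysis against a monoalphabetic (Caesar) shift cipher.

Added example: a constructed plaintext is shifted by a secret key, then the
key is recovered by comparing the letter distribution of each candidate
decryption against typical English letter frequencies.
"""
from collections import Counter
import string

# Approximate relative frequencies (%) of letters in typical English text.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def caesar_shift(text: str, key: int) -> str:
    """Shift every ASCII letter by `key` positions; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_counts(text: str) -> Counter:
    """Count ASCII letters only, case-folded, ignoring spaces and punctuation."""
    return Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)


def chi_squared(text: str) -> float:
    """Distance between observed letter counts and the English expectation (lower is more English-like)."""
    counts = letter_counts(text)
    total = sum(counts.values())
    if total == 0:
        return float("inf")
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100.0
        observed = counts.get(letter, 0)
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> tuple:
    """Try all 26 keys; return (key, plaintext) whose letter distribution best matches English."""
    best_key, best_score = 0, float("inf")
    for key in range(26):
        score = chi_squared(caesar_shift(ciphertext, -key))
        if score < best_score:
            best_key, best_score = key, score
    return best_key, caesar_shift(ciphertext, -best_key)


def most_common_bigrams(text: str, n: int = 5) -> list:
    """Most frequent two-letter sequences within words (the digraph side of frequency analysis)."""
    words = "".join(ch if ch.isalpha() else " " for ch in text.lower()).split()
    bigrams = Counter(w[i:i + 2] for w in words for i in range(len(w) - 1))
    return [bg for bg, _ in bigrams.most_common(n)]


# Constructed sample: ordinary English, long enough for the statistics to settle.
SAMPLE_PLAINTEXT = (
    "Frequency analysis works because the letters of ordinary English text "
    "are not used equally often. The letter e appears far more often than the "
    "letter z, and short words such as the, and, of and to recur constantly "
    "in any long passage."
)
SAMPLE_KEY = 7  # the secret shift, unknown to the analyst
SAMPLE_CIPHERTEXT = caesar_shift(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plaintext = break_caesar(SAMPLE_CIPHERTEXT)
    print(f"recovered key {key}: {plaintext[:60]}...")
    print("most frequent ciphertext letters:", letter_counts(SAMPLE_CIPHERTEXT).most_common(3))
    print("most frequent plaintext bigrams:", most_common_bigrams(plaintext))
```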

Frequency-hopping

Radio transmissions that automatically follow a rapidly-changing, cryptographically-determined sequence of spot frequencies, making it harder or impossible for unauthorized listeners using basic radio receivers to reconstruct the complete transmission, whereas authorized listeners use receivers programmed to follow the same frequency sequence.  “Repeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications” (CNSSI-4009).

FSB
(Federal'naya Sluzhba Bezopasnosti)

Russian security service, roughly equivalent to the US FBI, which succeeded the Soviet KGB.  Responsible for domestic state and border security, ‘economic security’ (industrial espionage) and for countering spying, organised crime and terrorism.

Fullz

Leet term for dumps containing full payment card details including the card numbers, CVV, cardholder’s name and expiry date, and sometimes other personal information.

Functional segregation

“Functional segregation is segregation based on the device function or intended function” (NZ information Security Manual).

GameOver Zeus

Malware species in the wild from 2011.  A variant of the Zeus family using a botnet with a distributed (peer-to-peer) rather than centralized command-and-control structure.

GandCrab

Ransomware species in the wild, offered as an online service (MaaS) with regular updates and technical support to help victims pay the ransom (typically $1k-$8k) and decrypt their data.

Gap analysis

Examination of the differences or discrepancies between two states, such as the current or as-is state versus the desired or to-be state (part of change management), or the gap between expectations, requirements or obligations imposed or suggested by laws, standards, policies, contracts etc. and the actual situation in reality (part of compliance management).

Gardening leave

Workers in the course of leaving an organisation’s employment or assignment may be explicitly excluded by management from the premises and ICT networks/systems etc. This enforced paid leave mitigates unacceptable risks, particularly if they were in privileged/trusted positions with extensive access to information and other valuable corporate assets and/or if their loyalty or trustworthiness is in doubt (e.g. dismissals).  ‘Sending them home to do the gardening’ may be deemed less risky/costly than allowing them to work normally during their notice periods.

Gate

Physical access control intended to restrict access to a controlled area or zone to those with permission to enter.  The physical nature, strength and integrity of a gate and any locks (along with the associated usage, guarding, monitoring, key management and maintenance activities) governs the ability of intruders to slip or break through, while the nature, strength and integrity of the associated fences, walls and other physical barriers determines whether intruders can simply bypass it.

Gateway

Logical security analogue of a gate, restricting access to a controlled network zone or device.  See firewall.  Alternatively, “Device that converts a protocol to another protocol” (ISO/IEC 27040) or “Interface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures” (CNSSI-4009).  “Gateways connect two or more systems from different security domains to allow access to or transfer of information according to defined security policies.  Some gateways can be automated through a combination of physical or software mechanisms.  Gateways are typically grouped into three categories: access gateways, multilevel gateways and transfer gateways” (NZ Information Security Manual).

GCHQ
(Government Communications HeadQuarters)

The UK’s techno-spooks, responsible for SIGINT and other intelligence, surveillance and governmental technical support activities.  Evolved from the Government Code and Cypher School, established during the First World War.

GDPR
(General Data Protection Regulation)

Virtually identical privacy laws were adopted across the EU in 2018.  GDPR introduced the right to be forgotten and other new requirements plus potentially massive ($billions) fines for noncompliance.

General user

“A system user who can, with their normal privileges, make only limited changes to a system and generally cannot bypass system security” (NZ information Security Manual).

Genetic data

“Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question” (GDPR).

[Electrical] Generator,
generating set,
emergency generator

An alternator turned by an engine to generate electricity.  Typically used to restore power to essential equipment during a grid blackout for business continuity purposes.  Whereas small portable gasoline-powered generators for home use may generate about a kilowatt, large permanently-installed diesel-powered industrial generators typically generate hundreds of kilowatts, sometimes a few megawatts.

GENIE

A secret US intelligence program systematically compromising ICT devices (‘end-points’) with spyware, extending the interception performed on communications links and Internet Service Providers (‘mid-points’).

Gentleman’s agreement

An ‘understanding’, an informal arrangement or weak form of contract between individuals who trust each other.  Based on the principle that “a gentleman’s word is his bond”, which of course hinges on the meanings of ‘gentleman’ and ‘bond’.

Geolocation

Some portable ICT devices and things use GPS, cell-sites, Wi-Fi services or other means to identify their locations, and by implication the whereabouts of the corresponding users.  Locational information can be sensitive, for instance allowing high-value targets (such as executives, politicians and celebrities) to be physically tracked.  It can also be very valuable, for example to track a lost/stolen thing, pet … or Alzheimer’s sufferer.

Gh0st

RAT malware that gives its master full remote control of infected devices.

GIG
(Global Information Grid)

“The globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel.  The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems.  Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network.” (CNSSI-4009).

GII
(Global Information Infrastructure)

“Worldwide interconnections of the information systems of all countries, international and multinational organisations, and international commercial communications” (CNSSI-4009).  In practice, this includes but extends beyond the Internet.

GPG, GnuPG
(GNU Privacy Guard)

An OpenPGP-compliant cryptographic email application developed by the GNU Project.

GNU General Public License

A copyleft style of permissive license adopted by the GNU Project to encourage collaborative sharing by the community.

Going native,
being turned

Deep cover agents, moles or sleepers may become so tightly ensconced in the organisation that they build a strong affinity to it and to their work colleagues/associates, ultimately supplanting their loyalty towards the agency that originally placed them, perhaps even becoming double agents.

GoldenEye

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  A variant of Petya.  In 2017, GoldenEye was used to target German HR departments, arriving in the guise of a spreadsheet with malicious macros, attached to a job application email.

Good practice

Generally acknowledged as broadly adequate or recommended, in a generic sense.  See also best practice.

Governance

Strategic frameworks, organisational structures, policies and processes used to guide/direct, oversee/monitor and to some extent control the organisation, ensuring that it fulfils its strategic objectives and complies with internal and external obligations etc.  Includes concepts such as corporate governance (enterprise-wide), project governance and information security governance, plus accountability.  Arguably the broadest form of integrity control.

Governance of information security,
information security governance

Strategic guidance and oversight of information security.  “System by which an organisation’s information security activities are directed and controlled” (ISO/IEC 27000).

Governing body

The most senior body which governs (i.e. guides and oversees at a strategic level) an organisation, as distinct from its management.  “Person or group of people who are accountable for the performance and conformance of the organisation.  Note: governing body can in some jurisdictions be a board of directors” (ISO/IEC 27000).

GPS
(Global Positioning System)

Global geolocation service using a network of orbiting radio satellites and ground stations running extremely accurate clocks, allowing a GPS receiver to calculate its three-dimensional position (latitude, longitude and altitude) to within a few meters.  A GPS unit in a vehicle, for example, may be used to track the vehicle’s position remotely if coupled with a radio transmitter, such as a mobile phone, creating surveillance capabilities and raising privacy implications.  Potentially vulnerable to interference caused by physical obstructions, electrical noise, solar flares etc., or to deliberate spoofing or jamming.  Potentially a useful way of tracking valuable portable information assets such as backup tape carriers, executives and things, as well as criminals and terrorists.

GQM
(Goal, Question, Metric)

Straightforward technique for systematically determining the goals, objectives or expected outcomes of some business activity, posing rhetorical questions concerning their efficacy, efficiency, suitability etc. (the kinds of things that management might like to know), and finally designing or selecting suitable metrics to address those questions.

Gray hat,
grey hat

Hacker having characteristics of both white and black hats, or indeterminate.  Black hats seldom openly acknowledge their true motivations, dubious ethics and self-serving nature, normally claiming to be legitimate white hats (e.g. “security researchers” and “penetration testers”) while concealing or denying their black hat tendencies and activities.

Grayware,
greyware

See Potentially Unwanted Program (PUP).

GRC
(Governance, Risk and Compliance)

The primary management activities, objectives or purposes for information security.

Grieving curve

Psychiatrist Elisabeth Kübler-Ross described five emotional states that people suffering deep personal loss (such as death of a close friend or relative) tend to experience in sequence, namely: denial, anger, bargaining, depression and finally acceptance.  While seldom literally life-changing, individual workers and organisations may experience a similar roller-coaster ride when dealing with major challenges, changes or incidents.

Group

Most computer systems allow security administrators to configure and manage common permissions for entire groups of users performing similar rôles (e.g. staff, managers or administrators), rather than having to configure and manage the rights and privileges individually for each person (although this is also possible e.g. through ACLs).  See also discussion forum.

Group of undertakings

“A controlling undertaking and its controlled undertakings” (GDPR).

GSI
(Government Secure Internet)

Relatively secure UK government internal/private network, implemented in 1997.

Gpcode

One of the earliest species of data-encrypting ransomware, in the wild in 2006.

Guard tour,
site security patrol system

Physical security arrangement that tags/logs/records and perhaps tracks in real time the security guards as they patrol the facilities routinely, especially lone guards working out-of-hours (nightshifts and weekends), in order to identify and perhaps raise the alarm and trigger a suitable response if a guard fails to complete his round (e.g. if he is absent, asleep, lost/taking shortcuts, injured or even kidnapped, killed or substituted en route).  Typically involves guards authenticating themselves (‘checking-in’ or ‘tagging’) at strategically positioned points on a pre-planned tour using mechanical time-stampers, access cards, keys, barcode readers, GPS, CCTV cameras, radios, biometric scanners etc. that record the dates and times of check-ins.  May be combined with duress alarms.

Guest [operating] system

Operating system for a single VM provided, managed and to a large extent secured by the hypervisor.

Guideline

Written guidance explaining how certain information security controls operate.  Despite the name, many of the controls noted in guidelines relate to obligations defined in laws, regulations, axioms, policy statements etc. and are therefore mandatory.  Guidelines also contain supplementary information and advice to help workers utilize the controls properly.  “Description that clarifies what should be done and how, to achieve the objectives set out in policies” (ISO/IEC 27000).

Hack,
hacking

At MIT in the late 1950s, ‘hack’ originally meant an ingenious, quick, inelegant and superficial modification to a system that accomplishes the desired goal without changing its design.  Later it came to mean a benign and obsessive fascination with technology.  Now ‘hacking’ normally refers to accessing, exploring and often exploiting vulnerable ICT systems, networks and things without the owners’ authorisation, knowledge and/or permission, hence unethical and often both malicious and illegal, although cracking is technically the better term.

Hacker,
haxxor, haxx0r

Someone who hacks.  “Haxxor”, plus variants such as “haxx0r”, are Leet versions.  “Unauthorized user who attempts to or gains access to an information system” (CNSSI-4009).  See also cracker.

Hacker underground

A somewhat covert social network or community of individuals and groups of hackers, crackers, malware authors (VXers), script kiddies, bot masters etc. linked through Internet websites, chat rooms, bulletin boards, conferences and club meetings etc.  Increasingly linked to criminal gangs, criminal activities (e.g. the use of crimeware) and the black market.

Hacktivism,
hacktivist,
hactivism,
hactivist

Use of hacking/cracking techniques to further the aims of ideological activist/extremist groups promoting human rights, anarchy, religious/national bigotry etc., for example through website defacement.  May be a part of, or provide a cover for, more sinister attacks such as terrorism, sabotage, cybertage, industrial espionage, spying or information warfare.

Hajime

A worm, similar to Mirai in that it infects things through their Telnet ports using default userIDs and passwords, recruiting them to a botnet.  In the wild in 2017.

Ham

Email which the recipient considers legitimate and welcome i.e. not spam.  Also, a radio amateur, amateur actor, or pig meat.

Handler

See collector.

Hanlon’s razor

“Never attribute to malice that which can be adequately explained by stupidity” [Robert J. Hanlon].  Naturally risk-averse information security professionals tend to assume that most incidents are caused intentionally by malicious adversaries, whereas many are simple accidents, coincidences and ‘misfortune’/’bad luck’ (meaning random factors).  Stupidity may involve ignorance and/or incompetence.

Hardening

The process of making something more robust or secure by proactively reducing its vulnerabilities e.g. by configuring a server according to applicable security standards, removing unnecessary software and applying relevant security patches.  “Process of securing a system by reducing its surface of vulnerability.  Note: Hardening typically includes the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.” (ISO/IEC 27033-6).

Hardware

Tangible ICT asset, such as a computer system.  Cf. software, firmware, wetware, data and information.  “A generic term for any physical component of information and communication technology, including peripheral equipment and media used to process information” (NZ Information Security Manual).

Hardware hack

Deliberate manipulation of hardware to compromise, defeat/disable or bypass physical or electronic security controls built-in to devices, such as access controlled functions and data.

Hardware security module

See HSM.

Harass, harassment

Relatively minor form of bullying, intimidation, pestering or coercion, generally bothersome and annoying rather than hurtful or violent but it’s a matter of degree and perception by the victim.

Heartbleed

Cryptographic hacking attack that exploits vulnerable OpenSSL implementations, compromising X.509 digital certificates to steal confidential data (such as passwords) passed over SSL.  Thanks in part to Heartbleed, SSL is deprecated in favour of TLS.

Harvesting

Systematic collection of personal information such as names, email addresses etc. from databases, websites, forums, contact lists etc., typically for the purpose of sending spam.

Hash,
hash value,
digest,
message digest

Characteristic output value produced by passing a string, message or file through a so-called ‘one-way encryption’ cryptographic hashing function such as SHA-2.  Although the original content may not be reliably recreated from the hash value, its validity and integrity can be verified by recalculating the hash and comparing it against one calculated previously and stored securely.  Used to validate passwords, digital certificates, digital evidence, plus electronic files, messages and transactions.

Hash collision

It is possible, although unlikely, for two different input strings or files to produce the same hash due to the finite number of possible hash values that hash algorithms generate (the hash-space).  Relatively weak hash algorithms such as MD5 with small hash-spaces are more likely to suffer collisions and are deprecated in favour of stronger algorithms with much larger hash-spaces such as the SHA-2 or SHA-3 families.

Hash value

“String of bits which is the output of a hash-function” (ISO/IEC 10118-1).  See hash.

Hashed Message Authentication Code (HMAC) algorithms

“The SHA-1 hashing algorithm, combined with additional cryptographic functions, forms the HMAC algorithms of HMAC-SHA-1-96” (NZ information Security Manual).
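The construction named in the quotation, worked through as an added example (not from the NZ Information Security Manual): HMAC over SHA-1 with the tag truncated to its leftmost 96 bits, plus the constant-time verification a receiver should perform. The generic `truncated_hmac` helper and its parameters are the example’s own; the key and message are the published RFC 2202 test vector, so the untruncated tag can be checked against a known value.

```python
"""HMAC-SHA-1-96: HMAC keyed over SHA-1, tag truncated to the leftmost 96 bits.

Added example. The RFC 2202 test vector (key of twenty 0x0b bytes, message
"Hi There") gives a known full-length tag to check the computation against.
"""
import hashlib
import hmac


def truncated_hmac(key: bytes, message: bytes, digestmod=hashlib.sha1, tag_bits: int = 96) -> bytes:
    """Generic HMAC-<hash>-<bits>: compute the full HMAC, keep the leftmost `tag_bits` bits.

    `digestmod` and `tag_bits` are this example's own parameters; the default
    values give HMAC-SHA-1-96 as named in the glossary entry.
    """
    if tag_bits % 8 != 0 or tag_bits <= 0:
        raise ValueError("tag length must be a positive multiple of 8 bits")
    full_tag = hmac.new(key, message, digestmod).digest()
    if tag_bits > len(full_tag) * 8:
        raise ValueError("tag length exceeds the hash output size")
    return full_tag[: tag_bits // 8]


def hmac_sha1_96(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-1-96: a 20-byte HMAC-SHA1 tag cut down to 12 bytes."""
    return truncated_hmac(key, message, hashlib.sha1, 96)


def verify_hmac_sha1_96(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the truncated tag and compare in constant time (no early-exit byte compare)."""
    if len(tag) != 12:  # a tag of the wrong length can never be valid
        return False
    return hmac.compare_digest(hmac_sha1_96(key, message), tag)


# RFC 2202 HMAC-SHA1 test case 1 (published test vector, not a secret key).
RFC2202_KEY = bytes([0x0B] * 20)
RFC2202_MSG = b"Hi There"
RFC2202_FULL_TAG_HEX = "b617318655057264e28bc0b6fb378c8ef146be00"

if __name__ == "__main__":
    tag = hmac_sha1_96(RFC2202_KEY, RFC2202_MSG)
    print("HMAC-SHA-1-96 tag:       ", tag.hex())
    print("genuine message verifies:", verify_hmac_sha1_96(RFC2202_KEY, RFC2202_MSG, tag))
    print("altered message verifies:", verify_hmac_sha1_96(RFC2202_KEY, b"Hi There!", tag))
    print("wrong key verifies:      ", verify_hmac_sha1_96(b"\x0c" * 20, RFC2202_MSG, tag))
```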

Hazard

Health and safety or insurance term functionally equivalent to danger, threat, threat agent or risk depending on context and interpretation.

Health and Safety
(H&S)

Risk management techniques, approaches and controls designed to reduce the risk of personal injury or death of workers facing hazardous conditions, such as operating a smartphone while driving or crossing a road.

Heap

Extensive area of memory in which the data values of program variables are stored as a program executes.  Each heap must be actively managed by its program e.g. releasing space after use to avoid the heap growing and perhaps overflowing.  See also stack.

Heap overflow,
memory leak

Class of software vulnerability similar to buffer overflow in which conditions such as inadequate type or bounds checking and exception handling in programs lead to variable values exceeding their allocated space on the heap and issues such as program or system crashes, and unauthorized disclosure of confidential data such as passwords and cryptographic keys.  See also stack overflow.

Hearsay

Rumours e.g. unsubstantiated statements, claims or assertions by a third party about someone involved in a court case, e.g. “Kevin Mitnick is a well-known hacker”.  Normally inadmissible as forensic evidence unless it satisfies specific rules.  A form of circumstantial (indirect) evidence.

Heatmap

A notional two-dimensional graphical representation of the organisation using colours to indicate trouble-spots or problem areas (normally in red), areas of lesser concern (amber) and regions of strength (green).  A security metric.  See also attack surface, risk profile, risk universe and security landscape.

Heuristic

Method involving learning from experience, such as a rule-of-thumb.  Some antivirus software uses heuristic techniques to identify possible malware by its unusual patterns of behaviour, while Bayesian anti-spam methods learn from user selections to differentiate spam from ham.

Hiddad

One of several nasty species of malware that infects Android mobiles, in the wild in 2018.  Repackages legitimate apps with malware.

HIDS
(Host-based
Intrusion Detection System)

Intrusion detection system involving software running on systems/nodes and monitoring the network traffic as it arrives at and/or departs from those systems/nodes, as opposed to directly monitoring traffic flowing on the network (see NIDS).

High assurance

“A generic term encompassing EAL levels 5, 6 and 7” (NZ information Security Manual).

High grade cryptographic equipment

“The equivalent to United States Type 1 cryptographic equipment” (NZ information Security Manual).

HIPAA
(Health Insurance Portability
and
Accountability Act)

A US law concerning privacy and security of medical information, principally Electronic Health Records associated with health insurance.  “An Act To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes” (HIPAA long title).

HMI
(Human Machine Interface)

A screen, annunciator/mimic panel etc. presenting plant operators with information from the SCADA/ICS systems and a keyboard, switch panel or some other way for them to interact with the distributed systems.

Hoax

A deliberate false alarm.  Triggering the fire alarm may, for instance, allow an intruder to access a controlled facility.  See also virus hoax.

Hold file,
suspense file

Transactions or data items that fail integrity or other checks are commonly flagged or placed in this special holding area pending manual inspection and release, instead of being processed.

Home Area Network
(HAN)

Wireless network in a residential property, using one or more networking protocols such as Wi-Fi, Bluetooth or ZigBee, often linking things to each other and the Internet.

Honest

Does not (knowingly) lie or deceive.  An honest person has personal integrity and is straightforward, ethical, open and trustworthy.

Honeypot,
honeynet

Networked computers deliberately configured as decoys to lure hackers or malware for forensic investigation, or more simply as a security alerting/early-warning mechanism.

Honeytoken

File, object or token in a networked computer system intended as a decoy to lure or reveal hackers, fraudsters and insider threats at work e.g. a fake entry in a customer database with a PO Box, email address, telephone number or file access alert monitored by the Information Security Manager to check for unauthorized disclosure or inappropriate use of the database.

Honour,
honour system,
code of honour

Social factors constrain ethical people to behave in accordance with the expectations of their peer groups.  Along with trust, this weak control is decreasingly effective overall due to declining social values and an evident lack of social responsibility by some members of many groups, societies and cultures.  Cheating and selfishness are a way of life for some, to the detriment of society.

Host

See system.

Host-based intrusion prevention system

See intrusion prevention system.  “A security device, resident on a specific host, which monitors system activities for malicious or unwanted behaviour and can react in real-time to block or prevent those activities” (NZ Information Security Manual).

Host operating system

Operating system running on bare metal on which the hypervisor runs guest systems for each of the virtual systems.  An integral part of some hypervisor software.

Hot site

Secondary, fallback location with an ICT facility that, following a disaster affecting the primary (main, operational) location, can be made fully operational within a short period (typically just a few hours at most), due to having been pre-fitted with all essential hardware, power supplies, air conditioners, network connections and physical access controls, and having ready access to data backups from the main site.  “Backup site that includes phone systems with the phone lines already connected. Networks will also be in place, with any necessary routers and switches plugged in and turned on. Desks will have desktop PCs installed and waiting, and server areas will be replete with the necessary hardware to support business-critical functions. Within a few hours, a hot site can become a fully functioning element of an organisation.” (CNSSI-4009).  See also cold site, warm site and mirror site.

HSM
(Hardware Security Module)

Physically secure cryptographic subsystem comprising a trusted environment within which private keys can be safely stored and cryptographic operations can safely be performed.  “A device, cards or appliance usually installed inside of a PC or server which provides cryptographic functions” (NZ Information Security Manual).  See also TPM.  [HSM can also mean Hierarchical Storage Management].

HSTS
(HTTP Strict Transport Security)

In its HTTP headers, a website can request that clients only use HTTPS, not HTTP, reducing the risk of site spoofing, Man-In-The-Middle attacks etc.  To secure communications from the very outset, browsers may be pre-loaded by the browser vendors with known HSTS sites.
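The client-side half of the mechanism described above, as an added example that is not part of the glossary: parsing the Strict-Transport-Security header, remembering the policy only when it arrived over HTTPS, honouring includeSubDomains, expiry and max-age=0, consulting a stand-in for the vendor preload list, and upgrading http:// URLs accordingly.  Host names, header values and the preload entry are constructed for illustration.

```python
"""HSTS policy handling as a browser does it (added example, not from the glossary).

Assumptions: the header values, host names and preload list below are constructed
for illustration; they are not real sites' policies.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser vendor's built-in HSTS preload list:
# host -> whether the entry also covers subdomains.
PRELOADED = {"preloaded.example": True}


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains, preload), or None when the header is
    malformed (no valid max-age), in which case a client must ignore it.
    """
    max_age = None
    include_sub = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


class HstsStore:
    """Remembers per-host policies learned from headers received over HTTPS."""

    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}   # host -> (expires_at, include_subdomains)

    def observe(self, host: str, header: str, over_https: bool) -> bool:
        """Record a policy from a response header; returns True if it was accepted."""
        # Only a header received over HTTPS is trusted: over plain HTTP it could
        # have been inserted or stripped by an on-path attacker.
        if not over_https:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 withdraws the policy
            return True
        self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if host (or a parent with includeSubDomains) has an active policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self.now():
                del self.policies[candidate]   # an expired policy is forgotten
                continue
            if exact or include_sub:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known HSTS hosts, else return url unchanged."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        # An explicit port 80 becomes the HTTPS default; other ports are kept.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```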

HPKP
(HTTP Public Key Pinning)

By checking a website’s cryptographic hashes of the public keys of its certificate authorities, a client can reduce the risk of HTTPS certificate spoofing, Man-In-The-Middle attacks etc.

HTML injection

Web hacking technique exploiting inadequate data validation to manipulate HTML messages sent between a web browser and web server, for example to reveal or spoof cookies or send a user’s logon credentials to the hacker.  An example of code injection.  See also XSS.

Hub

Literal or notional centre or focal point of something.  “Network device that functions at layer 1 of the OSI reference model.  Note: There is no real intelligence in network hubs; they only provide physical attachment points for networked systems or resources.” (ISO/IEC 27033-1).

Hull

The body of a mechanical lock or padlock housing the mechanism.

Human factors

All aspects of information security depend to some extent on the actions or inactions of human beings, hence behavioural, sociological and psychological factors influence the level of information security achieved in practice.  For example, we struggle to recall and type random strings of characters, limiting the strength of memorized passwords.

HUMINT
(HUMan INTelligence)

The military practice of gathering intelligence primarily from or using people.  See also SIGINT and OSINT.

Hybrid cloud

Provision of cloud services through the Internet on equipment belonging partly to a CSP and partly to the user of those services.  See also public and private cloud.

Hybrid hard drive

“Non-volatile magnetic media that use a cache to increase read and write speeds and reduce boot time.  The cache is normally flash memory media or battery backed RAM” (NZ Information Security Manual).

Hydra

See THC Hydra.

Hyper-online

Variously termed a cult, subculture or global community, these are people who use social media obsessively, a compulsion that can cause stress, anxiety and other mental health or social issues.

Hypervisor,
Virtual Machine Monitor
(VMM)

Program that mediates interactions between virtual systems and the underlying hardware platform.  Some malware covertly installs a hypervisor in order to manipulate the operating system’s access to disk and memory resources and conceal its presence from antivirus software.  Security vulnerabilities in hypervisor programs may result in inappropriate interactions such as escape.

IaaS
(Infrastructure as a Service)

Form of cloud computing service providing customers with access to Internet-based virtual systems on which they can load guest systems, middleware and applications.  The service provider’s responsibilities, including the information security aspects, are limited to the bare metal, hypervisor and network access.  See also PaaS and SaaS.

IANAL
(I Am Not A Lawyer)

… and therefore none of this is, or should be construed as, legal advice.  Don’t take my word for anything. 

IAST
(Interactive Application
Security Testing)

Combines DAST with RASP – in other words, penetration testing of an application combined with security monitoring and reporting functions embedded within the application.  Through automation and regression testing, supports RAD and DevOps.

ICS
(Industrial Control System)

Low-level embedded system and related equipment (things) controlling industrial plant (valves, pumps, motors, machine tools, ovens etc.).  See also SCADA.

IcedID

Multifunctional malware, primarily a bank Trojan, sharing the same distribution mechanism as Emotet.  Can intercept (proxy) VPN traffic and perform HTML injection and URL redirection attacks.  In the wild in 2019.

ICT (Information and Communications Technology)

Generally synonymous with IT, the term explicitly includes (data and voice) communications and networking as well as computing (formerly known as data processing).  “Includes: information management; technology infrastructure; and technology-enabled business processes and services” (NZ Information Security Manual).

IDEA
(International Data
Encryption Algorithm)

Symmetric block cipher with 128-bit keys used, for instance, in PGP.

Identification

Assertion by a person, system, organisation etc. of their identity, usually (but not necessarily) verified by subsequent authentication.  “Process involving the search for, recognition, and documentation of potential digital evidence” (ISO/IEC 27037).

Identification and Authentication
(I&A)

The process of verifying whether a person etc. legitimately holds the identity they claim, in order to reduce the risk of masquerading, identity theft, unauthorized access etc.  See also AAA.

Identify

“Develop an organisational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.  The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organisation to focus and prioritize its efforts, consistent with its risk management strategy and business needs.” (NIST Cybersecurity Framework).  A core function within NIST’s cybersecurity framework along with protect, detect, respond and recover.

Identity,
identifier,
ID

Label used to indicate a specific user of a system (user ID), system (IP address, system ID), network (IP address, network ID), account holder (e.g. PAN) etc.  Also, a person’s name.

Identity fraud,
identity theft

Type of fraud in which the fraudster masquerades as, impersonates or falsely assumes the victim’s identity, typically as a prelude to stealing or misappropriating financial or other assets such as confidential information.  Often involves theft, falsification (counterfeiting or faking) or guessing of credentials used to authenticate the holder’s claimed identity, exploiting I&A vulnerabilities, and misrepresentation.

Identity Management
(IdM)

Suite of processes and systems used to manage (assign/allocate, issue, change, revoke …) user IDs.

Identity theft

See identity fraud.

IEC 62443

A series of standards published by the International Electrotechnical Commission concerning the security of industrial automation and control systems.  Supersedes the ISA 99 series from the International Society of Automation.

IIN

See BIN.

Illegitimate

Literally, not legitimate with connotations of inappropriateness, unethicality etc.

ILOVEU,
Love letter

Well-known worm from the year 2000 that used social engineering to spread via email to the first 50 addresses found in Outlook, fooling victims into thinking they had received a love letter from a friend.

Image, image copy,
image backup

Copy of all the data files from a device, normally onto a different device and/or storage media.  See also incremental backup, differential backup and bitwise image.

Imaging

“Process of creating a bitwise copy of digital storage media.  Note: The bitwise copy is also called a physical copy.  Example: When imaging a hard drive, the DEFR would also copy data that has been deleted.” (ISO/IEC 27037).

IMAP
(Internet Message
Access Protocol)

Protocol for synchronizing one or more email clients with a mail server.  In contrast to POP3, a user’s emails normally remain on the mail server with IMAP while the email client has a ‘view’ of them, hence the user sees the same emails and directory structure from any logged-on device; also IMAP connections between email client and mail server (including the user’s mail server logon credentials) can be encrypted.  See also SMTP.

Impact

The adverse outcome or consequences caused by or arising from an information security incident, leading to direct and/or indirect (consequential) losses/costs to the organisations and/or individuals concerned.  “Adverse change to the level of business objectives achieved” (ISO/IEC 27000).

Impersonation

Masquerading as another person i.e. identity fraud.

Implant

“Electronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations” (CNSSI-4009).  See also bug and mole.

IMSI-catcher

Device to capture IMSIs (International Mobile Subscriber Identities) uniquely identifying nearby cellphones, by masquerading as a cellphone base station and spoofing the authentication.  See also Stingray.

In-band

“Communication or transmission that occurs within a previously established communication method or channel.  Note: The communications or transmissions often take the form of a separate protocol, such as a management protocol over the same medium as the primary data protocol” (ISO/IEC 27040).  Cf. out-of-band.

[Information security] Incident

Situation in which an information risk materializes i.e. one or more threats exploit one or more vulnerabilities (typically exposed or inadequately protected by weak or missing information security controls) causing material impacts on the organisation and stakeholders.  Includes the result of deliberate breaches plus accidents and natural events.  Provided adequate detective controls are in place, incidents typically generate alarms or alerts and log entries, ideally early in the process allowing the organisation to respond promptly, thus minimizing the impacts.  See also event and information security incident.  “Single or a series of unwanted or unexpected information security breaches or events, whether of criminal nature or not, that have a significant probability of compromising business operations or threatening information security” (ISO/IEC 27043).

Incident coordinators

“[The professionals who] manage and coordinate cross-government response to significant incidents and engage with victims” (UK NCSC).

Incident detection

Until an information security incident has been noticed by the affected parties, it cannot be characterized and no specific response can be triggered.  This is a critical step in incident management with implications for detective controls, alarms, alerts, logging etc. and, of course, information risks.

Incident handlers

“[The professionals who] manage and respond to incidents, engage with victims and where necessary support coordinators on significant incidents” (UK NCSC).

Incident handling

Actions undertaken by incident handlers and other experts to address incidents.  “Actions of detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents” (ISO/IEC 27035-1).

Incident management

The rational direction of activities to bring an incident under control, assess the situation and respond accordingly.  Follows on from crisis management and leads into contingency management.

Incident reporters

“[The professionals who] produce professional products on incidents to ensure all relevant government partners and agencies are updated on developments” (UK NCSC).

Incident response

What the Incident Response Team does i.e. investigate, assess, react appropriately to, and in time resolve and help the organisation learn from, information security incidents.  “Action taken to protect and restore the normal operational conditions of an information system and the information stored in it when an information security incident occurs [SOURCE: ISO/IEC 27039, 2.24, Modified — The phrase "when an attack or intrusion occurs" was replaced by "when an information security incident occurs"]” (cited by ISO/IEC 27035-1).

Incident Response Plan
(IRP)

Procedure enabling the organisation to deal promptly, efficiently and effectively with one or more information security incidents.  “The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of an incident against an organisation’s IT system(s)” (CNSSI-4009).  “A plan for responding to information security incidents as defined by the individual agency” (NZ Information Security Manual).

Incident Response Team
(IRT)

The person or people who are readied to respond promptly, efficiently and effectively to information security incidents.  “Team of appropriately skilled and trusted members of the organisation that handles incidents during their lifecycle.  Note: CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team) are commonly used terms for IRT.” (ISO/IEC 27035-1).  See also CERT.

Incinerate

Destroy by burning, a technique used to prevent further disclosure of information on storage media.  “Destruct by burning media completely to ashes” (ISO/IEC 27040).

Incompetent,
incompetence

Literally, not sufficiently competent, skilled, experienced and capable to perform an activity, duty, task or rôle to the required level.  Often used pejoratively as a personal criticism, implying idiocy, carelessness etc.

Incremental backup

A backup of files that have been created or changed since the previous incremental or image backup.  In order to restore a system, it is generally necessary to restore the entire sequence of incremental backups subsequent to the most recent full backup.  See also differential backup.
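The restore rule stated above (every incremental back to the last image must be replayed, whereas a differential only needs the image plus the newest differential), as an added example that is not part of the glossary.  Each backup set records which earlier set it captured changes against, so a missing link in the chain is detected rather than silently producing an incomplete restore.  The backup sets, file names and contents are constructed for illustration.

```python
"""Restore-chain selection for image, incremental and differential backups.

Added example, not from the glossary.  All backup sets below are constructed;
a file whose content is None records that the file was deleted in that set.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BackupSet:
    name: str
    kind: str                    # "image" (full), "incremental" or "differential"
    taken_at: int                # day number, increasing over time
    based_on: Optional[str]      # set this one records changes since (None for an image)
    files: Dict[str, Optional[str]] = field(default_factory=dict)


def restore_chain(available: List[BackupSet], as_of: int) -> List[BackupSet]:
    """Return the ordered sets needed to rebuild the system as of day `as_of`.

    Starting from the newest set taken on or before `as_of`, follow `based_on`
    links back to an image.  For incrementals this visits every set since the
    image; for a differential it reaches the image in one step.  A link to a
    set that is not available means the chain cannot be restored.
    """
    by_name = {s.name: s for s in available}
    candidates = [s for s in available if s.taken_at <= as_of]
    if not candidates:
        raise ValueError("no backup set taken on or before the requested day")
    current = max(candidates, key=lambda s: s.taken_at)
    chain = []
    while True:
        chain.append(current)
        if current.kind == "image":
            break
        if current.based_on not in by_name:
            raise ValueError(
                f"restore chain broken: {current.name} depends on missing set {current.based_on}"
            )
        current = by_name[current.based_on]
    chain.reverse()   # oldest first: image, then the sets that modify it
    return chain


def rebuild(chain: List[BackupSet]) -> Dict[str, str]:
    """Replay the chain in order and return the resulting file state."""
    state: Dict[str, str] = {}
    for backup in chain:
        for path, content in backup.files.items():
            if content is None:
                state.pop(path, None)   # deletion recorded in this set
            else:
                state[path] = content
    return state


# Constructed sample data: one image on day 1, then the same two days of
# changes captured first as incrementals and then as differentials.
IMAGE = BackupSet("full-d1", "image", 1, None, {"a.txt": "a1", "b.txt": "b1"})

INCREMENTAL_SETS = [
    IMAGE,
    BackupSet("inc-d2", "incremental", 2, "full-d1", {"a.txt": "a2"}),
    BackupSet("inc-d3", "incremental", 3, "inc-d2", {"c.txt": "c1", "b.txt": None}),
]

DIFFERENTIAL_SETS = [
    IMAGE,
    BackupSet("diff-d2", "differential", 2, "full-d1", {"a.txt": "a2"}),
    BackupSet("diff-d3", "differential", 3, "full-d1",
              {"a.txt": "a2", "c.txt": "c1", "b.txt": None}),
]


def chain_names(available: List[BackupSet], as_of: int) -> List[str]:
    """Convenience wrapper returning just the set names in restore order."""
    return [s.name for s in restore_chain(available, as_of)]
```

Losing "inc-d2" makes the day-3 incremental restore impossible, while losing "diff-d2" does not affect the day-3 differential restore; both outcomes follow from the `based_on` links alone.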

Incriminate,
incriminating,
incrimination

Provision of information indicating someone’s guilt or involvement in an illegal or otherwise inappropriate, unauthorized or forbidden activity.

Inculpatory

Forensic evidence allegedly demonstrating that someone or something was involved in an incident hence that they are culpable.  Cf. exculpatory.

Indicator

Something that gives ‘an indication’ i.e. an indirect, approximate, vague and/or imprecise measure of something.  The indicator may not be directly associated or strongly correlated with the thing.  For example, the wetness of a dog’s nose is said to indicate its health but could just be the result of sniffing at puddles.  “Measure that provides an estimate or evaluation of something” (ISO/IEC 27000).

Industrial espionage

The use of unethical, illicit, surreptitious and often illegal surveillance, spying and similar techniques to gather sensitive and valuable information from competitors, either directly (e.g. by physical site penetration or coercing insiders) or via common business partners or other third parties such as private detectives or information brokers.

Industrial Internet of Things
(IIoT)

Internet of Things used for industrial (e.g. manufacturing shop floor automation) and commercial purposes (e.g. reading and controlling electricity, gas or water meters), as opposed to consumer/home/personal devices.  Industrial things include robots, most ICS/SCADA devices, modern smart vehicles and machine tools, and some older, dumber ones fitted with bolt-on ICS interfaces.  See also mesh network.

Infect,
infection,
infectious

By analogy to the biological process, malware is said to ‘infect’ vulnerable systems when it spreads to, executes on and compromises them.

Inference

(a) Type of cryptanalytic attack that relies on inferring certain properties or values to break the cryptosystem.  (b) Type of database attack in which certain combinations of queries, perhaps in conjunction with information obtained separately, can be used to surmise or deduce additional, often sensitive information that is not directly available (e.g. queries that report results quickly are probably working with smaller datasets or samples than equivalent queries of similar complexity that take much longer to execute).

Infiltrator,
infiltration

An outsider who somehow manages to work their way into a privileged position of trust within the organisation or penetrate its systems and networks, gaining internal/insider access to corporate assets typically with the intent of stealing proprietary information (industrial espionage), sabotaging critical business processes, committing cybertage and/or recruiting insiders.  Long-term physical infiltration by moles and sleepers is popular in spy novels but uncommon in the commercial world due to the high costs and risks compared to, say, employing, bribing or coercing insiders, social engineering, short-term physical site penetration (e.g. trespass, draining), deploying malware, hacking etc.  Cf. exfiltration.

INFOCON
(INFormation Operations CONdition)

US military indicator of cyberwar status, ranging from 5 (normal) up to 1 (maximum readiness).

Information

The expression of knowledge that has meaning and hence value.  Knowledge itself is intangible, although it may be represented, stored, communicated and processed in more or less tangible forms of information such as writing, diagrams, speech, expressions, mime, sign language, Morse code, semaphore, smoke signals … and computer data.  “Any communication or representation of knowledge such as facts, data, and opinions in any medium or form, electronic as well as physical.  Information includes any text, numerical, graphic, cartographic, narrative, or any audio or visual representation” (NZ Information Security Manual).

Information asset

Valuable information and, in some interpretations, the system, storage media or person that holds and/or processes it.  Vulnerable to various risks.  Depending partly on the jurisdiction, an information asset held by the organisation may legally belong to the organisation, to an individual (e.g. personal information) or to a third party who revealed or entrusted it to another (thereby creating a custodial responsibility, whether explicit or implicit).  “Any information or related equipment has value to an organisation. This includes equipment, facilities, patents, intellectual property, software and hardware. Information Assets also include services, information, and people, and characteristics such as reputation, brand, image, skills, capability and knowledge” (NZ Information Security Manual).

Information Asset Owner
(IAO),
Information Owner
(IO)

Someone held personally accountable by management or some other authority for the proper protection of one or more information assets such as an IT system, database or trade secret.  They normally sponsor information risk analyses, approve and fund appropriate risk treatments including  controls, define access policies, authorize access, review and monitor the effectiveness of the controls and accept responsibility for the residual risks.  Not necessarily an owner in the literal/legal sense.  See also Risk Owner.

Information Assurance
(IA)

The practice of assessing and gaining confidence in the suitability and adequacy of arrangements protecting valuable information.  “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” (CNSSI-4009).

Information broker

Someone who trades commercially in information.  While the consulting, publishing, news and other industries trade legitimately in information, unethical brokers trade in information that has been obtained illegally (stolen), compromised or disclosed inappropriately (e.g. obtained under false pretences through social engineering).

Information need

A strong desire, requirement or demand for information.  “Insight necessary to manage objectives, goals, risks and problems” (ISO/IEC 15939:2007).

Information Operations
(IO)

“The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision-making process, information, and information systems while protecting our own.” (CNSSI-4009).

Information processing facilities

“Any information processing system, service or infrastructure, or the physical location housing it” (ISO/IEC 27000).  [Note: ‘information processing’ is an archaic term, long since superseded by ‘computing’, ‘IT’, ‘ICT’ or ‘cyber’, outside the arcane world of ISO27k at least!]

Information protection,
data protection

Whereas privacy is the primary concern of information protection laws, they also require information accuracy, informed consent, usage only for stated purposes and destruction once the purpose is achieved, extending the remit beyond confidentiality and control or ownership.

Information risk

Risk involving or affecting information.  See also information security risk.

Information security,
infosec

The act of securing, guarding or protecting information, while enabling its legitimate exploitation.  In more detail, the risk management and assurance activities involving the specification, design, implementation, operation, measurement, management, monitoring and maintenance of controls and other risk treatments in order to satisfy requirements for confidentiality, integrity and availability of information by constraining the number and/or severity of incidents.  Encompasses but goes beyond IT security or cybersecurity.  “Preservation of confidentiality, integrity and availability of information.  Note: in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved” (ISO/IEC 27000).  “Measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means” (NZ Information Security Manual).

Information security architecture

High level architectural blueprint concerning the organisation’s information security, linking even higher-level information security, information, risk, compliance and business strategies through to security designs for individual IT systems and business processes.

Information security continuity

Business continuity arrangements for any business-critical parts or functions of the information security department.  “Processes and procedures for ensuring continued information security operations” (ISO/IEC 27000).

Information security design

Document/s describing the key information security risks, control objectives and controls required in a system or process.  May comprise one or more dedicated security design documents or may be distributed across various system architecture, design, development and operations documents, policies, procedures, change records etc.  Should reflect broad or more specific architectural requirements and guidance.

Information security event

“Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant” (ISO/IEC 27000).  “Occurrence indicating a possible breach of information security or failure of controls” (ISO/IEC 27035-1).  See event.

Information security incident

“Single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security” (ISO/IEC 27000).  “One or multiple related and identified information security events that can harm an organisation's assets or compromise its operations” (ISO/IEC 27035-1).  “An occurrence or activity that may threaten the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it” (NZ Information Security Manual).  See incident.

Information security incident management

“Processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents” (ISO/IEC 27000).  “Exercise of a consistent and effective approach to the handling of information security incidents” (ISO/IEC 27035-1).

Information security investigation

“Application of examinations, analysis and interpretation to aid understanding of an information security incident.  [SOURCE: ISO/IEC 27042, modified — The words “an incident” was replaced by “an information security incident”.]” (ISO/IEC 27035-1).

Information Security Management

The corporate function responsible for day-to-day management of information security, managing technical, procedural and physical controls, systems, processes, standards etc.  Led by the ISM.

Information Security Management System

See ISMS.

Information Security Management System (ISMS) professional

“Person who establishes, implements, maintains and continuously improves one or more information security management system processes” (ISO/IEC 27000).

Information Security Manager

See ISM.

Information security policy

“A high-level document that describes how an agency protects its systems.  The CSP is normally developed to cover all systems and can exist as a single document or as a set of related documents” (NZ Information Security Manual).

Information security
policy manual or suite

The organisation’s collection of policies relating to information risk and information security.  May incorporate or reference policies in related areas such as physical security, privacy, governance, compliance, incident management and business continuity management.

Information security risk

The coincidence of [one or more] information security threats acting on [one or more] exposed vulnerabilities relating to [one or more] information assets, causing [one or more] impacts.  A kind of information risk, generally but not necessarily implying deliberate, intentional, malicious acts.  “Potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to an organisation” (ISO/IEC 27000).

Information sharing community

“Group of organisations that agree to share information.  Note: an organisation can be an individual” (ISO/IEC 27000).

Information society service

“A service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council” (GDPR).

Information superiority

Given the strategic importance of obtaining an adversary’s information and its asset value, spooks generally aim to be even better than their peers and opponents at gathering, interpreting and making use of foreign intelligence while, at the same time, protecting domestic intelligence from disclosure, interception, surveillance, spying etc.

Information system

See system.  “Applications, services, information technology assets, or other information handling components” (ISO/IEC 27000).

Information System Security Officer (ISSO)

Term used by some US government agencies for an Information Asset Owner or Risk Owner in the ICT context.

IT (Information Technology [department]),
Computing, Systems,
Data Processing

Corporate function typically responsible for providing computing and telecommunications services to the organisation through a shared IT/network infrastructure, or more generally the field of computing.  See also ICT.

Information Technology Security Manager (ITSM)

“Executive within an agency that acts as a conduit between the strategic directions provided by the CISO and the technical efforts of systems administrators.  The main responsibility of ITSMs is the administrative controls relating to information security within the agency” (NZ Information Security Manual).

Information Warfare
(IW),
infowar

Unethical and often illegal activities to obtain trade secrets or other proprietary or confidential information from a competitor or other adversary, or to mislead and manipulate them through social engineering e.g. using fake news and propaganda.

Informed consent

Just as patients are required to consent to (permit) surgical procedures after having been informed of the associated risks and benefits, data subjects (under most circumstances) are required to be informed about how their personal information will be used and protected at the time it is collected from them, giving them the choice to opt-out.

Infringement notification, infringement letter

See cease and desist letter.

Inherent risk,
raw risk,
untreated risk,
baseline risk

The amount of risk that is believed to exist without taking account of any treatments intended to reduce or mitigate it – essentially the starting point for risk management activities, and the backstop risk level if treatments are not effective or fail in service.  Various terms are commonly used for this concept although precise definitions and interpretations vary in practice.

Injection flaw

A category of software design flaws that allow attackers to manipulate input data in such a way that vulnerable applications mistakenly interpret and act upon malicious commands within user-supplied data.  Normally mitigated by validation routines that explicitly check input data for invalid characters (such as escape characters signalling embedded commands and end-of-string markers) prior to passing them to the application: clearly, the validation routines must themselves be resistant to injection attacks.  See also code injection, HTML injection and XSS.
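The mitigation described above and in the HTML injection entry, as an added example that is not part of the glossary: a rendering routine that concatenates user-supplied data straight into markup (the flaw) beside one that rejects input outside an allow-list and then encodes the characters HTML treats as markup.  The function names, the allow-list and the sample inputs are constructed for illustration.

```python
"""Untrusted input reaching an HTML page: the flaw and the mitigation.

Added example, not the glossary's code.  Names and inputs are constructed.
"""
import html
import re

# Allow-list for a display name: letters, digits, spaces and a few punctuation
# marks.  Rejecting anything else is simpler, and harder to get wrong, than a
# "cleaning" routine that tries to strip dangerous characters and can itself
# be bypassed (the glossary's point about validators resisting injection).
NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")


def validate_name(value: str) -> str:
    """Return the value unchanged if it matches the allow-list, else raise."""
    # fullmatch anchors both ends, so no trailing markup can slip past.
    if not NAME_RE.fullmatch(value):
        raise ValueError("display name contains disallowed characters")
    return value


def render_greeting_unsafe(name: str) -> str:
    """The 'before' form: user data is spliced directly into the markup, so any
    tags or attributes inside `name` become part of the page (HTML injection)."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Validation first, then output encoding as a second layer: even if a
    character slipped through the allow-list, html.escape turns '<', '>', '&'
    and quotes into entities that the browser displays rather than interprets."""
    return f"<p>Welcome back, {html.escape(validate_name(name), quote=True)}!</p>"


def injected_tags(fragment: str, trusted_prefix: str = "<p>", trusted_suffix: str = "</p>") -> list:
    """Detection helper: list any tags in the rendered fragment other than the
    template's own <p> wrapper.  Used here to show what each renderer lets in."""
    body = fragment[len(trusted_prefix):-len(trusted_suffix)]
    return re.findall(r"<[^>]+>", body)
```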

Ingress filtering

Selective blocking of traffic on its arrival onto a network, for example to prevent recognized inbound hacking attacks or spam.  Cf. egress filtering.

Insecure

An emotional condition - lacking in self-confidence, nervous and prone to self-doubt.  Cf. unsecure.

Insider

See worker.

Insider threat

Information security threat arising from or relating to workers or their associates, who typically are more trusted, have greater access to protected information assets, and are monitored less assiduously, than outsiders.

Insider trading

Illegally trading a company’s stocks and shares, or manipulating the markets, with the benefit of confidential internal information e.g. a company director or advisor who pre-emptively sells the company’s stock (either in person or through a friend, family member, broker or another intermediary/agent) in anticipation of a corporate announcement or disclosure of an adverse incident or unexpectedly poor performance.

Instance

A single occurrence of something, such as a database system or VM.

Instant Messaging
(IM)

A form of real-time person-to-person communication originally using typed messages like SMS, but gradually expanded to include audio and video modes.  Used for online chatting, such as conversations between customers and technical support functions.  Vulnerable to malware, disclosure of confidential information, social engineering, SPIM and various other information security threats.

Insurance

Risk-sharing financial service whereby insurers guarantee to compensate customers to a specified extent for certain losses caused by ‘insured events’, as defined by reams of small-print, arcane legal interpretations and practices, in return for regular payments (premiums).

Intangible asset

“Identifiable non-financial asset with no physical substance” (ISO 10668).

Integrity

Completeness, authenticity, accuracy and trustworthiness of data, systems, people, organisations etc., protected through controls such as cryptographic hashes, referential integrity, data entry validation, honesty and ethics, plus policies and procedures (e.g. allowing data subjects to check and correct their own personal information).  One of the three core objectives of information security, equally as important as confidentiality and availability (the CIA triad).  “Property of accuracy and completeness” (ISO/IEC 27000).
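Added example, not from the original glossary, illustrating the cryptographic-hash control mentioned above and its limit: a bare SHA-256 digest detects changes to a record only while the attacker cannot also rewrite the stored digest, whereas a keyed HMAC still detects the change when they can.  The record, the key and the two tampering scenarios are constructed for the example; the key is assumed to be held only by the verifying party.

```python
import hashlib
import hmac
import json

# Constructed sample record and key (not from the original page).
RECORD = {"account": "ACC-1001", "balance": 250.00}
KEY = b"example-integrity-key-not-for-production"  # assumed known only to the verifier


def canonical(record):
    """Serialise deterministically so identical data always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record):
    """Unkeyed integrity check: anyone can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record, key=KEY):
    """Keyed integrity check: recomputing it requires the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_digest(record, stored_digest):
    return hmac.compare_digest(digest(record), stored_digest)


def verify_tag(record, stored_tag, key=KEY):
    return hmac.compare_digest(tag(record, key), stored_tag)


def tamper_scenarios():
    """Return, for two tampering scenarios, whether each control detects the change."""
    stored = {"digest": digest(RECORD), "tag": tag(RECORD)}
    altered = dict(RECORD, balance=999999.99)

    # Scenario 1: attacker alters the data but cannot reach the stored checksums.
    data_only = {
        "digest_detects": not verify_digest(altered, stored["digest"]),
        "hmac_detects": not verify_tag(altered, stored["tag"]),
    }

    # Scenario 2: attacker controls the storage and rewrites the checksums too,
    # but does not know KEY, so can only forge the HMAC with a guessed key.
    forged_digest = digest(altered)
    forged_tag = tag(altered, key=b"attacker-guess")
    data_and_checksum = {
        "digest_detects": not verify_digest(altered, forged_digest),
        "hmac_detects": not verify_tag(altered, forged_tag),
    }
    return {"data_only": data_only, "data_and_checksum": data_and_checksum}


if __name__ == "__main__":
    print(tamper_scenarios())
```

The first scenario is the one plain hashes are good at (accidental corruption, or an attacker with write access to the data but not the checksum store); the second is why integrity of data at rest in attacker-reachable storage is usually protected with a MAC or digital signature rather than a hash alone.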

Intellectual asset

Intangible, largely undocumented information assets such as knowledge, experience and mental/conceptual models within workers’ heads, that accompany, support and enable understanding, intellect, intelligence, skills, abilities, creativity, expertise, innovation and so forth.

Intellectual capital

Synonymous with intellectual asset.  ‘Capital’ refers to the inherent commercial value of some knowledge.

Intellectual Property
(IP)

Valuable information that legally belongs to someone and is protected by intellectual property rights.  [Note: the IP in TCP/IP is short for Internet Protocol.]

Intellectual Property Rights
(IPR)

Morally and potentially legally-enforceable rights of the legal owner of intellectual property to determine how the information is used and/or copied or disseminated by others, for example through software licensing/copyright, patent, trademark or contract laws.

Intelligence,
INTEL

Information gathered and exploited by the intelligence community.  Not all intelligence is necessarily confidential since published or open source information, such as that obtained by profiling targets using social media may be just as useful as information obtained from covert sources by spying, hacking and surveillance.

Intelligence community

Spies, analysts, collectors, managers, strategists, cryptographers and cryptanalysts, hackers, language and cultural specialists, politicians, diplomats, couriers etc. collectively engaged in law enforcement, counter-terrorism, national security (defence and offense), cyberwarfare etc.

Intercept

An item or piece of intelligence in its raw (as originally intercepted) or processed (e.g. decrypted) state.  Mostly data but may include metadata.

Interdiction

A physical security threat that compromises electronic products at some point in the supply chains linking their designers and manufacturers to the consumers, for example substituting firmware or inserting tiny surveillance chips on circuit boards.

Interested party

Someone or some organisation that is materially involved with or directly affected by something, rather than merely having a casual interest in it.  “Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity” (ISO/IEC 27000).  See also third party.

Interference

Preventing or degrading reception of a wanted radio signal through RF transmissions, whether intentionally (e.g. jamming) or accidentally (e.g. intermodulation, spurii and static).  See also MIJI.

Interlock

Safety-critical mechanical, electro-mechanical or electronic control device, for example a relay that removes power to the air conditioning fans if the fire system enters an alarm condition upon detecting heat or smoke, in order not to fan the flames (literally!).

Interpretation

An attempt to make sense of, understand or explain information.  “Synthesis of an explanation, within agreed limits, for the factual information about evidence resulting from the set of examinations and analysis making up the investigation” (ISO/IEC 27042).

Internal

Within the organisation’s physical, organisational and/or network boundary.  Cf. external.

Internal context

The situation and circumstances within an organisation, group, system etc.  “Internal environment in which the organisation seeks to achieve its objectives.  Notes: internal context can include: governance, organisational structure, roles and accountabilities; policies, objectives, and the strategies that are in place to achieve them; the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies); information systems, information flows and decision-making processes (both formal and informal); relationships with, and perceptions and values of, internal stakeholders; the organisation’s culture; standards, guidelines and models adopted by the organisation; and form and extent of contractual relationships.” (ISO Guide 73).

Internal controls

The enterprise-wide system of governance and management processes intended to ensure that the organisation achieves its objectives in a controlled and systematic manner (i.e. overcoming risks by design rather than by sheer luck).  Includes elements of direction (e.g. strategies, plans, policies), control (e.g. delegated authorities, divisions of responsibilities, compliance activities), monitoring (e.g. logs, audits, reviews, metrics), incident response and corrective action (e.g. escalation, enforcement).

INTERNAL USE

Class of information that is intended for general use by workers and, if necessary and appropriate, by selected third parties such as clients, suppliers or contractors.

International organisation

“An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries” (GDPR).

[An] internet [lower case i]

Generic network-of-networks, such as (but not necessarily) the Internet as we know it, plus interconnections between private networks in some industries e.g. Interpol.  “Collection of interconnected networks called an internetwork or just an internet” (ISO/IEC 27033-1).

[The] Internet [capital i]

Global public network-of-networks.  The presence of substantial threats, vulnerabilities and impacts associated with the Internet constitute an extraordinarily risky environment in information security terms, yet substantial commercial, social and political benefits make Internet connectivity a no-brainer just so long as the risks are contained and the party continues … See also cyberwar.

Internet Key Exchange Extended Authentication

“Used for providing an additional level of authentication by allowing IPSec gateways to request additional authentication information from remote users.  As a result, users are forced to respond with credentials before being allowed access to the connection” (NZ information Security Manual).

Internet of Things (IoT),
Internet of everything,
pervasive computing,
ubiquitous computing (ubicomp),
ambient intelligence,
ambient media,
everyware,
Insecurity of Things,
Internet of Threats etc.

The rapidly expanding universe of small electronic devices (‘things’), typically used for remote monitoring and control through wireless networks and (often) Internet connections.  Some things communicate directly with each other.  Associated with significant information risks, especially in the case of cheap consumer goods designed to appeal to the naïve mass market in the short term.  At the current early stage of IoT technology, product and market development, information security is unlikely to be duly considered, let alone a priority.  See also Industrial Internet of Things and mesh network.

Interrogatory

Legal process requiring someone to provide sworn written answers to written questions.  A form of discovery.  See also deposition.

In the wild

Malware or other forms of exploit that are ‘at large’, circulating and causing real-world impacts, as opposed to those which have only ever been seen in laboratories or in the fertile imaginations of malware analysts.

Intranet

“Private computer network that uses Internet protocols and network connectivity to securely share part of an organisation's information or operations with its employees” (ISO/IEC 27033-1).

Intruder

Person lacking the requisite authority and permission who gains unauthorized physical access to a controlled area, or logical access to a controlled ICT network, system, device etc.

Intrusion,
penetration

(a) Hacking attack on a network or system originating externally.  Alternatively, an unauthorized access to or infiltration of a physical site/location, for example by an industrial spy, saboteur, burglar or other outsider, or indeed by an insider.  “Unauthorized access to a network or a network-connected system, i.e. deliberate or accidental unauthorized access to an information system, to include malicious activity against an information system, or unauthorized use of resources within an information system” (ISO/IEC 27033-1).  Cf. extrusion.  (b) A form of attack on communications systems involving the injection of modified or fabricated messages to confuse and deceive.  See also MIJI.

Intrusion detection

Process to identify and log the presence of unauthorized visitors or users on a computer system, network node or physical location and (normally) raise an alert or alarm, triggering the appropriate incident response.  A particular form of incident detection.  “Formal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage patterns as well as what, how, and which vulnerability has been exploited so as to include how and when it occurred” (ISO/IEC 27039).

Intrusion Detection System
(IDS)

Electronic (e.g. HIDS or NIDS) or physical controls (e.g. infra-red detectors, microswitches or vibration detectors on doors and windows and pressure pads under access routes) to detect intruders as part of intrusion detection.  IDS typically works either generically by detecting anomalies (such as movement within an office in the dead of night – prone to false positives), or specifically by detecting the signatures or characteristics of known types of attack (such as the distinctive sound of breaking glass – prone to false negatives).  A form of defensive security.  “Technical system that is used to identify that an intrusion has been attempted, is occurring, or has occurred and possibly respond to intrusions in information systems and networks” (ISO/IEC 27039).  “An automated system used to identify an infringement of security policy” (NZ information Security Manual).  See also IPS, SIEM, NTA and UBA.

Intrusion prevention

Process to identify the presence of unauthorized visitors or users, and, where appropriate, automatically take the necessary action to deny them further access (e.g. blocking or diverting suspicious network traffic emanating from presumably compromised systems or networks).  “Formal process of actively responding to prevent intrusions” (ISO/IEC 27033-1).

Intrusion Prevention System
(IPS)

Computer system to automate or support intrusion prevention – the next logical step from IDS.  “Variant on intrusion detection systems that are specifically designed to provide an active response capability” (ISO/IEC 27039).  See also SIEM, UBA and NTA.

Intumescent strip

Special material affixed to gaps around doors that swells in the heat of a fire, thereby sealing the gaps and so limiting both the egress of heat and smoke and the ingress of air.  A physical security control.

Investigation

The act or systematic process of gathering information on and analysing a situation, occurrence or non-occurrence, event or incident.  “Systematic or formal process of inquiring into or researching, and examining facts or materials associated with a matter.  Note: Materials can take the form of hardcopy documents or ES” (ISO/IEC 27050-1).  “Application of examinations, analysis, and interpretation to aid understanding of an incident” (ISO/IEC 27042).

Invulnerable

Literally, not vulnerable.  Paradoxically, the supreme confidence stemming from the belief that one is invulnerable to something itself constitutes a vulnerability to unanticipated modes of attack or compromise, as well as control failures and mistaken risk analysis.  Absolute security is literally unattainable, an oxymoron.

IOA
(Indicator Of Attack)

Incident response term for the characteristic clues indicating that systems are currently in the process of being compromised by hackers or malware e.g. malicious network probes used to enumerate devices, map the network and search for exploitable vulnerabilities.  See also IOC.

IOC
(Indicator Of Compromise)

Incident response term for the characteristic clues indicating that systems have previously been compromised by hackers or malware.  Artefacts such as log entries, executable files, scripts, running processes, network services and ports may provide useful clues about the existence and nature of even covert incidents (e.g. spyware and rootkits).  See also IOA.
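Added example, not from the original glossary, tying together the IDS entry above (signature matching versus anomaly detection, each with its own false-positive/false-negative trade-off) and the IOA/IOC entries: signature matching of known indicators of compromise, and a simple anomaly heuristic for an indicator of attack (one source probing many ports on one host).  The log lines, the indicator lists, the threshold and the key=value log format are all constructed for the illustration; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original page): a connection log
# with one process-execution event mixed in.  Addresses are TEST-NET ranges.
LOG_LINES = """\
2024-03-01T02:14:07Z type=conn src=203.0.113.45 dst=10.0.0.5 dport=22 action=allow
2024-03-01T02:14:08Z type=conn src=203.0.113.45 dst=10.0.0.5 dport=23 action=deny
2024-03-01T02:14:08Z type=conn src=203.0.113.45 dst=10.0.0.5 dport=80 action=allow
2024-03-01T02:14:09Z type=conn src=203.0.113.45 dst=10.0.0.5 dport=443 action=allow
2024-03-01T02:14:09Z type=conn src=203.0.113.45 dst=10.0.0.5 dport=445 action=deny
2024-03-01T02:14:10Z type=conn src=203.0.113.45 dst=10.0.0.5 dport=3389 action=deny
2024-03-01T02:15:00Z type=conn src=192.0.2.10 dst=10.0.0.5 dport=443 action=allow
2024-03-01T02:16:30Z type=conn src=10.0.0.5 dst=198.51.100.23 dport=8443 action=allow
2024-03-01T02:16:31Z type=exec host=10.0.0.5 path=/tmp/.x/svc sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
""".splitlines()

# Constructed indicators of compromise: a known C2 address and a known malware hash.
IOC_IPS = {"198.51.100.23"}
IOC_HASHES = {"0123456789abcdef" * 4}

# Anomaly threshold for the port-scan heuristic: lower catches slower scans
# (more false positives), higher misses them (more false negatives).
SCAN_THRESHOLD = 5

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a log line into its timestamp and key=value fields."""
    ts, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = ts
    return event


def match_iocs(events):
    """Signature-style detection: exact matches against known indicators.
    Misses anything not already on the list (false negatives)."""
    hits = []
    for ev in events:
        if ev.get("type") == "conn" and ev.get("dst") in IOC_IPS:
            hits.append(("ioc_c2_connection", ev["src"], ev["dst"]))
        if ev.get("type") == "exec" and ev.get("sha256") in IOC_HASHES:
            hits.append(("ioc_malware_hash", ev["host"], ev["path"]))
    return hits


def detect_scans(events, threshold=SCAN_THRESHOLD):
    """Anomaly-style detection of an indicator of attack: one source touching
    many distinct ports on one destination, allowed or denied."""
    ports = defaultdict(set)
    for ev in events:
        if ev.get("type") == "conn":
            ports[(ev["src"], ev["dst"])].add(ev["dport"])
    return [(src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= threshold]


def analyse(lines=LOG_LINES):
    """Run both detectors over the log and return their findings."""
    events = [parse(line) for line in lines]
    return {"ioc": match_iocs(events), "ioa": detect_scans(events)}


if __name__ == "__main__":
    for kind, findings in analyse().items():
        for f in findings:
            print(kind, *f)
```

On the sample log the anomaly detector flags 203.0.113.45 probing six ports on 10.0.0.5 (an IOA: compromise in progress, or reconnaissance for one), while the signature detector flags the later outbound connection to the listed C2 address and the execution of the listed hash (IOCs: evidence that 10.0.0.5 has already been compromised).  Neither detector sees the other's finding, which is why operational detection combines both approaches.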

IP camera,
network camera

Digital CCTV camera thing that transmits streaming video across a TCP/IP network (usually) rather than through a dedicated point-to-point connection.  Networked video traffic may be routed to local and/or remote monitoring stations.  Unencrypted data and metadata may be viewed and modified by hackers and snoops, while network capacity constraints, DOS attacks, hacks and physical damage to the cabling or equipment may interrupt or compromise the service (e.g. replaying previously recorded footage in place of the real time video stream to conceal an intrusion in progress).

IPA
(Investigatory Powers Act), “Snoopers’ Charter”

A 2016 UK law that gave spooks, the police, HM Revenue & Customs and other authorities powerful rights to gather evidence (including both data and metadata) of serious crime through surveillance.  The right to intercept communications sent by or to individuals overseas, in bulk (mass surveillance), raised substantial concerns over civil liberties and privacy, leading to the Data Retention and Acquisition Regulations 2018 which aligned the Act with European laws.

IPR

See Intellectual Property Rights.

IPsec

(Internet Protocol Security)

“A suite of protocols for secure IP communications through authentication or encryption of IP packets as well as including protocols for cryptographic key establishment” (NZ information Security Manual).

IP telephony

Commonly known as VOIP (Voice Over IP).  “The transport of telephone calls over IP networks” (NZ information Security Manual).

IrDA
(Infrared Data Association)

Trade body that defined a short-range (literally line-of-sight) data communications standard using infrared light.  Largely superseded by Bluetooth and other RF network technologies.

ISAKMP aggressive mode

“An IPSec protocol that uses half the exchanges of main mode to establish an IPSec connection” (NZ information Security Manual).

ISAKMP main mode

“An IPSec protocol that offers optimal security using six packets to establish an IPSec connection” (NZ information Security Manual).

ISAKMP quick mode

“An IPSec protocol that is used for refreshing security association information” (NZ information Security Manual).

ISF
(Information Security Forum)

Professional body that conducts original research and develops information security standards, guidelines, methods, tools and services (such as security benchmarking) for its corporate members.  Its conferences are highly regarded and free for members.

ISIRT (Information Security Incident Response Team)

One or more information security experts who deal with information security incidents.

ISM
(Information Security Manager)

Manager of the Information Security Management function.  Typically reports to a CISO.

ISMS
(Information Security Management System)

The management system comprising governance, policies, procedures etc. through which information security operations are directed and information risks are treated.  “The policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets … a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives … based upon a risk assessment and the organisation’s risk acceptance levels designed to effectively treat and manage risks … analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS …” (ISO/IEC 27000).  Note: although ISMS itself is not defined in the glossary section of ISO/IEC 27000, both information security and management system are separately defined, the abbreviation ISMS is expanded in section 0.1 “Overview” and an ISMS is described in section 3.2 “What is an ISMS?”.

ISMS project

“Structured activities undertaken by an organisation to implement an ISMS” (ISO/IEC 27000).

ISO 22301:2012

International standard formally specifying a Business Continuity Management System against which organisations may be certified compliant.  Accompanied by ISO 22313.  Replaced British Standard BS 25999-2.

ISO 22313:2012

International standard accompanies and expands on ISO 22301, providing additional guidance on the practice of business continuity management.  Replaced British Standard BS 25999-1.

ISO/IEC 27000 standards,
(ISO27k)

A set of international ISMS standards produced by a committee of experts representing their national standards bodies through ISO/IEC Joint Technical Committee 1, Sub-Committee 27 (JTC1 SC 27).

ISO/IEC 27000:2018

International standard “Information security management systems — overview and vocabulary”.  Introduces ISO27k plus a glossary of information security terms used in the standards.  Free download from the ITTF website.  See also Guide 73 and SD6.

ISO/IEC 27001:2013

International standard “Information Security Management Systems - Requirements”.  Formal management system specification standard against which organisations may opt to have their ISMS certified compliant by accredited certification bodies.  Evolved from BS 7799 part 2.  Currently being revised.

ISO/IEC 27002:2013

International standard “Code of Practice for Information Security Controls”, derived from BS 7799 Part 1 and initially known as ISO/IEC 17799 when first released by ISO/IEC.  Describes a fairly comprehensive set of information security control objectives and controls generally accepted as good practice.  Currently in the process of being extensively revised and updated – rewritten in fact.

ISO/IEC 27003:2017

International standard “Information security management system - Guidance” providing guidance to those implementing the ISO27k standards.

ISO/IEC 27004:2016

International standard “Information security management — Monitoring, measurement, analysis and evaluation” describing how to design a metrics system for measuring and hence systematically improving the ISMS.  Second edition.

ISO/IEC 27005:2018

International standard on “Information security risk management”.  Describes risk analysis, risk assessment and other risk management practices in general terms, advising organisations to choose methods that suit their purposes.  Major revision in progress.

ISO/IEC 27006:2015

International standard “Requirements for bodies providing audit and certification of information security management systems”.  Guides accredited certification bodies on the formal processes for certifying other organisations’ ISMSs.  New version imminent.

ISO/IEC TS 27006-2

Draft Technical Specification/standard “Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001” will be used to accredit certification bodies offering PIMS certificates.

ISO/IEC 27007:2020

International standard “Guidelines for information security management systems auditing”.  Covers audits of the management system aspects specified by ISO/IEC 27001.

ISO/IEC TS 27008:2019

International standard (actually a “technical specification”) “Guidelines for the assessment of information security controls”.  Guide for IT audits against ISO/IEC 27002.

ISO/IEC 27009:2020

International standard “Sector-specific application of ISO/IEC 27001 – Requirements”.  In effect, an internal guide for ISO/IEC JTC 1 SC27 on how to write ISO27k standards for particular industries.

ISO/IEC 27010:2015

International standard “Information security management for inter-sector and inter-organisational communications” offering guidance on sharing information about information security risks, controls, events/issues and/or incidents that span the boundaries between organisations, industry sectors and/or nations, particularly those affecting critical national infrastructure or involving serious organised crime, terrorism, money laundering, drug trafficking etc.

ISO/IEC 27011:2016,
X.1051

International standard “Information security management guidelines for telecommunications organisations based on ISO/IEC 27002”, giving implementation advice tailored to the telecoms industry.  The identical standard was published by ISO/IEC as ISO/IEC 27011 and by the ITU-T as X.1051.

ISO/IEC 27013:2015

International standard “Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1”, concerning the joint implementation of management systems for both information security and IT services.

ISO/IEC 27014:2020

International standard “Governance of information security” concerns <ahem> governance of information security.

ISO/IEC TR 27016:2014

International standard (Technical Report) “Information security management - organisational economics” concerns the application of economic theory to information security.

ISO/IEC 27017:2015,
X.1631

International standard “Code of practice for information security controls based on ISO/IEC 27002 for cloud services”, offering information security advice to the providers and acquirers of cloud computing services. The identical standard was published by ISO/IEC as ISO/IEC 27017 and by the ITU-T as X.1631.

ISO/IEC 27018:2019

International standard “Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors” concerns cloud computing privacy.

ISO/IEC 27019:2017

International standard “Information security controls for the energy utility industry” is more widely applicable than its title suggests in covering information security for ICS/SCADA, but it explicitly excludes nuclear power.  It should be read and applied in conjunction with ISO/IEC 27002 and other ISO27k standards.

ISO/IEC 27021:2017

International standard “Competence requirements for information security management professionals”.  Essentially comprises a standardized syllabus for ISO27k training courses.

ISO/IEC 27022

Draft international standard “Guidance on information security management system processes” will describe an ISMS as a suite of processes.

ISO/IEC 27031:2011

International standard “Guidelines for information and communications technology readiness for business continuity” covering the ICT aspects of business continuity and disaster recovery management.

ISO/IEC 27032:2012

International standard “Guidelines for cybersecurity”.  A confusing information security standard with an unclear scope and obscure purpose.  ‘A racehorse designed by committee …’

ISO/IEC 27033-1:2015

International standard “Network security overview and concepts”.  The first of a multi-part network security standard, gives a general introduction to the remaining parts.

ISO/IEC 27033-2:2012

International standard “Guidelines for the design and implementation of network security” offers generic guidance on network security architectural design and implementation.

ISO/IEC 27033-3:2010

International standard “Reference networking scenarios -- threats, design techniques and control issues” provides worked examples demonstrating how the ISO/IEC 27033 standards are intended to be interpreted and applied to address a range of network security threats.

ISO/IEC 27033-4:2014

International standard “Securing communications between networks using security gateways” is about firewalls.

ISO/IEC 27033-5:2013

International standard “Securing communications across networks using Virtual Private Networks (VPNs)” concerns, yes, VPNs.

ISO/IEC 27033-6:2016

International standard “Securing wireless IP network access”.  Primarily addresses information security for Wi-Fi and 3G cellular networks.

ISO/IEC 27033-7

Draft international standard “Guidelines for network virtualization security” will offer guidance on securing virtual networks.

ISO/IEC 27034-1:2011

International standard “Application security - overview and concepts”.  Introduces a multi-part standard concerning the information security aspects of application software.  A technical corrigendum, published in 2014, made minor corrections.

ISO/IEC 27034-2:2015

International standard “Application security - organisational normative framework”.  Explains the structure and relationships between policies, procedures, rôles, tools and techniques relating to application security.

ISO/IEC 27034-3:2018

International standard “Application security management process”.  Describes the overall process for managing application security.

ISO/IEC 27034-4

Draft international standard “Application security validation” will describe how application systems can be validated and certified compliant with their defined information security requirements.

ISO/IEC 27034-5:2017
ISO/IEC 27034-5-1:2018

International standard “Protocols and application security control data structure”.  Organisations can define a library of security controls for use by multiple applications, and potentially share them with other organisations.  The XML schemas were published separately.

ISO/IEC 27034-6:2016

International standard “Application security – case studies” provides examples illustrating the use of application security controls during software development.

ISO/IEC 27034-7:2018

International standard “Application security assurance prediction framework”.  Establishes a framework allowing programs to trust each other under defined conditions.

ISO/IEC 27035-1:2016

International standard “Information security incident management – Part 1: Principles of incident management”. The concepts and principles underlying incident management.

ISO/IEC 27035-2:2016

International standard “Information security incident management – Part 2: Guidelines to plan and prepare for incident response”.  Concerns assurance that the organisation is in fact ready to respond appropriately to information security incidents that may occur.

ISO/IEC 27035-3

Draft international standard “Information security incident management – Part 3: Guidelines for ICT incident response operations” will concern the organisation and processes necessary for the information security function to prepare for and respond to active, deliberate attacks against ICT systems and networks.

ISO/IEC 27035-4

Draft international standard “Information security incident management – Part 4: coordination” will concern the need to coordinate information security incident responses among multiple organisations affected or otherwise involved.

ISO/IEC 27036-1:2014

International standard “Information security for supplier relationships — Part 1: Overview and concepts” introduces the ISO/IEC 27036 standards.  This part can be downloaded for free from the ITTF site.

ISO/IEC 27036-2:2014

International standard “Information security for supplier relationships — Part 2: Requirements” specifies fundamental information security requirements pertaining to business relationships to help both suppliers and acquirers of various products (goods and services) understand and treat the associated information risks.  Despite ‘requirements’ in the title, this is not a certifiable standard.

ISO/IEC 27036-3:2013

International standard “Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security” guides both suppliers and buyers of ICT products, specifically, on the management of supply chain information risks such as malware and counterfeit products, and the integration of risk management into system/software lifecycle processes.

ISO/IEC 27036-4:2016

International standard “Information security for supplier relationships — Part 4: Guidelines for security of cloud services”.  Addresses specified information risks associated with the use of cloud services, for cloud service providers and consumers.

ISO/IEC 27037:2012

International standard “Guidelines for identification, collection, acquisition, and preservation of digital evidence”, covering the early stages of digital forensics work.

ISO/IEC 27038:2014

International standard “Specification for digital redaction” covers some of the information risks relating to the redaction of sensitive content from documents that have to be disclosed for some reason (such as under the Freedom of Information Act or a court order).

ISO/IEC 27039:2015

International standard “Selection, deployment and operation of intrusion detection and prevention systems (IDPS)”.  Does what it says on the tin.

ISO/IEC 27040:2015

International standard “Storage security” concerns the IT security aspects of data storage.

ISO/IEC 27041:2015

International standard “Guidance on assuring suitability and adequacy of incident investigative methods” is another digital forensics standard.

ISO/IEC 27042:2015

International standard “Guidelines for the analysis and interpretation of digital evidence” is another digital forensics standard.

ISO/IEC 27043:2015

International standard “Incident investigation principles and processes” is yet another digital forensics standard.

ISO/IEC 27045

Draft international standard “Big data security and privacy  — Processes” aims to improve organisations’ capabilities for security and privacy around big data, whatever that means (currently it is undefined and ill-described).

ISO/IEC 27046

Draft international standard “Big data security and privacy — Implementation guidelines” will advise how to go about implementing the processes described in ISO/IEC 27045.

ISO/IEC 27050-1:2019

International standard  “Electronic discovery — Part 1: Overview and concepts” sets the scene for the other electronic discovery and digital forensics standards in ISO27k.

ISO/IEC 27050-2:2018

International standard  “Electronic discovery — Part 2: Guidance for governance and management of electronic discovery”.  Guidance on identifying and treating the information risks associated with the eDiscovery and forensics processes.

ISO/IEC 27050-3:2020

International standard  “Electronic discovery — Part 3: Code of practice for electronic discovery”.  A basic, generic, how-to-do-it guide to eDiscovery.

ISO/IEC 27050-4

Draft international standard “Electronic discovery — Part 4: ICT readiness for electronic discovery” will offer guidance on the technology/tools and systems supporting eDiscovery and forensics.

ISO/IEC 27070

Draft international standard “Security requirements for virtualized roots of trust” will concern the provision of critically important cryptographic functions from the cloud rather than a physically secure Hardware Security Module.

ISO/IEC 27071

Draft international standard “Security recommendations for establishing trusted connection between device and service” will concern mutual authentication between devices and services using Public Key Infrastructure and Hardware Security Modules.

ISO/IEC 27099

Draft international standard “Public key infrastructure – Practices and policy framework” will concern information security management requirements for PKI Trust Service Providers (essentially, Certification Authorities) through one or more Certificate Policies, Certificate Practice Statements and (if applicable) ISMSs, according to the information risks.

ISO/IEC TS 27100:2021

Technical Specification/standard “Cybersecurity — Overview and Concepts” attempts (unsatisfactorily!) to distinguish cybersecurity from information security.

ISO/IEC 27102:2019

International standard  “Guidelines for cyber-insurance”.  A useful guide to what cyberinsurance is and how it works.

ISO/IEC TR 27103:2018

Technical Report/standard on “Cybersecurity and ISO and IEC standards”.  Background on the concepts and practices involved in proactively managing cyber risks using ISO27k.

ISO/IEC TS 27110:2021

Technical Specification/standard “Cybersecurity framework development guidelines” offers guidance to organisations developing cybersecurity frameworks.  See also ISO/IEC 27103.

ISO/IEC 27400

Draft international standard “Cybersecurity — IoT security and privacy — Guidelines” will offer guidance on the principles, information and privacy risks, and the controls applicable to IoT.

ISO/IEC 27402

Draft international standard “Cybersecurity — IoT security and privacy — Device baseline requirements” will describe basic security and privacy controls for IoT things.

ISO/IEC TR 27550:2019

Technical Report/standard “Privacy engineering” offers guidance to organisations on engineering privacy into their IT systems and business processes.

ISO/IEC 27551

Draft international standard “Requirements for attribute-based unlinkable entity authentication” will specify how to authenticate people anonymously without compromising their privacy using ABUEA.

ISO/IEC 27553

Draft international standard “Security requirements for authentication using biometrics on mobile devices” will do what it says on the tin.

ISO/IEC 27554

Draft international standard “Application of ISO 31000 for assessment of identity management-related risk” will advise on using the ISO 31000 approach to risk management for identity management.

ISO/IEC 27555

Draft international standard “Establishing a PII deletion concept in organisations” will be about how to delete personal information to a sufficient level of assurance.

ISO/IEC 27556

Draft international standard “User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences” will lay out an architecture to handle personal information in a controlled manner in accordance with privacy-by-design and other requirements.

ISO/IEC 27557

Draft international standard “Organisational privacy risk management” will guide organisations on managing privacy risks as an integral part of the organisation’s overall risk management.

ISO/IEC 27559

Draft international standard “Privacy-enhancing data de-identification framework” will provide a framework for mitigating the privacy risks associated with anonymisation of personal information.

ISO/IEC 27560

Draft international standard “Consent record information structure” will specify a standardised way to record data subjects' consent to data processing.

ISO/IEC TS 27570:2021

Technical Specification/standard “Privacy guidelines for smart cities” addresses privacy concerns arising from smart cities, showing remarkable foresight.

ISO/IEC 27701:2019

International standard “Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy information management — Requirements and guidelines” formally specifies a Privacy Information Management System that builds on an ISO27k ISMS to cater for privacy.  See also ISO/IEC TS 27006-2.

ISO 27799:2016

International standard “Information security management in health using ISO/IEC 27002” advises on the implementation of ISO/IEC 27002 in the healthcare industry.

ISO 31000:2018

International standard on “Risk management – Guidelines” explains the principles underlying a framework and process for managing all manner of risks, not just information risks.

ISO/IEC Guide 73:2009

ISO/IEC guideline “Risk management – Vocabulary – Guidelines for use in standards”.  Although originally intended for internal use by the committees developing various ISO/IEC standards, it became a de facto set of definitions relating to risk (see also ISO/IEC 27000 and SD6).

ISO/IEC JTC1/SC27 Standing Document 6 (SD6)

ISO/IEC working document “Glossary of IT Security Terminology” is a detailed glossary of information security terms used by SC27, the committee developing ISO27k and other information security standards.  Available free through the DIN website.  See also ISO/IEC 27000 and Guide 73.

Isolation

“May include disconnection from other systems and any external connections.  In some cases system isolation may not be possible for architectural or operational reasons” (NZ information Security Manual).

IT security,
ICT security,
data security,
technology security

Strictly speaking, that part of information security concerned with protecting information stored, processed and communicated as data by computer systems and networks.  Often in practice vaguely interpreted to mean any/all of information security.  See also cybersecurity.

IV
(Initialisation Vector)

“A vector used in defining the starting point of an encryption process within a cryptographic algorithm” (FIPS 140-2).

IV&V
(Independent Verification
and
Validation)

“A comprehensive review, analysis, and testing (software and/or hardware) performed by an objective third party to confirm (i.e., verify) that the requirements are correctly defined, and to confirm (i.e., validate) that the system correctly implements the required functionality and security requirements.” (CNSSI-4009).

Jackpotting

Attack on a bank Automated Teller Machine that causes it to spew out cash like hitting the jackpot on a Las Vegas fruit machine.  Various techniques are used, mostly by overcoming the physical security controls to manipulate the cash dispenser mechanism directly and/or to compromise its control circuits and software.

Jail

See sandbox.

Jailbroken,
jailbreak

Operating system security functions intended to restrict apps to a ‘jail’ or sandbox in order to limit privileged access to many ICT devices, primarily for information security or commercial reasons (e.g. to prevent the installation of apps not authorized and sold through the official app store).  Can be (partially) overridden by users, hackers, spyware or other malware.

Jamming

Using a transmitter or RF noise source to block the reception of radio signals, for example interfering with and so preventing legitimate use of a wireless network, GPS, radar, cellphone, wireless CCTV camera or a security guard’s walkie-talkie.  “An attack in which a device is used to emit electromagnetic energy on a wireless network’s frequency to make it unusable” (NIST SP 800-48).  See also MIJI.

Jerusalem,
Black Box

One of the earliest computer viruses, first discovered in Jerusalem in 1987.  This DOS virus repeatedly inserted itself into programs when they were executed but since it was only ~1800 bytes, the infection often remained unnoticed unless it broke those programs or, on Friday 13th, it displayed a black box while deleting files.

Jigsaw

One of several species of ransomware in the wild that surreptitiously encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

John the Ripper,
“John”

Hacking/penetration testing tool used to perform brute-force attacks against hashed passwords.

Journal, journaling

Database security/control method in which steps leading up to a commit point are saved temporarily (cached) until the commit successfully completes, enabling the sequence to be reversed or reapplied if interrupted by an incident, for instance a power, system or network failure, bug or data collision (simultaneous attempted changes to the same data item).

JTAC
(Joint Terrorism Analysis Centre)

UK intelligence unit responsible for coordinating activities and sharing information pertaining to terrorism.  Based within MI5 but collaborates with GCHQ, SIS and other British and foreign intelligence agencies.

Jurisdiction

Physical or logical domain within which a person, court or other body has the (legal) authority to act.

KAISER

See KPTI.

Kali Linux,
BackTrack

A Debian-based Linux distribution popular with penetration testers, digital forensics and network security analysts, hackers and the like.  Includes numerous tools such as Metasploit, nmap, Wireshark and Aircrack-ng.  Previously called BackTrack.

KASLR
(Kernel Address Space
Layout Randomisation)

Security control that randomizes the addresses of privileged operating system kernel functions, making it harder for malware and hackers to call or manipulate them.  See also ASLR and KPTI.

Kedi

A species of RAT malware, in the wild in 2017.  Exploits vulnerabilities in the Citrix remote access system.

Keep

Strong, well-protected building of last resort within the castle in which the owners lived and secured their most valuable assets, not least themselves.  The Mediaeval equivalent of a panic or safe room, without Jodie Foster.

Kerberos

Cryptographic identification and authentication protocol or architecture developed by MIT.  “A means of verifying the identities of principals on an open network. It accomplishes this without relying on the authentication, trustworthiness, or physical security of hosts while assuming all packets can be read, modified and inserted at will. It uses a trust broker model and symmetric cryptography to provide authentication and authorization of users and systems on the network.” (NIST SP 800-95).

Kerckhoffs' principle

“The design of a system should not require secrecy and compromise of the system should not inconvenience the correspondents”, in other words it should be irrelevant whether a cryptographic algorithm or cryptosystem (as distinct from the key) is disclosed or published.  Sometimes confused with Shannon's Maxim (“the enemy knows the system”).  In fact, competent professional scrutiny of a cryptosystem (which implies its disclosure) is an important assurance measure since “Anyone can invent a security system that he himself cannot break” (Schneier’s law).

Kernel

The sweet core protected by the hard outer shell of a nut.  Operating system kernels handle critical functions, including many low-level privileged security functions such as mediating access to memory pages, storage and peripheral devices, plus security logging and alerting.  If the kernel protection is compromised (e.g. by malware or hackers), system security is largely if not totally negated.

Key,
cryptovariable

(a) The value used to transform data in a cryptographic operation by controlling the algorithm in a particular manner, for example to decrypt a message previously encrypted with the same key in a symmetric cryptosystem.  ‘Cryptovariable’ may be the correct technical term but almost nobody except über-crypto-geeks uses it: ‘key’ is so much simpler and more widely understood.  (b) In physical security, the mechanical device or electronic code that unlocks a mechanical or electromechanical lock.  (c) In ICT, any one of the switch pads on a keyboard used to type a character into a device.

Key escrow

Secure safekeeping of cryptographic keys by an escrow agent in case there is a legitimate need to decrypt encrypted material later despite, for example, the keys being lost or corrupted, or the holder forgetting or refusing to disclose them.  If the escrow agent is untrustworthy, incompetent or careless, or is subject to extreme coercion (e.g. by the government or terrorists), there is obviously a risk of key disclosure or loss.

Key exchange

Process for passing cryptographic keys between two parties, for example prior to establishing an encrypted HTTPS connection.  “Process of exchanging public keys (and other information) in order to establish secure communications” (CNSSI-4009).

Key loader,
key injector

Physically secure, tamper-resistant key management hardware device used to transport and install cryptographic keys to cryptosystems in the field.  “A self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or a component of a key that can be transferred, upon request, into a cryptographic module” (CNSSI-4009).

Keylogger

Malware that covertly records the user’s keystrokes.  Hardware keyloggers may be devices inserted into the keyboard cable or connector where they may appear to be ferrite RF interference suppressors, or fitted within the keyboard, PC or wireless keyboard receiver.  Software keyloggers are typically Trojans.

Key management

(a) Processes and often associated computers/hardware, data communications systems etc. for securely distributing cryptographic keys to authorized users, and handling activities such as revocation and replacement of lapsed or compromised keys, key escrow etc.  “The use and management of cryptographic keys and associated hardware and software.  It includes their generation, registration, distribution, installation, usage, protection, storage, access, recovery and destruction” (NZ information Security Manual).

(b) The processes for handling and controlling the fabrication, circulation/distribution, protected storage and use of physical keys, especially master keys.

Key management plan

“A plan that describes how cryptographic services are securely deployed within an agency.  It documents critical key management controls to protect keys and associated material during their life cycle, along with other controls to provide confidentiality, integrity and availability of keys” (NZ information Security Manual).

Key pin

Inside most physical locks, a series of variable-length key pins are displaced by the cut edge of the key when it is inserted into the keyway, pressing the driver pins up into the hull against their springs.  Provided the correctly-shaped key is inserted, the junctions between the key pins and driver pins align along a shear line, allowing the plug to be rotated to open or close the lock.

Key space

Essentially, the maximum total number of possible key values.  Strong modern cryptosystems have such large key spaces that brute force attacks are very unlikely to succeed using currently available technology (they are ‘computationally infeasible’). 

Keyway

The slot in a cylinder lock into which the key can be inserted.  In addition to its overall dimensions, wards in the keyway prevent the insertion of grossly mis-fitting keys (e.g. from other manufacturers) and thick/crude lock picks or screwdrivers, levers or wrenches that might otherwise be used to force the lock open.

[Cyber] Kill chain

Pretentious military-derived term for the sequence of an attack from reconnaissance and identification of targets through to exploitation and escape, a concept now applied in the cybersecurity context to hacks and malware infections etc.

Kimsuky

Hacker group believed to be sponsored by the North Korean government, targeting governmental/military information concerning the Korean peninsula using social engineering (principally spear phishing), APT and BabyShark malware.

Kismet

Wireless network analysis tool/NIDS, used for both defensive and offensive purposes (a dual-use technology).

Knowledge

Something ‘known’ i.e. an intangible form of information that has meaning and value.  See also intellectual asset.  “Facts, information, truths, principles or understanding acquired through experience or education.  Note: An example of knowledge is the ability to describe the various parts of an information assurance standard” (ISO/IEC 17027).

Known plaintext

Cryptanalysts often stand a better chance of breaking a cryptosystem if they can examine both the cyphertext and the corresponding plaintext.  See also crib.

Kompromat

Sensitive and potentially compromising information on an individual, the threatened disclosure of which is used to blackmail them.  The Russian-style word reflects the popularity of this technique with the Russian intelligence services … but it is in fact a commonplace technique globally, not even limited to the intelligence world.

Kovter

Malware family in the wild in 2019.  Originally it was scareware, then click fraud code injection malware, then fileless malware.

KPTI
(Kernel Page Table Isolation), KAISER

Low-level operating system or CPU firmware microcode security technique to keep kernel memory entirely separate from user processes, rather than (for performance reasons) sharing the same memory areas (which increases the possibility of malicious exploitation such as Meltdown).

Krack
(Key Re-installation Attack)

A family of exploits against flawed cryptographic protocols and implementations in which encrypted nonces are captured during the key exchange and replayed to generate valid session keys.  A proof-of-concept demonstration allows wireless hackers to eavesdrop on supposedly secure WPA2-encrypted Wi-Fi connections as if they were open/unencrypted connections, and perhaps to modify or inject malicious packets.  Other key exchanges may be similarly vulnerable to replay attacks.

Krotten

One of the earliest species of data-encrypting ransomware, in the wild in 2006.

Laboratory, lab

Purpose-built facility in which research is performed, typically by conducting scientific experiments under controlled conditions.  “Organisation with a management system providing evaluation and or testing work in accordance with a defined set of policies and procedures and utilizing a defined methodology for testing or evaluating the security functionality of IT products.  Note 1 to entry: These organisations are often given alternative names by various approval authorities. For example, IT Security Evaluation Facility (ITSEF), Common Criteria Testing Laboratory (CCTL), Commercial Evaluation Facility (CLEF)” (ISO/IEC 19896-1:2018).

Launch pad

See foothold.

Lazarus

A North Korean hacker group, allegedly responsible for the Sony hack, WannaCry ransomware incident and an audacious and partially-successful cyberheist on the Bangladesh central bank.

Leakware,
DoXware, doxware

Uncommon form of ransomware that threatens to disclose the victim’s confidential information as a means of extortion.

Least privilege

Information security principle involving restricting the privileges or rights assigned to an individual person, function or system, consistent with their authorized and intended purpose.  “The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function” (CNSSI-4009).

Least trust

“The principle that a security architecture should be designed in a way that minimizes 1) the number of components that require trust, and 2) the extent to which each component is trusted” (CNSSI-4009).

Leet,
1337

Adolescent hacker slang like pig-Latin, in which letters or syllables are replaced by phonetically or visually similar letters, numbers or punctuation characters.  Effectively a low-integrity substitution coding algorithm.  “Leet” (normally written as “1337”) is a contraction and deliberate misspelling of “elite”, referring to the inflated egos and arrogance of hackers who perceive themselves as higher life forms with a deep understanding of complex technologies that are way beyond most mere mortals.  See also pwn, n00b, warez and pr0n.

LEF
(Loss Event Frequency)

One of the risk parameters in the FAIR method, LEF is an estimate of the probability of harmful incidents.  See also CS, PLM, TCap and TEF.

Legacy stash

Arrangement to disclose one’s passwords, PIN codes, financial and other important information to one’s survivors or executors of one’s will in the event of one’s death.

Legal hold, hold,
hold order, hold notice,
preservation order,
suspension order,
freeze notice

Court order prohibiting further processing/use, modification or destruction of information.  “Process of suspending the normal disposition or processing of records and Electronically Stored Information as a result of current or anticipated litigation, audit, government investigation or other such matters” (ISO/IEC 27050-1).

Legal retention period

“Time period within which the data objects of a cluster of PII are available in the PII controller’s organisation as required by legal provisions” (ISO/IEC 27555 draft).

Legion of Doom

A hacker group, named after a cartoon series, that achieved notoriety in the 1980s.  Members socialized and planned activities through an invitation-only bulletin board system.

Legitimate

Right and proper, appropriate, authorised, sanctioned, legal etc.  Cf. illegitimate.

Level of risk

Measure of the relative importance of a risk.  “Magnitude of a risk expressed in terms of the combination of consequences and their likelihood” (ISO Guide 73).

Lewin change model

Psychologist Kurt Lewin developed a theoretical 3-stage model of change, i.e. unfreeze (thaw), change, then (re-)freeze.  This simplistic approach remains widely used today, for example when a ‘change freeze’ is imposed on IT systems during critical periods.

LFI

See Local File Inclusion.

Libel, libellous

Defaming or falsely accusing someone of something in a written or otherwise permanently recorded form such as a published article, web page, letter, email, IM or SMS message.  Cf. slander.

License

Permission optionally granted by the legal owner of copyright materials (including software, data and other information assets), patented inventions or trademarks for someone to copy, use and exploit them within certain constraints, often on payment of a royalty.  A type of permit.

Licensee

Person or organisation granted certain permissions to copy, use or exploit intellectual property by the licensor through a license, agreement or contract.

Licensor

Owner of intellectual property that grants one or more licensees certain permissions to copy, use or exploit their intellectual property through licenses, agreements or contracts.

Life cycle, lifecycle, life-cycle

A chronological sequence of events from start to finish, ‘cradle to grave’ as it were.  “Mutual acknowledgement of terms and conditions under which a working relationship is conducted” (ISO/IEC 27036-1).

Lightning

Electrical storms and strikes can cause electrical surges, spikes, blackouts, fires etc., damaging sensitive electronics due to the powerful discharge of static electricity and occasionally wiping magnetic storage media due to the intense magnetic fields.

Likejacking

Hack that substitutes malware in place of legitimate JavaScript or other code that runs in the browser when someone clicks a ‘like’ button on social media.

Likelihood

Probability, possibility, chance or potential.  “Chance of something happening” (ISO Guide 73).

Limited higher access

“The process of a system user accessing a system that they do not hold appropriate security clearances for, for a limited non-ongoing period of time” (NZ information Security Manual).

Live CD

Bootable disk image on CD-ROM, DVD, USB memory stick or other storage medium, containing an operating system and other software such as forensics tools.  Used to exploit the network and other resources on a computer system without leaving traces on the system’s hard drives, or for forensic analysis, hardware hacking or data recovery purposes.

Live drop

Covert arrangement for a spy to meet his/her collector in person in order to exchange assets such as information and cash.  See also dead drop.

Live forensics

Forensic analysis on a running computer system, typically to capture volatile evidence that would be lost if the system was shut down.

Load-shedding

Fail-soft resilience arrangement whereby a heavily-loaded and highly-stressed system (such as a firewall) selectively sheds or de-prioritizes relatively unessential activities, services, functions or capabilities as it approaches its capacity and performance limits in order to continue providing more essential or higher-priority ones for as long as possible.  De-prioritizing security relative to business functions can have serious consequences if the loading/stressing can be caused deliberately, or simply exploited serendipitously, by hackers.

Local File Inclusion
(LFI)

A popular type of app hack that exploits the capability to ‘include’ (call and execute) files on the server, similar to subroutines.  If an app’s file inclusion function does not properly validate and sanitize user input, hackers may call known vulnerable scripts or files containing sensitive information, then exploit them.  See also Remote File Inclusion and SQL injection.

Local Security Committee
(LSC)

Committee responsible for directing and coordinating physical and information security within an individual business unit, site or location.

Lock

(a) Physical security device typically requiring the correct physical key, access card or combination (PIN code) to open a locked door, safe etc.  (b) Database integrity control which temporarily grants exclusive access to one computer process or user, preventing potentially conflicting data changes being made simultaneously on the same records or data items by others.

Lockable commercial cabinet

“A cabinet that is commercially available, of robust construction and is fitted with a commercial lock” (NZ information Security Manual).

LockerGoga

One of several nasty species of ransomware in the wild in 2019 that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Caused serious incidents at several industrial firms.

Locky

One of several nasty species of ransomware in the wild in 2016 that surreptitiously and strongly encrypted victims’ data, coercing them into paying a ransom for the decryption keys.  Dozens of Locky variants were in circulation.

Lockpick,
lock pick

The person attempting, or the tool often used, to open a physical lock without the correct key, often without access authority and permission to enter unless the owner has simply lost their key.

Log

[Noun] An historical record of events, errors, alarms, conditions, activities, transactions, changes, visitors etc., recorded in a (preferably well-controlled, tamper-resistant) data file, book, database etc. for subsequent review and analysis (for accounting or security reasons).  [Verb] To record information that is - or might turn out to be - significant.  See also security log and audit trail.

Logging facility

“A facility that includes the software component which generates the event and associated details, the transmission (if necessary) of these logs and how they are stored” (NZ information Security Manual).

Logic bomb

Form of malware designed to lie dormant but self-activate at some point e.g. at a certain time (i.e. a time bomb), when a certain user logs on, or when a particular event or combination of events occurs on the system (e.g. the programmer is removed from the payroll), leading to some malicious action (e.g. shut down the system, modify or delete data, disable security controls, make a fraudulent payment to the programmer’s Swiss bank account).  A form of cybertage.  See also wiper.

Logical access control

Automated information security control protecting electronic information assets (data/software, directories, disks, tapes etc.) against access by unauthorized users, programs or systems.

Logical security

Computerized/automated security controls, as opposed to physical, manual or other types.

Logoff,
logout

The process of someone signing off, normally by pressing keys or clicking buttons to end an active session on a computer system or network, relinquishing their access rights until they next logon.  A logged-on computer left unlocked and unattended may be exploited by a passer-by, taking advantage of the logged-on user’s permissions, with consequences that may range from nil (e.g. a kind person simply logs them off) through pranks and mischief (e.g. sending a spoof email inviting colleagues to a night on the town at the logged-on user’s expense) to serious (e.g. cybertage, information theft or fraud).

Logon,
login

The process whereby a user identifies and authenticates to a computer system or network in order to pick up the permissions associated with their user ID.  During the session (i.e. until they logoff), activities, rights and permissions, and security events are associated with their user ID, may trigger alarms and alerts, and may be recorded in audit trails and security logs for accountability and auditing purposes.

Lokibot

One of several species of Android malware in the wild in 2018.  Multifunctional with bank Trojan, spyware and ransomware capabilities.

LoRa (Long Range)

Wireless networking standard with a range of about 10 miles, used for IoT, IIoT and other purposes.

LOTO
(Lock Out Tag Out)

Type of health and safety control in which, for example, maintenance workers attach their personal locks or tags to safety shrouds on the main power switch or circuit breaker, physically preventing out-of-service electrical equipment being re-energized until everybody has completed the work and removed all their locks/tags.  A failsafe physical control.

LOVEINT
(lover intelligence)

Using national security machinery to gather intelligence on lovers and partners, potentially for blackmail purposes or for background checks.

Love letter

See ILOVEU.

Low Orbit Ion Cannon
(LOIC)

Cyberweapon that ‘fires’ multiple TCP or UDP requests at a web server in order to consume its resources, causing it to slow down and perhaps crash or expose exploitable vulnerabilities i.e. a DOS attack.  A simple JavaScript version can execute in a web browser, while more sophisticated standalone variants can participate in botnets for coordinated DDoS attacks.

Luck

Misfortune is often ascribed to ‘bad luck’ just as good fortune is ascribed to ‘good luck’, whereas the outcome is often wholly or largely a matter of probability, risk and randomness.

Ludd,
Luddite

Ned Ludd used sabotage to frustrate the progress of mechanisation and industrialisation.  In 1779 in central England, Ludd smashed two knitting machines in a “fit of passion”, leading to him being blamed jokingly for similar incidents subsequently.  Activists and saboteurs with a grudge against the machines and their owners are still called Luddites, more than two centuries on.

Lulz, lolz

Leet for “laughs”, derived from LOL (Laugh Out Loud), an abbreviation common in SMS/TXT messaging. 

LulzSec
(Lulz Security)

Hacker group, related to Anonymous, which achieved global notoriety in 2011 through hacks on Sony and other high-profile targets.

MaaS
(Malware as a Service)

Illicit black market sellers offer various forms of malware to rent, along with associated services such as money laundering.

Machine ethics

An academic field of study into the measures appropriate and necessary to direct, control or constrain machines (such as robots, autonomous vehicles and cyberweapons) that utilize advanced artificial intelligence, hopefully without negating the potential advantages they bring to humankind.

Machine to machine [M2M]

“Technologies that allow both wireless and wired systems to communicate with other devices of the same type” (ISO/IEC 27033-6).

Macro metric

High level overview metric supporting big-picture thinking and strategic decisions.  Cf. micro metric.

Macro virus

Form of malware that infects data files used by word processing, spreadsheet and other programs that have a sufficiently powerful and yet insecure built-in scripting or command language.

MAD
(Maximum Acceptable Downtime)

See MTD.

Magstripe (magnetic stripe)

Magnetic storage strip once common on bank cards, credit/debit cards etc. prior to the introduction of chip-n-pin.  Machine-readable tracks on the strip contain standing data relating to the card number, expiry date etc. along with integrity check values.  A relatively basic and cheap security measure, highly vulnerable to duplication and forgery using readily-available card readers/writers, hence deprecated.

Main establishment

(a) As regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation” (GDPR).

[Corporate] Malfeasance

Deliberate commission of inappropriate, unethical or illegal acts, such as failing in fiduciary duties, embezzlement, bribery and extortion, particularly by public officials or officers of an organisation (‘corporate malfeasance’).

Malicious

With malice, mean and nasty, intending to cause or knowingly causing harm to another.  Cf. benign.

Malicious code

Malware.  “Any software that attempts to subvert the confidentiality, integrity or availability of a system.  Types of malicious code include logic bombs, trapdoors, Trojans, viruses and worms” (NZ Information Security Manual).

Malicious code infection

“An information security incident that occurs when malicious code is used to infect a system.  Example methods of malicious code infection include viruses, worms and Trojans” (NZ Information Security Manual).

Malicious damage

Deliberate or wilful damage to (usually) physical assets, such as arson, vandalism or sabotage.  One of many physical security threats.  See also fire, flood, intruder and cybertage.

Maltego

Application supporting both offense using, and defences against, social engineering attacks.  Identifies and displays relationships (social networks) between people, organisations, websites, email addresses, technologies etc. using open source intelligence sources such as social media and search engines.  An example of dual-use technology, popular with black-, grey- and white-hats.  See also Datasploit.

Malvertising

Online advertisement that attempts to exploit vulnerabilities in visitors’ browsers to infect their systems with malware.  Often placed on otherwise benign and normally trustworthy websites without the website owner even being aware of the threat, but sometimes on blatantly malicious sites using various deceptive tricks to lure victims.

Malware
(malicious software)

Programs designed and written with malicious intent or purposes (such as damaging, deleting, corrupting or preventing access to computer systems, data, networks etc. and/or harming their users’ interests) including computer viruses, network worms, Trojan horses, rootkits, logic bombs, time bombs, ransomware, spyware, scareware etc.  “Malicious software designed specifically to damage or disrupt a system, attacking confidentiality, integrity, or availability.  Note: Viruses and Trojan horses are examples of malware” (ISO/IEC 27033-1).  “A computer program that is covertly placed onto a computer with the intent of compromising the privacy, accuracy, or reliability of the computer’s data, applications, or OS” (NIST SP800-114 rev1).

MAM
(Mobile Application Management)

See MDM.

Man-trap, man trap

See mantrap.

Management

Noun: those collectively who manage (direct, oversee, motivate, align, monitor and control) the organisation.  Verb: the act of managing.  “Coordinated activities to direct and control an organisation” (ISO 9000).

Management control,
supervisory control,
administrative control

Information security control involving or performed by a manager, supervisor or similar competent, authorized, trusted and diligent person.  Audits, reviews, inspections and other forms of oversight are commonplace examples, plus policy-making, compliance, authorisation and attestation.  See also internal controls and governance.

Management system

Coherent framework or structured suite of management activities and controls, such as an ISMS.  “Set of interrelated or interacting elements of an organisation to establish policies and objectives and processes to achieve those objectives.  Notes: a management system can address a single discipline or several disciplines; the system elements include the organisation’s structure, roles and responsibilities, planning, operation; the scope of a management system may include the whole of the organisation, specific and identified functions of the organisation, specific and identified sections of the organisation, or one or more functions across a group of organisations” (ISO/IEC 27000).

Management traffic

“Traffic generated by system administrators and processes over a network in order to control a device.  This traffic includes standard management protocols, but also includes traffic that contains information relating to the management of the network” (NZ Information Security Manual).

Manager

Line manager for one or more members of staff.  The executives delegate responsibility for implementation of the organisation’s information security principles, axioms and the Policy Manual via the Security Committee and CSO, through Information Security Management and the ISM, to managers, and through them, to their subordinates.  In this manner, information security is everyone’s responsibility (itself one of the fundamental security principles).

Manchester Mark I

One of the first digital computers to use programs stored on magnetic drums and cathode ray tubes.  Constructed at Manchester University in 1949, it used 4,200 thermionic valves (vacuum tubes) as digital switches in racks that filled a sizeable room.  Modern-day electronic hand-held calculators contain a similar number of transistor switches on a piece of silicon just a few square millimetres in size.

Mandatory

Systems and workers must (that is, they are obliged or compelled to) comply with mandatory policies, laws, regulations, contracts, agreements or other applicable requirements unless they have been granted a legitimate exemption by the relevant authority, or if compliance would conflict with some higher obligation or principle (such as human safety).  Cf. discretionary.  See MAC and DAC.

Mandatory Access Control
(MAC)

Whether access is or is not permitted to information, and if so the type of access, is determined by the physical design and coding of a MAC system, as opposed to a DAC system where the users and administrators have discretion.  Typically involves the use of cryptographic authentication and encryption and other strong security controls implementing the Bell-LaPadula model.  Used by governments and the military to enforce (i.e. mandate) restrictions reflecting the classification of data.  “A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity.” (CNSSI-4009).

Mandatory leave,
enforced vacation

As a matter of policy, workers in trusted or privileged rôles may be required to take leave in blocks of a defined minimum length (e.g. a week or two) as a control against fraud and impropriety.  The hope is that whoever fills-in for the person on vacation has the chance to identify/reveal and investigate tell-tale discrepancies or indicators that the fraudster would normally have concealed.  Proactively preparing and training them for this tricky task should make the control more effective, but such foresight is vanishingly rare in practice.

Man-In-The-Browser
(MITB)

Man-In-The-Middle attack involving a keylogger that hijacks the user’s privileged online session, intercepting and manipulating his keystrokes through the browser, typically injecting/altering transactions and tricking the user into unknowingly authenticating fraudulent transactions using his password and/or security token.  See also bank Trojan.

Man-In-The-Email
(MITE)

See Business Email Compromise.

Man-In-The-Middle
(MITM),
session hijack

Attack in which the attacker intercepts and compromises messages passing between two parties, generally using masquerading to fool each party into believing that the attacker is the legitimate counterparty.  May involve stolen, faked or genuine digital certificates obtained under false pretences, and/or malware (malware-in-the-middle).  Exploits the trust placed in connections that communicating parties believe are direct and secure.  See also proxy.

Man trap, man-trap, mantrap,
air lock, air-lock, airlock

Secure cubicle in which a person is physically detained pending their identification and authentication to proceed.  A physical access control.  Sophisticated versions may include CCTV monitoring, body scanners (for concealed weapons, recording devices etc.), weighing scales to prevent multiple occupancy, plus anti-pass-back controls.  “The secured space between doors operating on an electronic interlocking basis that may be accessed by a card-reader access system or a remote-control device, provided that all movement and activity is monitored” (PCI Card Production and Provisioning Physical Security Requirements, v2.0 January 2017).

Manual control,
administrative control,
procedural control

Control that involves one or more people performing an activity or process, for example managing information risk, responding to an alarm, or checking and authorizing a transaction.  Cf. automated control.  See also management control.

MAO
(Maximum Acceptable Outage)

See MTD.

Mark

“Legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification body, indicating that adequate confidence in the systems operated by a body has been demonstrated or that relevant products or individuals conform to the requirements of a specified standard” (ISO/IEC 27006).  See also target.

Masque attack

Family of security vulnerabilities and exploits on Apple iOS.

Masquerade

Form of attack in which the attacker impersonates (pretends to be) someone or something else.  Normally foiled by authentication mechanisms such as a challenge-response to determine whether they have the correct credentials.  May involve spoofing or social engineering.  “A type of threat action whereby an unauthorized entity gains access to a system or performs a malicious act by illegitimately posing as an authorized entity” (CNSSI-4009).

Mass surveillance

A dark, foreboding term with strongly Orwellian overtones concerning the widespread, systematic, intrusive and largely indiscriminate surveillance of the public by government agencies, ostensibly for the purposes of crime and threat detection, counter-terrorism etc.  From the authorities’ perspective, a legitimate and necessary public safety/security mechanism.  From other perspectives, potentially a substantial threat to privacy, human rights, liberty and democracy, made worse by the resources and sheer power of the authorities operating under a cloak of secrecy with dubious regulatory oversight and accountability.

Master key

Whereas normally a physical lock can only be opened by change keys with the correct pattern for that lock, locks can be designed as a set that can be opened using either master keys with special patterns that work across the entire set or with the individual change keys.  Janitors and security guards often use master keys to clean, check and lock multiple offices, stores, buildings etc., making them the physical security equivalent of the root password.

MBSA
(Microsoft Baseline Security Analyzer)

Free Microsoft tool to scan Windows systems for missing security patches (in much the same way as Windows Update) plus some other known vulnerabilities such as network shares and enabled guest accounts.

MD5
(Message Digest № 5)

Hash algorithm developed by Ron Rivest of RSA fame.  Generates a 128-bit digest.  Because practical collision attacks have been demonstrated against it, now deprecated in favour of the SHA-2 family of algorithms.

MDM
(Mobile Device Management), EMS
(Enterprise Mobile Security, Enterprise Mobility Suite),
MAM
(Mobile Application Management)

RAT software installed on PODs used for BYOD, or on things, allowing privileged, trusted, authorized administrators to access and manage the mobile devices and apps remotely and securely, ensuring that the organisation’s information is adequately secured and its interests are protected.  Administration, monitoring and security capabilities, and information risks, vary between products.

ME
(Management Engine)

Intel x86 CPUs have an additional CPU management subsystem embedded in the Northbridge, apparently intended to support big enterprise deployments.  Since it interacts with the CPU at such a low level, vulnerabilities in the ME could, if exploited, compromise the CPU in much the same way as a rootkit.  The ME cannot be disabled, making this a concern in high security situations (e.g. government, defence and national infrastructure).

Meaconing

Interception and rebroadcast or fabrication of navigation signals in order to mislead, misdirect or confuse the enemy through inaccurate or missing bearings.  Cryptographically signing and authenticating beacon signals is a possible control against this.  See also MIJI.

Measure

[Verb] To determine one or more parameters of something.  [Noun] A measurement or a countermeasure (i.e. a control).  “Variable to which a value is assigned as the result of measurement” (ISO/IEC 15939:2007).

Measurement

The value of a parameter, ideally expressed in defined, standardized units with an appropriate degree of precision e.g. “the height measurement of the door is 2.22 meters”.  “Process to determine a value” (ISO/IEC 27000).

Measurement function

“Algorithm or calculation performed to combine two or more base measures” (ISO/IEC 15939:2007).

Measurement method

“Logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale.  Note: the type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished as follows: subjective - quantification involving human judgment; [and] objective - quantification based on numerical rules” (ISO/IEC 15939:2007).

[The] Media

Plural of medium.  Commonly refers to storage media or the news media (journalists and broadcasting), sometimes social media.  “A generic term for hardware that is used to store information” (NZ Information Security Manual).

Media destruction

“The process of physically damaging the media with the objective of making the data stored on it inaccessible.  To destroy media effectively, only the actual material in which the data is stored needs to be destroyed” (NZ Information Security Manual).

Media disposal

“The process of relinquishing control of media when no longer required, in a manner that ensures that no data can be recovered from the media” (NZ Information Security Manual).

Media sanitisation

“The process of erasing or overwriting data stored on media” (NZ Information Security Manual).

Melissa

Macro virus dating back to 1999, spread via email.

Melt

The fate of a bar of chocolate left on a sunny dashboard … “Destruct by changing media from a solid to a liquid state generally by the application of heat” (ISO/IEC 27040).

Meltdown,
Spectre,
Chipzilla,
Foreshadow,
Fallout

Design flaws in some CPU chips relating to speculative execution allow malicious user-mode programs to read and perhaps modify memory supposedly reserved for trusted functions, thereby negating (melting down) a fundamental security control vital to protecting the operating system.  Although operating systems can be patched as a workaround (at the cost of slower code execution), malware probably exists to exploit unpatched systems.  This is an area of active research.  See also ZombieLoad.

Memory leak

See heap overflow.

Memory-scraping malware,
RAM-scraper

Type of malware that monitors and captures confidential data in working memory in the course of processing.  While such malware commonly infects point-of-sale systems, implying a criminal motive, the technique has broader application for national and industrial espionage and other nefarious purposes such as stealing valuable intellectual assets such as cryptographic keys and passwords (e.g. keyloggers), for surveillance or cybertage.  See also Meltdown.

Merkle tree

A cryptographic architecture patented by Ralph Merkle in 1979 in which hash values for two or more data blocks are themselves hashed, and so on ‘up the tree’, thus ensuring integrity of the entire data structure.  See also blockchain.
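A minimal Merkle tree, added here as a worked illustration and not taken from the glossary or any particular project: SHA-256 is assumed as the hash, leaf and interior hashes are prefixed with different bytes so that a leaf cannot be confused with an internal node, and an odd node at any level is carried up unchanged.  It also shows the property the entry alludes to: an inclusion proof lets a verifier who holds only the root check one block, and any tampered block changes the root.

```python
import hashlib
from typing import List, Tuple

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(block: bytes) -> bytes:
    # 0x00 prefix distinguishes leaves from interior nodes (assumed convention).
    return _sha256(b"\x00" + block)

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix for interior nodes; order of children matters.
    return _sha256(b"\x01" + left + right)

def build_tree(blocks: List[bytes]) -> List[List[bytes]]:
    """Return every level of the tree: levels[0] are leaf hashes, levels[-1] is [root]."""
    if not blocks:
        raise ValueError("a Merkle tree needs at least one data block")
    level = [leaf_hash(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2 == 1:
            nxt.append(level[-1])  # odd node carried up to the next level unchanged
        level = nxt
        levels.append(level)
    return levels

def merkle_root(blocks: List[bytes]) -> bytes:
    return build_tree(blocks)[-1][0]

def inclusion_proof(blocks: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    levels = build_tree(blocks)
    proof: List[Tuple[bytes, str]] = []
    i = index
    for level in levels[:-1]:
        sibling = i ^ 1
        if sibling < len(level):
            proof.append((level[sibling], "left" if sibling < i else "right"))
        # otherwise this node was carried up alone; nothing to combine at this level
        i //= 2
    return proof

def verify_proof(block: bytes, proof: List[Tuple[bytes, str]], root: bytes) -> bool:
    """Recompute the path from a single block and its proof; True iff it reaches `root`."""
    acc = leaf_hash(block)
    for sibling, side in proof:
        acc = node_hash(sibling, acc) if side == "left" else node_hash(acc, sibling)
    return acc == root

# Constructed sample data: five blocks, so the tree has an odd level to handle.
BLOCKS = [b"block-0", b"block-1", b"block-2", b"block-3", b"block-4"]

if __name__ == "__main__":
    root = merkle_root(BLOCKS)
    proof = inclusion_proof(BLOCKS, 3)
    print("root:", root.hex())
    print("block 3 verifies:", verify_proof(BLOCKS[3], proof, root))
    print("tampered block verifies:", verify_proof(b"block-3-edited", proof, root))
```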

Mesh network

Ad-hoc wireless networking architecture with which ICT devices communicate with others within range, passing-on messages including commands and data.  Used in some Internet of Things applications such as smart metering.

Message Authentication Code (MAC)

See hash and MAC.

Message digest

See hash.

Metadata

Information or data about, or parameters of, data (such as details of the senders and recipients of phone calls and emails or the dates and times or sizes of messages, and the PRAGMATIC characteristics of security metrics) that may be sensitive and/or valuable in its own right.  “Data that defines and describes other data” (ISO/IEC 11179-1:2004).  See also traffic analysis.

Metasploit [Framework]

Hacking/penetration testing tool, originally open source but now also commercial products with additional features.  Automates hundreds of well-known exploits.  An example of dual-use technology, popular with black-, grey- and white-hats.

Method,
methodology

The specified means and/or procedure for doing something, such as performing a scientific or forensic investigation.  “Definition of an operation which can be used to produce data or derive information as an output from specified inputs.  Note: Ideally, a method should be atomic (i.e. it should not perform more than one function) in order to promote re-use of methods and the processes derived from them and to reduce the amount of work required to validate processes.” (ISO/IEC 27041).

Metric

A parameter or characteristic that characterizes or describes something of interest (such as a security control or risk), used to measure it, normally in order to inform decisions concerning it (e.g. to determine whether the control adequately mitigates the risk or needs to be improved).

MI5
(Military Intelligence
branch 5),
Secret Service

UK national (domestic) intelligence service, dedicated to protecting the interests of British citizens, both within the UK and abroad.  Originally the fifth branch of the Directorate for Military Intelligence, part of the War Office in the First World War.  See also SIS.

MI6

See SIS.

Michelangelo

Well known virus from 1992, widely hyped by the news media but negligible in impact since most infected systems had been successfully disinfected prior to the payload being triggered on Michelangelo’s birthday, March 6th.  Based on Stoned.

Micro-fraud

Fully automated form of salami fraud in which the amounts stolen tend to be extremely small, possibly fractions of the smallest discrete unit of currency (e.g. tenths of a cent).  Such fractional amounts are normally subject to rounding rules designed to avoid systematic bias but successful micro-fraudsters subvert the process and the associated checks and balances.

Micro metric

Low-level fine-grained metric concerning a detailed point of interest or concern for operational reasons.  Cf. macro metric.

MIJI
(Meaconing, Intrusion,
Jamming, and Interference)

US military communications security term.  See meaconing, intrusion, jamming and interference.

Mimic panel

SCADA HMI device that presents a graphical representation of industrial plant to the operators, like a wiring diagram embedded with lights and meters showing the status of important machinery, services etc.

Mimikatz

Open source hacking/penetration testing tool, developed in 2007, that exploits a vulnerability in Windows lsass (local security authority subsystem service) to grab passwords and other digital credentials from memory in plaintext.

Minting

The generation of cookies containing falsified authentication credentials, enabling hackers to commit identity fraud by purporting to be authenticated users of the corresponding websites.

Mirai

Malware, in the wild in 2019, that uses a list of default user IDs and passwords to infect insecure IoT things, recruiting them to a botnet for DDoS and perhaps other attacks.  The source code for Mirai was published in 2016, leading to a string of copycat variants.

Mirror site,
dual-live site

The costly provision of ICT services simultaneously from multiple facilities at physically separated/diverse locations, increasing resilience against certain classes of disaster affecting any individual site while paradoxically increasing some risks (primarily due to the added complexity and reliance on networks).  Generally involves near-real-time replication of data and synchronisation of transaction commit points between sites, load-balancing etc.  See also hot site, warm site and cold site.  See also disk mirroring.

Misappropriation

Fraud involving the misuse of assets belonging to an organisation by workers e.g. expenses fraud.  See also embezzlement.

Mischa

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Often distributed with Petya.

Misinformation,
disinformation

Information that is intended deliberately to mislead, deceive, coerce or manipulate (such as propaganda or obfuscation), or that is inaccurate, incomplete, outdated or otherwise misleading by accident.  Propaganda is sometimes known as disinformation, emphasizing its deliberately misleading nature.

Misinterpretation

The risk of a recipient accidentally misunderstanding, or perhaps intentionally misreading, something such as an SMS/TXT message, email, instruction, permission or prohibition.  Who could resist a button mysteriously labelled “Do not press!”?

Mis-issuance

A failure of the validation process leading to the inappropriate issue of a digital certificate.

Misrepresentation

Lying, exaggerating or misleading, giving a false account of something, typically to trick or coerce the victim into doing something inappropriate.  A commonplace fraud and social engineering technique.

Mission-critical

See business-critical.

Mitigate

Reduce the probability (likelihood) of occurrence and/or the impact (adverse consequences) of a risk.

Mix network

Data communications method (design, system or protocol) designed to pool and transmit messages from multiple participants in an anonymous, untraceable fashion.  Tor is an example.

Moat

Deep ditch around a Mediaeval castle, sometimes filled with water, designed to make it difficult for attackers to scale or breach the castle walls, slowing them down and thereby increasing their exposure to counterattack (e.g. spears, arrows and boiling oil).  Today’s equivalents include ‘sterile areas’ around important facilities and the DMZ.

Mobile code

Programs capable of executing on different types of system, for example well-designed Java programs can be executed on any operating system which hosts a compliant Java virtual machine.  While such portability can be tremendously convenient for programmers and users, malware such as network worms may exploit security vulnerabilities in the technical architecture (e.g. breaking out of the sandbox) to spread far and wide, while malware written in Java may infect multiple platforms.

Mobile device

Portable computing and telecommunications device such as a smartphone or tablet PC.  Thanks to innovative technologies, modern mobile devices are effective ICT platforms but constraints such as miniaturisation, portability, wireless connections, battery power and price limit the processing and memory capacity, which in turn makes them hard to secure against malware and hacks, plus plain old theft and loss.  On top of that, naïve users don’t always appreciate and use security features properly, sometimes ill-advisedly disabling important controls e.g. jailbreaking.  “A small mobile computer such as a smartphone or tablet” (NIST SP800-114 rev1).

Mobistealth

Commercial surveillance software for smartphones including various iOS and Android devices.  Ostensibly for ‘parental control’, this powerful spyware allows someone secretly to compromise the device, access its stored data (e.g. stored contacts, photos, videos, SMS messages and emails) and metadata (e.g. details of phone calls made and websites visited), and surreptitiously monitor its user (e.g. location tracking, keylogging and bugging/audio recording), regardless of their ethical and legal privacy rights.

Modbus

Commonplace SCADA/ICS network communications protocol, used to pass readings and control signals between devices.

Mole

An agent who has infiltrated, been implanted, or been recruited from within an organisation by an adversary.  An example of a cyberteur.

Monetize

Steal or misappropriate money, for example malware that causes smartphones to call or send text messages to a premium rate number (toll fraud).  See also cashing-out.

Money laundering

Criminal processes to convert stolen or fraudulently obtained and traceable assets into untraceable cash, typically by successively passing them through money mules, fences and dubious financial transactions intended to ‘wash them clean of’, and obscure, their origin and nature.  Thanks to proactive monitoring, mandatory reporting and other relatively strong controls within the financial industry, cashing out is one of the highest-risk parts of any criminal or terrorist activity involving substantial amounts of money.

Money mule, mule

Person handling or laundering criminal proceeds.  Money mules are often the unwitting and naïve victims of fraud or coercion, who nevertheless commit criminal acts rendering them liable to prosecution, particularly if a motivation such as greed can be surmised.

Money Transfer Agent
(MTA)

Financial services such as Western Union and MoneyGram that receive funds at one location and pay out, often in cash, at another.  The anonymity offered by such services has often been used to launder money, attracting the attentions of both the criminal underground and regulatory authorities.

Monitoring,
monitor

Observing, overseeing or watching over something such as an organisation, system, network or process, looking for and ideally acting appropriately on discovering anomalies, particularly indications of security incidents, errors/discrepancies etc.  May also be a form of surveillance.  “Determining the status of a system, a process or an activity.  Note: to determine the status there may be a need to check, supervise or critically observe” (ISO/IEC 27000).

Monkeywrenching

Sabotage.  Alludes to the idea of a saboteur using a monkey wrench to damage industrial machinery.  See also Luddite.

Monoalphabetic

Cryptographic substitution process (such as Caesar’s cipher) that substitutes letters or characters in the plaintext with letters from a single alphabet or character set.  Cf. polyalphabetic.

Moral hazard

Believing themselves adequately protected by controls such as insurance, people may accept more risk than otherwise – and why not?  This may need to be taken into account when implementing controls, for example by adjusting insurance premiums to reflect the anticipated risks after insurance is in effect, rather than before, and specifying expected controls.

Motion detector,
shock detector,
vibration detector

Physical security device monitoring an area or a device for movement, typically using passive infrared radiation, CCTV or tremblers to detect movement and trigger an alarm.

Motte

The hill or mound of earth and rubble on which many Mediaeval castles were constructed, giving defenders a vantage point while forcing attackers into an uphill battle (literally).

MOV
(Metal Oxide Varistor)

Cheap electronic component designed to absorb the energy and limit the maximum voltage caused by typical power line spikes but not necessarily surges or multiple/more extreme spikes.  MOVs are physically degraded by each spike and, since under-rated or exhausted MOVs may catch fire, they ought to be replaced periodically.

MPLS
(Multi-Protocol Label Switching)

“Technique, developed for use in inter-network routing, whereby labels are assigned to individual data paths or flows, and used to switch connections, underneath and in addition to normal routing protocol mechanisms.  Note: Label switching can be used as one method of creating tunnels.” (ISO/IEC 27033-1).

MTD (Maximum Tolerable Downtime),
MAD (Maximum Acceptable Downtime),
MTO (Maximum Tolerable Outage),
MAO (Maximum Acceptable Outage)

Parameters used for business continuity and disaster recovery planning, typically being defined as the longest period that a given information asset can be out of action before the costs become untenable and/or the organisation’s very survival is genuinely threatened.  Some organisations define and use these terms distinctly but usually they are synonymous.  See also RPO and RTO.

MTO
(Maximum Tolerable Outage)

See MTD.

MTTD
(Mean Time To Detect)

Security metric measuring the time lags between incidents occurring or starting and being detected.  Superficially attractive means to drive down detection lag, but of limited value in practice since the start point is often unknown or arbitrary.  Easily gamed by manipulating the start point, perhaps also the detection point. 

MTTR
(Mean Time To Respond)

Security metric measuring the time lags between incidents being detected or reported and being resolved.  Sounds good in theory as a means to speed up incident response and resolution, but of limited value in practice since the end point is somewhat arbitrary.  Easily gamed by prematurely declaring incidents resolved.

Muieblackcat

Botnet in the wild in 2015, based on a PHP bot or vulnerability scanner that has been in use since at least 2011.

MultiFactor Authentication
(MFA)

Form of user authentication in which different types of credential are required (e.g. a secret password plus a security token plus a biometric).  Multiple passwords recalled and entered by a single person do not qualify as multifactor authentication, whereas multiple passwords recalled and entered by different people do (an example of dual-control).

Multifunction device

Modern networked printers (particularly those that also offer scanning and FAXing) are typically built around embedded microprocessors running Linux-based operating systems with minimal security.  As such, they are often vulnerable to hackers and malware on the network, in addition to user and configuration errors, physical attacks/damage/accidents, software bugs etc.  Many contain significant data storage capacity, potentially exposing cached copies of printed/scanned/FAXed documents etc.  “The class of devices that combines printing, scanning, copying, faxing or voice messaging functionality within the one device.  These devices are often designed to connect to computer and telephone networks simultaneously” (NZ Information Security Manual).

Multifunctional malware

Malware that has the capability for multiple functions or modes of operation (e.g. having the characteristics of, or being able to switch between, a network worm, Trojan, spyware and ransomware), generally achieved by downloading modules, exploits and parameters from the Internet over a command and control channel.

Multilevel gateway

“A gateway that enables access, based on authorisation, to data at many classification and releasability levels where each data unit is individually marked according to its domain” (NZ information Security Manual).

MultiLevel Marketing (MLM)

Marketing strategy or compensation structure in which profits from sales are distributed among participants.  Whereas genuine MLM schemes are generally legal, they can be indistinguishable from fraudulent and illegal pyramid/Ponzi schemes, even by the specialists, authorities and courts, let alone naïve investors.

NaaS
(Network as a Service)

As if PaaS, IaaS and SaaS weren’t enough, Fujitsu coined this term for the provision of network services.  In relation to cloud computing, it is taken to include virtual networks using VPNs, flexible network capacity etc.

Nagware

Neologism referring to software that repeatedly displays annoying reminders to do something (such as upgrade to Windows 10), regardless of user preferences.  Whether it qualifies as adware, malware or a PUP is a moot point: nobody enjoys being nagged.  It is an unwelcome diversion, at best.

Nanocore

Multifunctional RAT malware spread via spam as an Excel spreadsheet.  In the wild in 2019.

NAT
(Network Address Translation)

Relatively simple firewall or router function to spoof public IP addresses externally on packets originating within a private internal network, without breaking various network protocols.  Keeping internal IP addresses confidential makes it slightly harder for Internet hackers to discover and map the internal network architecture, and allows additional security (e.g. raising the alarm if packets with internal IP addresses appear on the public side of the NAT server, indicating a possible breach/incident, or a firewall or other network configuration failure).

National security

Broad term encompassing defence of the realm and protection of the populace and other national interests against foreign adversaries and threats.

National Security Letter
(NSL)

An order from the FBI relating to protecting America against spying, terrorism or other threats to national security, for example mandating the disclosure of confidential information pertinent to an investigation by an organisation.  May also impose a nondisclosure obligation under circumstances specified in law, forbidding recipients from disclosing the fact that they are subject to an NSL.  See also warrant canary.

Native file

File sporting a grass skirt and a bone through its nose?  No: “Electronic document in a native format.  Note: Native files are frequently proprietary” (ISO/IEC 27050-1).

Native format

Raw information-rich data storage file format (such as .docx for MS Word documents, containing the printable text and image content plus markup, comments and other metadata).  “Organisation and representation of data and metadata that an operating system or application uses when data is stored.  Notes: Native formats typically contain the most complete representation of the data.  While it is often possible to convert this data to other formats, there can be a loss of information (e.g., metadata is stripped) or modification of the information.  In many circumstances or jurisdictions native format is that format in which a hardcopy document or ESI is stored or used in the normal course of its use/business” (ISO/IEC 27050-1).

NBC
(Nuclear, Biological, Chemical)

Thankfully most of us do not have to worry about extreme terrorist or state-sponsored attacks, but those who do are concerned about ‘dirty bombs’ spreading radioactive material, genetically engineered bacteria/viruses etc. and Sarin-type chemical incidents, as well as attacks using more conventional methods, plus cyberwarfare.

NCCIC
(National Cybersecurity and Communications Integration Center)

Part of the DHS responsible for coordinating cybersecurity and communications protection efforts by the US government (e.g. US-CERT), plus commercial organisations and foreign governments.  Information concerning active threats and exploits is analysed and shared with the community, and the response, mitigation and recovery efforts are coordinated.

NCP
(Network Control Protocol)

Deprecated networking protocol used for remote access, file transfer, email etc. on ARPANET prior to the adoption of TCP/IP.

[US] NCSC
(National Counterintelligence and Security Center)

US government body under the Office of the Director of National Intelligence (DNI), mission “To lead and support the counterintelligence and security activities of the US Government, the US Intelligence Community, and US private sector entities who are at risk of intelligence collection, penetration or attack by foreign and other adversaries” (NCSC website).  See also the next entry.

[UK] NCSC
(National Cyber Security Centre)

UK government body under GCHQ focused on national security threats in cyberspace as the UK’s ‘authority on cyber security’ (whatever that means!), fostering liaison between the public and private sectors and dealing with state-level incidents.  Formed in 2016 from the CCA (Centre for Cyber Assessment), UK-CERT (Computer Emergency Response Team), CESG (Communications Electronics Security Group i.e. GCHQ’s information security arm), plus the ‘cyber-related responsibilities’ of the CPNI (Centre for the Protection of National Infrastructure).  See also the preceding entry – an acronym collision.

Near miss, near-miss,
near hit, near-hit,
close call,
close shave

Term adapted from the aviation industry where it refers to the close physical approach of aircraft that could easily have led to an accident.  In information security, it means a situation or event that could easily have led to an incident if it weren’t for a stroke of good luck.  Near misses can be valuable learning and improvement opportunities, and hence should be reported, evaluated and responded-to as if they were actual security incidents.

Need-to-know

See default deny.  “The principle of telling a person only the information that they require to fulfil their role” (NZ information Security Manual).  Cf. default permit.

Need-to-withhold

See default permit.  Cf. default deny.

Negligence, negligent

Failing to exercise due care.  Implies more than simply carelessness e.g. incompetence, possibly even recklessness, sabotage or cybertage.

Nessus

Vulnerability scanning tool, now a commercial product while the original open source version became OpenVAS.

Netcat

Network security and hacking tool capable of listening for and transmitting packets.

Network

Collection of data communications links or connections, plus the nodes or devices and the networked services they provide. 

Network access control

“Policies used to control access to a network and actions on a network, including authentication checks and authorisation controls” (NZ information Security Manual).

Network administration,
Network Admin

Corporate function performing routine technical operations and management of networks.  “Day-to-day operation and management of network processes, and assets using networks” (ISO/IEC 27033-1).

Network analyser

Network node that monitors, logs, analyses and perhaps acts upon, passing traffic e.g. raising security alerts. “Device or software used to observe and analyze information flowing in networks.  Note: Prior to the information flow analysis, information should be gathered in a specific way such as by using a network sniffer.” (ISO/IEC 27033-1).  See also sniffer.

Network attached storage

Disk, tape or similar data storage devices connected to the network.  “Storage device or system that connects to a network and provide file access services to computer systems” (ISO/IEC 27040).

Network device

See network node.  “Any device designed to facilitate the communication of information destined for multiple system users.  For example: cryptographic devices, firewalls, routers, switches and hubs” (NZ information Security Manual).

Network element

Networked node, device or system.  “Information system that is connected to a network” (ISO/IEC 27033-1).

Network infrastructure

“The infrastructure used to carry information between workstations and servers or other network devices.  For example: cabling, junction boxes, patch panels, fibre distribution panels and structured wiring enclosures” (NZ information Security Manual).

Network management

“Process of planning, designing, implementing, operating, monitoring and maintaining a network” (ISO/IEC 27033-1).

Network monitoring

A form of surveillance focusing on data traffic and activities on a computer network.  “Process of continuously observing and reviewing data recorded on network activity and operations, including audit logs and alerts, and related analysis” (ISO/IEC 27033-1).

Network node,
network device

Computing/networking equipment with one or more network connections.  Examples include routers, firewalls, networked application systems, file servers, web servers, email servers, workstations, things, PCs, laptops, tablet PCs and smartphones.

Network protection device

“A sub-class of network device used specifically to protect a network. For example, a firewall” (NZ information Security Manual).

Network security policy

Policy concerning network security.  “Set of statements, rules and practices that explain an organisation‘s approach to the use of its network resources, and specify how its network infrastructure and services should be protected” (ISO/IEC 27033-1).

Network service

Application or service running on a server, thing or other network node/device that is offered over the network e.g. email, cloud storage, cloud computing.

NFC
(Near-Field Communications)

Short-range wireless networking technologies such as Bluetooth designed to link nearby ICT devices over a few tens of meters at most.

NFV
(Network Function Virtualisation)

Virtualisation software mediates between individual network functions or services (e.g. routing, content delivery, NAT, VPNs, load balancing, IDS/IPS and firewalls) and real networks.  Being virtual, the functions can be dynamically enabled/disabled (blackholed) and allocated different resources, for example to cope with the overload caused by a massive influx of requests to a popular website or a DDoS attack.

NIDS
(Network-based Intrusion Detection System)

Intrusion detection system involving monitoring network traffic, as opposed to monitoring network traffic on particular systems (see HIDS).

Nikto

Open source tool for penetration testing/hacker attacks on web servers.

Nimda

Network worm derived from Code Red in 2001.  Used multiple modes of infection to spread widely and quickly.  ‘Nimda’ is ‘admin’ spelt backwards, hinting at the VXer’s geeky sense of humour.

NIPRnet
(Nonclassified Internet Protocol Router network)

US Department of Defense data network for nonclassified but not for SECRET or higher classes of information.  See also SIPRnet.

NIST CSF
(National Institute of Standards and Technology CyberSecurity Framework)

NIST’s Framework for Improving Critical Infrastructure Cybersecurity, first released in 2014, reflects the timeline of an incident and the need for appropriate information security controls that precede, accompany or follow an incident through the identify, protect, detect, respond and recover phases (called “functions” within CSF).  The Cybersecurity Enhancement Act of 2014 required NIST to develop “a prioritized, flexible, repeatable, performance based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks.”  It is essentially a risk and incident management approach to help protect the US critical [national] infrastructure against cyber risks (“cybersecurity risks” within CSF).

NIST (National Institute of Standards and Technology) SP (Special Publication) 800 series

NIST’s well-regarded public domain SP800-series standards document and promote good practices in information and IT security, privacy, cryptography etc.  See the NIST Computer Security Division – Computer Security Resource Center for further information.

NIST SP800-171

NIST standard Protecting Controlled Unclassified Information in Nonfederal Systems and Organisations.

NIST IR 7298

NIST’s Glossary of Information Security Terms is a useful 200+ page compilation of definitions from various SP 800 and FIPS standards, plus CNSSI-4009 and other cited references.

NIT
(Network Investigative Technique)

FBI term for a tool or method used to investigate and gather forensic evidence from computer networks and systems.

NLP
(Neuro-Linguistic Programming)

Unscientific and discredited theory touted by some social engineers concerning their supposed ability to exploit interactions between neurology and linguistics to ‘program’ behaviour.  Pure snake oil.  It only works in the sense that NLP proponents believe they have superpowers, giving them self-confidence. 

nmap

Network administration/security/penetration testing/hacking tool originally developed by an old-school hacker called Fyodor.  Capable of port scanning and much more.  Uses custom IP packets to characterize network links and devices.

NOC

(a) Non-Official Cover: intelligence term for a mole, a spy working undercover as an ordinary, innocuous employee while, perhaps, conducting surveillance within a bank or ICT company.  (b) Network Operations Center: a corporate facility monitoring and managing multiple networks, for example in a bank or ICT company.

No-Lone Zone
(NLZ)

Physical security policy, procedure and protocol that prohibits workers from unaccompanied/sole access to designated secure areas (zones).  “Area, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other” (CNSSI-4009).  “An area in which personnel are not permitted to be left alone such that all actions are witnessed by at least one other person” (NZ information Security Manual).

Nomenclator

The most widely used form of encryption from the 16th until the early 20th Centuries, using a combination of codes and substitution.

Non-affirmative cyber risk, silent cyber risk

Potentially ambiguous insurance policies neither include nor exclude cyber incidents.

Nonce

Cryptographic term for a “number used once”, a random number often used as part of the challenge in challenge-response protocols with the intention of preventing replay attacks (but see Krack).  “A random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing the transmittal of live data rather than replayed data, thus detecting and protecting against replay attacks” (CNSSI-4009).

Noncompliance

Failure to comply with or fulfil an obligation.  If revealed or discovered, the responsible parties may be held to account, perhaps leading to enforcement penalties.

Nonconformity

A failure to comply with a specified requirement such as the mandatory terms of ISO/IEC 27001, or laws or regulations or contracts.  “Non-fulfilment of a requirement” (ISO/IEC 27000).

Non-Disclosure Agreement
(NDA)

Understanding, perhaps contractual and legally binding, between two or more parties to share confidential information (proprietary, personal or official) between themselves but not to disclose it to third parties except by mutual authorisation, or unless legally obliged to do so.  May not expressly prohibit the recipient from exploiting the information themselves, although most Westerners would consider that unethical and inappropriate.

Non-disclosure of communications

“Requirement not to disclose the existence, the content, the source, the destination and the date and time of communicated information” (ISO/IEC 27011).  Note that the definition encompasses both data content and (at least some) metadata.

Non-interactive user ID

Type of user ID intended for automated system logons and file ownership by computers and applications, rather than by people.

Non-repudiation

Having sufficient evidence to prove that something (such as a certain business transaction or activity by a specific individual) did or did not take place.  A form of integrity.  “Ability to prove the occurrence of a claimed event or action and its originating entities” (ISO/IEC 27000).  Cf. plausible deniability.

Non-verbal communication, non-vocal communication,
body language

Animals, including humans, communicate in many ways besides spoken language – and even then, the way words are expressed usually conveys additional information beyond the literal meaning.  Examples include gestures, postures, intonation, volume, cadence and pace.  This increases the possibility of information leakage or side-channel communications since we are often both unaware of, and less able to control how we say, things than what we say.

Non-volatile storage

Disk, tape, flash memory or other storage medium that does not require a power supply to store data indefinitely.  “Storage that retains its contents even after power is removed” (ISO/IEC 27040).

Non-volatile media

“A type of media which retains its information when power is removed” (NZ information Security Manual).

N00b, noob

Leet term for a “newbie”, someone relatively new to hacking, implying a degree of naïveté, innocence, inexperience and/or incompetence.

Notification

Formalized disclosure of an event or incident such as a privacy breach to stakeholders such as relevant authorities and the victims (data subjects), generally to satisfy legal compliance obligations (including those imposed by contracts with other organisations).

NotPetya

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys which, unfortunately for them, don’t work.  A broken variant of Petya.  In 2017, tens of thousands of Maersk computers had to be rebuilt and restored from backups after a NotPetya outbreak.

NSA
(National Security Agency,
No Such Agency,
No Secrets Agency,
Novel Security Algorithms,
Neutered Security Arrangements …)

Powerful, highly secretive arm of the US Department of Defense responsible for various global SIGINT, counter-terrorism, foreign intelligence, counter-intelligence, national and commercial espionage and related surveillance activities, including massive bulk data collection programs and Stuxnet.  Bradley Manning and Ed Snowden’s disclosures of top secret information from the NSA indicating the sheer breadth and depth of the NSA’s mass surveillance activities, penetration and coercion of powerful commercial and government organisations, and subsequent revelations concerning the lack of effective oversight and accountability, caused uproar among proponents of human rights, civil liberty, privacy and democracy, as well as adverse social, political and commercial repercussions for the US and its allies.  There is a distinct possibility that, under cover of ‘the war against [communism, drugs, terrorism or whatever]’, the NSA has amassed sufficient information and power to manipulate, coerce and control the US government that is supposedly its master, thereby ensuring its continued funding and at least partial immunity to the laws of the land, leaving both the NSA and the US government with the thorny problem of re-establishing their credibility and restoring public confidence.  [Note: the US Navy sometimes uses NSA to mean Naval Support Activity.]

NSFW
(Not Safe For Work)

Generally refers to adult/pornographic content.  In addition to its offensiveness, it may be illegal or conflict with corporate policies to access or communicate such material at work, and doing so may create information security issues such as introducing malware into the corporate networks.

NTA
(Network Traffic Analysis)

A cluster of techniques to identify meaningful events and incidents of concern in the flow of traffic on a typically busy data network.  See also SIEM, UBA and IDS/IPS.

Nuclear

A crimeware kit.

NZ Government Information Security Manual

“National security policy that aims to provide a common approach to ensure that the implementation of information security reduces both agency specific, and whole of government, security risks to an acceptable level” (NZ information Security Manual).

O-day, ‘oh-day’

See zero-day.

OAuth2
(Open Authentication version 2.0),
OAuth

User authentication standard (also termed a framework i.e. a system and protocol) in which Resource Owners (IT users) need to be authorized by trusted Authorisation Servers and granted a token in order for their Clients to gain access to their resources hosted by Resource Servers over HTTP.  Specified in RFC 6749.  See also OpenID Connect.

Obfuscation

Deliberately hiding or concealing the true nature or extent of something, such as a hacker’s location, the fact that an attack is taking place, malware code or other confidential content.  See also steganography and redaction.

Object

Something.  “Item characterized through the measurement of its attributes” (ISO/IEC 27000).

Objective

Intended goal, purpose or outcome.  “Result to be achieved.  Notes: an objective can be strategic, tactical, or operational; objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organisation-wide, project, product and process); an objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target); in the context of information security management systems, information security objectives are set by the organisation, consistent with the information security policy, to achieve specific results” (ISO/IEC 27000).

Obligation

Something one is obliged (obligated) or required to do or not to do, for example to comply with a relevant law, regulation, standard, contract term, policy or code of ethics.  See also responsibility.

Occupational fraud

Fraud committed by a worker against the organisation for which they work.  Strictly speaking the definition excludes fraud committed by workers against third parties by means of the organisation’s facilities (e.g. its phone and email services, company letterhead etc.), although that may constitute a failure to comply with corporate regulations, policies, codes of ethics etc.

Offensive security,
proactive security

Whereas most information security controls are passive and/or reactive in nature, offensive or proactive security involves ‘taking the fight to the attacker’, for example by disrupting criminal organisations or deliberately goading, provoking or enticing hackers to attack honeypot systems.  Focuses on the threat or threat agent components of risk.  Cf. defensive security.

Off-hook audio protection

“A method of mitigating the possibility of an active, but temporarily unattended handset inadvertently allowing discussions being undertaken in the vicinity of the handset to be heard by the remote party.  This could be achieved through the use of a hold feature, mute feature, push-to-talk handset or equivalent” (NZ information Security Manual).

Official information

Class of information typically relating to governmental administration, national secrecy etc.

One Time Pad
(OTP)

Theoretically unbreakable cryptosystem which uses a randomly generated shared key at least as long as the plaintext.  While the algorithm may be as simple and efficient as a bit-wise exclusive-OR (XOR) operation, the encryption key must be truly random and must never be re-used (other than for decryption!), creating key generation and distribution problems in addition to the need to restrict knowledge of the key to the authorized parties.  Implementation flaws (such as pseudo-random key generation) and procedural issues (such as users disclosing or re-using the key) limit the security achievable in practice.  See also One Time Password and Vernam cipher.

One Time Password
(OTP)

A password generated and used just once, using a pseudo-random method of generation that can be replicated by the authenticating system.  Usually implemented in a dedicated hardware security token such as RSA’s SecurID.  Although theoretically strong, implementation flaws (such as pseudo-random key generation and unlimited attempts to guess the password) and procedural issues (such as Man-In-The-Middle attacks) limit the security achievable in practice.  See also One Time Pad and nonce.

Online chat

Electronic messaging services (such as IM, SMS and email) and social media used for person-to-person communications through the Internet or other networks.  Vulnerable to malware, disclosure of confidential information, social engineering, spam/SPIM, misinformation, misinterpretation and various other information security threats.

Open door policy

Notional if not literal term for someone (generally a manager) making the effort to be approachable, open, willing to listen to, and deal appropriately with, concerns expressed informally by workers, and consciously encouraging them to communicate or interact.

OpenDNS

Operators of Phishtank.  See www.opendns.com.

OpenID Connect

User identification standard building on the user authentication provided by OAuth2.  A Client verifies the identity of the user and obtains his/her profile.  Specified by Microsoft, Google and others at OpenID.net.

Openness

See transparency.

OpenPGP

An email cryptosystem that complies with relevant IETF standards.  Whereas the original PGP incorporated licensed intellectual property, OpenPGP is open source freeware, unencumbered by license restrictions.  See also GPG and S/MIME.

Open relay

Email server that does not properly authenticate email senders, allowing unauthorized parties to send email – typically spam.

Open source

Software source code that is intentionally disclosed to the public by its owner, whether as a purely benevolent act, to facilitate independent review, or to encourage others to collaborate on or continue the development.  See also FOSS and source available.  [Note: releasing or disclosing intellectual property per se does not necessarily mean that the owner surrenders all their intellectual property rights unless they explicitly place it into the public domain.]

OpenSSH

Popular UNIX client and server application for SSH.

OpenVAS

Open source network security/penetration testing/hacking tool derived from Nessus before it became a commercial tool.

Operating System
(OS)

Privileged software and/or firmware that operates (directs, monitors and controls) the hardware of a computer system (sometimes through a hypervisor), providing services through which software applications interact with the hardware.  Along with physical security controls, the operating system is primarily responsible for securing the system as a whole.  Microsoft Windows, MacOS and UNIX are typical examples.

Operational resilience

See resilience.

Operative

Someone who recruits agents to obtain confidential information for them from target organisations.  Usually works undercover, for example posing as a journalist, tourist or entrepreneur with a seemingly legitimate and innocuous use for the information.

OPSEC
(OPerations SECurity)

“Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures” (CNSSI-4009).

Opt-in

Giving someone the option to provide and permit their personal information to be used or communicated for some purpose only if they explicitly permit or consent to do so – in other words, the default assumption (in the absence of a valid positive response) is that they do not so consent.  Cf. opt-out.

Opt-out

Giving someone the option to indicate that they do not wish their personal information to be used or communicated for some purpose, the default assumption (in the absence of a valid response) being that they do so permit.  Cf. opt-in.

Organisation,
corporation,
enterprise,
business,
[commercial] entity,
group

Deliberately vague terms for a body of people to some extent structured, directed, aligned and governed/controlled as one, typically referring to a conventional commercial company or corporation but may also mean partnerships, charities and not-for-profits, (parts of) governments and agencies, groups, clubs, teams etc.  “Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.  Note: the concept of organisation includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private” (ISO/IEC 27000).

OSINT
(Open Source INTelligence), OSIG
(Open Source Intelligence Gathering)

Prior to attacking, hackers, social engineers and pentesters can often obtain pertinent information concerning a target from public domain sources, such as web pages, social media and other materials openly and innocently published by the target, plus official records.  See also HUMINT, SIGINT, COMINT and ELINT.

OT
(Operational Technology)

IT (principally SCADA/ICS) used to operate, manage, monitor and control the operation of industrial plant and machinery, as opposed to IT used for business and commercial administration (accounting, email etc.).  Uptime (availability, resilience, capacity and performance) is a major concern, plus health and safety.  See also IIoT.

OTA
(Online Trust Alliance)

Industry body representing the commercial interests of a group of vendors of things.  The name of the group is somewhat ironic given the appalling lack of security in IoT at present, and widespread distrust of the vendors responsible.

Outage

ICT or information service interruption caused either by a planned activity (such as scheduled maintenance) or an unplanned incident (such as a blackout, DDoS attack, bug or equipment failure).

Outbreak

A rapidly-spreading malware incident, analogous to an escalating biological viral or bacterial infection that puts the authorities on high alert.  See also Warhol worm.

Out-of-band

A distinct, alternative or unconventional communication path, channel, vehicle or mechanism pre-arranged between the parties that can be used as a secure, trustworthy route e.g. to exchange cryptographic keys, PIN codes or passwords, or to validate exceptional instructions.  Alternatively, a means to maintain or re-establish contact under emergency conditions when the primary in-band communications are down, to coordinate responses to a serious incident or disaster.  “Communication or transmission that occurs outside of a previously established communication method or channel” (ISO/IEC 27040).

Outsider

Anyone other than the organisation’s employees such as third party employees, members of the public, suppliers, customers etc.  Generally considered less trustworthy than employees, although arguably that is the information security equivalent of xenophobia.

Outsource, outsourcing

Using services provided by another organisation rather than the organisation’s own employees and resources, generally for cost reasons but specialist outsourcers tend to be more competent and capable as well as efficient.  “[Verb] Make an arrangement where an external organisation performs part of an organisation’s function or process.  Note: an external organisation is outside the scope of the management system, although the outsourced function or process is within the scope” (ISO/IEC 27000).  “Acquisition of services (with or without products) in support of a business function for performing activities using supplier’s resources rather than the acquirer’s” (ISO/IEC 27036-1).

Overpayment fraud

The fraudster plausibly claims to have accidentally paid or overpaid the victim, asking them to repay or forward the amount less a percentage for themselves as an inducement.  However, when the original payment is subsequently found to have been fraudulent and is retracted or nullified by the bank (perhaps weeks or months later), the victim is left out of pocket.

Over provisioning

“Technique used by storage elements and storage devices in which a subset of the available media is exposed through the interface.  Note: Storage media is used internally and independently by the storage element to improve performance, endurance, or reliability” (ISO/IEC 27040).

Oversight

(a) Various forms of supervision and inspection used to ensure that important information security activities and controls are operating properly, and to identify any anomalies.  (b) Forgetfulness, carelessness, neglect or incompetence, typically leading to errors, omissions and other information security incidents.

Own, owner, ownership

Beyond mere possession, ownership of something generally confers legal and social rights and expectations on its owner, for example the right to control and restrict its use, and to benefit from its value.

PaaS
(Platform as a Service)

Form of cloud computing service providing customers with access to Internet-based virtual systems pre-loaded with operating systems and middleware managed by the service provider, on which they can load customer applications.  The service provider’s responsibilities, including the information security aspects, cover everything beneath the customer applications (e.g. guest operating system security patching), while the customer remains responsible for the applications themselves, their data and their configuration.  See also IaaS and SaaS.

Packet

Network datagram or message, normally containing data, addressing/routing information and control information used to protect its integrity in transit.

Packet filter

First generation firewalls examined each network packet individually (by source and destination address, port and protocol flags) to decide whether to block it, with no memory of the connection it belonged to.  Simply fragmenting unauthorized content across multiple packets, or crafting packets that looked like replies to an existing connection, was often sufficient to bypass such crude security checks.  Cf. stateful firewall.
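
An added example, not code from the glossary, illustrating the fragmentation bypass described above: a stateless filter judges each packet's payload on its own, whereas a filter that reassembles the TCP stream per connection sees the forbidden pattern even when it is split across segments.  The packet model, the addresses (RFC 5737 documentation range), the flow tuple and the forbidden string are all constructed for the example.

```python
"""Stateless packet filter versus a stream-reassembling filter.

Added example, not from the glossary.  Shows why a first-generation packet
filter that inspects each packet in isolation can be evaded by splitting a
forbidden pattern across two packets, and why per-connection reassembly
is not.  Packets are modelled as plain Python objects; addresses, the flow
and the forbidden payload pattern are constructed.
"""
from dataclasses import dataclass
from collections import defaultdict

FORBIDDEN = b"cmd.exe"    # constructed example of content the policy blocks
FLOW = ("10.0.0.5", 40000, "192.0.2.10", 80)   # constructed (src, sport, dst, dport)


@dataclass
class Packet:
    flow: tuple     # identifies the TCP connection the segment belongs to
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def stateless_filter(packets):
    """First-generation behaviour: judge every packet on its own payload only."""
    return [p for p in packets if FORBIDDEN not in p.payload]


class ReassemblingFilter:
    """Per-flow stream reassembly: buffer segments in sequence order and match
    the pattern against the reassembled byte stream, not the single segment."""

    def __init__(self):
        self.streams = defaultdict(dict)   # flow -> {seq: payload}
        self.blocked_flows = set()

    def _reassemble(self, flow):
        segs = self.streams[flow]
        return b"".join(segs[s] for s in sorted(segs))

    def filter(self, packets):
        passed = []
        for p in packets:
            if p.flow in self.blocked_flows:
                continue                     # connection already judged hostile
            self.streams[p.flow][p.seq] = p.payload
            if FORBIDDEN in self._reassemble(p.flow):
                self.blocked_flows.add(p.flow)   # drop the completing segment and the rest
                continue
            passed.append(p)
        return passed


def demo():
    # The attacker splits "cmd.exe" across two segments of one HTTP request.
    split = [Packet(FLOW, 1, b"GET /?f=cmd."), Packet(FLOW, 13, b"exe HTTP/1.0\r\n")]
    whole = [Packet(FLOW, 1, b"GET /?f=cmd.exe HTTP/1.0\r\n")]
    return {
        "stateless_blocks_whole": len(stateless_filter(whole)) == 0,
        "stateless_blocks_split": len(stateless_filter(split)) < 2,
        "reassembly_blocks_split": len(ReassemblingFilter().filter(split)) < 2,
    }


if __name__ == "__main__":
    print(demo())
```

The reassembling filter still forwards the first segment before it can know the stream is hostile; real stateful inspection engines accept that and reset the connection when the pattern completes, which is why the evasion only buys the attacker a partial request.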

Packing, packer

Hacker or VXer term for a code obfuscation technique or tool which compresses or encrypts the executable code of a program and prepends a small stub that decodes it in memory at runtime.  Since the stored bytes no longer resemble the original code, simple pattern-matching signature detection against the packed file is ineffective as an antivirus technique; scanners counter this by unpacking or emulating the stub before matching.

Padcrypt

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

Padlock

Physical lock where the shackle can be displaced and rotated away from the hull when unlocked with the correct key or lock-picked e.g. using a shim.

PAN
(Primary Account Number)

Finance industry term for a payment card number: the 13 to 19 digit (typically 16) identifier normally embossed or printed on a payment card.  The leading digits (the BIN or IIN, originally six digits, now eight) identify the card issuer, the middle digits identify the cardholder’s account and the final digit is a Luhn check digit.  PCI DSS requires the PAN to be rendered unreadable (e.g. truncated, masked, hashed or encrypted) wherever it is stored.

Pandemic

A global epidemic, such as COVID19 – one of a class of major incidents with serious repercussions for the entire global economy.

Paper wall

See Chinese wall.

Parkerian hexad

In 1998, information security guru Donn Parker extended the classic CIA triad with three additional concepts, namely possession/control, authenticity and utility.

Partitioning

(a) Separation of bare metal and host operating system resources between guest systems in virtualisation.  (b) Separation of networks, physical areas etc. into segments or zones with differing risks and controls, an application of the information security principles of classification and access control.

PAS 1192
(Publicly Accessible Specification № 1192)

Multi-part UK standard concerning (in part) the security of information concerning the design and construction of smart buildings and other physical facilities.  Freely downloadable from the BSI Shop.

Passable

A forged, fake or counterfeit item that resembles the genuine article closely enough to be accepted as original, hence allowing it to be ‘passed’ (e.g. passable counterfeit banknotes are likely to be accepted by shopkeepers).

Pass card

See access card.

Passphrase

A confidential phrase, sentence, saying, song, poem etc. that is either used directly as a long and hence strong password, or is used as a prompt to recall one (e.g. forming a nonsense password from the initial letters of the words in a memorable song or poem) or to open a password vault.

Pass The Hash

Hacking technique that exploits authentication protocols (notably Windows NTLM) in which the stored password hash itself, rather than the password, is the secret used to compute the logon response.  An attacker who obtains a user’s hash (e.g. from the memory of a compromised system, or from a stolen SAM or NTDS.DIT database) can therefore authenticate as that user without first determining the corresponding password by brute force or dictionary attack.  See also credential.
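
An added example, not code from the glossary, modelling the protocol weakness described above.  The server stores H(password) and the client proves knowledge of it by returning HMAC(H(password), challenge); because the hash is the key, whoever holds the hash can answer the challenge without ever learning the password.  SHA-256 stands in for the MD4-based NT hash, the real NTLM message formats are omitted, and the account name and password are constructed.

```python
"""Why a stolen password hash is a password-equivalent credential.

Added example, not from the glossary.  Models a challenge-response logon in
the style of NTLM: the server stores H(password) and the client proves
knowledge of it with HMAC(H(password), challenge).  SHA-256 stands in for
the MD4-based NT hash; real NTLM message formats are omitted.  The user
name and password are constructed.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password, unsalted)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side: the response depends only on the hash and the challenge."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, accounts: dict):
        self.accounts = accounts          # username -> stored password hash

    def challenge(self) -> bytes:
        return os.urandom(16)             # fresh nonce per logon attempt

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = compute_response(self.accounts[user], challenge)
        return hmac.compare_digest(expected, response)


def legitimate_logon(server: Server, user: str, password: str) -> bool:
    c = server.challenge()
    return server.verify(user, c, compute_response(password_hash(password), c))


def pass_the_hash(server: Server, user: str, stolen_hash: bytes) -> bool:
    """The attacker never calls password_hash(): the stolen hash is enough."""
    c = server.challenge()
    return server.verify(user, c, compute_response(stolen_hash, c))


def demo():
    accounts = {"alice": password_hash("correct horse battery staple")}  # constructed
    srv = Server(accounts)
    stolen = accounts["alice"]       # e.g. dumped from LSASS memory or a SAM backup
    return {
        "legit": legitimate_logon(srv, "alice", "correct horse battery staple"),
        "wrong_password": legitimate_logon(srv, "alice", "Password1"),
        "pass_the_hash": pass_the_hash(srv, "alice", stolen),
    }


if __name__ == "__main__":
    print(demo())
```

The defence is not a stronger hash function but preventing hash theft and reuse: protecting the credential store and LSASS (e.g. Credential Guard), unique local administrator passwords, and restricting where privileged accounts log on.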

Password

A confidential string of characters (ideally not a recognizable word or phrase) which can authenticate a person or system as a response to a challenge.  A type of credential.  Vulnerable to dictionary and brute force guessing attacks, especially if too short or obvious, to reuse across systems, and to being disclosed inappropriately (e.g. due to ignorance, carelessness, phishing, social engineering or coercion).  Systems should store passwords only as salted, deliberately slow hashes rather than in plaintext or reversible form.

Password synchronisation

A crude way to reduce the burden of having to recall numerous passwords for different systems is to set an identical password on them all, but naturally if the password is compromised, all the systems are at risk of being accessed improperly.  Deprecated in favour of more sophisticated Single Sign On or password vaults.

Password vault

Trusted program and/or hardware designed to store passwords, cryptographic keys, PIN codes, user IDs and other credentials or highly confidential pieces of information securely (meaning encrypted using a key derived from the one strong password that the user must remember), and regurgitate them on demand by the authorized user when logging-on to the relevant systems or websites.  Good password vaults help the user generate much stronger (i.e. longer and more random) passwords or passphrases than anyone other than a memory freak can manage and store reliably in their heads, limited only by the constraints of the target systems.  Bad password vaults may be rogue software, Trojans or spyware, and may have design flaws and bugs creating security vulnerabilities; since the master password protects everything, it also becomes a single point of failure worth defending with multifactor authentication.

Patch, patching

Implementation of piecemeal changes to computer programs, for example to fix bugs or design flaws causing security vulnerabilities.  A patch may replace one or more broken parts within executable software (such as subroutines, functions or single lines of code) or may replace complete programs within a software package.  However, unlike version updates, patches seldom offer additional functionality.  Occasionally as a result of inadequate quality assurance, they may even cause additional problems, requiring further corrections (more patches!) or workarounds.

Patch cable

“A metallic (copper) or fibre optic cable used for routing signals between two components in an enclosed container or rack” (NZ information Security Manual).

Patch panel

“A group of sockets or connectors that allow manual configuration changes, generally by means of connecting cables to the appropriate connector.  Cables could be metallic (copper) or fibre optic” (NZ information Security Manual).

Patent

Legal protection for novel inventions that have been properly registered with the relevant patent authorities.  A form of intellectual property right.  Patent laws typically offer protection for 15-20 years depending on the jurisdiction and the type of invention (e.g. the US treats design, utility and plant patents separately).

Patent troll

An organisation that assertively threatens legal action as a means to coerce other organisations into paying weighty fees for the right to continue using designs and methods for which it holds the patents or other intellectual property rights.  Depending on one’s perspective, they are either legitimately exercising their ownership rights, or warty sleaze balls covered in putrid slime.

Patsy

See target.

Payload

The functional part (the ‘business end’) of malware that performs the unauthorized actions such as deleting or modifying files, encrypting data for ransom, stealing secrets etc., as distinct from the code that delivers, installs or conceals it.

Paywall

Some commercial information providers restrict access to their intellectual property through the Internet, requiring visitors to register and pay for the information.  Visitors seeking the information are generally stonewalled by a user logon/registration screen requiring them to identify and authenticate themselves, while some sites offer sneak previews of the information to entice visitors to register and pay up for access permission.

PCI DSS
(Payment Card Industry
Data Security Standard)

Information security standard for organisations that store, process or transmit payment card data (merchants, service providers, acquirers and issuers), maintained by the PCI Security Standards Council and imposed by the major card brands through contractual obligations plus compliance and enforcement actions (fines, higher fees, loss of the right to accept cards) to limit their liabilities, protect the global payment card infrastructure and (perhaps) improve security.

PDB
(President’s Daily Brief)

A US intelligence/security services online briefing to keep the President and close aides informed.  Or possibly a policy about regularly changing one’s underwear, who knows?

PDoS
(Permanent Denial of Service)

See bricking.

Pen register,
trap and trace

Originally, an electro-mechanical device used by the authorities to monitor a phone line, recording on paper the electrical pulses denoting the number when someone makes or receives a call.  Although the term is still used, electromechanical plotters have long since been superseded by covert electronic recording devices (which generally store both the addressing information and the audio stream) and by direct access to the telephone companies’ call routing/charging systems.

Penetration

See intrusion.

Penetration test,
pentest

Officially authorized/sanctioned/requested and hence legitimate test of an organisation’s information security controls by competent and trustworthy experts, performed under agreed rules of engagement defining the scope, timing and constraints.  A form of risk identification, analysis and evaluation.  The scope of a given pentest may include or exclude checks of network, physical, procedural and/or other information security controls and specific systems, locations etc.

Peripheral

“Device attached to a digital device in order to expand its functionality” (ISO/IEC 27037).

Perfect forward secrecy
(PFS),
perfect forward security

Property of a key-establishment protocol whereby each session is protected by ephemeral keys that are discarded after use and cannot be derived from the parties’ long-term keys, so that later compromise of a long-term private key does not expose previously recorded sessions (e.g. the ephemeral Diffie-Hellman exchanges mandated in TLS 1.3).  “Additional security for security associations in that if one security association is compromised subsequent security associations will not be compromised” (NZ information Security Manual).

Performance

(a) The speed at which a computer system, network, team etc. operates, affecting the services delivered.  ICT equipment with insufficient capacity for the load performs badly, affecting availability (e.g. partially or completely failing) and perhaps exposing other information security vulnerabilities when under extreme stress.  “Measurable result.  Notes: performance can relate either to quantitative or qualitative findings; performance can relate to the management of activities, processes, products (including services), systems or organisations” (ISO/IEC 27000).  (b) The plausible scenario played out by a social engineer in order to fool a victim into falling for their pretext.

Perimeter

The outermost physical and/or logical boundary around a collection of assets, such as the outer edge of a site or facility, or a network boundary partitioning or dividing the organisation’s internal network from the Internet and other external networks.  May or may not be demarcated.

Peripheral switch

“A device used to share a set of peripherals between a number of computers” (NZ information Security Manual).

Permission

Authorisation to do something.  For example, a data subject may give or withhold their permission to a third party to use their personal information for stated or unstated purposes.  A program may or may not have permission to access protected areas of memory.  See also access right and privilege.

Permit,
consent

[Verb] To allow or authorize.  [Noun] Document or credential from an authority confirming that someone has their permission, authorizing them to do something, go somewhere etc.  Cf. forbid.

Permutation

See transposition.

Perpetrator, “perp”

Person who (allegedly or actually) commits a crime.

Persirai

A species of IoT malware that infects particular web cameras, recruiting them to a botnet.  In the wild in 2017.

Persistence,
persistent

(a) Digital forensics term describing the way that data often remain accessible (meaning readable using the appropriate utilities or forensic tools) even after they have been deleted, due to the way they are stored on disk, tape or random access memory.  (b) A distinctive characteristic of successful hackers, spies, information security professionals and business people generally, who refuse to let minor setbacks prevent them from achieving their objectives.

Personal data breach

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (GDPR).

Personal information,
PII
(Personally Identifiable Information),
personal data

Information or data associated with an identifiable human that is considered valuable and/or sensitive/confidential, creating privacy implications.  [Note: specific terms are explicitly defined in laws and regulations with some significant differences between jurisdictions.  Data relating to dead people is classed as personal information in some but not all places, for instance, while certain types or items of personal information (such as sexual orientation) are deemed particularly confidential in some jurisdictions – see PHI for instance.]  “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (GDPR).

Personal firewall

Firewall application protecting an individual system or device against some network attacks.  Typically less sophisticated and capable than dedicated firewall appliances but can be tightly integrated with the operating system and hardware.  Adds another layer of protection.  “A software program that monitors communications between a computer and other computers and blocks communications that are unwanted” (NIST SP800-114 rev1).

Petya

An unusual species of ransomware, in the wild from 2016, that (given administrative privileges) surreptitiously rewrites the master boot record and encrypts the master file table so that the whole disk becomes inaccessible, rather than encrypting individual files.  Often distributed with Mischa, a conventional file-encrypting ransomware dropped instead when the privileges were refused.  Flaws in the original cryptosystem implementation allowed victims’ keys to be recovered, but later derivatives such as GoldenEye and the 2017 NotPetya wiper (which spread using the EternalBlue exploit and stolen credentials, and offered no workable decryption) were far more damaging.

PGP
(Pretty Good Privacy)

Email cryptosystem published by Phil Zimmermann in 1991 to the consternation of the US government.  Used the IDEA encryption algorithm for bulk encryption (with RSA protecting the session keys) and a distributed trust/reputation architecture that established a shared ‘web of trust’ between individuals rather than relying on Certification Authorities.  Evolved into OpenPGP.  See also S/MIME.

Pharming

Phishing-like fraud involving the manipulation of DNS (e.g. a poisoned resolver cache or hijacked domain registration) or other name resolution (such as the local hosts file or a device’s DNS server setting, altered by malware or through a compromised home router) to redirect users silently to fake websites that appear legitimate, while the browser displays the genuine address.  See also DNS poisoning.
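
An added example, not code from the glossary, of a simple detective control for the hosts-file variant described above: the resolver consults the hosts file before DNS, so one injected line is enough to redirect a bank’s hostname.  The check parses a hosts file and flags any watch-listed domain (or subdomain of one) mapped to an address that is not loopback.  The watch list, the hosts file content and the addresses are all constructed.

```python
"""Spotting hosts-file pharming: local overrides of sensitive domains.

Added example, not from the glossary.  Parses a (constructed) hosts file
and flags entries that map a watch-listed domain, or a subdomain of one,
to a non-loopback address.  Loopback mappings are ignored because
blocklists legitimately sinkhole unwanted hosts to 127.0.0.1.
"""
import ipaddress
from typing import Iterator, List, Optional, Tuple

WATCHLIST = {"bank.example", "mail.example"}   # constructed domains to protect

HOSTS = """\
# constructed hosts file for the example
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.1.1   workstation
203.0.113.9 www.bank.example bank.example      # injected by malware
192.0.2.44  login.mail.example
10.0.0.7    build.internal
"""


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")


def covered(name: str) -> Optional[str]:
    """Return the watch-listed domain that `name` equals or is a subdomain of."""
    for domain in WATCHLIST:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """(hostname, ip, watch-listed domain) for every override that is not loopback."""
    hits = []
    for ip, name in parse_hosts(text):
        domain = covered(name)
        if domain is None:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                       # malformed line; not a resolvable override
        if addr.is_loopback:
            continue                       # benign sinkhole, e.g. an ad blocklist
        hits.append((name, ip, domain))
    return hits


if __name__ == "__main__":
    for host, ip, domain in suspicious_entries(HOSTS):
        print(f"ALERT {host} -> {ip} overrides {domain}")
```

The same check belongs in endpoint monitoring alongside alerts on writes to the hosts file and on changes to the configured DNS servers, since those are the other two places a pharming attack lands on the client.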

PHI
(Protected Health Information)

Legally-defined US term for sensitive personal information relating to health.

Phishing

Fraud involving a combination of social engineering with technology (such as hyperlinks in plausible emails leading to fake user authentication web pages that resemble the logon screens of legitimate websites used as lures), normally used to harvest victims’ credentials (personal information, credit card numbers, passwords etc.) for identity theft and extortion, or to infect their systems with malware.  See also spear phishing, whaling and vishing.  “Deceptive computer-based means to trick individuals into disclosing sensitive personal information” (NIST SP800-114 rev1).

Phishing kit

A set of web pages and other tools used to perpetrate and manage phishing attacks.

PhishTank

A crowdsourced (community) service run by OpenDNS that collates suspected and confirmed phishing URLs suitable for blackholing.

Phrack

A popular magazine by and for the hacking community, sharing information about hacking techniques and exploits.  Published electronically since 1985, originally as text files circulated via bulletin board systems and later online.

Physical information security

Security controls designed to mitigate physical risks to tangible information assets, such as IT systems and data storage media, aiding the protection of the intangible information content. 

Physical (site) intrusion

Gaining unauthorized physical access to a site, premises, buildings, offices etc. by various means such as tailgating, social engineering of the receptionists/guards, masquerading as a legitimate worker or visitor, draining or breaking-and-entering (burglary or trespass).

Physical security

Protection of physical assets, locations, information storage media etc. by means of security controls such as locks, chains, walls, barriers, boundaries, perimeters, bollards, security guards, CCTV systems, intruder alarms, heat/smoke detectors and fire alarms, flood/water alarms, UPS, armour etc.

Physical security system

A managed suite of controls designed to address a number of physical security risks as a coherent and effective whole.

Piggybacking

See tailgating.

PIMS
(Privacy Information Management System)

An ISO management system or governance and management framework to control and protect personal information for privacy reasons.  See ISO/IEC 27701.

PIN
(Personal Identification Number),
PIN code,
combination

Weak numeric password or authentication code typically used by systems or locks with small numeric keypads or dials rather than full alphanumeric keyboards.  Having very low entropy, PINs in isolation are highly vulnerable to brute force attacks unless compensating controls (such as multifactor authentication and throttling) are applied.  Commonly used to authenticate the holder of security tokens such as bank cards and access cards, reducing the risk of someone simply using a lost or stolen card.

PIN mailer

Physical security arrangement to post initial PIN codes to customers in a tamper-evident form that reduces the possibility of them being illicitly viewed or copied en route.  Typically involves an opaque covering layer through which the PIN is printed by an impact printer.

PIR
(Passive Infra-Red detector)

Detector device that identifies the presence of people and other warm-blooded animals or machinery (such as motor vehicles) by the infra-red radiation they emit.  Commonly used to turn on lights when someone enters the room, trigger CCTV recording, or for intruder alarms.

Pirate

Someone who commits piracy e.g. by making, using, selling or otherwise distributing illegal copies of copyright material, whether deliberately or inadvertently.  May not have a wooden leg, eye-patch, parrot and/or hook.  May never have set sail, yo-ho-ho.  Might not even enjoy a tot of rum and sea-shanties but talks like a pirate every day.

Pivot point

See foothold.

PKI
(Public Key Infrastructure)

Asymmetric cryptographic system using public and private keys.  “The framework and services that provide for the generation, production, distribution, control, accounting and destruction of public key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, recover and revoke public key certificates” (CNSSI-4009).

Plagiarism,
plagiarist,
pond scum

Theft of information by copying, using or disseminating another person’s intellectual property, passing it off as the plagiarist’s own work without properly acknowledging, crediting or attributing it to the legitimate owner, let alone requesting their permission.  See also pirate.

Plaintext,
cleartext

Intelligible, readable and meaningful text, such as this sentence, or in fact other forms of information in unencrypted form.  Cf. cyphertext.  “The original, intelligible text, as it was before encipherment, revealed after successful decoding or cryptanalysis” (source: A Lexicon of Cryptography, Bletchley Park, 1943).

Plausible deniability

Situation that allows a culprit to repudiate or deny knowledge of something untoward they have done or been involved in, in such a way that their denial is credible.  Some cryptosystems distribute encrypted data among random junk and sections of separately-encrypted sacrificial text, allowing the user under pressure to disclose the key needed to decrypt the sacrificial text while maintaining innocence of the remainder which remains encrypted with a different key.  Cf. non-repudiation.

Playfair system

Encryption algorithm invented in 1854 by Sir Charles Wheatstone (of Wheatstone bridge fame – clever bloke!) and demonstrated to Baron Playfair, who promoted it.  It substitutes pairs of letters (digraphs) using a 5x5 key square rather than single letters, which blunts simple single-letter frequency analysis and is why it is sometimes described as an early block cypher.

Plenum

Pressurized void used as a duct to direct conditioned air into an office, computer room etc.  The possibility of smoke and flames spreading rapidly through the plenum emphasizes the need for fire safety (e.g. “low smoke” plenum cables, sensitive smoke detectors and interlocks).

PLM
(Probable Loss Magnitude)

One of the risk parameters in the FAIR method, PLM is an estimate of the impact of incidents affecting the information assets under analysis.  See also CS, LEF, TCap and TEF.

Plug

The cylindrical core of a cylinder lock which can rotate when the correct key is inserted into the keyway.

POD
(Personally Owned Device)

ICT equipment that legally belongs to an individual (as opposed to being owned by the organisation) but is used for work purposes under BYOD.  Laptops, tablet PCs and cellphones are typical examples.

Point of Contact
(POC)

“Defined organisational function or role serving as the coordinator or focal point of information concerning incident management activities” (ISO/IEC 27035-1 DRAFT).

Point of encryption

“Location within the Information and Communications Technology (ICT) infrastructure where data are encrypted on its way to storage and, conversely, where data are decrypted when accessed from storage.  Note 1: The point of encryption is only applicable for data at rest” (ISO/IEC 27040).

Policy

(a) Overriding statement of authority by management defining high level expectations such as what workers must or must not do under certain circumstances.  Clarifies business and/or control objectives through broad statements of intent (axioms).  Normally supported by more detailed standards, procedures and guidelines that explain how the objectives are to be fulfilled.  “Intentions and direction of an organisation as formally expressed by its top management” (ISO/IEC 27000).  (b) Insurance contract defining the coverage, insured amounts, terms and conditions, and the premium.

Polyalphabetic

Cryptographic substitution algorithm that draws on substitute characters from more than one alphabet/sequence, cycling through them according to a key (e.g. the Vigenère cypher), so that a given plaintext letter is not always replaced by the same cyphertext letter, frustrating simple frequency analysis.  Once the key length is recovered (e.g. by the Kasiski examination or the index of coincidence), each position in the cycle can nevertheless be attacked as a simple substitution.
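
An added example, not code from the glossary, showing the effect described above on a constructed English passage.  A Caesar shift (one alphabet) leaves the text’s index of coincidence untouched (about 0.065 for English), while a Vigenère cypher (one alphabet per key letter) pushes it towards the 0.038 of random letters; slicing the cyphertext by key position brings the high value back, which is the first step of the classical attack.  The plaintext and the key are constructed.

```python
"""Monoalphabetic versus polyalphabetic substitution under frequency analysis.

Added example, not from the glossary.  Applies a Caesar shift and a
Vigenère cypher to the same constructed plaintext and compares the index
of coincidence (IC: the chance that two letters drawn from a text are
equal).  A monoalphabetic cyphertext keeps the plaintext's IC exactly; a
polyalphabetic one flattens it towards random text.  Splitting the
cyphertext by key position recovers the high IC.  Plaintext and key are
constructed.
"""
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
KEY = "WHEATSTONE"            # constructed 10-letter key


def clean(text: str) -> str:
    """Keep letters only, upper-cased, as classical cyphers do."""
    return "".join(c for c in text.upper() if c in ALPHA)


def caesar(text: str, shift: int) -> str:
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] for c in clean(text))


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the key letter at the same position modulo the key length."""
    key = clean(key)
    out = []
    for i, c in enumerate(clean(text)):
        k = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(c) + (-k if decrypt else k)) % 26])
    return "".join(out)


def index_of_coincidence(text: str) -> float:
    n = len(text)
    return sum(f * (f - 1) for f in Counter(text).values()) / (n * (n - 1))


def key_columns(cyphertext: str, period: int):
    """Slice the cyphertext into the sub-texts enciphered with the same key letter."""
    return [cyphertext[i::period] for i in range(period)]


PLAINTEXT = clean("""
A simple shift cypher replaces every letter of the message with the letter a fixed
number of places further along the alphabet. Because the same plaintext letter always
becomes the same cyphertext letter, the most frequent symbol in a long cyphertext
almost always stands for the letter E, the next for T and A, and the whole message
falls to a frequency count within minutes. A polyalphabetic cypher uses a different
shift for each position in the key, so the count for each plaintext letter is spread
across several cyphertext letters and the peaks that frequency analysis depends upon
are flattened, although the key length can still be recovered and each position
attacked as a simple substitution.
""")


def demo():
    mono = caesar(PLAINTEXT, 3)
    poly = vigenere(PLAINTEXT, KEY)
    cols = key_columns(poly, len(KEY))
    return {
        "ic_plain": index_of_coincidence(PLAINTEXT),
        "ic_mono": index_of_coincidence(mono),
        "ic_poly": index_of_coincidence(poly),
        "ic_columns_mean": sum(map(index_of_coincidence, cols)) / len(cols),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

Trying each candidate period and looking for the one whose columns all show an English-like IC is exactly how the key length is recovered before each column is solved as a Caesar shift.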

Polymorphic

Type of malware which changes its code (morphs or mutates) as it infects successive systems/files, making reliable detection by signature identification, and disinfection, somewhat challenging.
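
An added example, not code from the glossary, serving both the Packing/packer entry above and this Polymorphic entry.  A toy packer XOR-encodes a payload with a random key and prepends a stub marker and the key, so every packed copy has different bytes and a static byte signature of the payload never matches the stored file, although a scanner that recognises the stub and unpacks (as an emulator would) finds it.  The payload, the signature and the stub marker are constructed strings, not real malware.

```python
"""Signature evasion by packing and per-copy (polymorphic) re-keying.

Added example serving the Packing and Polymorphic entries; not from the
glossary.  A toy packer XOR-encodes a payload with a fresh random key,
prepends a stub marker plus the key, and so produces a different file
every time.  The payload and signature are constructed strings.
"""
import os

PAYLOAD = b"@echo off\r\ndel /q %USERPROFILE%\\*.doc\r\n"   # constructed stand-in
SIGNATURE = b"del /q %USERPROFILE%"                        # the bytes the scanner looks for
STUB = b"PACK1"                                            # marks a packed file


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key_len: int = 8) -> bytes:
    """Each call picks a fresh key, so every packed copy differs (polymorphism)."""
    key = os.urandom(key_len)
    return STUB + bytes([key_len]) + key + xor(payload, key)


def unpack(blob: bytes) -> bytes:
    """What the packed program's stub does at runtime, or an emulator does for analysis."""
    if not blob.startswith(STUB):
        raise ValueError("not a packed blob")
    n = blob[len(STUB)]
    key = blob[len(STUB) + 1: len(STUB) + 1 + n]
    return xor(blob[len(STUB) + 1 + n:], key)


def static_scan(blob: bytes) -> bool:
    """Pattern-matching scanner: looks for the signature in the file as stored."""
    return SIGNATURE in blob


def emulating_scan(blob: bytes) -> bool:
    """Scanner that recognises the stub, unpacks, then matches the signature."""
    return SIGNATURE in (unpack(blob) if blob.startswith(STUB) else blob)


def demo():
    a, b = pack(PAYLOAD), pack(PAYLOAD)
    return {
        "copies_differ": a != b,                    # no stable bytes to sign
        "static_detects_plain": static_scan(PAYLOAD),
        "static_detects_packed": static_scan(a),
        "emulator_detects_packed": emulating_scan(a),
        "roundtrip_ok": unpack(a) == PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())
```

Real packers use compression or stream ciphers and obfuscate the stub itself, but the lesson is the same: detection has to key on behaviour or on the unpacked image in memory, which is why antivirus products emulate or hook execution rather than trusting file-level signatures alone.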

Polyransom

Highly polymorphic species of ransomware, in the wild in 2015. 

Pony

A family of credential-stealing Trojan malware (also known as Fareit), in the wild since 2013 when the source code was released.  Typically propagated using social engineering and also used as a downloader to deliver further malware.

POODLE
(Padding Oracle On Downgrade Legacy Encryption)

Contrived name of a MITM attack (disclosed in 2014) on encrypted web connections: the attacker forces a vulnerable client and server to fall back to SSL 3.0, an insecure deprecated cryptosystem, then exploits its weak CBC padding check as a padding oracle to decrypt parts of the traffic (such as session cookies) a byte at a time.  Mitigated by disabling SSL 3.0 and by the TLS_FALLBACK_SCSV mechanism that prevents silent downgrades.  See also DROWN and Heartbleed.

POP3
(Post Office Protocol 3)

Third generation protocol for collecting email from a mail server.  By default, POP3 sends users’ logon credentials to the mail server in plaintext, making them vulnerable to interception as they transit the network (unless TLS is used) or while on the client or server systems.  Deprecated in favour of IMAP.

Port

Notional point of origin or destination of network traffic, like a doorway onto the network.  “Endpoint to a connection.  Note: In the context of the Internet protocol a port is a logical channel endpoint of a TCP connection or UDP messages.  Application protocols which are based on TCP or UDP have typically assigned default port numbers, e.g. port 80 for HTTP.” (ISO/IEC 27033-1).

Port scan,
port scanning

Systematic process for identifying and characterizing open network ports, typically by sending connection requests (TCP) or datagrams (UDP) to each port of a target and classifying the responses as open, closed or filtered.  Used legitimately in pentests and vulnerability scanning, and by attackers during reconnaissance.
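
An added example, not code from the glossary, of the simplest form of port scan: a full TCP connect() scan that classifies each port as open (handshake completes), closed (connection refused) or filtered (no answer within the timeout, typically a firewall dropping the SYN).  To run offline it starts its own listener on 127.0.0.1 and scans a small range around it; the host and port range are constructed.

```python
"""Minimal TCP connect() port scanner, run offline against a local listener.

Added example, not from the glossary.  Classifies ports as open, closed or
filtered from the outcome of a full TCP connection attempt.  Starts its
own listener on 127.0.0.1 so that the scan has something to find; the
host and the scanned range are constructed.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one port by attempting a full TCP connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                    # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"                  # host answered with RST
        except (socket.timeout, OSError):
            return "filtered"                # no answer (or unreachable): treat as filtered


def scan(host: str, ports, workers: int = 32) -> dict:
    """Scan ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: probe(host, p), ports)))


def start_listener(host: str = "127.0.0.1"):
    """Bind an ephemeral port and accept in the background; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break                        # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def scan_local_demo():
    """Start one listener, scan 20 ports around it, report which were open."""
    srv, port = start_listener()
    try:
        results = scan("127.0.0.1", range(port - 10, port + 10))
    finally:
        srv.close()
    return port, sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    port, open_ports = scan_local_demo()
    print(f"listener on {port}; open ports found: {open_ports}")
```

A connect() scan completes the handshake and is therefore logged by the target application; SYN (half-open) scans and service fingerprinting, as in nmap, are the usual next steps but need raw sockets and privileges.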

PoSeidon

Species of POS memory-scraping malware in the wild in 2016.  Includes keylogging and other capabilities.

Positive vetting,
Positively Vetted
(PV)

Even more stringent, in-depth, high-assurance and potentially intrusive form of background checks than ordinary security clearance, typically required for people appointed to highly trusted secret service positions and others with access to highly classified information.  May involve polygraph tests or discreet surveillance on the person and similar in-depth checks on their family members, social networks, personal ICT equipment etc.

POS memory-scraping malware

Type of Trojan that covertly captures, encrypts and stores plaintext payment card information (magnetic stripe track data and PANs) from the working memory of infected Point Of Sale systems, where the data are momentarily unencrypted as sales are processed even if they are encrypted on disk and in transit.  The encrypted data files may then be sent through the Internet to be exploited by criminals through identity fraud etc.  A specific application of memory-scraping malware.
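
An added example, not code from the glossary, serving both the PAN entry and this one: the same logic underlies memory-scraping malware and the defensive DLP or memory scanners that hunt for card data, namely find 13-19 digit runs, discard anything that fails the Luhn check digit, and report the BIN.  The ‘process memory’ buffer is constructed; the two card numbers in it are well-known test numbers that pass Luhn but belong to no real account.

```python
"""Finding payment card numbers in a memory buffer: Luhn-validated PAN scan.

Added example serving the PAN and POS memory-scraping entries; not from
the glossary.  Looks for 13-19 digit runs in a buffer, keeps only those
with a valid Luhn check digit, and reports offset, masked PAN and BIN.
The buffer and the test PANs are constructed.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check: from the right, double every second digit, sum the digits, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")   # digit runs not embedded in longer runs


def find_pans(buf: bytes):
    """Return (offset, masked_pan, bin) for every Luhn-valid 13-19 digit run."""
    hits = []
    for m in PAN_RE.finditer(buf):
        digits = m.group(1).decode()
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append((m.start(1), masked, digits[:6]))
    return hits


# Constructed 'process memory': terminal data, a timestamp and an order number
# (digit runs that fail Luhn), track-1 data with a test PAN, and a second test PAN.
MEMORY = (b"\x00\x00TERM=0042;TS=20230412093000;ORDER=1234567890123;"
          b"%B4111111111111111^DOE/JOHN^2512101?\x00"
          b"amount=19.99;pan=5555555555554444\x00junk\xff\xfe")


if __name__ == "__main__":
    for offset, masked, bin_ in find_pans(MEMORY):
        print(f"offset {offset}: {masked} (BIN {bin_})")
```

The Luhn filter is what keeps the false-positive rate usable on real memory, which is full of timestamps, counters and identifiers of similar length; point-to-point encryption at the card reader is the control that removes the plaintext from POS memory altogether.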

Possibility

A low but non-zero value of probability.  Generally something considered unlikely but conceivable, as opposed to literally impossible or inconceivable.  A remote possibility is even less likely to occur but it still cannot be totally discounted.  A distinct possibility is more likely to occur and hence ought to be addressed.

Potential digital evidence

“Information or data, stored or transmitted in binary form, which has not yet been determined, through the process of examination and analysis, to be relevant to the investigation. Note: The process of analysis determines which of the potential digital evidence is digital evidence” (ISO/IEC 27042).

Potentially Unwanted Program (PUP),
Potentially Unwanted Software (PUS),
Potentially Unwanted Application (PUA),
grayware, greyware

Software of dubious value, potentially a threat to the person using the computer, such as adware.  Antivirus companies use such politically correct terms mostly to avoid overtly accusing the authors and distributors of having malicious intent as implied by terms such as malware, spyware etc. (and the associated risk of litigation), and partly to acknowledge that some users presumably find the software worthwhile.

Power cut

See blackout.

Power ratio,
Signal to Noise Ratio
(SNR)

“Measure that compares the level of a desired signal to the level of background noise.  Note: It is defined as the ratio of signal power to the noise power” (ISO/IEC 27033-6).

PowerGhost

Species of cryptominer malware, in the wild in 2018, based on PowerShell scripts.

PowerShell

Powerful scripting language and shell built in to the Microsoft Windows operating system (and available for other platforms), intended to automate systems management tasks.  Built on .NET.  Being a trusted, signed component with full access to the .NET framework, WMI and the network, PowerShell is widely abused by attackers and malware to run malicious code in memory without dropping files on disk, although script block logging, constrained language mode and AMSI give defenders some visibility and control.  See also fileless malware, PowerGhost, Powersploit and WMI.

Powersploit

Hacking/penetration testing tool comprised of PowerShell scripts.

Power Worm

A species of ransomware in the wild that evidently contains a bug or flaw which corrupts as well as encrypts the victim’s data, making the information irretrievable even if the ransom is paid.  Nasty.

PQC (Post-Quantum Cryptography)

The public key cryptography in use today (RSA, Diffie-Hellman and elliptic curve systems), plus the encrypted messages and digital signatures currently circulating and being recorded, will become vulnerable to novel cryptanalytical techniques (Shor’s algorithm) once sufficiently large and reliable quantum computers exist (anticipated within the next 10-15 years, although estimates vary widely); symmetric cyphers and hashes are merely weakened, calling for longer keys.  PQC techniques run on classical computers but are designed to resist quantum computer cryptanalysis.  NIST published its first PQC standards (FIPS 203, 204 and 205) in August 2024, allowing for a planned migration.

PRAGMATIC
(Predictive, Relevant, Actionable, Genuine, Meaningful, Accurate, Timely, Independently verifiable,
Cost-effective)

Mnemonic for nine valuable characteristics of metrics, providing a rational basis on which to assess, score, compare, select and improve them.  See SecurityMetametrics.com.

Pre-action

Type of dry-pipe sprinkler system in which the pipes remain empty until a fire detector (e.g. smoke) opens a valve to fill them, and water is only discharged when a sprinkler head is also activated by heat.  Used in computer rooms to reduce the risk of accidental water damage from leaks or a single faulty head, while the delay gives people a chance to evacuate and perhaps fight the fire manually.

Predictive text

Some devices ‘guess’ your words as you are typing SMS/TXT messages but often make errors (integrity failures) which can be confusing, amusing and/or embarrassing if you don’t spot and correct them in time (e.g. homonyms and Spoonerisms).

Preservation

Keeping something in good condition, such as securing and protecting the integrity of forensic evidence, for example by analysing forensic disk image bit-copies made under tightly-defined and strictly-controlled circumstances (e.g. using  write-blockers) rather than directly examining the original disks (best evidence).  “Process to maintain and safeguard the integrity and/or original condition of the potential digital evidence” (ISO/IEC 27037).
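
An added example, not code from the glossary, serving both the Persistence (a) entry and this one.  A toy ‘disk’ keeps its directory in block 0 and file contents in later blocks; deleting a file removes only its directory entry, so the data persist until the block is reused.  The examiner hashes the acquired image before and after analysis (the guarantee a write-blocker provides in practice) and carves the deleted file back out by its header and trailer signatures.  The file system layout, the file contents and the signatures are all constructed.

```python
"""Deleted-but-persistent data, carved from an integrity-checked disk image.

Added example serving the Persistence (a) and Preservation entries; not
from the glossary.  A toy file system deletes by dropping the directory
entry only, so the content remains on 'disk'; the forensic workflow hashes
the image, carves the deleted file by signature, and re-hashes to show the
evidence was not altered.  Layout, contents and signatures are constructed.
"""
import hashlib

BLOCK = 64


class ToyDisk:
    """Directory in block 0 as 'name:start:len;' records; file data from block 1."""

    def __init__(self, blocks: int = 8):
        self.image = bytearray(BLOCK * blocks)
        self.next_free = 1

    def _entries(self):
        raw = bytes(self.image[:BLOCK]).rstrip(b"\x00").decode()
        return [e.split(":") for e in raw.split(";") if e]

    def _write_dir(self, entries):
        raw = "".join(f"{n}:{s}:{l};" for n, s, l in entries).encode()
        self.image[:BLOCK] = raw.ljust(BLOCK, b"\x00")

    def write(self, name: str, data: bytes):
        start = self.next_free
        self.image[start * BLOCK:start * BLOCK + len(data)] = data
        self.next_free += -(-len(data) // BLOCK)          # ceiling division
        self._write_dir(self._entries() + [[name, str(start), str(len(data))]])

    def read(self, name: str) -> bytes:
        for n, s, l in self._entries():
            if n == name:
                return bytes(self.image[int(s) * BLOCK:int(s) * BLOCK + int(l)])
        raise FileNotFoundError(name)

    def delete(self, name: str):
        """Like most file systems: drop the directory entry, leave the data blocks alone."""
        self._write_dir([e for e in self._entries() if e[0] != name])


def sha256(data: bytes) -> str:
    return hashlib.sha256(bytes(data)).hexdigest()


def carve(image: bytes, header: bytes, trailer: bytes):
    """Recover every header...trailer span from raw image bytes, ignoring the directory."""
    found, pos = [], 0
    while True:
        i = image.find(header, pos)
        if i == -1:
            break
        j = image.find(trailer, i)
        if j == -1:
            break
        found.append(bytes(image[i:j + len(trailer)]))
        pos = j + len(trailer)
    return found


def demo():
    disk = ToyDisk()
    secret = b"%PDF-1.7 constructed evidence: invoice paid twice %%EOF"
    disk.write("notes.txt", b"nothing to see here")
    disk.write("evidence.pdf", secret)
    disk.delete("evidence.pdf")              # the suspect 'destroys' the file
    acquired = bytes(disk.image)             # bit-copy taken through a write-blocker
    hash_before = sha256(acquired)
    try:
        disk.read("evidence.pdf")
        visible = True
    except FileNotFoundError:
        visible = False
    carved = carve(acquired, b"%PDF-", b"%%EOF")
    hash_after = sha256(acquired)            # re-hash to prove the image is unchanged
    return {"visible": visible, "carved": carved, "hash_unchanged": hash_before == hash_after}


if __name__ == "__main__":
    print(demo())
```

Carving works because deletion rarely wipes content; secure erasure (overwriting, or cryptographic erasure by destroying the key of an encrypted volume) is the control that defeats it, and the before/after hashes are what make the carved result admissible as a faithful copy of the original.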

Pretext,
pretexting

An invented but plausible scenario, justification or lie such as that used by a social engineer to persuade or coerce a victim to do their bidding, or a cover story for an act of vandalism, sabotage or cybertage.

Preventive action

“Action to eliminate the cause of a potential non-conformity or other undesirable potential situation” (ISO 9000).

Preventive control

Form of security control intended to block or prevent incidents from occurring, normally by reducing vulnerabilities (e.g. patching) but sometimes by reducing threats (e.g. deterrent controls).  See also detective and corrective control.

Principle

Fundamental philosophical basis for various information security axioms and controls.  Encapsulated in phrases such as default deny, defence in depth, shared responsibility and least privilege

Principles of separation
and segregation

“Systems architecture and design incorporating separation and segregation in order to establish trust zones, define security domains and enforce boundaries” (NZ information Security Manual).

Priority call

“Telecommunications made by specific terminals in the event of emergencies which should be handled with priority by restricting public calls. Note: the specific terminals may span different services (VoIP, PSTN, voice, IP data traffic, etc.) for wired and wireless networks” (ISO/IEC 27011).

PRISM

SECRET NSA electronic mass surveillance program, disclosed by whistleblower Ed Snowden in 2013.  Exploits legal rights of access to data held by US Internet companies such as Google, Yahoo!, Microsoft and Facebook.  See also BULLRUN.

Privacy

Under information protection laws, privacy may be defined narrowly in relation to a data subject’s legal right to control (permit or forbid) the release, disclosure, use, accuracy and retention of their personal information.  In common usage, however, privacy is a broader concept also encompassing freedom of expression, personal choice, personal space, ethics and morality, anonymity, trust, freedom from surveillance and state interference etc.

Privacy breech

Underwear designed to conceal the privates, maybe?   More likely a mis-spelling of privacy breach.

Privacy by default

Requirement under the GDPR (Article 25) that privacy and security (primarily confidentiality) should be the preferred, automatic state or option in systems, services and processes handling personal information.  For example, the most restrictive privacy settings should apply unless a user explicitly relaxes them.  An expression of opt-in.  See also privacy by design.

Privacy by design

Requirement being introduced by the GDPR that privacy should be an integral or inherent part of the design of new systems, services and processes handling personal information.  See also privacy by default.

Privacy Impact Assessment
(PIA)

An information risk assessment evaluating privacy breaches or incidents, emphasizing potential effects on the data subjects.

Privacy marking

“Used to indicate that official information has a special handling requirement or a distribution that is restricted to a particular audience” (NZ information Security Manual).

[EU-US] Privacy Shield

Privacy arrangements replacing Safe Harbor under which US organisations are permitted to gather and process personal information from Europe provided they formally commit to privacy.  Whereas this merely involves self-certification, the commitment is binding under US law.  It still falls short of GDPR though.

Private cloud

Cloud services provided through the Internet exclusively to a single organisation.  See also public and hybrid cloud.

Private key,
secret key

The secret member of a public-private key pair in an asymmetric cryptography system or PKI.  Unlike a shared key, once allocated a private key should never be disclosed to others.

Private network

“A private network is a network and infrastructure owned, managed and controlled by a single entity for its exclusive use.  This term includes networks used by private organisations, nongovernment organisations, state owned enterprises, or government departments, agencies and ministries.  If any part of the transmission path utilises any element of a public network, such as telecommunications or data services from a service provider that utilise any component of local, regional or national infrastructure, then the network is defined as a public network” (NZ information Security Manual).

Private property

Asset/s belonging to an individual person or organisation.  Cf. public property.  Despite the name, this has more to do with legal ownership rights than privacy.

Privilege

Attribute of certain user IDs, applications, functions etc. that allows certain logical access controls to be bypassed in order to execute functions that are normally forbidden to ordinary (non-privileged) users.  For example, a backup utility needs to copy every file to be backed up, even those that do not belong to the user running it.

Privilege escalation

See elevation of privilege.

Privileged user [rôle]

Whereas nonprivileged user rôles grant minimal rights of access to networks, systems and data for most users, privileged user rôles grant more powerful access rights that can bypass normal security controls and should therefore only be allocated to highly trustworthy workers with additional procedural and/or technical controls.  “A user that is authorized (and, therefore, trusted) to perform security relevant functions that ordinary users are not authorized to perform” (NIST Cybersecurity Framework).  “A system user who can alter or circumvent system security protections. This can also apply to system users who could have only limited privileges, such as software developers, who can still bypass security precautions.  A privileged user can have the capability to modify system configurations, account privileges, audit logs, data files or applications” (NZ information Security Manual).

Proactive security

See offensive security.

Probability,
chance

The chances of something such as an incident occurring, ranging between zero (meaning there is absolutely no possibility whatsoever) and one (it is absolutely certain).  Whereas probability is precisely defined in mathematics (e.g. occurrence within a defined timescale), vague terms such as likelihood, possibility, chance and luck are used informally in everyday language in reference to uncertainty, unpredictability, often implying the speaker’s inability to influence or determine the outcome (‘fate’).

Probe

Metaphorically poking at something to find out about it.  Hackers compose specific sequences of carefully-crafted packets hoping to reveal the network architecture, operating systems, application software and perhaps even software versions installed on target networks.  Social engineers use phone calls and emails to probe target organisations for naïve and vulnerable victims.  Prison, police and immigration officers don latex gloves to probe suspects for concealed contraband …

Probity

A person’s strong sense of ethics, honesty and trustworthiness.  An aspect of personal integrity.

Procedural control

See manual control.

Procedure

Description of a process.  Procedures are normally documented to explain processes to those who perform them, and are usually formalized through some form of management review, approval, endorsement and/or mandate to ensure suitability and improve control and repeatability of the processes. “Specified way to carry out an activity or a process” (ISO 9000).

Process, processing
[of information in general], execution

(a) A sequence of manual and/or automated activities intended to achieve a specific objective, function or outcome, normally as described in a procedure or protocol.  “Set of interrelated or interacting activities which transforms inputs into outputs” (ISO/IEC 27000).  “Set of activities that have a common goal and last for a limited period of time” (ISO/IEC 27043).  (b) A particular instance of a program currently running (executing) on a computer.

Processing
[of personal data]

“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (GDPR).

Processor
[of personal data]

“A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (GDPR).

Production environment, operational environment,
live systems

Operational ICT environment comprising ICT systems, networks, devices, data and associated processes supporting the business.  Cf. development or test environments.

Production file format

Required, usable file format for producing ESI.  “Organisation and representation of data and metadata that is presented to a requesting party” (ISO/IEC 27050-1).

Profiling

Process of researching, compiling, collating, cross-referencing and analysing information on a target to establish a profile, a set of characteristics.  “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” (GDPR).

Program library

Controlled directory or database containing machine-readable executable programs.  Cf. program source library.

Program Source Library
(PSL)

Controlled directory or database containing human-readable source code files.  Cf. program library.

Program-to-program

Type of balancing control used to ensure the integrity of information passed between programs.  For example, if one program outputs a data file containing 1,000 records and appends that count as an additional piece of control information, the next program should read the check value, count the records it actually receives and confirm that precisely 1,000 arrived, or else halt further processing and flag an error.

Programmable Logic Controller (PLC)

Embeddable ICS subsystem that can be programmed to respond to certain signals from plant with sophisticated sequences of control signals, alarms, alerts etc.

Promiscuous mode

Networking devices such as Ethernet and Wi-Fi cards routinely ignore passing packets that are not addressed to their unique MAC addresses, and are not broadcast or multicast packets, discarding them at a low level.  When configured in promiscuous mode, however, even packets destined for other devices are passed up the network stack, for example to a sniffer.

Pr0n

Leet form of “porn” i.e. pornography.

Propaganda

Biased, inaccurate, false and/or incomplete information deliberately disclosed/circulated to mislead and influence the intended audience for strategic or political purposes.  The content may be purely fictional (e.g. fake news) but usually elaborates or exaggerates on a germ of truth for credibility.  Similar in principle to marketing materials/advertisements, political rhetoric, manipulative teaching or ‘brainwashing’.  A form of social engineering.

Proprietary

Commercial information, including highly valuable and sensitive information such as trade secrets, customer lists and corporate strategies.

Protect,
protection

Synonymous with secure/security but often used in the sense of benevolent oversight by a parent who looks after and cares about the wellbeing of the protected asset as if it were their child.  “Develop and implement appropriate safeguards to ensure delivery of critical services.  The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.” (NIST Cybersecurity Framework).  A core function within NIST’s cybersecurity framework along with identify, detect, respond and recover.

Protection mechanism

See control.

Protection Profile
(PP)

A generic, standardized, documented set of security requirements for a class or type of ICT products (e.g. firewalls) that are to be formally evaluated and certified under Common Criteria.

Protection racket

Illicit and often illegal scheme to coerce money out of people or organisations in return for allegedly protecting them against threatened attacks.

Protective marking

“A marking that is applied to unclassified or classified information to indicate the security measures and handling requirements that are to be applied to the information to ensure that it is appropriately protected” (NZ information Security Manual).

Protective Security Requirements (PSR)

New Zealand government’s policy framework detailing security requirements to protect its people, information and assets.  Replaced the NZ Government Protective Security Manual and the Security in Government Sector Manual. “Outlines the Government’s expectations for managing personnel, physical and information security” (NZ information Security Manual).

Protective Security Requirements Framework (PSRF)

“A four-tier hierarchical approach to protective security.  Strategic Security Directive (tier one); Core policies, strategic security objectives and the mandatory requirements (tier two); Protocols, standards and best practice requirements (tier three); Agency-specific policies and procedures (tier four)” (NZ information Security Manual).

Protocol

Defined process, ordered sequence of activities or ways of doing something, such as authenticating and exchanging symmetric cryptographic keys with a counterparty in a secure manner, or simply communicating.

Provenance

Assured high-integrity information concerning the source, disposition and custody of forensic evidence or other information assets, potentially also critical data, software, hardware and firmware from manufacture to installation if supply chain compromise (e.g. substitution by fake parts) presents unacceptable risks.  Background and qualification checks prior to appointing new recruits are, in effect, confirming their provenance.  “Information that documents the origin or source of Electronically Stored Information, any changes that may have taken place since it was originated, and who has had custody of it since it was originated” (ISO/IEC 27050-1).

Proximity

Closeness in distance, time, form etc.  In risk management, potential incidents that are anticipated to occur soon or frequently tend to be emphasized relative to those thought unlikely to occur for some time if at all, but the impacts should also be considered (e.g. a “hundred year flood” or tsunami may seem unlikely but could devastate unprepared organisations located in the flood zone should it occur, while climate change is materially increasing the probability).

Proximity card

See access card.

Proxy

Someone or something that stands in for another to pass their information to a third party, such as the chairman of a meeting voting on behalf of stakeholders who cannot attend (proxy voting), or a network node (proxy server).  Requires trust in the proxy from both sides, making it vulnerable to untrustworthy people, compromised devices, coercion etc.

Proxy server

Network server running software that disassembles packets arriving at one network interface to analyse the data content, applies security rules according to the nature of the content, source, destination, protocol, ports etc. and optionally repackages them for onward transmission through other network interfaces.  To each of the communicating systems, the server stands in for (proxies) the other, in effect being an authorized and trusted man-in-the-middle.  A type of deep packet inspection firewall.

Pry

(a) Intrude into someone’s privacy or personal space.  (b) Physically force open a locked enclosure, window, door etc.

Pseudonymity, pseudonymisation

The use of a fictitious pseudonym, token or code word (such as “Witness A”) in place of the real name or other identifier of a person, usually for privacy reasons.  “The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” (GDPR).  See also anonymisation and tokenisation.

Pseudo-random, pseudorandom,
pseudorandom number generator

Software algorithms used to generate supposedly random strings on computers are only capable of approximating true randomness.  Given the same inputs and conditions, two identical instances of a pseudo-random number generation algorithm running in parallel will normally generate the same output sequences.  Consequently, pseudo-random values used as encryption keys, TCP/IP sequence numbers etc. may conceivably be predicted to some extent, a feature that weakens some cryptosystems but is exploited by others (e.g. in security tokens generating codes that can be validated by the corresponding software but cannot be guessed by an attacker without additional knowledge).

PSK
(Pre-Shared Key)

Cryptographic protocol used by WPA2 to initialize keys that will be used subsequently by Wi-Fi devices for encrypted communications.

PTZ
(Pan, Tilt, Zoom)

Capability of CCTV cameras that can be remotely repositioned to observe and track various subjects of interest.  With the appropriate electronic controls, otherwise dormant PTZ cameras may be moved randomly, making it harder for onlookers to determine whether they are being actively monitored by the camera operators at the time (a deterrent control).

PUBLIC

Class of information that has been authorized for external publication to select groups or the general public (e.g. press releases, marketing materials) or is already in the public domain (e.g. newspapers, Internet websites).

Public cloud

Cloud services provided through the Internet on equipment owned by a CSP.  See also private and hybrid cloud.

Public Domain
(PD) software

Legally-defined term for software over which its owner has formally relinquished all intellectual property rights.  Anyone can copy, use, modify, and even sell PD software without reference, consideration or payment to the original owner.  Also known as freeware.  However, IANAL.

Public domain information

“Official information authorised for unlimited public access or circulation, such as agency publications and websites” (NZ information Security Manual).

Public Interest Disclosure Act (1998)

UK law that prohibits an employer from dismissing or victimizing a whistleblower, i.e. a worker who makes a protected disclosure of information concerning a criminal offence, noncompliance with legal or regulatory obligations, a miscarriage of justice, a health and safety or environmental danger, or deliberate concealment of such things, to the organisation, a prescribed person/body (e.g. an industry regulator), the general public or a lawyer etc. providing legal advice.

Public key

The non-secret member of a public-private key pair in an asymmetric cryptography system or PKI, normally published or freely disclosed in some form of digital certificate or simply as a text string.

Public network

“Contains components that are outside the control of the user organisation.  These components may include telecommunications or data services from a service provider that utilise any component of local, regional or national infrastructure” (NZ information Security Manual).

Public property

Communal asset/s owned by the public or belonging to nobody in particular.  Cf. private property.

Public Switched Telephone Network (PSTN)

“A public network where voice is communicated using analogue communications” (NZ information Security Manual).

Pulverize

Beat to a pulp.  “Destruct by grinding media to a powder or dust” (ISO/IEC 27040).

Purge

Forcibly expel or cleanse.  “Sanitize using physical techniques that make recovery infeasible using state of the art laboratory techniques, but which preserves the storage media in a potentially reusable state” (ISO/IEC 27040).  See also destruct.

Purple team

A group of people combining the capabilities, methods and knowledge of both blue and red teams.  For example, while a vulnerability is being identified and exploited, the blue teamers learn about it from their red team colleagues and get to work on the security controls necessary to avoid, prevent or mitigate it.  A more collaborative and contemporaneous if constrained version of classical red vs. blue team penetration testing.  See also white team.

Pushdo,
Cutwail,
Pandex

A Trojan downloader botnet active since 2007, in the wild in 2019, distributing spam and other malware.  Assembles and executes itself in RAM leaving little detectable code on disk.

Push To Talk (PTT)

“Handsets that have a button which must be pressed by the user before audio can be communicated, thus providing fail-safe offhook audio protection” (NZ information Security Manual).

PVLAN
(Private Virtual Local Area Network)

VLAN that is isolated from others to some extent using traffic encryption.  ‘To some extent’ hints at known vulnerabilities in some implementations.

PVR
(Plant Variety Right)

Intellectual property right allowing plant breeders to protect their interests in new varieties (produced by conventional selective breeding and/or genetic engineering) for up to 30 years.  Similar in concept to patents.

Pwn,
pwnage,
pwned

Leet references to hackers “owning” (as in having full control of, not in the legal sense of property ownership) the systems, networks, people, organisations etc. they have compromised and exploited, thereby defeating or making fools of their true owners.

Pyramid scheme,
Ponzi scheme,
bubble

Form of fraud that employs social engineering techniques to persuade victims to both part with their own money on the promise of eventually making a fortune, and recruit additional victims on the same basis.  The only winners of such schemes – if any – are those fraudsters who originate and/or promote them (such as Charles Ponzi in the eponymous scheme) and manage to stay one step ahead of the authorities and their angry victims.

Quality of Service (QoS)

Network protocol that allows priority, time-critical traffic to be fast-tracked past routine traffic.  “A process to prioritise network traffic based on availability requirements” (NZ information Security Manual).

Quarantine

Safe holding area on a system to which suspected malware is diverted by antivirus software pending further investigation. “To store files containing malware in isolation for future disinfection or examination” (NIST SP800-114 rev1).

Quasar,
xRAT

Open-source RAT intended for legitimate remote Windows system management and support, now customized for use in APT attacks.  Originally named xRAT.

RaaS

See Ransomware as a Service.

Race condition

Design flaw or bug in software applications that, under unusual or abnormal conditions (e.g. under heavy processing loads), results in parallel threads becoming incorrectly sequenced.  Sometimes exposes exploitable security vulnerabilities.

RAD
(Rapid Application Development)

An approach supported by a family of software development tools and techniques aimed at speeding up the process of developing applications, typically through frequent small changes (evolutionary) as opposed to infrequent major changes (revolutionary).

Radio access network

“Part of a mobile telecommunication system that implements a radio access technology such as WCDMA or LTE to provide access for end-user devices to the core network.  Notes: The radio access network resides between the end-user device and the core network.  A mobile phone is an example of an end-user device.” (ISO/IEC 27033-6).

Radio Frequency (RF) device

“Devices including mobile phones, wireless enabled personal devices and laptops” (NZ information Security Manual).

Radio network controller

“Network element in a 3G mobile network which controls the base stations, interface to the core network and carries out the radio resource management and mobility management functions of the network.” (ISO/IEC 27033-6).

RAID
(Redundant Array of Inexpensive Disks [or Devices])

See disk mirroring.

Rainbow tables

Cryptanalysts’ tool to speed up the brute-force cracking of passwords on certain systems by pre-compiling and accumulating the hashes for a large number of potential passwords.  Generally foiled by salting the hashes on each system, making the rainbow tables too large to generate, store and search.

RAM-scraper

See memory-scraping malware.

Random

A series of digital bits in which it is literally impossible to predict future values accurately (i.e. with greater than a 50% probability of guessing each binary bit) regardless of how many prior values one may have observed.  See also pseudo-random and entropy.

Ransom

Coercive and extortionate demand for money for the return of valuables such as people or data.

Ransomware,
crypto-ransomware,
lock-screen ransomware

Malware that restricts access to information on an IT system (e.g. by encrypting the data i.e. crypto-ransomware) and/or to the system itself (e.g. by damaging or replacing essential operating system files such as the master boot record i.e. lock-screen ransomware), or simply presents a scary warning message, in order to coerce the victim into paying a ransom to regain access.  A lucrative and low risk criminal tool.  Ransom payments are typically demanded via anonymous services such as Ukash, PaySafeCard, MoneyPAK or Bitcoin. ‘Proof of life’ involves the victim organisation selecting and sending a few encrypted files to the criminals to confirm that they can be decrypted.  Ransomware species in the wild include BadRabbit, CryptoLocker, Cryptowall, Locky, Samas, Cryptorbit, Petya, Padcrypt, TeslaCrypt, Xorist and others.  Some of them can be defeated without paying the ransom using white-hat tools (e.g. see NoMoreRansom.org).  However, using data from a captured C2 server, Symantec estimated that 2.9% of victims pay the ransom, enough to make this a profitable enterprise given the low costs and risks of mounting attacks. See also scareware and crimeware.

Ransomware as a Service
(RaaS)

Just as botnets can be rented on the darknet, so too can ransomware variants such as Cerber (typically paid for through a commission on ransoms received), along with other forms of malware, spamming, money laundering and other illicit services.  A form of MaaS.

RASP
(Runtime Application
Self-Protection)

Security-related instrumentation of application programs, such that they monitor themselves for exceptions or conditions indicating security issues, logging alerts or triggering alarms and perhaps responding proactively if hacked etc.  See also SAST and IAST.

RAT
(Remote Administration Tool)

Software that allows privileged remote control of a system, normally for legitimate system administration purposes unless a hacker somehow gains access to the facility (e.g. by socially engineering the user into launching a RAT session) or a user’s system is infected with RAT malware.

Razor wire

Like barbed wire on steroids, a well-positioned bundle of razor-edged metal ribbon is a strong deterrent to intruders intent on scrambling over a protected fence or wall.  A physical security control.

RBAC
(Realm Based Access Control)

Access control scheme whereby users are granted certain system, application and/or data access rights according to the domain.

RBAC
(Rôle Based Access Control)

Access control scheme whereby users are granted certain system, application and/or data access rights according to the particular rôles they are required to perform for the organisation and the access policy for the information assets.  Rôles and job descriptions generally change less often than the people who perform them.  Typically implemented through some combination of group and individual access rights, e.g. using ACLs.  “Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organisation. A given role may apply to a single individual or to several individuals.” (CNSSI-4009).

RBAC
(Rule Based Access Control)

Access control scheme implemented by the reference monitor applying access control rules reflecting the combination of access permissions for the subjects doing the accessing and access constraints or restrictions on the objects being accessed.

RBL
(Realtime Blackhole List)

Proactively maintained list of email servers apparently being used by spammers.  Used to block emails sent via suspect servers on the basis that they are probably spam.  See also blackhole and blacklist.

RC-4
(Rivest Cipher № 4)

Quick and efficient stream cipher used in SSL, SYSKEY etc.  Designed by Ron Rivest in 1987.  Flaws in the way RC-4 shared keys and nonces are generated/exchanged have seriously weakened common implementations such as WEP.  Further cryptographic attacks on RC-4 have since been described, so this algorithm is well past its ‘best before’ date and deprecated.

Reaccreditation

“A procedure by which an authoritative body gives formal recognition, approval and acceptance of the associated residual security risk with the continued operation of a system” (NZ information Security Manual).

Readiness

“Process of being prepared for a digital investigation before an incident has occurred” (ISO/IEC 27043).

Real estate/rental fraud

Type of fraud involving real estate, rental or similar large transactions e.g. the fraudster poses as an agent or advisor of a property vendor (e.g. their lawyer, lender or bank), tricking the buyer into paying to the fraudster’s rather than the vendor’s bank account.

Recipient
[of personal data]

“A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.” (GDPR).

Recklessness

Acting with gay abandon.  More severe than carelessness and negligence, and yet (normally) without truly malicious intent.

Reclassification

“A change to the security measures afforded to information based on a reassessment of the potential impact of its unauthorised disclosure.  The lowering of the security measures for media containing classified information often requires sanitisation or destruction processes to be undertaken prior to a formal decision to lower the security measures protecting the information” (NZ information Security Manual).

Record

[Verb:] To capture information about some activity in a form that can be stored for later use, such as a log.  [Noun:] Row in a data table, or a computer file, or a physical document containing information.  “Document stating results achieved or providing evidence of activities performed” (ISO 9000).

Reconciliation,
reconciling

Investigative process to explore and determine the reasons for any discrepancies between things that are supposed to be identical e.g. differences between the hash values of forensic copies or the totals of credit and debit accounts in double-entry bookkeeping.

Reconnaissance

Systematically exploring and amassing useful information about potential targets, such as sites, systems, information assets, vulnerabilities and security controls – whether to attack or defend them.  Can involve Internet research, social media, social engineering, surveillance, malware (e.g. spyware), network probes and/or physical site penetration.

Recover

“Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.  The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.” (NIST Cybersecurity Framework).  A core function within NIST’s cybersecurity framework along with identify, protect, detect and respond.

Recovery

Restoration of information processes following a serious incident or disaster that interrupted them, typically involving someone restoring system and data backups onto new ICT hardware.  See also resilience and business continuity.

Recoverability

The ability to get back some semblance of normality following a serious incident, for example through disaster recovery.  Part of survivability, along with resilience.  Highly recoverable organisations have the resources, skills, means and will or determination to bounce back more effectively and efficiently from incidents than most.

Redaction

Process of systematically identifying and then removing, replacing or concealing sensitive parts of information in a document or data in a data file or database prior to its publication or disclosure in order to maintain privacy or confidentiality, rather than withholding the entire item.  A fail-unsafe control, prone to human errors and technical failures in the redaction process (e.g. overlaid opaque blocks may simply be removed), plus various inference attacks (e.g. the semantic context and length of a redacted word or phrase can be clues).

Red team

The offensive group tasked by management with compromising one or more targets in simulated attacks on an organisation (or site, IT system, network etc. thereof) typically involving physical site intrusion, network hacking, IT systems penetration and capturing the flags, in order to test, exercise and hopefully improve both the defensive and the offensive capabilities.  A deadly serious form of penetration testing that is also great fun.  “A group of people authorized and organised to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.” (CNSSI-4009). See also blue, purple and white team.

Redundant,
redundancy

Resilience technique in which vital systems, communications routes, network links, rôles, power sources etc. are duplicated and diversified, such that failure in any one will not jeopardize the entire business process.  See also diversity.

Reference monitor

Privileged access control function in the kernel of an operating system that mediates programmatic access to data, devices, memory space etc. in a consistent and verifiable manner.  Fundamental basis for system permissions (rights and privileges).  “Concept of an abstract machine that enforces Target of Evaluation (TOE) access control policies” (CNSSI-4009).

Referential integrity

Set of integrity controls incorporated into a relational database management system (RDBMS) to help prevent inconsistencies, for example enforcing links between related tables that disallow deleting or modifying a data value that is used as a key to another table.
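To show the control this entry describes in action, here is an added Python example (not from the glossary) using SQLite's foreign-key enforcement: deleting or re-keying a customer row that an invoice still refers to is refused, as is inserting an invoice for a customer that does not exist, while with enforcement switched off the same delete silently leaves an orphaned invoice. The customer/invoice schema and its rows are constructed for the demonstration.

```python
"""Referential integrity in an RDBMS, shown with SQLite.  Added example;
the customer/invoice schema and its sample rows are constructed for the
demonstration and are not taken from any real system."""
import sqlite3


def build_db(enforce: bool) -> sqlite3.Connection:
    """Create an in-memory database; SQLite enforces foreign keys only when the pragma is on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce else "OFF"))
    conn.executescript("""
        CREATE TABLE customer (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL
        );
        -- customer_id is a foreign key: every invoice must point at an existing customer,
        -- and a customer that is still referenced may be neither deleted nor re-keyed.
        CREATE TABLE invoice (
            id           INTEGER PRIMARY KEY,
            customer_id  INTEGER NOT NULL
                         REFERENCES customer(id) ON DELETE RESTRICT ON UPDATE RESTRICT,
            amount_cents INTEGER NOT NULL
        );
        INSERT INTO customer VALUES (1, 'Acme Ltd');   -- constructed sample data
        INSERT INTO invoice  VALUES (10, 1, 9950);
    """)
    return conn


def _blocked(conn: sqlite3.Connection, sql: str, params=()) -> bool:
    """Run one statement; True if the RDBMS refused it with an integrity error."""
    try:
        conn.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True


def delete_referenced_customer_blocked(conn: sqlite3.Connection) -> bool:
    """Deleting a customer that still has invoices must be refused."""
    return _blocked(conn, "DELETE FROM customer WHERE id = ?", (1,))


def rekey_referenced_customer_blocked(conn: sqlite3.Connection) -> bool:
    """Changing a key value that another table still uses must be refused."""
    return _blocked(conn, "UPDATE customer SET id = ? WHERE id = ?", (2, 1))


def orphan_invoice_insert_blocked(conn: sqlite3.Connection) -> bool:
    """Inserting an invoice for a non-existent customer must be refused."""
    return _blocked(conn, "INSERT INTO invoice VALUES (?, ?, ?)", (11, 999, 500))


def count_orphan_invoices(conn: sqlite3.Connection) -> int:
    """Invoices whose customer_id matches no customer row: the inconsistency the control prevents."""
    row = conn.execute("""
        SELECT COUNT(*) FROM invoice i
        LEFT JOIN customer c ON c.id = i.customer_id
        WHERE c.id IS NULL
    """).fetchone()
    return row[0]
```

The `PRAGMA foreign_keys` switch is SQLite-specific; most other RDBMSs enforce declared foreign keys unconditionally, but the checks the script exercises (restricted delete, restricted key update, rejected orphan insert) are the same ones the entry refers to.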

Reflection attack

See amplification attack.

Regular deletion period

“Maximum time period after which the data objects of a cluster of PII should be deleted if used in regular processing in the processes of the PII controller.” (ISO/IEC 27555 draft).

ROCU
(Regional Organised Crime Unit)

Ten specialist police units across England and Wales working to identify, disrupt and dismantle organised crime (including cybercrime), coordinated through the UK NCSC.

Regression test

Test intended to confirm that a system still meets requirements met by previous versions (i.e. it has not regressed but hopefully has moved forward).  A standardized bank of tests is performed, generally using scripts and automation to reduce delays, costs and inconsistencies.

Reinforce, reinforcement

Proactive encouragement to fulfil obligations and expectations, for example by offering some sort of benefit, reward or bonus (even something as trivial as a ‘thank you’) to recognize and show appreciation for their compliance.  Sadly, an oft-neglected but highly motivational and hence effective compliance mechanism.  Cf. enforcement.

Release management

See version control.

Relevant

Forensic evidence must be relevant to the matter at issue to be admissible to the court, preventing one side trying to obscure important details and overwhelm the counterparty or court with an avalanche of irrelevant material.

Relevant and reasoned objection

“An objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union” (GDPR).

Reliability

An indication of the extent to which something (such as a system, network, person or control) can be trusted to perform as expected and/or as required. “Property of consistent intended behaviour and results” (ISO/IEC 27000).

Remanence,
magnetic remanence

Residual magnetisation, such as the traces of magnetism left behind on disk or tape after data has supposedly been deleted.  It may be possible to reconstitute some or all the data using specialist forensic techniques such as electron microscopy.  “Magnetic representation of residual information remaining on a magnetic medium after the medium has been cleared” (CNSSI-4009).  See also remnants.

Remediate

Apply a remedy intended to mitigate or eliminate one or more known vulnerabilities, for example by patching a system or uninstalling vulnerable software.

Remnants

When a computer process or system exits (stops executing), it can leave behind residual data that may provide forensic evidence or lead to a security incident.  Fragments of confidential personal or proprietary data (potentially including passwords, plaintext and cryptographic keys) may be left in memory or on disk, for example if a program has not been correctly coded to erase confidential data in its working files when it exits normally, if the program or system crashes or shuts down abnormally leaving the swap file on disk, if a disk controller marks a disk segment containing confidential data unusable, or due to remanence.  Controls such as file highwatermarking reduce the risk somewhat.  See also memory leakage and remanence.

Remote access

A facility for users and/or administrators to use and/or administer a system, device or thing from a distant location, normally via the Internet or another network or point-to-point link.  “Process of accessing network resources from another network, or from a terminal device which is not permanently connected, physically or logically, to the network it is accessing” (ISO/IEC 27033-1).  “Access to a system from a location not within the physical control of the system owner” (NZ information Security Manual).  “The ability for an organisation’s users to access its non-public computing resources from external locations other than the organisation’s facilities” (NIST SP800-114 rev1).

Remote Code Execution
(RCE)

The capability to send instructions (i.e. individual commands, scripts, macros and/or complete programs) to a distant system, normally through a network such as the Internet, and have the system run or perform them.  If the system’s security is inadequate, hackers and malware may exploit the facility, leading to alternative expansions such as Remote Code or Computer Exploit.

Remote Diagnostic Port
(RDP)

Dedicated console port giving privileged access to a device such as a telephone exchange (PABX), system/server, storage subsystem, router, firewall etc. intended for authorized technical support, fault diagnosis, systems management and configuration purposes, whether locally or remotely via a network (such as the Internet) or a dedicated point-to-point link.

Remote File Inclusion
(RFI)

Hacking technique used to attack vulnerable web apps with inadequate validation controls by manipulating their client-side scripts to ‘include’ (call and execute) malicious files from the client.  See also Local File Inclusion and SQL injection.

Remote system control,
remote-control

Remote use or administration of a system, typically through the Internet or some other network or point-to-point link (such as radio).  “Remotely using a computer at an organisation from a telework computer” (NIST SP800-114 rev1).

Remote Terminal Unit
(RTU)

Basic ICS data collection/control device or subunit located in, on or near the equipment it monitors and controls.  Proximity allows monitoring and controlling equipment to be tightly coupled, cutting down on time delays and hysteresis effects, while network connections to SCADA systems permit remote monitoring and control of tags and multi-unit coordination.

Remote user

“User at a site other than the one at which the network resources being used are located” (ISO/IEC 27033-1).

Removable media

“Storage media that can be easily removed from a system and is designed for removal” (NZ information Security Manual).

Repeatability

The ability to replay an activity in the same manner with the same inputs achieving the same outputs, either precisely identical or substantially equivalent depending on circumstances.  “Property of a process conducted to get the same test results on the same testing environment (same computer, hard drive, mode of operation, etc.)” (ISO/IEC 27037).  See also reproducibility.

Replay attack

Type of attack on challenge-response authentication processes, electronic business transactions etc. whereby information from legitimate exchanges is recorded then replayed by an unauthorized party.  Normally foiled by integrity controls, such as including a time-stamp, random sequence number or nonce in the challenge, coupled with cryptography but low-level attacks (such as Krack) may undermine the controls by exploiting packet retransmission capabilities.  “An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access” (CNSSI-4009).
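To make the nonce-based defence in this entry concrete, here is an added Python example (not from the glossary) of a challenge-response exchange in which the verifier accepts each nonce once, so a recorded (nonce, response) pair re-sent later is rejected; for contrast, a fixed proof that does not depend on a challenge is accepted every time it is re-sent. The shared key, nonce length and message layout are constructed assumptions, not a real protocol.

```python
"""Nonce-based challenge-response versus replay.  Added example; the shared
key, nonce length and message format are constructed for the demonstration
and do not correspond to any real protocol."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"   # constructed sample secret for the example only


class Verifier:
    """Server side: issues fresh challenges and consumes each one exactly once."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()   # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A nonce that was never issued, or has already been consumed, is rejected outright.
        # This is what defeats a replay: the recorded pair answers a challenge that no longer exists.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)      # single use, whether or not the MAC checks out
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def prove(key: bytes, nonce: bytes) -> bytes:
    """Client side: bind the proof to this particular challenge with a keyed MAC."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo_replay_defeated() -> tuple:
    """Returns (genuine exchange accepted, recorded copy re-sent later accepted)."""
    server = Verifier(SHARED_KEY)
    nonce = server.challenge()
    response = prove(SHARED_KEY, nonce)
    recorded = (nonce, response)          # the bytes that crossed the link
    genuine = server.verify(nonce, response)
    replayed = server.verify(*recorded)   # identical bytes, but the nonce is spent
    return genuine, replayed


def demo_static_proof_replayable() -> tuple:
    """Contrast: a proof that does not depend on a challenge is accepted every time it is re-sent."""
    static_proof = hashlib.sha256(SHARED_KEY).digest()

    def check(proof: bytes) -> bool:
        return hmac.compare_digest(static_proof, proof)

    recorded = static_proof
    return check(recorded), check(recorded)
```

The set of outstanding nonces is the whole defence here; a time-stamp or monotonically increasing sequence number inside the MAC'd challenge, as the entry mentions, serves the same purpose while bounding how long the verifier must remember what it has issued.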

Representative

“A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation” (GDPR).

Reproducibility

The ability to replicate an activity and achieve substantially the same result in a different situation or location such as a different laboratory.  “Property of a process to get the same test results on a different testing environment (different computer, hard drive, operator, etc.)” (ISO/IEC 27037).  See also repeatability.

Reputation

Opinions and feelings of third parties concerning a person, organisation, product etc.  Both an information asset and an integrity property.  Corporate reputations and brands are intimately associated, highly valuable and yet vulnerable and difficult/costly to influence and protect.  On a smaller scale, personal reputations can also be devastated by scandal and defamation.

Requirement

Something that is desired, wanted, demanded or needed.  It may or may not be explicitly and formally specified.  “Need or expectation that is stated, generally implied or obligatory.  Note: ‘generally implied’ means that it is custom or common practice for the organisation and interested parties that the need or expectation under consideration is implied; a specified requirement is one that is stated, for example in documented information” (ISO/IEC 27000).

Residual risk,
retained risk,
net risk,
controlled risk

The risk that remains despite any and all risk treatments applied, for example the possibility that security controls might fail in service, unrecognized/unresolved vulnerabilities might be exploited, new threats might emerge and unanticipated impacts may occur.  Errors and omissions in the risk analysis process are always possible, along with black swan events, hence some amount of residual risk is inevitable no matter how much effort is expended on the risk management process, emphasizing the value of contingency planning.  “Risk remaining after risk treatment.  Notes: residual risk can contain unidentified risk; residual risk can also be known as ‘retained risk’” (ISO/IEC 27000).  “Portion of risk remaining after security measures have been applied” (CNSSI-4009).  “The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk (Institute of Internal Auditors). Also sometimes referred to as ‘net risk’ or ‘controlled risk’” (NZ information Security Manual).

Residue

See remnants and remanence.

Resilience

Robustness, stability, dependability.  The ability for systems, networks, processes, people, functions, departments, business units, business operations, organisations, business relationships, even entire nations to continue operating more-or-less unaffected by security incidents, thereby ensuring availability and hence business continuity.  Can involve a wide range of techniques such as competent security design, hardening, multiple redundant or mirrored facilities with automated or manual failover, fault tolerance and ‘over-engineering’, the minimisation of and special protective arrangements for single points of failure, contractual obligation and liabilities, training and support for critical workers, and various assurance measures.  See also FMEA.  Cf. recovery.

Respond

“Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.  The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.” (NIST Cybersecurity Framework).  A core function within NIST’s cybersecurity framework along with identify, protect, detect and recover.

Responsibility

An obligation placed on an individual person or organisation by an authority e.g. to ensure that an asset is properly protected i.e. a duty of care.  In contrast to accountability, responsibility can be delegated from one person, function, team, company etc. to another.

Restore point

Through the system protection function, Microsoft Windows systems automatically back up their system settings (critical operating system files, programs, and registry settings) weekly by default, and manually at any time, to the “System Volume Information” hidden system folder on the root drive.  Provided a backup is available and not corrupted, overwritten or lost, the user can restore it in order to revert subsequent changes and hopefully correct problems created by, for instance, a failed software installation, malware infection or some types of user error (principally configuration errors).

Restriction of processing

“The marking of stored personal data with the aim of limiting their processing in the future” (GDPR).

Retention

Continued storage of information, potentially beyond the period for which it was originally collected.  Under information protection laws, personal information must not be retained indefinitely but must be securely destroyed, unless specific exemptions apply.  See also archive.

Retention period

“Time period within which the data objects of cluster of PII is required to be available in the PII controller’s organisation because of the functional use or legal retention obligations.  Notes: (1) A specific cluster of PII typically has the same retention period; (2) For the boundary conditions of period specifications see [clauses] 5.4.3 and 7.” (ISO/IEC 27555 draft).

Revenge porn[ography]

The posting of revealing/embarrassing/explicit personal photographs, videos etc. of a former lover or sex partner on the Internet as a spiteful and callous attack on the victim’s privacy or as a means of coercion/blackmail.

Reverse engineering

Working out the internals of a device, program, malware, system, process etc. through painstaking analysis without access to its original design, source code, documentation etc.  Generally performed without the owner’s permission and/or knowledge, for example to steal intellectual property, identify exploitable vulnerabilities in software or cryptographic processes, to understand how malware operates or to hack.

Review

Literally, to view again.  Encompasses various assurance checks and inspections that are not usually as formal and do not usually offer the same level of assurance as independent audits.  “Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives” (ISO Guide 73).

Review object

Item, issue, risk, system, control, process, organisation, function, department, building, person, relationship, entity etc. within the scope of a review hence subject to inspection, possibly but not necessarily the main focus.  “Specific item being reviewed” (ISO/IEC 27000).

Review objective

Aim or purpose of a review.  “Statement describing what is to be achieved as a result of a review” (ISO/IEC 27000).

REvil

See Sodinokibi.

Revision management

See version control.

Right

(a) Correct, proper, appropriate etc.  (b) Something that a person or organisation is reasonably and perhaps legally permitted or allowed to do if they so choose.  See also access right, permission and privilege.

Right to be forgotten,
right to erasure

The controversial right to have certain types of damaging or embarrassing personal information about oneself erased from the Web including search engines, plus cached and archived copies.  Partly supported by privacy and human rights laws such as GDPR.  Intended to nullify revenge porn and other embarrassing disclosures of a personal nature, such as old police reports concerning minor incidents and false/unproven accusations.  The right is tricky to define, administer and facilitate in practice, especially given the global and decentralized nature of the Internet (making it hard to put the genie back in the bottle), plus there are concerns about the right being misused for unethical/inappropriate reasons including political motivations, propaganda and fraud.

Risk

The predicted or projected frequency and magnitude of future loss if a threat exploits an exposed vulnerability to cause an adverse business and/or personal impact.  A relative term, implying degrees or levels of risk, or absolute value if the frequency and magnitude are calculated credibly, with some precision.  Information security controls normally mitigate but seldom eliminate information risks, hence other, additional forms of risk treatment may be applicable.  “Effect of uncertainty on objectives.  Notes: an effect is a deviation from the expected — positive or negative; uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or  likelihood; risk is often characterized by reference to potential events and consequences, or a combination of these; risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence; in the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives; information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organisation” (ISO Guide 73).  “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence” (NIST Cybersecurity Framework).

Risk acceptance

Management or personal decision to live with rather than mitigate, share or avoid a risk.  A form of risk treatment.  Ideally such a decision should be made explicitly (consciously and deliberately) by a competent and responsible person who truly appreciates the risk, but risks are often accepted implicitly (without thinking) and/or without being fully understood, which itself constitutes a further risk.  “Informed decision to take a particular risk.  Notes: risk acceptance can occur without risk treatment or during the process of risk treatment; accepted risks are subject to monitoring and review” (ISO Guide 73).

Risk analysis

Generally, an in-depth form of risk assessment.  “Process to comprehend the nature of risk and to determine the level of risk.  Notes: risk analysis provides the basis for risk evaluation and decisions about risk treatment; risk analysis includes risk estimation” (ISO Guide 73).  “Examination of information to identify the risk to an information system” (CNSSI-4009).

Risk appetite

Expresses management’s willingness or desire to take (accept) a certain quantity or level of risk, provided the anticipated business benefits make it advantageous to do so.  Cf. risk tolerance.

Risk assessment

Structured process for systematically examining information security threats, vulnerabilities and impacts relating to a given system, process, activity or situation, prior to determining whether additional controls or other forms of risk treatment might be required.  “Overall process of risk identification, risk analysis and risk evaluation” (ISO Guide 73).  “The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organisational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF)” (CNSSI-4009).

Risk avoidance

Form of risk treatment.  Rather than mitigating risks using controls, it is sometimes more appropriate not to enter into risky situations in the first place (e.g. not deploying a risky new computer system or not entering into a risky relationship with a third party) or to pull out (e.g. prematurely halting a risky business activity or process).  “Decision not to become involved in, or action to withdraw from, a risk situation” (ISO/IEC Guide 73).

Risk catalogue

See risk register.

Risk communication and consultation

“Continual and iterative processes that an organisation conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk.  Notes: the information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk; consultation is a two-way process of informed communication between an organisation and its stakeholders on an issue prior to making a decision or determining a direction on that issue; consultation is: a process which impacts on a decision through influence rather than power; and an input to decision making, not joint decision making” (ISO/IEC 27000).

Risk criteria

“Terms of reference against which the significance of risk is evaluated.  Notes: risk criteria are based on organisational objectives, and external and internal context; risk criteria can be derived from standards, laws, policies and other requirements” (ISO Guide 73).

Risk estimation

Risk concerns probabilities not certainties, hence it can only ever be estimated with degrees of confidence ranging between near certainty and sheer guesswork.

Risk evaluation

The evaluation of identified risks, part of deciding what (if anything) to do about them.  “Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.  Note: risk evaluation assists in the decision about risk treatment” (ISO Guide 73).

Risk identification

The initial recognition, appreciation or acknowledgement of the possible existence of a risk.  “Process of finding, recognizing and describing risks.  Notes: risk identification involves the identification of risk sources, events, their causes and their potential consequences; risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs” (ISO Guide 73).

Risk inventory

See risk register.

Risk landscape

See risk profile and risk universe.

Risk management

Overall process for identifying, assessing and addressing information security threats, vulnerabilities and/or impacts through risk treatments.  Also used as the name of a corporate department/function responsible for promoting good practices in the management of all forms of risk.  “Coordinated activities to direct and control an organisation with regard to risk” (ISO Guide 73).  “The process of managing risks to organisational operations (including mission, functions, image, or reputation), organisational assets, individuals, other organisations, or the nation resulting from the operation or use of an information system, and includes: (1) the conduct of a risk assessment; (2) the implementation of a risk mitigation strategy; (3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and (4) documenting the overall risk management program.” (CNSSI-4009).

Risk management framework

“A structured approach used to oversee and manage risk for an enterprise” (CNSSI-4009).

Risk management process

See risk management.  “Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.  Note: ISO/IEC 27005 uses the term ‘process’ to describe risk management overall; the elements within the risk management process are termed ‘activities’” (ISO Guide 73).

Risk mitigation

Unacceptable risks generally need to be mitigated (i.e. reduced), normally by improving the controls but sometimes by sharing or avoiding them. “Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.” (CNSSI-4009).

Risk owner

Person, department, organisation etc. that may be held to account if a risk eventuates and causes unacceptable impacts, on the basis that they patently failed to ensure it was properly treated.  “Person or entity with the accountability and authority to manage a risk” (ISO Guide 73).  See also Information Asset Owner.

Risk profile,
risk landscape

A conceptual three-dimensional view of the organisation’s risks relative to each other.  In practice, most risks are difficult to quantify, many change dynamically, and it is tough to compare markedly different kinds of risk, hence this is a subjective perspective.  A security metric.  See also security landscape, risk universe, attack surface and heatmap.

Risk register,
risk inventory,
risk catalogue

Essentially a list or database of identified risks, normally with additional details resulting from some form of risk analysis giving users the ability to sort or prioritize the list on criteria such as impact or likelihood.  The scope of the register may include all risks to the organisation, all ‘significant’ risks (howsoever determined and specified), or one or more subsets or categories of risk such as information risks, compliance risks, market and product risks, health and safety risks, financial risks, currency risks, strategic risks etc.

Risk share,
risk transfer

Passing some if not all of a risk to a third party, such as an insurer, stakeholder or business partner.  To some extent, the third party accepts and indemnifies the directly impacted organisation against the consequences of certain incidents, typically by accepting liabilities.  A form of risk treatment.

Risk tolerance

Although often used loosely as a synonym for risk appetite, risk tolerance relates to the mathematical concept of tolerance limits or bounds within which range values (of risk in this case) are deemed acceptable.  It is another way of defining criteria for treating risks.

Risk transfer

See risk share.

Risk treatment

A way of dealing with (i.e. mitigating, sharing, avoiding or accepting) one or more identified risks.  “Process to modify risk.  Notes: risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties (including contracts and risk financing); and retaining the risk by informed choice; risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.  Risk treatment can create new risks or modify existing risks” (ISO Guide 73).

Risk Treatment Plan
(RTP)

Documented approach to address identified risks by resourcing, designing/selecting, implementing, monitoring and maintaining suitable risk treatments.

Risk universe,
risk landscape

A high-level broad perspective on all kinds of risks facing the organisation, that being the full scope of Enterprise Risk Management.

Robustness

Form of resilience characterized by the inherent strength of a system, network, service, process, lock, wall, barrier, organisation, team, person etc., rendering it invulnerable to incidents that would damage or cause weaker ones to fail or falter.  Conceptually and practically different to the capability to failover, failsafe or recover, robust systems etc. are less likely to fail and need to be restored to service: they simply carry on working, albeit perhaps with reduced performance and/or functionality (fallback).  “The ability of an Information Assurance entity to operate correctly and reliably across a wide range of operational conditions, and to fail gracefully outside of that operational range” (CNSSI-4009).

Rogue

Someone or something at the boundaries of acceptability in some way, pushing or exceeding the limits, often unauthorized and potentially or actually malicious (e.g. rogue devices or things that somehow manage to connect to a network).

Rogue software

Free or cheap software that is advertised and appears to be legitimate software, often security-related (e.g. antivirus programs, anti-spyware software and password vaults), but is itself a Trojan, spyware or other malware.  See also PUP.

Rogue system

Unauthorized computer system or thing connected illicitly to the network, perhaps a POD not approved for BYOD, or a system installed by a spy to monitor or intercept network traffic, perhaps to launch hacking attacks on authorized network systems.

Rogue wireless access point

Unauthorized Wi-Fi access point connected to a network, typically installed on corporate networks by well-meaning but naïve workers who fail to appreciate the additional information risks created by the wireless coverage.  “An unauthorised Wireless Access Point operating outside of the control of an agency” (NZ information Security Manual).

ROI

(a) Return On Investment – an estimate of the anticipated future income from an investment over a given period, net of the costs associated with the investment itself. (b) Risk Of Incarceration – slang for the possibility of someone being sent to prison for breaking the law.

ROOT, root

Default user ID for the fully-privileged system administrator on UNIX systems.

Root cause

Fundamental issue/s or failure/s that could have and perhaps did lead to an incident.  Failing to identify and deal with the root cause is a common reason for recurring incidents, but it is easier said than done.

Rooting

(a) The process of gaining unauthorized ROOT access to a computer system, normally by hacking it or installing a rootkit.  (b) Vulgar term for sexual intercourse.

Rootkit

Hacker toolset typically containing malware such as Trojans used to take and retain control of a compromised computer system.  Often includes hacked variants of normal operating system or utility programs with backdoors and other covert functions.  May be surreptitiously installed at any stage of the system lifecycle, including during manufacture (perhaps inserted by the authorities for national security reasons).  Usually hidden deep in the system kernel, device drivers, firmware or microcode and may actively evade detection (e.g. by manipulating the system calls and functions used for directory listings), hence very hard to identify and eradicate.

ROT13

Trivial, extremely weak substitution function that simply ‘rotates’ each character in the plaintext 13 character positions through the normal English alphabet.  Since there are 26 letters in the alphabet, ROT13 has the equally trivial advantage of being reversible simply by repeating the same substitution.  Barely adequate to conceal rude words from teenagers’ parents.

Round

Most cryptographic algorithms repeat steps such as transposition and substitution several times in a specific sequence: each repeat is called a round.

Router

Network node that sends network traffic to specified ports and hence network segments.  “Network device that is used to establish and control the flow of data between different networks by selecting paths or routes based upon routing protocol mechanisms and algorithms.  Notes: The networks can themselves be based on different protocols.  The routing information is kept in a routing table.” (ISO/IEC 27033-1).

Rowhammer

An exploit that flips bits in memory directly using electrical properties of high density DDR3 memory chips: if particular areas (rows) of RAM are repeatedly accessed (hammered) by malware, physically adjacent memory bits may be flipped due to leakage currents in the silicon, even if those bits are in supposedly protected memory that cannot be accessed through applications or more conventional malware.  The flipped bits, in turn, may affect system security, for example granting additional privileges, permissions or rights.

Royalty

Fee payable by licensees to licensors in return for the opportunity to use or exploit the licensors’ intellectual property according to the terms of copyright, trademarks, patents or other rights, restrictions, licenses, agreements and contracts.

RPO
(Recovery Point Objective)

Following a serious incident requiring the invocation of disaster recovery arrangements, defines the point in time up to which data must be recoverable (e.g. the previous hour, previous working day, previous week etc.), in other words the maximum amount of data loss, measured in time, that the business can tolerate.  Determines how frequently backups or replication must run.  See also RTO.

RTO
(Recovery Time Objective)

Defines the absolute maximum (‘worst case’) acceptable duration of non-availability of systems due to incidents, which therefore determines the corresponding need for suitable resilience, disaster recovery and/or other contingency arrangements.

RSA

Asymmetric cryptosystem published in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman, whose security rests on the difficulty of factoring the product of two large primes.  Provided sufficiently long keys are used (at least 2048 bits: 1024-bit keys are deprecated and should no longer be relied upon), proper padding such as OAEP or PSS is applied, and there are no design, implementation, process or protocol flaws, RSA-based systems are currently considered sufficiently secure for general use, although the NSA’s reported influence over RSA Security’s products (notably the Dual_EC_DRBG default in the BSAFE library, rather than the RSA algorithm itself) is of concern for high security situations.

Rubber hose cryptanalysis

Alludes to the use of coercion, violence or torture to pressure someone into disclosing decryption keys.  A very physical form of brute force attack.

Rule

Constraint on acceptable, permitted, authorized activity in a specific situation or context, whether formally defined and documented or not.

Ruleset

A coherent suite of rules, for example security rules on a firewall or server defining permissible and forbidden network protocols/ports, access rights, event logging etc. “A table of instructions used by a controlled interface to determine what data is allowable and how the data is handled between interconnected systems” (CNSSI-4009).

Run-to-run

Type of balancing control used to ensure integrity of information saved between executions of a particular program (e.g. the sequential identifier for the last transaction processed on the previous run of a batch process is recorded and checked when the next run starts to ensure that no transactions have been missed or inserted between runs).

Ryuk

One of several nasty species of ransomware in the wild in 2018 and 2019 that strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Typically delivered as the final stage of an Emotet/TrickBot infection, targeting medium to large organisations such as municipalities, with substantial ransom demands ($5.3m in the case of the City of New Bedford).

SaaS
(Software as a Service)

Form of cloud computing service providing customers with access to Internet-based applications.  The cloud service provider’s responsibilities, including the information security aspects, cover almost the entire service provision.  See also IaaS and PaaS.

Sabotage

Deliberate, wilful and unauthorized damage to, or destruction of, assets such as information, physical facilities, machinery/equipment, business processes, commercial prospects, reputation, brand etc.  See also cybertage, Luddite and arson.

Saboteur

Person who commits sabotage.

SAE
(Simultaneous Authentication
of
Equals),
Dragonfly

Password-authenticated key exchange, derived from the Dragonfly handshake, used in WPA3-Personal to authenticate Wi-Fi devices to each other and derive the session key prior to establishing encrypted communications between them.  Designed to replace WPA2’s pre-shared key handshake and resist offline dictionary attacks, but flaws in the protocol and its implementations (the ‘Dragonblood’ side-channel and downgrade attacks disclosed in 2019) have been found.

Safe,
vault

Physically or logically secure space designed to reduce the risk of unauthorized access, removal or damage to stored assets.  Fire safes and bank vaults are well-known examples, along with key lockers/key rings, virtual vaults, password vaults, TPMs and HSMs.

Safeguard

See control.

Safe Harbor

US privacy laws are so different from the information protection laws in Europe and elsewhere that many non-US organisations may be legally forbidden from sending personal information to the US without additional information security.  The Safe Harbor scheme was introduced as a way for US organisations to assert or self-certify their compliance on a voluntary basis.  Widely discredited and distrusted due to poor design, limited compliance and especially the obvious conflicts of interest, the scheme finally collapsed in October 2015 when ruled invalid by the European Court of Justice.  It was replaced by Privacy Shield in 2016.

Safety critical, safety-critical

Class of information asset that is vitally important to the health and safety of individuals, particularly in respect of its integrity.  A serious information security incident affecting such an asset would probably cause grave impacts e.g. injury or death, often in short order.  See also Tier 1, 2 or 3 and business-critical.

Salami fraud

Fraud in which the fraudster steals small amounts of money through lots of separate transactions (like slices of salami), each individual theft being so insignificant as to escape the victim’s notice or concern while accumulating a tidy sum for the fraudster.  If it even comes to their attention, a victim will typically assume the deficit or debit is simply a consequence of legitimate rounding or measuring errors.

Sality

Polymorphic file-infecting malware family for Windows, first seen in 2003, that also enrols infected machines into a peer-to-peer botnet; still forming large botnets in 2015.

Salt, salting

Technique for mixing a random value, unique to each stored credential, into the input when hashing passwords etc., such that the hash values for identical passwords differ both between users and between systems.  The salt is stored alongside the hash and need not be secret: its purpose is to defeat precomputed lookups (rainbow tables) and to force an attacker who has obtained the hash file to attack each hash separately.  Salting does not slow the guessing of an individual weak password, which is why it is combined with a deliberately slow hash (PBKDF2, bcrypt, scrypt or Argon2).  A secret, system-wide value added in addition to the salt is sometimes called a pepper.
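Salting in working code, as an added example that is not part of the glossary: PBKDF2-HMAC-SHA256 from the Python standard library with a fresh random salt per credential, a constant-time verifier, the unsalted baseline it improves on, and the dictionary attack that a salt does not prevent.  The record format, iteration count and function names are this example’s own assumptions.

```python
"""Salted password hashing and why it defeats rainbow tables (added example,
not from the glossary).  Uses PBKDF2-HMAC-SHA256 from the standard library;
the record format and the iteration count are this example's own choices."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune to your hardware budget


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh 16-byte random salt is drawn per credential; it is stored in the
    clear beside the hash because it is not a secret, only a uniqueness value."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_sha256(password: str) -> str:
    """The weak baseline: identical passwords give identical, precomputable digests,
    which is exactly what a rainbow table exploits."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(record: str, candidates):
    """What an attacker holding the hash file can still do: a per-record guess
    loop.  The salt forces this work to be repeated for every record instead of
    looked up in a precomputed table, but it cannot rescue a guessable password."""
    for guess in candidates:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    a = hash_password("correct horse", iterations=1000)
    b = hash_password("correct horse", iterations=1000)
    print("same password, different records:", a != b)
    print("verifies:", verify_password("correct horse", a))
    print("dictionary attack finds:", dictionary_attack(a, ["123456", "correct horse"]))
```

The `iterations` argument is exposed only so the demonstration runs quickly; production records should use the default or higher, and the value is stored in the record so it can be raised over time without breaking existing credentials.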

SAM
(Security Accounts Manager)

An operating system security database on Windows systems containing information such as user IDs, hashed passwords etc.

Samas,
SamSam

One of several species of ransomware in the wild from 2016 (its alleged operators were indicted in the US in late 2018) that surreptitiously encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Notable for being deployed by hand after the attackers had broken into the victim’s network (e.g. via exposed RDP services or unpatched servers) rather than spread by mass email campaigns.

SAML
(Security Assertion
Markup Language)

XML standard for Web Single Sign On, used to exchange authentication and authorisation data between identity providers and service providers.  “A protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between online business partners” (CNSSI-4009).

Sandbox,
jail,
walled garden

System partition and other security controls designed to prevent apps from accessing unauthorized resources, particularly privileged operating system function calls and address spaces beyond the restricted range.  Analogous to keeping the kids occupied in a play-pen: unfortunately, they may escape and cause havoc with crayons.  See also jailbroken.

Sanitisation

“Process or method to sanitize” (ISO/IEC 27040).

Sanitize

The process of securely overwriting and/or deleting sensitive data such as personal information, passwords and encryption keys from computer storage media such that the information cannot later be recovered even by thorough forensic means.  Theoretically unnecessary if the data are strongly encrypted but in practice safer than relying indefinitely on the strength of the encryption and secrecy of the key.  See also zeroize and secure destruction.  “Process to remove information from media such that data recovery is not possible at a given level of effort.  Note: Clear, purge, and destruct are actions that can be taken to sanitize storage media” (ISO/IEC 27040 and ISO/IEC 27050-1).

SAR
(Security Assurance Requirement)

Formal descriptions of the testing and other measures (such as version control) taken to ensure that certified ICT products truly satisfy their security requirements under Common Criteria.

SAS 70 (Statement on Auditing Standards № 70 – Service Organisations)

Deprecated audit standard for reporting on the controls operated by service organisations (such as outsourced data centres and payroll processors), replaced by SSAE 16, itself superseded by SSAE 18 in 2017.

SAST
(Static Application
Security Testing)

Hunting through application program source code (or bytecode and binaries) for flaws and bugs that create security vulnerabilities, without executing the program.  Typically automated by tools that parse the code and match it against rules for dangerous constructs (e.g. calls that execute shell commands or deserialize untrusted input, hard-coded credentials, tainted data flowing into queries).  Finds issues early in development but with a high rate of false positives that need triage.  See also DAST and IAST.
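A miniature SAST tool, as an added example that is not part of the glossary: it parses Python source into an abstract syntax tree and reports the kinds of construct the entry describes (code execution, shell command injection, unsafe deserialisation, hard-coded credentials).  The rule table, the sample source it scans and the finding format are this example’s own assumptions.

```python
"""A minimal static application security test: walks the abstract syntax tree
of Python source and flags patterns a SAST tool would report.  Added example,
not from the glossary; the rule list, the sample source and the finding
format are this example's own (deliberately small) choices."""
import ast

# rule table: callee name -> why it is flagged
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "os.system": "shell command injection",
    "pickle.loads": "deserialisation of untrusted data",
    "yaml.load": "deserialisation of untrusted data (use yaml.safe_load)",
}
SHELL_WRAPPERS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                  "subprocess.check_output"}
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")

# Constructed sample under test: line numbers matter for the findings.
SAMPLE_SOURCE = '''\
import os, subprocess, pickle
DB_PASSWORD = "hunter2"
def run(user_cmd):
    os.system("ls " + user_cmd)
    subprocess.run(user_cmd, shell=True)
    subprocess.run(["ls", user_cmd])
    return eval(user_cmd)
def load(blob):
    return pickle.loads(blob)
'''


def _callee(node: ast.Call):
    """Dotted name of the called function, e.g. 'os.system', or None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return "{}.{}".format(f.value.id, f.attr)
    return None


def _is_true(node) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


def _is_nonempty_str(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and bool(node.value)


def scan_source(source: str, filename: str = "<sample>"):
    """Return findings as sorted (line, subject, reason) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _callee(node)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
            elif name in SHELL_WRAPPERS and any(
                    kw.arg == "shell" and _is_true(kw.value) for kw in node.keywords):
                findings.append((node.lineno, name, "shell=True invites command injection"))
        elif isinstance(node, ast.Assign) and _is_nonempty_str(node.value):
            # a string literal assigned to a name that looks like a credential
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        hint in target.id.upper() for hint in SECRET_HINTS):
                    findings.append((node.lineno, target.id, "hard-coded credential"))
    return sorted(findings)


if __name__ == "__main__":
    for line, subject, reason in scan_source(SAMPLE_SOURCE):
        print("line {}: {}: {}".format(line, subject, reason))
```

Note that the list-form `subprocess.run(["ls", user_cmd])` on line 6 of the sample is correctly not reported: matching on syntax rather than on text is what lets a SAST rule distinguish the safe call from the `shell=True` one beside it.  Real tools add data-flow (taint) analysis so that `eval` on a constant is treated differently from `eval` on user input; this example flags the call regardless, which is the source of the false positives mentioned above.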

SBU
(Sensitive But Unclassified)

Deprecated US government term, officially superseded by CUI.

SCADA
(Supervisory Control And
Data Acquisition)

Management control system that monitors and responds in real time to the state of industrial plant or machinery such as machine tools, conveyor belts, pumps, electrical systems and elevators through the associated ICS.  ‘Supervisory’ reflects the way that many modern monitoring/controlling devices on an industrial plant or facility (things) are largely autonomous, reacting rapidly to local conditions without external control.  However, the SCADA system communicates with distributed devices, showing operators what is going on through a mimic panel and allowing them to alter tags on the distributed devices.

Scale

Absolute or relative measure of quantity, size, volume, risk, severity, disaster etc. “Ordered set of values, continuous or discrete, or a set of categories to which the attribute is mapped.  Note: the type of scale depends on the nature of the relationship between values on the scale.  Four types of scale are commonly defined: nominal - the measurement values are categorical; ordinal - the measurement values are rankings; interval - the measurement values have equal distances corresponding to equal quantities of the attribute; ratio - the measurement values have equal distances corresponding to equal quantities of the attribute, where the value of zero corresponds to none of the attribute.  These are just examples of the types of scale.” (ISO/IEC 15939:2007).

Scam

Relatively basic/simple form of fraud perpetrated by a scammer that normally (but not always) causes minor impacts on each individual victim but may lead on to more substantial incidents and can be significant in aggregate since most scams are ‘a numbers game’.  See also scareware.

Scammer

The low-life fraudster who perpetrates a scam.  Whereas career criminals and fraudsters are sometimes portrayed as cheeky chappies and lovable rogues, scammers are the lowest-of-the-low, marginalized and despised by everybody including their peers (since they take “untrustworthy” to new depths) and even, on occasions, themselves.  Entirely selfish and mean-spirited, they have absolutely no compunction about preying on the vulnerable, young, elderly, sick, charitable, naïve and intellectually-challenged, let alone fine upstanding members of society.  They would literally sell their own grandmothers if only they could find a buyer dumb enough to fall for their spiel and trust that they would ever deliver on a deal.  When caught (for they are not, as a breed, the most significant bits in a byte), they invariably plead poverty and desperation as if that somehow explains and excuses their bare-faced total disregard for the accepted social norms and reasonable expectation of any civilized society.  Incarceration and lethal injections are too humane for them.  “Off with their goolies” we say!

Scapy

Low-level network management/penetration testing/hacking tool for capturing, manipulating and transmitting packets.

Scareware

Malware intended to scare and perhaps extort the user.  One example claims that the system has been flagged by the FBI due to illegal content, so the user must pay a fine to avoid being prosecuted (they seem a bit confused about the process!).  Another is simply an online advertisement for security software of dubious value, emulating a pop-up warning message.  More malicious forms include bluff ransomware.  See also crimeware.

Scavenging

Systematically trawling through data storage media for potentially valuable information, perhaps including remnants and metadata.  “Searching through object residue to acquire data” (CNSSI-4009).

SCIF
(Sensitive Compartmented Information Facility)

Secure room or facility specifically designed for handling classified information, particularly US TOP SECRET/Sensitive Compartmented Information.  Strongly constructed with embedded electromagnetic shielding (Faraday cages), sound insulation and strong physical access controls, and normally kept free of personal electronic devices.

Script kiddie,
skid

Pejorative term for a relatively unsophisticated, unskilled or novice hacker or wannabe who simply uses scripts, tools or malware created by more highly skilled, capable and competent hackers, without necessarily understanding them fully.

Scorched earth

Term with military origins referring to the systematic destruction of assets that might benefit adversaries e.g. using flamethrowers and explosives when retreating from hostile territory.  As we saw in the Sony hack, hackers, fraudsters etc. sometimes attempt to cover their tracks by destroying any remaining digital evidence of their activities (such as hacking tools, log files and audit trails), most likely causing collateral damage through destruction or corruption of business data and systems causing denial of service, a disruptive information security incident.

Screened subnet

See DMZ.

Screwdriving

Hacking teledildonics.

SDDC
(Software-Defined Data Center), VDC (Virtual Data Center)

Assembly of virtual computers and services in the cloud using hardware platforms owned either by the organisation or by third parties.  Has all the advantages and disadvantages of cloud architectures.

SDN
(Software Defined Network)

Networking architecture in which the control plane (the logic deciding how traffic is forwarded) is separated from the data plane (the physical or virtual switches that forward it) and centralised in software controllers, so that topology, segmentation and access policy can be configured programmatically rather than device by device.  Flexible, but the controller becomes a high-value target: compromise of it, or of the APIs and protocols it uses to program the switches, affects the whole network.

Search

Forensic process to find or extract useful, relevant information from ESI.  “Use of various methods for identifying and finding Electronically Stored Information that meets criteria for potential relevance, privilege, or other attributes that may be of interest.  Notes: The actual process of searching can take many forms (e.g., keyword, fuzzy, Boolean, phonic, synonym, etc. searches).  The content considered a match for a particular search may not be an exact match to the criteria” (ISO/IEC 27050-1).

Seconded foreign national

“A representative of a foreign government on exchange or long-term posting to an agency” (NZ information Security Manual).

SECRET

Class of information that is extremely sensitive and/or business-critical and therefore needs to be protected as strongly as possible against unauthorized access.  Examples include the organisation’s strategies, plans, Board minutes, system security information (e.g. passwords, keys, firewall rules), extremely valuable trade secrets and other intellectual property, as well as a significant amount of classified governmental and military information.  Whereas the meaning may appear self-evident, the specific definition of the label and the associated controls are organisation-specific.  See also TOP SECRET.

Secret key

See private key.

Secure,
security

The state in which one or more assets is adequately protected against risks.  Note that perfect security is literally unattainable: even relatively secure assets protected by strong controls remain vulnerable to extreme or currently unappreciated/unrecognized threats that happen to negate, overwhelm, bypass or undermine the controls, and to control failures.  See also protection and information security.

Secure area

“An area that has been certified to physical security requirements as either; a Secure Area, a Partially Secure Area or an Intruder Resistant Area to allow for the processing of classified information” (NZ information Security Manual).

Secure destruction,
secure erasure

Permanent, irreversible and complete destruction of information (for example by sanitisation, degaussing and/or physical destruction of the storage media by shredding and burning, or by strongly encrypting data and destroying the key) such that it cannot subsequently be retrieved, recovered or recreated from remnants, even using forensic analysis.  See also zeroize.

Secure multi-tenancy

“Type of multi-tenancy that employs security controls to explicitly guard against data breaches and provides validation of these controls for proper governance.  Notes: Secure multi-tenancy exists when the risk profile of an individual tenant is no greater than it would be in a dedicated, single-tenant environment.  In very secure environments even the identity of the tenants is kept secret” (ISO/IEC 27040).

Secure shell

“A network protocol that can be used to securely log into a remote workstation, executing commands on a remote workstation and securely transfer file(s) between workstations” (NZ information Security Manual).

Sec[urity] Admin[istration]
(SA)

Commonplace name for the trusted corporate information security function typically responsible for administering userIDs, passwords, access to IT systems, applications etc.  As such, they have privileged access to systems and, in the absence of effective governance and security controls such as training, security monitoring and logging, and competent oversight, could easily grant themselves or third parties unauthorized or inappropriate access, perhaps as the result of social engineering attacks.

Security association

“A collection of connection-specific parameters containing information about a one-way connection within IPSec that is required for each protocol used” (NZ information Security Manual).

Security association lifetimes

“The duration security association information is valid for” (NZ information Security Manual).

Security by obscurity

Trite alliterative term referring to a relatively cheap but fragile form of security control that simply relies on attackers not knowing or discovering the existence of an information asset or vulnerability (e.g. an undocumented URL, a non-standard port, or a proprietary cipher).  Fails insecure, for obvious reasons: once the secret is out, there is no control left.  Obscurity may add a little friction on top of real controls but should never substitute for them.

Security clearance

Fairly stringent and formalized version of background checks, normally performed on people appointed to trusted military or government service, defence organisations, audit and security professionals etc.  See also positive vetting.

Security Committee
(SC)

Governing body for physical and information security.  Oversees and directs all security activities across the organisation at the strategic level.  Operates under the delegated authority of executive management, liaising as necessary with the CISO, ISM, Local Security Committees, Internal Audit, Risk Management, Legal/Compliance functions etc.

Security culture

The information security-related attitudes, beliefs and practices generally shared, espoused and exhibited by members of a social group such as an organisation, department, team, industry, club, profession or nation.

Security domain

See zone. “Set of assets and resources subject to a common security policy” (ISO/IEC 27033-1).  “A system or collection of systems operating under a security policy that defines the classification and releasability of the information processed within the domain.  It can be exhibited as a classification, a community of interest or releasability within a certain classification.  This term is NOT synonymous with Trust Zone.” (NZ information Security Manual).

Security engineering

The application of professional engineering practices and rigor to information security.  “An interdisciplinary approach and means to enable the realization of secure systems.  It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development life cycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem” (CNSSI-4009).

Security gateway

See firewall.  “Point of connection between networks, or between subgroups within networks, or between software applications within different security domains intended to protect a network according to a given security policy” (ISO/IEC 27033-1).

Security glass

Whereas ordinary glass panes are quite easily smashed, windows made with glass containing an embedded grid of strengthening wires, toughened or laminated “safety” and “bullet proof” glass, extra thick “plate” glass, or sealed double-glazing units, are stronger and hence more intruder-resistant provided the frames, hinges, locks and surrounding walls are also sufficiently strong to resist violent physical attacks.

Security guard

Trusted physical security specialist, typically responsible for physical patrols of the premises, manning checkpoints and various emergency responses, operating CCTV surveillance etc.  Generally has ready access to assets throughout the facilities especially when patrolling unaccompanied outside normal working hours, using master keys and/or access-all-areas passes.  Often a contractor employed by a specialist physical security company.

Security implementation standard,
corporate security standard

Standard laying out a reasonably detailed specification or description of configuration parameters, processes and/or activities and other controls deemed necessary to implement and achieve compliance with an organisation’s information security policy.  “Document specifying authorized ways for realizing security” (ISO/IEC 27000).

Security landscape

A notional, visual, three-dimensional representation of the organisation’s overall or information security situation, where peaks or high points may indicate strengths while dips or valleys represent weaknesses.  A security metric.  See also attack surface, risk profile, risk universe and heatmap.

Security log,
security-related log file,
security record

Most IT systems, applications and security appliances, and some devices, generate records of events (such as successful access to the system or card-access-controlled door) and incidents (such as failed access attempts) that are stored in logs, as well as triggering alarms and alerts in specific situations (such as when log settings or other security parameters are changed, or when multiple events occur together).  Security logs are a vital source of evidence supporting subsequent forensic analysis of security-relevant situations, provided they are adequately secured against unauthorized access, tampering, falsification, manipulation, corruption, deletion, overwriting or wholesale replacement by the perpetrators or anyone else.  Security logs should be retained for as long as is necessary to complete the review and analysis, or according to legal and/or business requirements typically identified in an Information Retention Policy.  See also audit trail.

Security markings

Printed, written or stamped markings (such as “SECRET”) visibly applied to storage media, IT systems etc. to indicate their classification.  “Human-readable indicators applied to a document, storage media, or hardware component to designate security classification, categorization, and/or handling restrictions applicable to the information contained therein.  For intelligence information, these could include compartment and sub-compartment indicators and handling restrictions.” (CNSSI-4009).

Security protections

“Measures against threats that are intended to compensate for a computer’s security weaknesses” (NIST SP800-114 rev1).

Security researcher

See hacker.  Black or grey hat hackers with dubious pedigrees and unclear or nefarious motivations often claim to be “security researchers” but unless they have been explicitly commissioned and authorized to test security by the owners of the affected networks, systems, devices, applications etc., their efforts are generally unwelcome, unethical and may well be illegal.  Genuine security researchers include authorized system, application and penetration testers, and computer scientists.

Security risk management plan

“A plan that identifies the risks and appropriate risk treatments including controls needed to meet agency policy” (NZ information Security Manual).

Security screw,
one-way screw

Tamper-resistant fitting with a specially-shaped head making it easy to insert and tighten but hard to loosen and remove.  Some security screws are removable using a special tool, while others (including bolts or screws with extra hexagonal heads that shear off once they are in tight) are meant to be permanently installed.

Security strength

Metric measuring the capability of a security control, system etc. to resist attack, failure, breach, compromise etc.  “Number associated with the amount of work that is required to break a cryptographic algorithm or system” (ISO/IEC 27040).

Security token

Hardware device used as a credential, for example a smartcard or key fob containing a cryptographic processor and display that generates and presents a One Time Password.  Most such tokens implement the HOTP (counter-based, RFC 4226) or TOTP (time-based, RFC 6238) algorithms, deriving each code from an HMAC over a secret shared with the authentication server; the same algorithms run in smartphone authenticator apps.  See also token.

[Network] Segmentation,
segment

Logical separation of a network into distinct subnetworks or zones with differing trust levels, typically monitoring traffic and controlling access between the subnetworks at any points of contact e.g. using firewalls.  Also known as partitioning.

Segregation

“May be achieved by isolation, enforcing separation of key elements of a virtual system, removing network connectivity to the relevant device or applying access controls to prevent or limit access” (NZ information Security Manual).

SEM
(Security Event Management)

Apps/systems for centralized storage and real-time analysis of IT security events, alerts and alarms logged by disparate networked systems (e.g. correlating potentially related events generated by multiple systems such as physical and network access control systems).  See also SIM and SIEM.
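The correlation that the Security log and SEM entries above describe, as an added example that is not part of the glossary: a small engine that normalises constructed SSH, door-badge and VPN log lines into events, raises an alert when a burst of failed logons from one address is followed by a success, and raises another when the physical access system says a user is on site while the network says they are logging in remotely.  The line formats, regexes, thresholds and alert names are this example’s own assumptions, not any product’s.

```python
"""Minimal event correlation over security logs (added example, not part of
the glossary).  The log lines below are constructed for the demo; the regexes,
thresholds and alert names are this example's own assumptions, not any
product's format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: an SSH brute force from one address that
# eventually succeeds, a short burst below the threshold, and a badge-in that
# is followed by a remote VPN login for the same user a few minutes later.
SAMPLE_LOGS = [
    "2019-06-03T08:00:00Z doorctl: badge granted user=carol door=lobby",
    "2019-06-03T09:00:01Z sshd: Failed password for alice from 203.0.113.7 port 5001",
    "2019-06-03T09:00:03Z sshd: Failed password for alice from 203.0.113.7 port 5002",
    "2019-06-03T09:00:05Z sshd: Failed password for alice from 203.0.113.7 port 5003",
    "2019-06-03T09:00:07Z sshd: Failed password for alice from 203.0.113.7 port 5004",
    "2019-06-03T09:00:09Z sshd: Failed password for alice from 203.0.113.7 port 5005",
    "2019-06-03T09:00:11Z sshd: Failed password for alice from 203.0.113.7 port 5006",
    "2019-06-03T09:00:15Z sshd: Accepted password for alice from 203.0.113.7 port 5007",
    "2019-06-03T09:01:00Z sshd: Failed password for bob from 198.51.100.9 port 6001",
    "2019-06-03T09:01:20Z sshd: Failed password for bob from 198.51.100.9 port 6002",
    "2019-06-03T09:05:00Z doorctl: badge granted user=bob door=lobby",
    "2019-06-03T09:20:00Z vpngw: vpn login user=bob ip=198.51.100.50",
    "2019-06-03T09:30:00Z vpngw: vpn login user=carol ip=198.51.100.51",
    "this line is not a recognised event and is skipped",
]

LINE_RE = re.compile(r"^(?P<ts>\S+Z) (?P<source>\w+): (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
BADGE_RE = re.compile(r"^badge (?P<result>granted|denied) user=(?P<user>\S+) door=(?P<door>\S+)")
VPN_RE = re.compile(r"^vpn login user=(?P<user>\S+) ip=(?P<ip>\S+)")


def parse(line):
    """Normalise one raw line into an event dict, or None if unrecognised."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    msg = m.group("msg")
    for kind, rx in (("ssh", SSH_RE), ("badge", BADGE_RE), ("vpn", VPN_RE)):
        e = rx.match(msg)
        if e:
            return dict(ts=ts, kind=kind, **e.groupdict())
    return None


def correlate(lines, fail_threshold=5, window=timedelta(minutes=2),
              onsite_gap=timedelta(minutes=30)):
    """Return alerts as (name, subject, detail) tuples in the order raised."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> recent failure timestamps
    fired = set()                   # ips already reported for brute force
    last_badge = {}                 # user -> time of last badge-in
    for ev in filter(None, map(parse, lines)):
        if ev["kind"] == "ssh":
            q = failures[ev["ip"]]
            while q and ev["ts"] - q[0] > window:      # drop failures outside window
                q.popleft()
            if ev["result"] == "Failed":
                q.append(ev["ts"])
                if len(q) >= fail_threshold and ev["ip"] not in fired:
                    fired.add(ev["ip"])
                    alerts.append(("BRUTE_FORCE", ev["ip"], ev["ts"].isoformat()))
            elif len(q) >= fail_threshold:
                # a success right after a burst of failures is the high-value signal
                alerts.append(("BRUTE_FORCE_SUCCESS", ev["ip"], ev["user"]))
        elif ev["kind"] == "badge" and ev["result"] == "granted":
            last_badge[ev["user"]] = ev["ts"]
        elif ev["kind"] == "vpn":
            seen = last_badge.get(ev["user"])
            if seen is not None and ev["ts"] - seen <= onsite_gap:
                # physical and network access systems disagree about where the user is
                alerts.append(("ONSITE_AND_REMOTE", ev["user"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Two points the entry makes are visible here: the individual failed logons are unremarkable and would be lost in the noise of a single system’s log, and the second alert is only possible because records from a physical access control system and a network device were brought into one place with comparable timestamps.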

Senior management

See executive management.

Sensitive information

Confidential and/or valuable information asset considered to be at especially high risk of unauthorized and inappropriate disclosure or modification (e.g. personal or proprietary information).

SEO (Search Engine Optimisation) scam

Fraud claiming to promote victims’ organisations through online directories and search engines using methods that are largely ineffective or short-lived in practice.  Typically involves social engineering techniques such as misrepresentation, pretexting and coercion.

Separation

“Separation is a physical distinction between elements of a network or between networks.  This applies in both physical and virtual systems architectures” (NZ information Security Manual).

Separation or
segregation of duties

See division of responsibilities.

Server

Multi-user computer system.  “A computer (including mainframes) used to run programs that provide services to multiple users.  For example, a file server, email server or database server” (NZ information Security Manual).

Service mark

The equivalent of a trademark for a commercial service, giving it distinctive branding.  A form of intellectual property.  Sometimes denoted by SM.

Session border controller

“A device (physical or virtual) used in IP networks to control and manage the signalling and media streams of real-time UC and VoIP connections.  It includes establishing, controlling, and terminating calls, interactive media communications or other VoIP connections.  SBCs enable VoIP traffic to navigate gateways and firewalls and ensure interoperability between different SIP implementations.  Careful selection of SBCs will provide such functionality as prevention of toll fraud, resistance to denial of service attacks and resistance to eavesdropping” (NZ information Security Manual).

Session hijack

Taking over an established, authenticated session between a user and a system (for example by stealing or predicting the session cookie or token, or by intercepting the connection) so that the attacker is treated as the legitimate user without needing their credentials.  Defences include binding sessions to TLS, unpredictable session identifiers, short lifetimes and re-authentication for sensitive actions.  See also MITM.

Session key

Cryptographic key used for symmetric encryption of traffic between two parties within a defined period or for a certain number of messages.  The initial key for the first session may be generated and shared offline (e.g. on a One Time Pad or key loader) or exchanged securely between the parties using asymmetric encryption.  Subsequent keys may be generated, encrypted with the current session key and passed to the counterparty, or the process might start over from scratch (“rekeying”).

Sexting

Portmanteau of ‘sex’ and ‘texting’ involving explicit text messages or other supposedly private person-to-person communication between friends or lovers.  Once sent, messages may be forwarded or disclosed by the recipient and/or by anyone who intercepts the communications or has control of the devices.

Sextortion

Neologism concerning threatening to disclose highly personal and private, often sexual, information about someone (such as explicit selfies - photographs of someone taken by them - or sexting or captured webcam footage) as a means of coercing them into doing something (typically paying a ransom) to avoid embarrassment and shame.  See also revenge porn.

SFR
(Security Functional Requirement)

Standardized suite of formal descriptions for security functions such as access control and authentication, under Common Criteria.

SGX
(Software Guard EXtension)

A CPU instruction-set security extension, introduced by Intel with the Skylake microarchitecture, that lets an application run sensitive code and data inside protected regions of memory called enclaves, isolated from untrusted code including the operating system kernel and hypervisor.  Intended to prevent exploitation by malware, even subverted kernel functions, although several side-channel attacks against SGX enclaves have since been published, so it is a strong control rather than an absolute one.

SHA-1
(Secure Hash Algorithm № 1)

One of a set of hash algorithms developed by the NSA, SHA-1 generates 160-bit digests.  Due to known cryptographic weaknesses (a practical collision, ‘SHAttered’, was demonstrated in 2017), SHA‑1 is deprecated in favour of stronger algorithms such as SHA-2, but lingers in some digital signatures, SSL/TLS certificates, PGP, SSH and S/MIME.

SHA-2
(Secure Hash Algorithm № 2)

A set of six related hash algorithms developed by the NSA.  SHA-2 algorithms generate digests whose bit lengths are evident from their names (e.g. SHA-224, SHA-256, SHA-384 and SHA-512, plus the truncated variants SHA-512/224 and SHA-512/256).  SHA-2 is understood to be strong enough for all current applications, with SHA-3 available as an alternative if/when vulnerabilities are discovered and disclosed.

SHA-3
(Secure Hash Algorithm № 3)

A new generation of SHA algorithms approved by NIST in FIPS 202 (2015), based on Keccak, a sponge function with an internal structure unrelated to SHA-2.  MD5 and SHA-1 are already superseded; SHA-3 is intended as an alternative to SHA-2, which is not known to be broken, rather than as its replacement.

Shadow Brokers

Hacker group which, from 2016, published hacking tools and exploits (including EternalBlue, later used by WannaCry) attributed to the NSA’s Equation Group.  The group’s own identity and sponsorship remain unconfirmed, with Russian intelligence involvement alleged.

ShadowHammer

Malware incident in 2018/2019 which initially compromised ASUS servers, infecting motherboard software and firmware updates distributed through the ASUS Live Update mechanism.  The updates were digitally signed using genuine ASUSTek Computer Inc. certificates, hence appeared legitimate.  The malware targeted devices with specific MAC addresses on their network adapters, suggesting a spooky purpose.  The attack has been linked to the BARIUM group responsible for previous APT attacks such as ShadowPad involving Winnti malware.

Shadow IT

Unofficial, informally-organised and weakly-governed organisation outside IT Department, comprising computer-literate workers using ICT equipment (e.g. BYOD things) and services (e.gcloud computing) with little if any IT Department involvement.  Close to the business but may not be aware of and/or comply with corporate IT strategies, policies, standards, guidelines, procedures, protocols, good practices, laws, regulations, information security requirements etc.  An implied threat to IT Department’s political power.

Shadow regulations

Organisations sometimes acquiesce to unofficial requests from the authorities e.g. to disclose sensitive information or take offline material previously published online, without being legally compelled to do so.  Presumably they simply agree with the intent, are persuaded on ethical grounds, or are coerced through ‘agreements’, ‘codes of conduct’ etc.

Shamoon

Species of malware used to attack Saudi Aramco in 2012, with variants still in the wild as of 2019.  Incorporates a dropper and wiper.

Shared key

A cryptographic key for both encryption and decryption that is meant to be available only to authorized users of a symmetric cryptosystem and no others.  Cf. private key.

Shared responsibility

Information security principle that we are both collectively and individually responsible for maintaining adequate security in order to protect information assets.  See also accountability.

SEH
(Structured Exception Handling)

Windows mechanism for handling hardware and software exceptions (such as divide-by-zero errors and access violations) during program execution via a chain of handler records kept on each thread’s stack, allowing programs to trap and gracefully resolve issues arising from flaws and bugs.  Because that chain lives on the stack, a stack buffer overflow can overwrite a handler pointer and redirect execution (an ‘SEH overwrite’, a common exploit technique); mitigations such as SafeSEH and SEHOP validate the handler chain before it is used, so that designated exception or termination code cannot be bypassed by redirection at run time.

Shelfware

Documents such as policies and procedures that are ‘collecting dust on the shelf’ i.e. ignored rather than being actively used and complied-with.  See also hardware, software, firmware, malware and wetware.

Shellcode

Small, self-contained piece of machine code delivered as the payload of an exploit and executed once the exploit has hijacked control flow, so called because the classic payload spawns a command line interpreter (the “shell”) giving the attacker access to powerful low-level system commands.  Modern shellcode may instead download a further stage, add a user, connect back to the attacker etc.  It is typically written to be position-independent and to avoid byte values (e.g. nulls) that the vulnerable input path would reject.

Shellshock,
Bashdoor

A festering cluster of related bugs (CVE-2014-6271 and several follow-ups) in the Bash shell/command interpreter’s handling of function definitions passed through environment variables: commands appended after the function body were executed as soon as Bash started.  Any service that passes attacker-controlled data into the environment of a Bash process (CGI web scripts, some DHCP clients, SSH forced commands etc.) therefore permitted remote command execution with that process’s privileges, which on many UNIX/Linux systems was a trivial route to root.  Nasty.  Responsible disclosure of the vulnerability by its discoverer and ready availability of patches in September 2014 did not prevent Shellshock being widely exploited because of patching delays caused by tardiness and incompetence.
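The classic probe for the original bug, wrapped in Python as an added example (not from the glossary): it starts bash with a crafted environment variable and reports whether the command smuggled after the function body ran. It assumes a bash binary on the path; a patched bash ignores the definition entirely.

```python
# Added example (not from the glossary): the classic Shellshock probe in Python.
# It assumes a bash binary is installed; a patched bash ignores the smuggled
# command after the function body, an unpatched one runs it at start-up.
import os
import shutil
import subprocess


def shellshock_vulnerable(bash="bash"):
    """Return True if this bash runs the command smuggled after a function
    definition in an environment variable (CVE-2014-6271), False if it is
    patched, None if bash cannot be found or run."""
    path = shutil.which(bash)
    if path is None:
        return None
    # The value is a harmless function definition followed by an extra command.
    env = {
        "PATH": os.environ.get("PATH", ""),
        "x": "() { :; }; echo SHELLSHOCK-VULNERABLE",
    }
    try:
        result = subprocess.run(
            [path, "-c", "echo probe"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    # A vulnerable bash prints the marker while importing the environment,
    # before it ever gets round to running "echo probe".
    return "SHELLSHOCK-VULNERABLE" in result.stdout


if __name__ == "__main__":
    verdict = shellshock_vulnerable()
    print({True: "VULNERABLE", False: "patched",
           None: "bash not available"}[verdict])
```

Run it on any host that exposes bash to untrusted input (web servers with CGI, network appliances with embedded Linux); a False from a patched system is only reassuring for that one bash binary, so check every copy in the path.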

Shill bid

An auction bid made by the seller of an item (directly or through an accomplice) in order to drive up the hammer price.  A form of fraud.

Shim

(a) Thin strip of metal used to trip the catch or catches holding the shackle and hence force open a locked padlock without the correct key or combination.  (b) In software, a small layer interposed between a program and the library or API it calls in order to adapt or intercept those calls, e.g. Windows application compatibility shims; because shims are loaded transparently into the target process, hackers and malware abuse them for persistence and privilege escalation.

Shodan

A search engine for Internet-connected devices (things), popular with hackers and cybersecurity professionals.  Characterizes devices by their responses to various queries and network packets.  See www.shodan.io 

ShopAdmin

Hacker term for an exploit that grants unauthorized access to the privileged administrative/management functions of Internet shopping/eCommerce sites.

Shred,
shredding

Physical destruction of storage media in order permanently to withhold the information content.  Cross-cut “confetti” shredders are somewhat more effective than strip-cut shredders since the fragments are smaller and more difficult to piece back together (even using automated image analysis and reconstruction techniques), and shredding standards such as DIN 66399 specify maximum particle sizes for each security level, but shredding followed by incineration of the waste is advisable for highly confidential or SECRET information.  “Destruct by cutting or tearing media into small particles” (ISO/IEC 27040).

Shrink-wrapped

Refers to the practice of packaging COTS in clear plastic film through which the marketing blurb and copyright notice or license agreement may be read prior to purchasing and is deemed to have been accepted if the user merely opens the packaging.

SID
(Security IDentifier)

Unique, variable-length identifier assigned by Windows to security principals (users, groups, computers and domains) for access control and auditing purposes, written in the form S-1-5-21-<domain identifier>-<RID>, where the final Relative IDentifier (RID) identifies the principal within its domain.  Access control lists, access tokens and audit records reference SIDs rather than names, so renaming an account changes none of its rights, and well-known RIDs (e.g. 500 for the built-in Administrator account) identify sensitive accounts whatever they happen to be called.
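A parser for the binary SID layout as it appears in security descriptors, registry hives and event log records, as an added example (not from the glossary). The sample SID bytes are constructed for the example (they encode BUILTIN\Administrators, S-1-5-32-544) and the table of well-known RIDs is deliberately partial.

```python
# Added example (not from the glossary): parse a binary Windows SID into its
# S-R-I-S... string form and flag well-known RIDs. The sample bytes below are
# constructed for the example; the RID table is a partial list.
import struct

WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    519: "Enterprise Admins",
    544: "Administrators (BUILTIN)",
}


def parse_sid(blob):
    """Binary SID -> 'S-1-<authority>-<sub>-<sub>...'.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (48-bit big-endian), then count x 32-bit little-endian
    sub-authorities, the last of which is the RID."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(blob[2:8], "big")
    expected = 8 + 4 * sub_count
    if len(blob) < expected:
        raise ValueError("truncated SID: %d sub-authorities declared" % sub_count)
    subs = struct.unpack("<%dI" % sub_count, blob[8:expected])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rid(sid):
    """The relative identifier is the last component of the textual SID."""
    return int(sid.rsplit("-", 1)[1])


def describe(sid):
    """Name a principal by RID regardless of what the account is now called."""
    r = rid(sid)
    return WELL_KNOWN_RIDS.get(r, "ordinary RID %d" % r)


# Constructed sample: BUILTIN\Administrators, S-1-5-32-544
SAMPLE_BUILTIN_ADMINS = bytes([
    0x01, 0x02,                          # revision 1, two sub-authorities
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  # NT authority (5)
    0x20, 0x00, 0x00, 0x00,              # 32  = BUILTIN
    0x20, 0x02, 0x00, 0x00,              # 544 = Administrators
])

if __name__ == "__main__":
    sid = parse_sid(SAMPLE_BUILTIN_ADMINS)
    print(sid, "->", describe(sid))
```

The RID lookup is the point: a renamed Administrator account still carries RID 500 in every logon event, which is how a detection rule spots use of the built-in account without depending on its display name.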

Side channel

(a) Attack that exploits information leaked by the physical implementation of a cryptosystem rather than weaknesses in the algorithm itself, such as the time taken, the power consumed, the electromagnetic or acoustic emissions, or the cache and memory access patterns while performing cryptographic operations, thereby deducing for example which key bits were processed or at which byte a comparison failed.  Cf. covert channel.  (b) More generally, a class of exploits that take advantage of unanticipated, abnormal and/or insecure information channels or mechanisms to bypass controls over the usual channels and mechanisms e.g. the cache side channel exploited by Meltdown.
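The timing variant in miniature, as an added example (not from the glossary): a byte-by-byte comparison that stops at the first mismatch leaks, through how long it runs, how many leading bytes of a guess were right, and an attacker can turn that into a byte-at-a-time recovery. A comparison counter stands in for the wall clock an attacker would actually measure, so the leak is deterministic here; the secret is constructed for the example.

```python
# Added example (not from the glossary): an early-exit comparison leaks the
# length of the correct prefix. The counter returned by naive_equals stands in
# for the wall-clock time an attacker would measure over many requests.
import hmac


def naive_equals(secret, guess):
    """Early-exit comparison. Returns (match, bytes_compared); the second value
    is the side channel: it is the index of the first mismatch plus one."""
    compared = 0
    if len(secret) != len(guess):
        return False, compared
    for a, b in zip(secret, guess):
        compared += 1
        if a != b:
            return False, compared
    return True, compared


def constant_time_equals(secret, guess):
    """What to use instead: runs in time independent of where the bytes differ."""
    return hmac.compare_digest(secret, guess)


def recover_by_timing(secret, alphabet=range(256)):
    """Recover the secret one byte at a time using only the leaked counter: the
    candidate that makes the comparison run longest extends the known prefix."""
    known = b""
    while len(known) < len(secret):
        best, best_work = None, -1
        for c in alphabet:
            padding = b"\x00" * (len(secret) - len(known) - 1)
            guess = known + bytes([c]) + padding
            match, work = naive_equals(secret, guess)
            if match:
                return guess
            if work > best_work:
                best, best_work = c, work
        known += bytes([best])
    return known


if __name__ == "__main__":
    token = b"hunter2"                      # constructed secret
    print(recover_by_timing(token))         # b'hunter2' after ~7*256 probes, not 256**7
    print(constant_time_equals(token, b"hunter2"))
```

The attack needs about 256 probes per byte instead of 256 to the power of the length; in practice the timing differences are nanoseconds and must be averaged over many samples, but they have been measured successfully over a LAN. Use `hmac.compare_digest` (or the equivalent in your language) for every comparison of secrets, MACs and tokens.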

Sideloading

Installing software from outside the platform’s official app store and its vetting process, for example Android apps distributed directly as APK files, or apps on a jailbroken iOS device.  Sideloaded software bypasses the store’s malware screening and policy controls and may be unauthorized, unapproved and potentially malicious.

SIEM
(Security Information and
Event Management)

App/system to aggregate, normalise and correlate security alerts, alarms and logs from disparate systems (network devices, servers, endpoints, identity systems, cloud services) in order to identify events and incidents of concern, typically by running detection rules over the consolidated data and raising alerts for analysts to investigate.  Combines SIM (long-term storage and trend analysis) with SEM (near-real-time event monitoring and correlation).  See also UBA, NTA and IDS/IPS.
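The kind of correlation rule a SIEM runs over aggregated logs, as an added example (not from the glossary): a sliding-window count of failed logins per source address, escalated when the same source then succeeds. The log lines are constructed for the example in a simplified sshd/syslog format; the threshold and window are assumptions to be tuned per environment.

```python
# Added example (not from the glossary): a SIEM-style correlation rule over
# constructed sshd log lines. Threshold and window are assumed tuning values.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-03-01T10:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 5001 ssh2
2024-03-01T10:00:03Z sshd[1202]: Failed password for root from 203.0.113.7 port 5002 ssh2
2024-03-01T10:00:05Z sshd[1203]: Failed password for admin from 203.0.113.7 port 5003 ssh2
2024-03-01T10:00:06Z sshd[1204]: Failed password for alice from 198.51.100.2 port 6001 ssh2
2024-03-01T10:00:08Z sshd[1205]: Failed password for root from 203.0.113.7 port 5004 ssh2
2024-03-01T10:00:09Z sshd[1206]: Failed password for oracle from 203.0.113.7 port 5005 ssh2
2024-03-01T10:00:40Z sshd[1207]: Accepted password for alice from 198.51.100.2 port 6002 ssh2
2024-03-01T10:00:41Z sshd[1208]: Accepted password for root from 203.0.113.7 port 5006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Normalise one raw line into the fields the rule needs (None if not sshd)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Raise BRUTE_FORCE when one source reaches `threshold` failures inside
    `window`, then SUCCESS_AFTER_BRUTE_FORCE if that source later logs in."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:   # slide the window
                recent.popleft()
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("BRUTE_FORCE", ev["src"], len(recent)))
        elif ev["src"] in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The second alert is the one worth paging someone for: a flood of failures is noise on any Internet-facing host, but a success from the same source inside the window is a probable compromise. A SOAR playbook would typically take that alert and disable the account or block the address.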

SIGINT
(SIGnals INTelligence)

The military practice of gleaning intelligence through surveillance on [primarily] foreign communications (COMINT) and other signals (ELINT) which potentially includes analogue and digital communications, wired or wireless networks and point-to-point links, data and voice radio transmitters, beacons, steganography, cryptanalysis, traffic analysis etc.

Signature

(a) Characteristic way that a person writes their own name, providing a means to authenticate them (i.e. a biometric).  (b) Set of characteristics that uniquely identify a species of malware, system or device.  See also digital signature.

Significant Information Asset

Information asset or a related group/set of information assets having a significant/material value to its owner.  ‘Significance’ may be defined formally in a policy or standard, typically in terms of its financial or strategic value to the organisation, or left to the owners’ discretion.

Silent alarm

Covert alarm that, when triggered manually or automatically by some event or exception, is not obvious to those in the immediate vicinity or directly involved but quietly alerts remote guards, managers, authorities etc.  Duress alarms and tell-tales are specific examples.

Silent cyber risk

See non-affirmative cyber risk.

Silk Road,
Silk Road 2.0

Online black markets where the tools (including malware and related services) and proceeds of crime (fullz, illegal drugs and more) were traded anonymously through the Tor network for Bitcoins.  The original Silk Road was active from 2011 until being shut down by the FBI in 2013.  It was resurrected as Silk Road 2.0 and lasted another year before again being shut down.

SIM
(Security Information Management)

App/system to aggregate, store and analyse security logs from disparate networked systems, allowing the identification of trends and other relatively long-term indicators of information security incidents.  See also SEM and SIEM.

Simplocker

One of several species of Android ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys in Ukrainian hryvnias, hinting at the malware’s origin.

SIM swap [fraud]

Fraudsters socially engineer (or bribe) mobile phone company staff into transferring a target’s cellphone number to a SIM card in the fraudsters’ possession, then use it to hijack the victim’s email, banking and other online services by receiving the two-factor authentication SMS text messages used to reset forgotten passwords or authenticate/approve transactions.  A telltale symptom is the victim’s phone suddenly losing service.  Authenticator apps or hardware tokens rather than SMS codes remove the attack’s payoff.

Single Point of Failure
(SPoF)

Essential component or link between components whose failure would interrupt (i.e. impact the availability of) dependent services, processes, customers etc.  Eliminating SPoFs where possible through redundancy, along with reinforcing unavoidable SPoFs through solid engineering practices, is a typical resilience control.  “Element or component of a system, a path in a system, or a system that, if it fails, the whole system or an array of systems are unable to perform their primary functions.  Note: A single point of failure is often considered a design flaw associated with a critical element” (ISO/IEC 27040).  See also FMEA.

Single Sign On
(SSO)

Arrangement whereby a user authenticates once and is then granted access to multiple systems without re-entering credentials, either by the SSO software holding and submitting each target system’s unique password on the user’s behalf (enterprise SSO, akin to a password vault) or, more commonly today, by an identity provider issuing the user a signed token or ticket (Kerberos, SAML, OpenID Connect) that the target systems trust.  Unlike crude password synchronisation schemes, the compromise of a single target system’s credential should not give access to the other target systems.  However, compromising the SSO system, the identity provider or the user’s session token may still facilitate unauthorized access to all the subsidiary systems, hence security (including strong multi-factor authentication at the single sign-on point) remains paramount for the SSO system.  See also password vault.

Sinister

Dark, underhand, deceptive, surreptitious, foreboding and usually malicious behaviour e.g. coercive, threatening or menacing.  Derived from the Latin word for left, referring to a Roman soldier’s discreet use of, say, a dagger held in the left hand in addition to the obvious sword in his right hand, or perhaps the tactical advantage that a left-handed swordsman might have when fighting at tight quarters e.g. in a spiral staircase.

Sinkhole

See bit-bucket.

SIPRnet
(Secret Internet Protocol
Router network)

US Department of Defense network for classified information up to SECRET.  Authorisation to connect is required from SCAO (SIPRnet Connection Approval Office) within DISA (Defense Information Systems Agency).  See also NIPRnet.

SIS
(Secret Intelligence Service), MI6
(Military Intelligence branch 6)

UK’s foreign intelligence agency.  Originally the sixth section of the Directorate of Military Intelligence, part of the War Office in the First World War, and not officially acknowledged by the British government until the 1990s (it was placed on a statutory footing by the Intelligence Services Act 1994).  See also MI5.

Situational awareness

Heightened appreciation of the risks inherent in a given context, particularly significant threats to the subject in the locality at the time.  “The ability to identify, process and comprehend the critical elements of information through a cyber threat intelligence process that provides a level of understanding that is relevant to act upon to mitigate the impact of a potentially harmful event” (CPMI-IOSCO).

Skill

Ability to do something particularly well – more than merely competently.  “Ability to perform a task or activity with a specific intended outcome acquired through education, training, experience or other means.  EXAMPLE: An example of a skill is the ability to identify and classify the risks associated with a project” (ISO/IEC 17027).

Skipjack

Symmetric block cipher (64-bit block, 80-bit key) designed by the NSA.  Originally classified SECRET and implemented only in tamper-resistant hardware such as the Clipper chip, it was declassified in 1998 and opened to public scrutiny.  Its short key makes it unsuitable for current use.

Slack space

The gap between the end of a file’s data (the end of file marker) and the end of the last cluster (allocation unit) assigned to it, including any whole sectors in that cluster the file does not use.  Because the filesystem only overwrites the bytes a new file actually occupies, the slack may contain residual data (remnants) from files that previously occupied the area before being deleted or moved without being securely erased, making it a standard place for forensic examiners to look and for data-hiding tools to write.  Slack space can also exist in working memory, depending on the operating system.  See also unallocated space.
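How slack arises and why a plain delete does not clear it, as an added example (not from the glossary): a toy in-memory volume with fixed-size clusters, a confidential file written and deleted, and a short file reusing the same clusters. The cluster size, file names and contents are constructed for the example; the arithmetic is the same on NTFS or FAT.

```python
# Added example (not from the glossary): file slack on a cluster-allocated
# filesystem, simulated with a toy in-memory volume. Sizes, names and contents
# are constructed for the example; 4096-byte clusters are typical of NTFS/FAT.
CLUSTER = 4096


def slack_bytes(file_size, cluster=CLUSTER):
    """Bytes of the file's last cluster that hold no file data."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster


def clusters_needed(file_size, cluster=CLUSTER):
    return (file_size + cluster - 1) // cluster


class ToyVolume:
    """A few clusters. Deleting a file only forgets where it was; a new file
    overwrites just the bytes it uses, so earlier content survives in the new
    file's slack (and beyond its last cluster, in unallocated space)."""

    def __init__(self, clusters=4, cluster=CLUSTER):
        self.cluster = cluster
        self.disk = bytearray(clusters * cluster)
        self.files = {}  # name -> (first cluster, size in bytes)

    def write(self, name, data, first_cluster=0):
        start = first_cluster * self.cluster
        self.disk[start:start + len(data)] = data
        self.files[name] = (first_cluster, len(data))

    def delete(self, name):
        del self.files[name]  # data left in place, as an ordinary delete does

    def secure_delete(self, name):
        first, size = self.files.pop(name)
        start = first * self.cluster
        end = start + clusters_needed(size, self.cluster) * self.cluster
        self.disk[start:end] = bytes(end - start)  # wipe every allocated cluster

    def read_slack(self, name):
        """What a forensic tool sees between end-of-file and end-of-cluster."""
        first, size = self.files[name]
        end = first * self.cluster + size
        return bytes(self.disk[end:end + slack_bytes(size, self.cluster)])


def remnant_survives(secure):
    """Write a confidential file, delete it (securely or not), reuse the space
    with a short file and report whether the old text shows in its slack."""
    vol = ToyVolume()
    vol.write("report.txt", b"CONFIDENTIAL: bid price 42M. " * 200)  # 5800 B, 2 clusters
    if secure:
        vol.secure_delete("report.txt")
    else:
        vol.delete("report.txt")
    vol.write("note.txt", b"hello world")  # 11 bytes, reuses cluster 0
    return b"bid price 42M" in vol.read_slack("note.txt")


if __name__ == "__main__":
    print("slack after ordinary delete leaks old data:", remnant_survives(False))
    print("slack after overwrite leaks old data:     ", remnant_survives(True))
```

Note the distinction the numbers make: the 4085 bytes after `hello world` in cluster 0 are slack (allocated to `note.txt`), whereas the second cluster the old report used is unallocated space; both hold remnants, but only the former travels with the new file if it is copied at the block level.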

Slander,
slanderous

Transitory and generally unrecorded form of defamation, for example a spoken statement or gesture, perhaps falsely accusing someone of something untoward and inappropriate.  Cf. libel.

S/MIME
(Secure/Multipurpose Internet Mail Extensions)

Public key cryptosystem used to encrypt and/or to digitally sign and authenticate emails.  In contrast to PGP’s web of trust approach, S/MIME is a conventional PKI revolving around digital certificates formally issued and controlled by trustworthy Certification Authorities (e.g. capable of being revoked and listed on a Certificate Revocation List).  “A protocol which allows the encryption and signing of Multipurpose Internet Mail Extension-encoded email messages including attachments” (NZ information Security Manual).

Sleeper

A deep cover mole who remains under cover for an extended period (years) in the target organisation/group/culture in order to establish the (ill-founded) trust of his/her colleagues and ascend to a position of power and authority from which he may be ‘awoken’ to commit an act of espionage, sabotage or betrayal.  An extreme example of social engineering.

Smart-

Generic prefix normally referring to something electronic having an embedded processor, ranging from basic (dumb) to advanced things (e.g. autonomous cyberweapons using artificial intelligence). 

Smart appliance

Smart device such as a refrigerator or oven (‘white goods’), home entertainment system etc. typically found in smart homes.

Smart building

Building, home or other facilities containing integrated computer systems and networks for monitoring, control, security etc.

Smart button

Switch thing used to trigger an action elsewhere via the network.

Smartcard

Credit-card-sized device containing a cryptographic or other processor plus contact pads and/or short-range wireless networking capabilities.

Smart device

A device with an embedded processor, usually also network-capable making it a thing.  Some dumb devices can be smartened-up using add-on smart interfaces, ranging from remotely-switchable power plugs up to quite sophisticated automation involving both monitoring/measurement and control.

Smart grid

Electricity grids have long been used by the power companies to pass low-rate data and commands to their remote substations, switchgear etc. through the power cables.  Modern networking technologies, communicating either over the power lines themselves or by some other medium (normally radio e.g. mesh networks), allow greater bandwidths so power companies can extend the reach of their control into consumer premises, particularly industrial premises, for metering and demand management (e.g. shedding non-critical loads such as household and office air conditioners if peak demands threaten to overload the grid).

Smart home

Residential property that uses home automation, typically involving Home Area Networks of smart devices and the Internet of Things.

Smart hub

While smart home devices and things may use decentralized peer-to-peer ad hoc network topologies, smart hubs bring logical order to the chaos for monitoring and management purposes (such as device configuration), as well as interconnecting Home Area Networks to wide area networks, particularly the Internet.

Smart lock

Thing that locks a door and can be commanded to open through the network, for instance when the owner’s smartphone is detected in the vicinity, or when hacked.

Smart meter

Meter that can be remotely interrogated (for meter readings) and perhaps commanded (e.g. switching between charging bands or dis/connecting services), typically through a mesh network.  Within a smart home or business, the smart meter may communicate wirelessly with things such as smart appliances, typically monitoring and perhaps controlling them for power demand management purposes, raising information security and privacy concerns.

Smartphone

Modern cellphones (cellular telephones) have sophisticated processing capabilities – they are in fact miniature networked computers and cryptographic systems.  With powerful processors running multi-tasking operating systems such as iOS and Android, solid-state storage, high-resolution touch screens, access to multiple networks and other technically advanced capabilities such as GPS, they can run a wide variety of apps … as well as being nifty portable telephones, Internet terminals and surveillance devices.

Smart plug,
smart socket

Power plug or socket thing that can be commanded to switch connected equipment on or off through the network, at predefined times, when it gets dark/cold, or when someone is in the room etc.

Smart thermostat,
smart HVAC controller

Thing monitoring the ambient temperature, humidity or other parameters relative to set points or other criteria, signalling or commanding the HVAC (Heating, Ventilating and Air Conditioning) equipment to operate as appropriate.

Smart worker

More than simply an employee who dresses to impress, achieving this well-informed, highly-motivated and alert state among workers is an interim goal of information security awareness, training and educational programs, marking a significant step on the way towards building a security culture that reduces information risks.

Smoke detector

Device that detects smoke particles in the air, triggering an alert or alarm for the presence of fire.  Common types use either a photoelectric (light-scattering) sensor, which responds best to smouldering fires, or an ionisation chamber containing a tiny radioactive source, which responds best to fast-flaming fires.  Both types become less reliable as the sensing chamber ages and accumulates dust, so manufacturers typically advise replacing the whole unit about every ten years and testing it regularly.  Fire safety experts often advise the use of both types.

SMS
(Short Message Service),
TXT (TeXT)

Form of person-to-person communication using the cellphone networks to pass short text messages.  SMS users typically abbreviate words (e.g. “you” becomes “U”) creating a shorthand or bastardized English language variant known as TXT-speak, arguably reducing literacy and increasing the risk of misinterpretation.  SMS users are vulnerable to phishing and other social engineering attacks, and since messages are neither encrypted end-to-end nor sender-authenticated, they can be intercepted or spoofed, which together with SIM swap fraud makes SMS a weak carrier for authentication codes.  Systems that receive and process SMS messages automatically may be vulnerable to hacking.

SMTP
(Simple Mail Transfer Protocol)

Protocol used to send emails from a client or server to a mail server and onwards between mail servers.  Basic SMTP has no sender authentication, so both the envelope sender and the From header can be spoofed; supplementary mechanisms such as SPF, DKIM and DMARC, plus TLS for the transport, have been bolted on to compensate.

SNAFU
(Status/Situation Normal:
All Fouled Up)

Acronym popular in the US Marine Corps in World War II.  The original expansion was cruder than ‘all fouled up’.  Generally refers to incidents arising from errors, mistakes and accidents.

Snake oil

A virtually worthless liquid medicine allegedly derived from snakes with magical cure-all properties, sold by charlatans to vulnerable customers in 18th and 19th Centuries.  Mobile snake oil salesmen used hard-sell social engineering techniques to fleece customers of their money, moving rapidly on to the next town before victims realized they had been duped.  A classic fraud.  As with today’s homeopathy, any medical effect is probably psychosomatic – the placebo effect.

[Network] Sniffer

Networking software (such as Tcpdump) or hardware device (such as a network analyser) that passively monitors and usually records passing network traffic, for example using an Ethernet card in promiscuous mode.  “Device or software used to capture information flowing in networks” (ISO/IEC 27033-1).

Snitch

See whistleblower.

Snitchline

See whistleblower’s hotline

Snoop, snooper, snooping

Generally a low-grade, crude, amateurish or inept form of spying such as voyeurism, but sometimes refers to high-grade surveillance by the authorities.  Either way, it implies something unethical and somewhat sinister.

Snoopers’ charter

See IPA.

Snort

NIDS.  Open source software available in free and commercial versions.  With the appropriate rules in place, Snort can detect, alert and in some cases respond to thousands of different network attacks/hacks, worms etc.

Snowshoe spamming

Small-scale spamming, deliberately designed to ‘leave a small footprint’ and so evade the automated checks that normally catch and quickly block mass spamming.  Analogous to spear-phishing, it typically involves spamming a relatively small group of targets with carefully-crafted custom messages less likely to be flagged as spam.

SoA

See statement of applicability.

SOAR (Security Orchestration, Automation and Response)

Platform that complements a SIEM by automating the response to its alerts: playbooks enrich an alert with threat intelligence and context, open tickets and, where the organisation permits, take containment actions (blocking an address, disabling an account, isolating a host) through integrations with other security tools, so that analysts react more rapidly and consistently to network security alerts, alarms, situations, events or incidents.

Social engineering,
social hacking

Hacking/scamming/fraud techniques involving the manipulation of people through a combination of deception (such as pretexting and masquerading) and persuasive, coercive or assertive behaviour (such as ‘bravado’ and manipulative psychological tricks), typically leading to them revealing or permitting unauthorized access to sensitive information.  “A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious” (NIST SP800-114 rev1).  “A general term for trying to deceive people into revealing information or performing certain actions” (Financial Stability Board Cyber Lexicon, November 2018).

Social identity,
social ID

Social media apps and functions (such as those allowing visitors to comment on news items, blogs etc. or review products and services) often invite users to identify and authenticate themselves using their Facebook, Twitter, Google or LinkedIn accounts (their ‘social identities’), provided the users are willing for those social media sites to disclose selected personal information to the social media apps and functions.  This single sign on approach avoids users having to register separately in each case but raises privacy concerns.

Social insecurity

Neologism refers to information security and privacy risks, controls and incidents directly involving human factors and affecting people, including social engineering, scams, frauds, social media, social networking, social proofing, blended attacks, phishing, spear-phishing, pretexting, coercion, spoofing and masquerading.

Social media

Interactive websites and applications (such as Facebook, Tumblr, LinkedIn, Twitter, Blogger, Myspace, YouTube, blogs and discussion forums) that facilitate social networking and personal interaction, both benign and malicious.

Social networking

Socializing and mixing with other people, either face to face (in person) or remotely through various communications technologies, apps and websites.  We tend to relax our guards in social situations, typically trusting people and often revealing information and accepting things at face value, increasing our vulnerability to social engineering.

Social proofing,
group affirmation

People in tight-knit social groups tend to believe in, trust and respect the same things.  Therefore, if a friend (or someone who has stolen our friend’s ID) recommends a link or an app, we are inclined to load it without necessarily considering the risks of malware, fraud etc.

Sodinokibi,
REvil

A family of ransomware in the wild in 2019 and 2020, responsible for the Travelex incident.  Encrypts particular types of file on a Windows system, then demands a ransom payment to decrypt them, with an escalating charge if the victim delays.  Can also exfiltrate data.  The code bears similarities to the GandCrab malware.

Softphone

“A software application that allows a workstation to act as a VoIP phone, using either a built-in or an externally connected microphone and speaker” (NZ information Security Manual).

Software

One or more computer programs.  Cf. hardware, firmware, data, wetware, malware, ransomware, scareware and shelfware.

Software component

“An element of a system, including but not limited to, a database, operating system, network or Web application” (NZ information Security Manual).

Solar flare

Eruption of intensely energetic particles from the sun that can irradiate the Earth, affecting the Earth’s magnetosphere and ionosphere, possibly unsettling electrical grids, wired and wireless communications and damaging delicate electronics, particularly on orbiting satellites (such as those providing GPS) and high-altitude aircraft.  The frequency and intensity of flares, and hence the threat, tracks the number of sunspots which peak every 11 years or so (most recently in 2014).

Solid state drives

“Non-volatile media that uses flash memory media to retain its information when power is removed and, unlike non-volatile magnetic media, contains no moving parts” (NZ information Security Manual).

[The] Sony hack

Major information security incident at the end of 2014 affecting Sony Pictures Entertainment.  Malicious hackers allegedly working for the North Korean government compromised Sony’s corporate network, stealing a large quantity of sensitive proprietary and personal information over several months which they then used to extort Sony by disclosing some (creating a media storm) and threatening to disclose more embarrassing and damaging content.  Presumably in an effort to cover their tracks (scorched earth), the hackers also unleashed a network worm that displayed a scary graphic and threats on desktop screens, destroyed data and took IT systems out of service for months, massively disrupting Sony’s business activities and causing serious commercial, legal and brand impacts.

Soraya

One of several species of memory-scraping malware in the wild.

Source available

Some software owners are willing to disclose their source code to specific third parties, usually in confidence (e.g. after entering into a nondisclosure agreement), in order for them to be able to check the design, functionality, quality, supportability, security etc.  Not to be confused with open source: source-available licences typically do not permit modification or redistribution.

Source code escrow

Escrow of program source code enabling it to be released to users/customers etc. under specific conditions, for example if the original developer dies, ceases trading or is unwilling/unable to continue supporting/maintaining the software.

Spam,
UBE
(Unsolicited Bulk Email)

Advertisements pumped out by some low-life scammer or naïve/over-zealous/unethical marketer taking advantage of the negligible costs of emails and contact lists.  “Unsolicited emails, which can carry malicious contents and/or scam messages” (ISO/IEC 27033-1).  [Note: SPAM in capitals shouts the trademarked name of a pink spiced ham product made infamous by a 1970’s Monty Python sketch.]  See also SPIM.

Spam bomb

See email bomb.

Spambot

Robotic program that systematically harvests email addresses from the Web and/or sends spam.  Typically, part of a botnet.

Spamtrap

A honeypot system designed to improve anti-spam controls by luring, monitoring, logging, capturing, analysing and/or characterizing spam messages.

Speak Up

A species of malware in the wild in 2019, targeting Linux systems with a backdoor Trojan.  Currently being used to install a cryptominer.

Spear phishing

Narrowly-targeted phishing attack that uses information about or of direct interest to specific target individuals as a pretext to establish contact and false credibility with them, thereby increasing the scammers’ chances of success.

Special collection

CIA term for surveillance that would require a warrant if performed within the US for law enforcement … but not when performed overseas, nor if it would be permitted domestically for other purposes (such as counter-terrorism or national defence) or for testing/training, nor if conducted by other agencies (such as the FBI or Five Eyes) at the CIA’s request, perhaps using information and tools (i.e. surveillance capabilities and tradecraft) furnished by the CIA.  This level of access is indeed “special”, as in exceptional.  See also basic collection and standard collection.

Species [of malware]

By analogy to living organisms, malware is rapidly ‘evolving’.  Several distinct ‘families’ of malware are known, containing one or more ‘species’ often with multiple ‘variants’ or ‘mutants’ – millions of them in the case of highly polymorphic or heavily obfuscated types.

Spike

Momentary/transient peak in the supply voltage, typically caused by switching heavy inductive loads such as large motors on the same circuit, or a lightning strike on or near the power cables and electrical/electronic devices.  May overload and cause unreliability or premature failure of sensitive electronics having inadequate voltage regulation or protection such as MOVs.  See also surge, dip, brownout, blackout and EMP.

Spikes

Physical security control consisting of upward-pointing sharpened strong steel rods or similar, normally firmly fixed to the top of a wall or fence or implanted in the ground (sometimes on hinged plates allowing vehicles to pass safely in one direction) to deter or prevent intrusion.

[Data] Spill

An incident involving the unauthorized accidental leak or deliberate transmission or exfiltration of classified information to a system, network or some other recipient classified to a lower level, perhaps unclassified.

SPIM
(SPam via IM)

Spam sent over IM.  A term allegedly created by the marketing departments of certain antivirus/anti-spam companies desperate to sell their services to naïve IM users.

Split knowledge

An application of the principle of division of responsibility whereby critical information (such as a trade secret, PIN code or cryptographic key) is deliberately divided among multiple people, systems etc. who are required to keep their parts confidential so that none of them alone holds the complete picture.  “1. Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data.  2. A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key.” (CNSSI-4009).
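The key-component scheme behind CNSSI’s second definition, as an added example (not from the glossary): XOR splitting, in which every component but one is pure random and the components only recombine to the key when all of them are present. The key is constructed for the example, and the check value function is a stand-in (a SHA-256 prefix) for the vendor-specific KCV a hardware security module would print on each custodian’s sheet.

```python
# Added example (not from the glossary): XOR key splitting for a key ceremony.
# The key is constructed for the example; check_value is an assumed format,
# not the AES-based KCV a real HSM prints.
import hashlib
import secrets
from functools import reduce


def xor_bytes(*parts):
    if len({len(p) for p in parts}) != 1:
        raise ValueError("components must all be the same length")
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*parts))


def split_key(key, n):
    """Split key into n components for n custodians. The first n-1 are
    uniformly random and the last is chosen so that all n XOR back to the
    key; any n-1 of them together are statistically independent of the key,
    so no custodian, nor any group short of all of them, learns anything."""
    if n < 2:
        raise ValueError("need at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    parts.append(xor_bytes(key, *parts))
    return parts


def combine(parts):
    """Recreate the key (inside the cryptographic module, never on a laptop)."""
    return xor_bytes(*parts)


def check_value(component):
    """Short fingerprint a custodian reads back to confirm their component was
    entered correctly without disclosing it (assumed format)."""
    return hashlib.sha256(component).hexdigest()[:6]


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    components = split_key(master, 3)
    for i, c in enumerate(components, 1):
        print("custodian %d: %s  KCV %s" % (i, c.hex(), check_value(c)))
    print("recombined correctly:", combine(components) == master)
```

XOR splitting is all-or-nothing: losing one custodian loses the key, so operations that must survive an absent custodian use a threshold scheme (Shamir secret sharing) instead, at the cost of extra arithmetic. Either way the components are only ever combined inside the cryptographic module.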

Sploit

Leet/hacker slang for exploit.

Splunk

Commercial application for analysing logs.

Spoliation

Deliberate (malicious) or accidental (benign) spoilage (i.e. destruction, discrediting or otherwise devaluing) of forensic evidence.  “Act of making or allowing a change to Electronically Stored Information where there is a requirement to keep it intact.  Note: Spoliation can take the form of ESI destruction, corruption, or alteration of the ESI or associated metadata as well as rendering ESI unavailable (e.g., due to encryption with no access to the decryption key, loss of media, under the control of a third party, etc.)” (ISO/IEC 27050-1).  “Act of making or allowing change(s) to the potential digital evidence that diminishes its evidential value” (ISO/IEC 27037).

Sponge function

A construction for cryptographic functions that absorbs an arbitrary-length input into a fixed-size internal state, by XORing successive input blocks into part of the state (the ‘rate’) and applying a fixed permutation after each, then squeezes an arbitrary-length output string out of the same state; the remaining ‘capacity’ portion of the state, never directly exposed, determines the security level.  Has applications in hashing (SHA-3/Keccak is a sponge), extendable-output functions, message authentication codes, authenticated encryption, stream ciphers and pseudo random number generation.
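The construction in miniature, as an added example (not from the glossary): a toy sponge with a 64-bit state, 32-bit rate and 32-bit capacity, and a home-made permutation chosen only to be bijective and mix bits. It is not secure and not Keccak; it exists to show the absorb, pad and squeeze phases and why the output length is free.

```python
# Added example (not from the glossary): a toy sponge. 64-bit state, 32-bit
# rate, 32-bit capacity and a made-up bijective permutation. NOT secure; real
# sponges (SHA-3) use Keccak-f on a 1600-bit state with a capacity >= 256 bits.
RATE = 4                           # bytes absorbed or squeezed per permutation call
MASK = (1 << 64) - 1
RATE_MASK = (1 << (8 * RATE)) - 1  # the low RATE bytes of the state are the rate part


def rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK


def toy_permutation(state):
    """Bijective 64-bit mixer: odd multiply, xorshift, rotate, add, six times."""
    for i in range(6):
        state = (state * 0x9E3779B97F4A7C15) & MASK
        state ^= state >> 29
        state = rotl(state, 23)
        state = (state + 0xD1B54A32D192ED03 + i) & MASK
    return state


def pad(msg):
    """Keccak-style pad10*1: append 0x01, zeros to a block boundary, then set
    the top bit of the final byte. Distinct messages never pad to equal blocks."""
    padded = bytearray(msg) + b"\x01"
    while len(padded) % RATE:
        padded.append(0x00)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge(msg, out_len):
    """Absorb msg into the rate part of the state, then squeeze out_len bytes."""
    state = 0
    padded = pad(msg)
    for i in range(0, len(padded), RATE):                      # absorb phase
        state ^= int.from_bytes(padded[i:i + RATE], "little")
        state = toy_permutation(state)
    out = bytearray()
    while len(out) < out_len:                                  # squeeze phase
        out += (state & RATE_MASK).to_bytes(RATE, "little")
        if len(out) < out_len:
            state = toy_permutation(state)
    return bytes(out[:out_len])


def toy_mac(key, msg, out_len=8):
    """Keyed use: absorbing the key first gives a MAC directly, because a
    sponge has no length-extension weakness to work around."""
    return sponge(key + msg, out_len)


if __name__ == "__main__":
    print(sponge(b"abc", 8).hex(), sponge(b"abc", 16).hex())   # second extends the first
    print(toy_mac(b"secret key", b"message").hex())
```

The capacity bits are what an attacker never sees; with only 32 of them here a collision search is trivial, which is exactly why Keccak keeps hundreds. The extendable output (longer requests simply squeeze more blocks) is what SHAKE exposes as an XOF.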

Spouseware

Neologism for spyware used by one partner in a personal relationship to spy on (typically track and monitor) another, having exploited opportunities to infect the partner’s ICT systems.  See also stalkerware.

Spoof,
spoofing

The deliberate faking or falsification of identity information in systems, networks or protocols that lack adequate authentication controls, for example email addresses, caller ID numbers, IP and MAC addresses.  Typically used to conceal the perpetrator’s true identity, bypass simplistic identity-based access controls, socially engineer a target, commit fraud or hack.  “Impersonating a legitimate resource or user” (ISO/IEC 27033-1).  See also masquerade.

Spook, spooky

Deliberately vague, tongue-in-cheek yet somewhat sinister reference to someone who is or may be part of the intelligence community i.e. a spy, agent, intelligence operative, source, collector etc.

Spora

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

Spread spectrum

Radio communications technique involving the transmission of (usually covert) messages across a range of frequencies simultaneously, reducing the possibility of (a) an unauthorized interceptor identifying the transmission and ascertaining the information content; and (b) accidental or deliberate interference (jamming) materially damaging the information.  “Telecommunications techniques in which a signal is transmitted in a bandwidth considerably greater than the frequency content of the original information. Frequency hopping, direct sequence spreading, time scrambling, and combinations of these techniques are forms of spread spectrum.” (CNSSI-4009).

Spy

Secret agent working undercover to gather intelligence, usually for commercial (industrial or economic espionage) or national security purposes.  See also spook.

Spying,
espionage,
counterintelligence

Covertly selecting, collecting and analysing intelligence, typically for commercial and/or national security/military purposes but sometimes for personal reasons, for example to sell to an information broker or to exploit through social engineering, fraud, hacking, blackmail etc.  Counterintelligence is the defensive counterpart: detecting, deceiving and neutralising hostile espionage directed at one’s own organisation or country.

Spyware

Category of malware used to spy on victims through their ICT devices for example covertly sending information about the programs run, websites visited or data submitted, to a remote system or hacker.  May involve surreptitious access to the microphone, camera and/or keyboard.  See also spouseware and stalkerware.

SQL injection,
SQLi

Versatile, effective and hence very common means of hacking vulnerable database apps by entering malicious SQL through interfaces that the system owners, designers and developers naïvely anticipated would only ever pass legitimate, benign data, not program instructions and privileged database commands.  It arises whenever untrusted input is concatenated into the text of a query; the reliable fix is to pass input as parameters (prepared statements) so the database never parses it as SQL.  A form of code injection.
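The same login query built both ways, run against an in-memory SQLite table constructed for the example, as an added example (not from the glossary): the vulnerable form lets a quote in the input terminate the literal so the rest is parsed as SQL, while the parameterised form sends the values separately and treats them as data whatever they contain.

```python
# Added example (not from the glossary): SQL injection against an in-memory
# SQLite table constructed for the example, and the parameterised fix.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'correct horse', 'admin');
        INSERT INTO users VALUES ('bob',   'hunter2',       'user');
    """)
    return conn


def login_vulnerable(conn, name, password):
    """Input pasted straight into the SQL text: a quote in the input ends the
    string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT name, role FROM users "
           "WHERE name = '%s' AND password = '%s'" % (name, password))
    return sorted(conn.execute(sql).fetchall())


def login_safe(conn, name, password):
    """Parameterised query: the driver passes the values to the engine apart
    from the SQL text, so they can only ever be compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return sorted(conn.execute(sql, (name, password)).fetchall())


if __name__ == "__main__":
    db = make_db()
    # Tautology: WHERE name = 'alice' AND password = '' OR '1'='1'  -> every row
    print(login_vulnerable(db, "alice", "' OR '1'='1"))
    # Comment: WHERE name = 'alice'-- ... the password check is never evaluated
    print(login_vulnerable(db, "alice'--", "anything"))
    # Same inputs against the parameterised query match nothing
    print(login_safe(db, "alice", "' OR '1'='1"), login_safe(db, "alice'--", "anything"))
```

Note that the precedence of AND over OR is what makes the tautology return every row, not just alice’s, and that the comment variant needs no knowledge of the table at all. Escaping quotes is not an adequate substitute for parameters: numeric fields, identifiers and second-order injection (data stored safely now and concatenated later) all slip past it.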

SSAE 16
(Statements on Standards for Attestation Engagements № 16),
SOC 1
(Service Organisation Controls report № 1)

Type of audit report and attestation specified in detail by the American Institute of Certified Public Accountants (AICPA), concerning the controls at a service organisation (such as an outsourcer, payroll processor or cloud provider) that are relevant to its customers’ financial reporting, and their design and operating effectiveness.  Intended as a one-size-fits-all comprehensive report to avoid wasteful multiple audits by each of a provider’s individual customers.  Superseded SAS 70, and was itself superseded by SSAE 18 in 2017, although the SOC 1 report name persists.  Similar accounting/auditing standards and approaches are used in other countries.

SSH
(Secure SHell)

Cryptosystem commonly used for network access to privileged accounts on UNIX-based systems for remote systems administration purposes.  SSH-1 has known flaws and is therefore deprecated in favour of SSH-2.

SSH-agent

“An automated or script-based Secure Shell session” (NZ information Security Manual).

SSID (Service Set IDentifier)

The name for a Wi-Fi network service set (group of communicating devices), usually broadcast periodically by access points.  “A name assigned to a wireless AP” (NIST SP800-114 rev1).

SSL
(Secure Sockets Layer)

Cryptosystem used to secure the transport of HTTPS web traffic between web servers and web browsers.  Uses RC-4.  Vulnerable to cryptographic attacks, hence strongly deprecated in favour of TLS.

ST
(Security Target)

A set of specific security requirements for an ICT product associated with an implementation as opposed to the generic PP, under Common Criteria.  “An artefact of Common Criteria evaluations.  It contains the information security requirements of an identified target of evaluation and specifies the functional and assurance security measures offered by that target of evaluation to meet the stated requirements” (NZ information Security Manual).

Stack

Small areas of memory, managed by the operating system, containing code, pointers and variables sequentially placed on and retrieved from the stack by programs.  See also heap.

Stack overflow

Class of software vulnerability similar to buffer overflow in which programs exceed the allocated bounds of the stack (e.g. due to excessively numerous or large variables having been saved to the stack), leading to the unauthorized execution of code inserted by a hacker or malware.  See also heap overflow.

Stagefright

Exploit for old unpatched versions of Android, arising from a buffer overflow bug in an operating system library used to process video files.  A malware-infected video message sent to a vulnerable mobile device may be pre-processed and compromise the device on receipt, before the user even has the chance to open, check or delete it.

Stakeholder

Person or organisation with a stake – a material interest – in something, such as the owners, managers, workers, suppliers, customers, partners/associates or regulators of an organisation, infrastructure, information etc.  “Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity” (ISO/IEC Guide 73).  “Individual or organisation with interest in an asset in the supplier relationship.  Note: For the purpose of this International Standard, an asset is information associated with products and services.” (ISO/IEC 27036-1).

Stalkerware

Neologism for spyware used by stalkers to spy on, track, monitor and harass victims.  See also spouseware.

Stampado

One of several species of ransomware in the wild that surreptitiously encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Basic but readily available on the Darknet.

[Security] Standard

Documented specification or description of security.  May be published and publicly available (such as ISO27k) or proprietary to an organisation or group.  See also security implementation standard.

Standard collection

CIA term for surveillance obtained by neither basic collection (OSINT) nor special collection such as “requesting another government agency to provide their records about a United States person, asking a current CIA asset about the activities of a United States person living in a foreign country, or asking a foreign government for information about the same person” [source: CIA’s Updated Executive Order 12333 Attorney General Guidelines, 2017].

Standard deletion periods

“Unified deletion periods for the PII controller.  Note: A standard deletion period is a deletion period used for several clusters of PII to standardize several deletion periods lying close to one another (see [clause] 7.1).” (ISO/IEC 27555 draft).

Standard Operating Environment (SOE)

“A standardised build of an operating system and associated software that is deployed on multiple devices.  A SOE can be used for servers, workstations, laptops and mobile devices” (NZ information Security Manual).

Standard Operating Procedure (SOP)

“Instructions for complying with a SecPlan and procedures for the operation of systems” (NZ information Security Manual).

Standard user account

A normal userID lacking the powerful privileges required for system administration, hence lower risk if compromised.  “A user account with limited privileges that will be used for general tasks such as reading email and surfing the web” (NIST SP800-114 rev1).

Standing data,
static data

Reference items or fields that are relatively static and unchanging (e.g. bank account numbers) compared to more volatile or dynamic user data (e.g. current account balances).

STAR
(Security, Trust and
Assurance Registry)

CSA scheme for information security attestation and certification of cloud service providers.  The trust-based entry-level involves organisations simply self-assessing and (optionally) formally asserting that they fulfil the requirements of both ISO/IEC 27001 and the CCM, with no independent assessments necessary.  Higher levels require periodic independent compliance assessments and certification by accredited assessors.  The top level will (when eventually introduced) add a further requirement to maintain continuous compliance with the CCM, not just at the assessment touchpoints (!).

Stateful firewall,
stateful packet inspection

In contrast to simple packet filters, second generation firewalls analyse packets in context and maintain internal state tables for the connections e.g. reconstructing fragmented packets before scrutinizing the content or identifying spoofed responses lacking the corresponding requests.  Cf. deep packet inspection.

Statement of Applicability
(SoA)

List or matrix identifying information security controls required to satisfy relevant control objectives i.e. those that address information risks of concern to the organisation.  “Documented statement describing the control objectives and controls that are relevant and applicable to the organisation’s ISMS” (ISO/IEC TR 27019).

Static data

See standing data.

Static electricity

Electrostatic charging and discharging of insulating materials by very high voltages, normally induced by the frictional movement of surfaces past each other.  Static discharges can damage semiconductor junctions in electrostatically-sensitive electronic devices, causing them to fail immediately … or at some future point.  A lightning storm is a dramatic demonstration of the immense power of static discharges.

STE
(Secure Terminal Equipment)

Device such as a telephone designed to communicate government/military classified information, incorporating security features such as a verifiable unique and un-spoofable identifier, RFI shielding, tamper resistance and data encryption.

Stealth virus

Cryptic virus that attempts to conceal its presence on the system, typically by intercepting and manipulating directory/disk access requests.  When for example an unskilled user or a crude antivirus program searches the disk, the virus dynamically removes or changes program names, file names etc. in the information provided/presented by the operating system.  More sophisticated methods are widely used by more advanced malware, including APTs.

Stream cipher

Type of cryptographic algorithm that encrypts each character or byte as it flows through the process by combining it with a character or byte from a parallel pseudorandom stream.  Cf. block cipher.

Steganography,
stego,
steg

Hiding information ‘in plain sight’, for example by cryptographically manipulating the least significant bits of certain pixels in a graphic image causing changes that are virtually invisible to the human eye but can be identified by a program that checks the same pixel values.  Commonly used to assert ownership of and copyright on digital content, or to pass covert messages despite surveillance.  “The art, science, and practice of communicating in a way that hides the existence of the communication” (CNSSI-4009).

STELLARWIND

One of several secret US surveillance programs.

Stepping stone

See foothold.

Stingray

Family of commercial surveillance devices capable of spoofing cellular phone base stations, enabling the police, FBI etc. to conduct man-in-the-middle attacks in order to intercept voice calls and SMS/text messages, capture metadata etc. from cellphones within range, sometimes with valid court orders or warrants.  See also IMSI-catcher.

STIX
(Structured Threat Information eXpression)

Structured, flexible, extensible language for sharing unclassified threat information in machine- and human-readable form for cybersecurity situational awareness, real-time network defence and threat analysis.  See also TAXII and CybOX.

Stoned

One of the earliest boot-sector viruses, allegedly written by students at the University of Wellington, New Zealand in 1987.  It displayed the message “Your PC is now Stoned!” on some infected systems.  Copycat variants followed, displaying different messages.

Storage

Medium or mechanism for retaining information.  “Device, function, or service supporting data entry and retrieval” (ISO/IEC 27040).

Storage Area Network
(SAN)

“Network whose primary purpose is the transfer of data between computer systems and storage devices and among storage devices.  Note: A SAN consists of a communication infrastructure, which provides physical connections, and a management layer, which organises the connections, storage devices, and computer systems so that data transfer is secure and robust” (ISO/IEC 27040).

Storage device

Hardware designed to store stuff, such as a cardboard box, tank, wardrobe, cupboard, filing cabinet, brain or computer disk.  “Any storage element or aggregation of storage elements, designed and built primarily for the purpose of data storage and delivery” (ISO/IEC 27040).

Storage ecosystem

“Complex system of interdependent components that work together to enable storage services and capabilities.  Note: The components often include storage devices, storage elements, storage networks, storage management, and other Information and Communications Technology (ICT) infrastructure” (ISO/IEC 27040).

Storage element

“Component that is used to build storage devices and which contributes to data storage and delivery.  Note: Common examples of a storage element include a disk or tape drive” (ISO/IEC 27040).

Storage medium,
storage media, media [plural]

Physical substrate/s on which information can be recorded and retained e.g. computer disks, magnetic tapes, papers, brass nameplates or stone tablets.  “Material on which Electronically Stored Information or digital data are or can be recorded” (ISO/IEC 27040).

Storage security

“Application of physical, technical, and administrative controls to protect storage systems and infrastructure as well as the data stored within them.  Notes: Storage security is focused on protecting data (and its storage infrastructure) against unauthorized disclosure, modification, or destruction while assuring its availability to authorized users.  These controls may be preventive, detective, corrective, deterrent, recovery, or compensatory in nature” (ISO/IEC 27040).

Store

Keep, stash, accumulate, squirrel-away for a rainy day.  “Record data on volatile storage or non-volatile storage” (ISO/IEC 27040).

Stored procedure

In some DBMSs, subroutines for manipulating data can be stored in data tables, blurring the distinction between data and code.

Stresser,
booter

Commercial Internet traffic load-testing services, rentable for minutes or hours at a time, ostensibly for legitimate performance and capacity stress-testing of websites by their owners but in reality mostly used by black hats for DDoS attacks, extortion and hacking of third parties.  Typically use reflection attacks to amplify TCP or UDP traffic.

STRIDE

Application security threat assessment method used by Microsoft to evaluate the potential for: Spoofing identities, Tampering with data, Repudiation, Information disclosure, Denial of Service and Elevation of privileges … plus other threats or risks.

Strong authentication

Relatively high-integrity, trustworthy form of authentication involving cryptography.  “Authentication by means of cryptographically derived credentials” (ISO/TS 22600-1:2006).

Stuxnet

APT malware used by the US and Israeli governments to attack and damage Natanz, a supposedly highly secure but patently vulnerable Iranian nuclear fuel processing facility in 2010.  A very public demonstration of advanced cyberwarfare capabilities since the malware escaped the intended target and spread globally.  Developed by the NSA’s Tailored Access Operations (TAO) unit.

Stylometry,
stylometric analysis

Neologism about identifying originators of artistic works by analysing linguistic cues and writing styles, brushwork techniques, chord sequences etc., typically to identify fakes and forgeries or the true authors of unattributed works.

Subpoena

Legally-binding order for someone to appear in person before, or provide evidence to, a court (usually).  Relevant and potentially incriminating emails, memoranda, database records and other notes or files are commonly demanded in commercial disputes and compliance cases.

Substitution

Cryptographic process in which characters or bytes in the plaintext are replaced by different characters/bytes in the cyphertext using a simple rule (e.g. ‘Use the next letter in the alphabet’, Caesar’s cipher) or a more complex scheme (e.g. Vigenère’s cipher).

Subterfuge

Deceptive and often covert activities conducted under the pretence of something innocuous and/or legitimate.  A form of social engineering.  May be malicious or benign depending on situations, motives and perspectives.

Subversive

[Adjective] Activities intending to subvert (undermine, bypass or negate) controls, constraints, requirements or expectations.  [Noun] Person who commits subterfuge.

Succession planning

Paving the way for workers currently performing vital rôles in the organisation to be replaced by someone sufficiently knowledgeable and competent, typically a deputy or understudy in training for the rôle, for business continuity purposes in the event of incapacity, illness or death, retirement, promotion, demotion, resignation, termination of contract, reassignment, overload, exhaustion etc.

Supervise, supervision, supervisor

To direct, control and/or oversee someone or something, such as a worker or system performing important tasks.  Supervisors are generally experienced, competent and trusted, effectively junior or blue-collar managers.

Supervisory authority

“An independent public authority which is established by a Member State pursuant to Article 51” (GDPR).

Supervisory authority concerned

“A supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority” (GDPR).

Supervisory control

See management control.

Superzap

A privileged IBM mainframe program that lets the user override logical access controls that would otherwise prevent their access to executable programs, in order to apply binary patches.  Exemplifies the powerful rights that system administrators have or can potentially obtain, emphasizing the need for them to be both competent and trustworthy.

Supplier, contractor, producer, seller, vendor

Commercial source of products (goods and/or services).  “Organisation or an individual that enters into agreement with the acquirer for the supply of a product or service.  Note 1: Other terms commonly used for supplier are contractor, producer, seller, or vendor.  Note 2: The acquirer and the supplier can be part of the same organisation.  Note 3: Types of suppliers include those organisations that permit agreement negotiation with an acquirer and those that do not permit negotiation with agreements, e.g. end-user license agreements, terms of use, or open source products copyright or intellectual property releases.” (ISO/IEC 27036-1).

Supplier relationship

An ongoing business arrangement between a supplier and customer involving the exchange of information pertinent to the goods and/or services supplied.  “Agreement or agreements between acquirers and suppliers to conduct business, deliver products or services, and realize business benefit” (ISO/IEC 27036-1).

Supply chain, supply network, supply mesh

The production of commercial products involves a number of suppliers obtaining and adding value to the raw materials, often but not necessarily in a linear sequence. Due to the many-to-many relationships, ‘network’ or ‘mesh’ is more descriptive than ‘chain’.  “Set of organisations with linked set of resources and processes, each of which acts as an acquirer, supplier, or both to form successive supplier relationships established upon placement of a purchase order, agreement, or other formal sourcing agreement.  Note 1: A supply chain can include vendors, manufacturing facilities, logistics providers, distribution centres, distributors, wholesalers, and other organisations involved in the manufacturing, processing, design and development, and handling and delivery of the products, or service providers involved in the operation, management, and delivery of the services.  Note 2: The supply chain view is relative to the position of the acquirer.” (ISO/IEC 27036-1).

Surge

Excessive supply voltage lasting more than just a few micro- or milliseconds.  May blow fuses or damage electronics having inadequate voltage regulation.  See also spike, dip and brownout.

Surge protector

A relatively cheap, low-quality substitute for properly-engineered power regulation and protection techniques, often consisting of nothing more than an MOV across the power supply.

Surveillance

The process of covertly observing, snooping or spying on someone’s activities, whether literally watching them, surreptitiously monitoring and perhaps recording their activities and movements, or tapping-in to their network/online and/or telephone communications e.g. using spyware.  See also mass surveillance.

Survivability

Capability to survive serious incidents or disasters, not necessarily unscathed but still operating to some extent.

Susceptibility

Vulnerability or inability to avoid being successfully attacked.

Suspense file

See hold file.

Suspicion,
suspicious

Something that strikes an alert and security-aware person as unusual and causes concern as a potential information security matter, such as a stranger in a secure area, information assets unexpectedly going missing or the belief that confidential information may have been disclosed inappropriately.  While some suspicious events may turn out to be entirely innocuous or benign, some may be near-misses or incidents, and hence should be reported to management or Help Desk.

Switch

Network node providing basic, dumb, network traffic routing capabilities.  “Device which provides connectivity between networked devices by means of internal switching mechanisms, with the switching technology typically implemented at layer 2 or layer 3 of the OSI reference model” (ISO/IEC 27033-1).

Symmetric

Cryptographic system in which an identical or trivially related key is used for both encryption and decryption.  Clearly the key must be kept secret from anyone not authorized to encrypt or decrypt the information, and must not be guessable.

SYNful Knock

Persistent exploit against Cisco routers involving the installation (using a privileged account) of a hacked version of the operating system (malware) with a C2 capability allowing the router to be remotely controlled through HTTP and custom TCP packets.

Sysinternals

Microsoft’s suite of Windows system, network and security management tools. Useful to diagnose problems with performance, slow booting, spyware etc.  Originally open source thanks to the generosity of its original author but no longer, having been absorbed by Redmond like a macrophage consumes a bacterium.

SYSKEY

A Windows function that optionally encrypts stored password hashes to frustrate brute force and rainbow table attacks in the event a hacker successfully obtains the SAM (called the “Windows Account Database” by syskey.exe).  The RC-4 encryption key is normally stored in the registry but Windows can be configured to demand that it is typed in or provided on removable media as a password at startup in order to continue booting.  Fake ‘Microsoft support’ phone scammers sometimes socially engineer this configuration change in order to lock victims out of their own computers and so coerce them into paying a ransom, unless they simply revert the change by loading a previous restore point or registry backup … assuming they have one and it hasn’t been deleted by the scammers.

Syslog

A de facto technical standard for system and application logging, primarily on UNIX systems.

[Computer or IT] System,
host

Usually, in the ICT and information security context, a computer system or server i.e. ICT hardware plus the associated firmware and software forming a discrete functional unit.  Otherwise, an integrated suite of related items and processes forming a discrete operating or functional unit, such as a management system.  “A related set of IT equipment and software used for the processing, storage or communication of information and the governance framework in which it operates” (NZ information Security Manual).  “Combination of interacting elements organised to achieve one or more stated purposes.  Note 1: A system can be considered as a product or as the services it provides.  Note 2: In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun, e.g. aircraft system.  Alternatively, the word “system” can be substituted simply by a context-dependent synonym, e.g. aircraft, though this can then obscure a system principles perspective.” (ISO/IEC 27036-1).  See also operating system, device and virtual machine.

System classification

“The highest classification of information for which the system is approved to store or process” (NZ information Security Manual).

System Development Life Cycle (SDLC)

The entire cradle-to-grave process through which an application system is conceived, specified, developed, tested, implemented, operated, managed, maintained and eventually retired from service.

System files

Primarily programs comprising a computer’s operating system but can include the associated device drivers, boot loaders, configuration files, startup and logon scripts, and even application programs in some contexts.  Excludes user data files however.

System owner

“The person responsible for the information resource” (NZ information Security Manual).

System security plan

“A plan documenting the controls for a system” (NZ information Security Manual).

System time

“Time generated by the system clock and used by the operating system, not the time computed by the operating system” (ISO/IEC 27037).

System user

See user.  “A general user or a privileged user of a system” (NZ information Security Manual).

Tag

SCADA/ICS term for a data set point e.g. the temperature at which a chiller unit starts up.  Tag processing can get quite sophisticated on some systems e.g. whether the chiller operates may depend on the rate of change of temperature, the humidity level and/or the available power, rather than simply being triggered at a certain temperature value like a mechanical thermostat.

Tailgating,
piggybacking

Gaining unauthorized physical access to a site, building etc. by slipping through an access-controlled door, gate, car-park barrier, turnstile etc. at the same time as an authorized person is authenticated and enters.  May involve social engineering or masquerading.  A simple yet effective technique to get inside areas that lack adequate physical and procedural security controls without the requisite permission.

TAILS
(The Amnesic Incognito Live System)

A Linux-based open-source portable operating system and apps designed to leave behind no forensic evidence of user activity on the computer and to conceal online activities.  Used by hackers, spies, spooks, activists, investigative journalists and others attempting to ensure their anonymity.

Tamper evident

Physical control that aims to make it evident or obvious that someone has tampered with something, such as the uniquely-identified seal on a forensic evidence bag or the grossly distorted features of someone who has over-indulged on Botox.

Tampering

“Act of deliberately making or allowing change(s) to digital evidence (i.e. intended or purposeful spoliation)” (ISO/IEC 27037).

Tamper resistant,
tamper proof

Physical access controls are often important to prevent other security mechanisms from being breached, bypassed or otherwise compromised by attackers with sufficient physical access to the systems or devices concerned.  Since no control is absolutely effective, however, this is properly termed ‘tamper resistance’ rather than ‘tamper proofing’.  See also tamper evident.

TAO
(Tailored Access Operations)

NSA’s elite hacking unit.

Target,
mark,
patsy

Vulnerable person, organisation, system, network, program, database etc. singled out for a deliberate attack such as a hack, malware infection or fraud.  Implies that they are identified and aimed-at specifically, although indiscriminate attacks may also compromise vulnerable targets.  See also victim.

Target data

“Information subject to a given process, typically including most or all information on a piece of storage media” (ISO/IEC 27040).

Tarpit

System specifically designed to delay network worms and probes using TCP/IP timeouts, malformed responses, multiple retransmissions etc., either in the hope that attackers will go after easier targets or giving analysts time to examine their activities and perhaps respond.  Often combined with honeynets.

TAXII
(Trusted Automated eXchange of Indicator Information)

Protocol for services and messages for sharing unclassified threat information in machine-readable form for cybersecurity situational awareness, real-time network defence and threat analysis.  See also STIX and CybOX.

TCap
(Threat Capability)

One of the risk parameters in the FAIR method, TCap is an estimate of the ability of a threat agent to compromise the information assets under analysis.  See also CS, PLM, LEF and TEF.

TCB
(Trusted Computing Base)

Relatively secure and trustworthy low-level computing subsystem typically comprising hardware, software and firmware specifically designed to perform certain privileged security activities with the integrity necessary to secure the system as a whole.  May be formally designed and mathematically proven secure.

Tcpdump

Network analysis tool, the source of the Libpcap/WinPcap packet capture library used by nmap and others.

TSCM
(Technical Surveillance CounterMeasures)

Bug-detection and related techniques to identify and perhaps nullify or subvert covert transmitters and recorders, for example by transmitting pulsed RF signals and monitoring for ‘reflections’ radiated by semiconductor junctions in bugs secreted in a supposedly secure zone.  “The process of surveying facilities to detect the presence of technical surveillance devices and to identify technical security weaknesses that could aid in the conduct of a technical penetration of the surveyed facility” (NZ information Security Manual).

Technical control

See automated control.

Technical [security] standard

Standard documenting the IT security parameters required on a particular technology platform or situation.  Interprets general control requirements from information security policies in a more specific and explicit context.

TEF
(Threat Event Frequency)

One of the risk factors in FAIR, TEF estimates the probability of a threat agent coming into contact with and acting upon the information assets under analysis.  It alludes to the assets being exposed to threat agents.  See also CS, PLM, LEF and TCap.

Telecommunications applications

“Applications such as Voice over IP (VoIP) that are consumed by end-users and built upon the network based services” (ISO/IEC 27011).

Telecommunications business

“Business to provide telecommunications services in order to meet the demand of others” (ISO/IEC 27011).

Telecommunications equipment room

Place containing most telecoms devices.  “A secure location or room within a general building where equipment for providing telecommunications businesses are sited” (ISO/IEC 27011).

Telecommunications facilities

“Machines, equipment, wire and cables, physical buildings or other electrical facilities for the operation of telecommunications” (ISO/IEC 27011).

Telecommunications organisations

“Business entities who provide telecommunications services in order to meet the demand of others” (ISO/IEC 27011).

Telecommunications records

Metadata relating to telecommunications.  “Information concerning the parties in a communication excluding the contents of the communication, and the time, and the duration of the communication that took place” (ISO/IEC 27011).

Telecommunications service customer

“Person or organisation who enters into a contract with telecommunications organisations to be offered telecommunications services by them” (ISO/IEC 27011).

Telecommunications service user

“Person or organisation who utilizes telecommunications services” (ISO/IEC 27011).

Telecommunications services

“Communications using telecommunications facilities, or any other means of providing communications either between telecommunications service users or telecommunications service customers” (ISO/IEC 27011).

Teledildonics

A neologism meaning smart network-connected sex toys.  See also screwdriving.

Telephone

“A device that converts between sound waves and electronic signals that can be communicated over a distance” (NZ information Security Manual).

  Yes, really.

Telephone system

“A system designed primarily for the transmission of voice traffic” (NZ information Security Manual).

Telework

“The ability for an organisation’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organisation’s facilities” (NIST SP800-114 rev1).

Tell-tale

In the same way that school children sometimes ‘tell tales’ on each other, claiming that their peers have behaved badly or broken the rules, tell-tales can be built in to systems and processes to flag information security situations, inconsistencies, incidents etc. to management or other authorities, typically by raising some form of alert or more often a silent alarm.  An offensive security practice.

TEMPEST

Shielding, filtering and related approaches designed to prevent electronic equipment (particularly IT systems) radiating signals that may prove useful to an adversary.  Square-wave signals in digital computers, point-of-sale card readers, HSMs etc. generate high frequency signals and harmonics that are radiated from inadequately-shielded wiring as radio waves that may be monitored covertly on a receiver, thus enabling confidential data to be determined (a side-channel attack).  “A name referring to the investigation, study, and control of compromising emanations from telecommunications and automated information systems equipment” (CNSSI-4009).  “A short name referring to investigations and studies of compromising emanations” (NZ information Security Manual).

TEMPEST rated IT equipment

“IT equipment that has been specifically designed to minimise TEMPEST emanations” (NZ information Security Manual).

Tempora

Secret UK mass surveillance program, disclosed by Ed Snowden, tapping into hundreds of fibre-optic communications cables through the services of ‘intercept partners’ (Internet and telecommunications service providers).

Terminal facilities

“Telecommunications facilities which are to be connected to one end of telecommunications circuit facilities and part of which is to be installed on the same premises (including the areas regarded as the same premises) or in the same building where any other part thereof is also to be installed” (ISO/IEC 27011).

Terrorism

One or more deliberate attacks on a population, nation or race by violent extremists or anarchists intent on causing maximum media coverage, terrifying etc., generally by killing and injuring people but sometimes by other means such as sabotaging the critical infrastructure, safety-critical ICT networks and/or systems to inflict physical or economic damage, disruption and chaos [note: these are not mutually exclusive goals].

Teslacrypt

Species of ransomware voluntarily terminated by its originators when they released the ‘master key’ in 2016, having presumably made their fortunes and retired.

[Software or system] Test

Assurance process to check and hopefully confirm that an IT system, or some part of it, meets the specified requirements prior to it being authorized and released for use in production, otherwise feeding information about the failure/s back into development.

Test environment

Computer environment comprising IT systems, networks, devices, data and supporting processes that are used for testing.  Generally isolated from both development and production environments using separate hardware or virtual systems to reduce risks.

Test harness,
automated test framework

The combination of a test execution engine (software to automate the testing process) and a repository of test scripts (details of the tests to be conducted plus test data), used for regression testing of software.

THC Hydra, Hydra

Brute-force network authentication attack tool.  Can perform dictionary attacks on more than 50 protocols.

TheHarvester

Google app ostensibly designed to support the target research phase of penetration testing, or as a means to check how much information about one’s organisation is publicly accessible through search engines, social media etc.  A classic example of dual-use technology that can be used for both offensive and defensive purposes.

The Internet Worm,
Morris Worm,
UNIX Worm

The first network worm that spread widely across the early Internet in 1988.  Written and released by Robert Tappan Morris as an experiment to determine the size of the Internet.

Thing

A networkable smart device e.g. building management system, heating-ventilating-air conditioning, alarm system, lighting controller or lightbulb, home entertainment system, door lock, garage door opener, refrigerator, vending machine, baby monitor, meter, vehicle, smartphone, laptop, smart sensor (e.g. fitness monitor), pacemaker or some other such gizmo (including processors embedded within or attached to dumb equipment) that is, or could become, part of the Internet of Things.  Often but not always small and low-powered, with limited processing and storage capabilities.  Vulnerable to design flaws and bugs, hacking and malware, including ransomware, physical threats and so on.

Third party

Independent person or external organisation not directly employed or owned by the first party.  “A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data” (GDPR).  See also external party.

Threat

A person, situation or event (whether deliberate or accidental, targeted or generic in nature) that is hazardous or dangerous, capable of causing an information security incident.  “Potential cause of an unwanted incident, which may result in harm to a system or organisation” (ISO/IEC 27000).  “Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image, or reputation), organisational assets, individuals, other organisations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service” (CNSSI-4009).

Threat actor,
threat agent

Normally the person responsible for, or capable of, deliberately causing an information security incident, for example a fraudster, hacker or cyberteur.  May be an organisation enabling, supporting, sponsoring or commissioning attacks (such as a competitor, adversary or enemy) or their agent/s, perhaps acting independently.

Threat tree

Top-down graphical representation generated by successively deconstructing threats, risks, hazards or undesirable outcomes to expose the contributory factors, elements or root causes, such as potential attacks.  See also FMEA.

Throttling

Rate-limiting technical security control designed to reduce the risk of brute-force guessing of PIN codes, passwords etc. by enforcing a lockout after a certain number of incorrect attempts (typically 3 or 5), within which period (typically 5 to 30 minutes) further access attempts are ignored even if they are correct.  The user may or may not be informed about the lockout, and details of the associated security events are generally sent to the security logging, alarming or alerting subsystems.
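The lockout behaviour described above, as an added example that is not part of the glossary: an in-memory throttle that locks an account after a fixed number of consecutive failures, ignores further attempts during the lockout window even when the supplied password is correct, and records each security event for the logging or alerting subsystem. The thresholds, the user store and the salt are constructed for illustration; a production system would persist this state and use a slow password hash.

```python
"""Account-lockout throttling (added example, not from the glossary)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 5            # the entry quotes typical values of 3 or 5
LOCKOUT_SECONDS = 15 * 60   # the entry quotes typical windows of 5 to 30 minutes


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"                       # constructed sample value
USERS = {"alice": _hash("correct horse", _SALT)}  # constructed credential store


@dataclass
class Throttle:
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp
    events: list = field(default_factory=list)        # (event, user) for the SIEM

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveals the lockout reason to the caller."""
        now = time.time() if now is None else now

        # 1. The lockout check comes before password verification, so a correct
        #    password submitted during the window is ignored, as the entry describes.
        if self.locked_until.get(user, 0) > now:
            self.events.append(("attempt_during_lockout", user))
            return "locked"

        # 2. Constant-time comparison of the stored and supplied hashes. Unknown
        #    users take the same path so the response does not reveal which
        #    usernames exist.
        stored = USERS.get(user)
        supplied = _hash(password, _SALT)
        ok = stored is not None and hmac.compare_digest(stored, supplied)
        if ok:
            self.failures.pop(user, None)
            self.events.append(("login_success", user))
            return "ok"

        # 3. Count the failure; lock the account once the threshold is reached.
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        self.events.append(("login_failure", user))
        if n >= MAX_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            self.events.append(("account_locked", user))
            return "locked"
        return "denied"


if __name__ == "__main__":
    t = Throttle()
    for _ in range(MAX_ATTEMPTS):
        print(t.login("alice", "wrong guess"))
    print(t.login("alice", "correct horse"))   # still locked
    print(t.events)
```

The `now` parameter exists so the lockout window can be tested deterministically; the caller gets the same opaque result for a locked account whether or not the password was right, which is what makes the window effective against guessing.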

Tier 1, 2 or 3

Classification label relating to the availability requirements or business-criticality of a business process and any supporting information systems.  Tier 1 is normally the highest, i.e. the most critical, class.

Time bomb

A form of logic bomb triggered at a specific time.  “Resident computer program that triggers an unauthorized act at a predefined time” (CNSSI-4009).

Timeout

Function that automatically suspends and password-locks, or terminates, a computer session after a specified period (normally several minutes) without user activity.  Reduces the risk of someone taking advantage of a system from which the legitimate user has walked away without having screen-locked or logged off (naughty naughty).

Timestamp

“Time variant parameter which denotes a point in time with respect to a common time reference” (ISO/IEC 11770-1).

Tinba (Tiny banker Trojan)

Bank Trojan in the wild in 2016.  Manipulates the lure bank’s logon page using HTML injection, capturing customers’ credentials and presenting them with an error message while sending the credentials to a command and control node for subsequent exploitation.

TLP
(Traffic Light Protocol)

Classification scheme specified by US CERT for security information potentially of national importance, with four (!) traffic-light colors: TLP:RED (not to be disclosed), TLP:AMBER (limited disclosure permitted within the recipient organisation), TLP:GREEN (limited disclosure permitted within the information security community), and TLP:WHITE  (freely disclosable, distribution unrestricted).

TLS
(Transport Layer Security)

Cryptographic protocol using X.509 digital certificates for authentication and secure exchange of session keys used for symmetric encryption e.g. of data flowing between a browser and a web server.  A relatively secure replacement for the deprecated SSL.

TOCTOU
(Time Of Check,
Time Of Use)

Type of hack that changes or swaps something (such as a file) after it has been checked and authorized or granted permission for access, but before subsequent steps in the program or process such as the actual access.  Similar to a race condition.  An example involves smugglers exploiting the pre-clearance and consequent enhanced trustworthiness of frequent travellers, using them as (possibly unwitting) mules to carry contraband across borders.
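The file-based form of the race described above, as an added example that is not part of the glossary: a check-then-open routine beside a hardened version that binds to the file object first and validates the open descriptor. The `between_check_and_use` hook and the temporary files are constructed to simulate a swap landing in the window; in a real system the swap would come from a concurrent process, and the vulnerable routine has no way to detect it.

```python
"""TOCTOU on a file path: vulnerable check-then-use beside the hardened form
(added example, not from the glossary)."""
import os
import stat
import tempfile


def read_unsafe(path, between_check_and_use=lambda: None):
    """Check the path, then open it again: the second resolution is the hole."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("not a regular file")
    between_check_and_use()          # the race window: path may be swapped here
    with open(path, "rb") as f:      # the path is resolved afresh, so a swap is honoured
        return f.read()


def read_safe(path, between_check_and_use=lambda: None):
    """Open first (refusing a symlink), then validate the descriptor, then read.

    O_NOFOLLOW is supported on Linux, the BSDs and macOS (assumption: POSIX host).
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:   # f is bound to one fixed file object
        between_check_and_use()      # a swap now changes the path, not our object
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def _setup():
    """Constructed sandbox: a public file and a secret file the caller must not read."""
    d = tempfile.mkdtemp()
    public = os.path.join(d, "public.txt")
    secret = os.path.join(d, "secret.txt")
    with open(public, "w") as f:
        f.write("public")
    with open(secret, "w") as f:
        f.write("secret")
    return public, secret


def demo():
    """Run both routines with a swap in the window; return what each one read."""
    results = {}
    public, secret = _setup()

    def swap():
        # Simulated concurrent swap: the checked path now points at the secret.
        os.remove(public)
        os.symlink(secret, public)

    results["unsafe"] = read_unsafe(public, swap)   # reads the secret
    public, secret = _setup()
    results["safe"] = read_safe(public, swap)       # still reads the original public file
    return results


def safe_rejects_symlink():
    """read_safe refuses a path that is already a symlink when opened."""
    public, secret = _setup()
    os.remove(public)
    os.symlink(secret, public)
    try:
        read_safe(public)
    except OSError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("symlink rejected:", safe_rejects_symlink())
```

The hardened form never re-resolves the path after the check: every decision is made on the descriptor returned by the single `os.open`, which is the general pattern for closing check-then-use windows on file systems.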

TOE
(Target Of Evaluation)

Formal name for an ICT product certified against the Common Criteria.  “The functions of a product subject to evaluation under the Common Criteria” (NZ information Security Manual).

Token

Something that represents or stands-in-for something else, such as a security token (physically authenticates the user) or a fictitious value in a file (see tokenisation).  See also honeytoken.

Tokenisation

The process of systematically replacing names, labels etc. that identify specific individuals with fictitious, generic or randomly generated tokens, tags, code words, numeric identifiers etc., usually for privacy reasons such as pseudonymity.

Top management

See executive management.  “Person or group of people who directs and controls an organisation at the highest level.  Notes: top management has the power to delegate authority and provide resources within the organisation.  If the scope of the management system covers only part of an organisation then top management refers to those who direct and control that part of the organisation” (ISO/IEC 27000).

TOP SECRET

Class of information even more confidential than SECRET.  TOP SECRET information may be further classified according to its nature and distribution e.g. “NOFORN” (no foreign nationals) or “UK eyes only”.  See also ULTRA.

TOP SECRET areas

“Any area certified to operate at TOP SECRET, containing TOP SECRET servers, workstations or associated network infrastructure” (NZ information Security Manual).

Tor
(The onion router)

Internet communications app and associated global network.  Tor traffic passes through thousands of Tor relays, using multiple layers of encryption to reduce (but not eliminate) the risk of interception, monitoring, surveillance and traffic analysis, and so protect users’ privacy.  A mix network.

Torrentlocker

One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

Tort

Legal term for a civil as opposed to criminal wrong.  The tort victim or plaintiff in a civil court case may seek compensation for the damages they have suffered from, and/or court orders (injunctions) concerning, the defendant or tortfeasor.

TPM
(Trusted Platform Module)

Type of HSM incorporated into some PCs, providing a supposedly secure vault for cryptographic keys and certain cryptographic functions in an embedded subsystem built around a tamper-resistant TPM microchip.  A unique private RSA key, burned into the chip during manufacturing, allows the TPM to be authenticated by systems or programs that need this level of trust (e.g. for whole disk encryption or DRM).  However, researchers claim to have overcome the tamper-resistance physical security features of some TPM chips, while the NSA’s involvement with RSA raises the distinct possibility that TPM security may have been deliberately crippled, raising doubts about the value of this physical security control.

Traceability

The ability to link a person, event, transaction etc. unambiguously back to its origin or cause.  For example, telephone callers can be traced using a pen register, while audit trails and change logs may implicate or exonerate someone in relation to an information security incident.

Tradecraft

Valuable skills and techniques learnt while spying or performing similar clandestine or indeed overt activities.  Cunning tricks-of-the-trade accumulated and, in some cases, invented or actively developed by experienced professionals and talented amateurs.

Trademark, trade mark

Legal protection for words/phrases, images, designs and other characteristics distinctive of branded products.  An intellectual property right, often designated by ® if formally registered with the authorities or ™ if claimed in common law.  See also service mark.  “Legally protectable sign, or any combination of signs, capable of distinguishing the goods or services of one undertaking from those of other undertakings.  EXAMPLE: Words (including personal names), letters, numerals, figurative elements and combinations of colours.  Note 1: This definition is in accordance with the trade mark definition of the WTO Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).  Note 2: A trade name is the name of a business, association or other organisation used to identify it.  It might or might not be the same as the trade mark used to identify the company's goods and/or services.” (ISO 10668).

Trade secret

Confidential information asset such as proprietary knowledge owned by an organisation which gives it competitive advantage so long as it remains unknown and/or unexploited by competitors.  For example, an invention may be both valuable and vulnerable to intellectual property theft through industrial or economic espionage.

Traffic analysis
(TA)

The use of metadata relating to communications to derive potentially sensitive and/or valuable information.  Even if communications between two or more parties are strongly encrypted so that the pure information content of the exchanges themselves remains confidential, an observer may glean, deduce or infer useful information from the nature of the traffic flows.  The mere fact that communication appears to be occurring at all may be incriminating in some circumstances, for example if the specific counterparties (identified by their phone numbers, names, email addresses etc.), or the volume, timing and general nature of traffic indicate what might be going on (e.g. secretive negotiations between business partners, financiers and other advisors prior to a merger or deal, or criminals conspiring).  “Gaining knowledge of information by inference from observable characteristics of a data flow, even if the information is not directly available (e.g., when the data is encrypted). These characteristics include the identities and locations of the source(s) and destination(s) of the flow, and the flow's presence, amount, frequency, and duration of occurrence.” (CNSSI-4009).

Traffic flow filter

“A device that has been configured to automatically filter and control the form of network data” (NZ information Security Manual).

Traffic padding

A control against traffic analysis involves generating fake traffic in order to distract adversaries, making it harder for them to identify genuine information flows.  “Generation of mock communications or data units to disguise the amount of real data units being sent” (CNSSI-4009).

[Information security] Training

Educational activity in which students are taught about and study specific aspects of information security in some depth, for instance how to perform particular activities or tasks such as administering user access rights.  Cf. awareness.

Tranquillity

Security principle that an object’s security/classification level must not change while it is being processed.

Transfer gateway

“A gateway that facilitates the transfer of information, in one or multiple directions (i.e. low to high or high to low), between different security domains” (NZ information Security Manual).

Transitive trust

In many situations, if our trusted colleague, business partner, computer system etc. trusts a third party, we also implicitly trust the third party to some extent.  In effect, trust is capable of transiting or spanning multiple relationships, albeit weakening with distance.  For example, placing trust in an organisation’s ISO/IEC 27001 compliance certificate implies trusting the certification body that issued it, and vice versa.

Transparency,
openness

Information security governance, management and privacy principle to be open and honest, disclosing ownership, risks, controls, incidents etc. under appropriate circumstances.

Transport mode

“An IPSec mode that provides a secure connection between two endpoints by encapsulating an IP payload” (NZ information Security Manual).

Transposition,
permutation

Cryptographic process for re-sequencing and hence scrambling characters or bits from the plaintext to create the cyphertext, often systematically such that the process can later be reversed using the same key.  A trivial example might involve writing the plaintext into a grid in one direction, then reading off the cyphertext in a different direction: modern cryptographic algorithms make the process far more complex and hard to follow.  Cf. substitution.
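The grid example above worked through in code, as an added example that is not part of the glossary: a classical columnar transposition in which the plaintext is written into rows of the key's width and the cyphertext is read off column by column in the alphabetical order of the key letters, with the matching reversal. The key and message are constructed; the cipher is a teaching toy, not something to protect data with, and the last function shows the weakness that follows from the definition: transposition leaves the letter frequencies of the plaintext untouched.

```python
"""Columnar transposition cipher (added example, not from the glossary)."""
from collections import Counter


def _key_order(key: str) -> list:
    """Column read order: column indices sorted by key letter, ties by position."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def encrypt(plaintext: str, key: str, pad: str = "X") -> str:
    """Write the plaintext row-wise into a grid len(key) wide, read it column-wise."""
    n = len(key)
    while len(plaintext) % n:          # pad the last row so every column is full
        plaintext += pad
    rows = [plaintext[i:i + n] for i in range(0, len(plaintext), n)]
    return "".join(row[c] for c in _key_order(key) for row in rows)


def decrypt(ciphertext: str, key: str) -> str:
    """Reverse the process: slice the cyphertext into columns, then read row-wise."""
    n = len(key)
    if len(ciphertext) % n:
        raise ValueError("cyphertext length is not a multiple of the key length")
    r = len(ciphertext) // n           # number of rows in the grid
    cols = {}
    for k, c in enumerate(_key_order(key)):
        cols[c] = ciphertext[k * r:(k + 1) * r]
    return "".join(cols[c][i] for i in range(r) for c in range(n))


def frequencies_preserved(plaintext: str, ciphertext: str) -> bool:
    """True when both texts contain exactly the same letters, only re-ordered.

    This is the property a frequency analyst uses to recognise a pure
    transposition: the histogram of the cyphertext matches that of the language.
    """
    return Counter(plaintext) == Counter(ciphertext)


if __name__ == "__main__":
    msg, key = "WEAREDISCOVERED", "ZEBRA"   # constructed sample input
    ct = encrypt(msg, key)
    print(ct, decrypt(ct, key))
    print("frequencies preserved:", frequencies_preserved(msg, ct))
```

With key ZEBRA the columns are read in the order A, B, E, R, Z; a substitution step applied on top of the transposition is what breaks the frequency match, which is why modern ciphers combine both operations over many rounds.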

Trap and trace

See pen register.

Trapdoor

See backdoor.

Treason

Serious act of betrayal that threatens to cause, or causes, material harm to the state, the crown, or a similar authority or ruler, or that aids, or attempts to aid, an enemy of the state.  An insider threat.

Trembler

Motion detection device (such as a magnetic reed switch and magnetic steel ball, a blob of mercury in a glass vial with wire contact points or an inertial sensor) attached to an object such as a server, door, window, safe, media transporter or vehicle triggered by vibration, shock or tumbling perhaps indicating unauthorized removal or penetration.

Trespass

Unauthorized physical entry into private property, zone or area, or assaulting or interfering with property belonging to another person.  Whether a trespasser acts accidentally or maliciously affects the level of risk to the victim and has legal ramifications for the trespasser, while the victim’s negligence (e.g. in not clearly designating the area private) may also affect the legal outcome.

Triada

One of several nasty species of malware that infects Android mobiles, in the wild in 2018.  Exploits a privilege escalation vulnerability, allowing it and other malware to take control of infected devices.

Triage

Term borrowed from the emergency medical practice of quickly assessing an influx of patients to distinguish and focus limited resources on those who can probably be saved from those who stand little if any chance of survival.  Information security is seldom literally a matter of life-or-death but similar difficult decisions must be made, often rapidly and with low-quality information, following serious incidents and disasters.  Establishing the capability to perform triage is part of business continuity management and contingency planning.

Triple-DES
(3DES)

Cryptographic algorithm which repeats DES three times in succession using two (ABA, AAB or ABB) or three (ABC) different keys.  Specified in FIPS PUB 46-3.  Somewhat more secure than plain DES and still in use in a few legacy systems but now considered vulnerable to brute-force attacks and hence deprecated in favour of AES.

Triton, Trisis

One of several nasty species of malware in the wild in 2019.  This one targets Triconex industrial plant safety/control systems raising human safety and critical infrastructure concerns.

Trojan,
Trojan horse [program]

A program that appears to the user to offer a useful function or to do nothing, but in fact contains hidden malicious functions, typically allowing remote control of the system by hackers, or installing keyloggers to steal personal information, passwords, PINs, credit card numbers or online banking credentials (e.g. Man-In-The-Browser).  A form of malware.  “A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program” (CNSSI-4009).

Trust,
trusted

Relatively weak but commonplace information security control in which supposedly trustworthy people, systems, programs, functions, organisations etc. are expected, anticipated or to various extents required to behave predictably, appropriately, responsibly, ethically and in the trusting party’s best interests.  Trust usually takes time to be established and yet can be destroyed in an instant by an incident, hence contingency arrangements and/or other controls (such as compliance checks and pre-defined liabilities) are generally advisable, where possible.  “Relationship between two entities and/or elements, consisting of a set of activities and a security policy in which element x trusts element y if and only if x has confidence that y will behave in a well-defined way (with respect to the activities) that does not violate the given security policy” (ISO/IEC 27036-1).

Trust boundary

“The interface between two or more Trust Zones” (NZ information Security Manual).

Trusted download

Special process for exporting information from a highly classified to a lowly classified or unclassified system, in an approved simple data format (e.g. plain ASCII, HTML, JPG, BMP or GIF rather than MS Office or other complex file types) that can be and in fact is inspected for any inappropriate content before being authorized for release.

Trusted information communication entity

Trustworthy organisation or individual with whom even sensitive information relating to information security, risks, threats, vulnerabilities etc. can be shared.  “Autonomous organisation supporting information exchange within an information sharing community” (ISO/IEC 27000).

Trusted Third Party
(TTP)

An organisation or individual that is trusted by others, and may therefore act as a mutually-acceptable intermediary between them, for example to hold and transfer valuables such as cryptographic keys or money (escrow) or to audit one party and report the overall findings to the others without necessarily disclosing confidential details (e.g. a certification body).

Trustworthy,
trustworthiness

A measure of the extent to which someone or something is truly worthy of being trusted.  An integrity property.  Snake oil salesmen, the NSA and some politicians score low on this scale.  “The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities” (CNSSI-4009).  Cf. untrustworthy.

Trust zone

“A logical construct encompassing an area with a high degree of trust between the data, users, providers and the systems.  It may include a number of capabilities such as secure boot, code-signing, trusted execution and DRM.  This term is NOT synonymous with Security Domain” (NZ information Security Manual).

Trusted source

“A person or system formally identified as being capable of reliably producing information meeting certain defined parameters, such as a maximum data classification and reliably reviewing information produced by others to confirm compliance with certain defined parameters” (NZ information Security Manual).

TSR
(Terminate and Stay Resident)

DOS program that appears to terminate but continues processing in the background, waiting for specific interrupts.  Overcomes the DOS mono-threading limitation.  Early viruses were often TSR programs, as were various utilities (known as services in Windows) and suspended user programs that could be reactivated rapidly (e.g. Sidekick).

Tunnel

Relatively secure, trustworthy path through an insecure or untrusted route, network etc., such as a VPN.  “Data path between networked devices which is established across an existing network infrastructure.  Note: Tunnels can be established using techniques such as protocol encapsulation, label switching, or virtual circuits” (ISO/IEC 27033-1).

Tunnelling

Creation, provision or use of a tunnel.  “Technology enabling one network to send its data via another network’s connections.  Tunneling works by encapsulating a network protocol within packets carried by the second network.” (CNSSI-4009).

Tunnel mode

“An IPSec mode that provides a secure connection between two endpoints by encapsulating an entire IP packet” (NZ information Security Manual).

Two Factor Authentication
(2FA)

Simplest form of multifactor authentication, for example requiring a password plus the current value displayed on a security token or a biometric to authenticate a computer user.

TXT (TeXT) messaging

See SMS.

Type I error

See false acceptance.

Type II error

See false rejection.

Typex machine

Electromechanical typewriter-style rotor-based cryptographic machine, modelled on the pre-WWII Enigma, used by the UK government from 1937 until the late 1960s.

Typo, typoo

Typing error, a common cause of information security incidents that are usually relatively minor but in rare cases can be extremely serious, costly, life-threatening even.

Typosquatter,
typosquatting

Someone who registers a lookalike domain name remarkably similar to a legitimate website (e.g. bank.net instead of bank.com) intending to deceive website visitors who make typos when typing the intended URL or click phishing links, into believing that they are interacting with the genuine website.  May be part of social engineering, identity theft, drive-by downloads and other frauds/scams, malware infection etc.  May infringe trademarks.  May involve DNS redirection to frustrate attempts to shut down the fakes.  See also cybersquatting.

UBA, UEBA
(User [Entity] Behaviour Analytics)

Cluster of techniques to identify anomalous and potentially concerning activities by users of networks and systems.  See also SIEM, NTA, IDS/IPS and CARTA.

UBE
(Unsolicited Bulk Email)

See spam.

Ubiquitous computing, ubicomp

See Internet of Things.

UEFI
(Unified Extensible Firmware Interface)

Superseding the BIOS approach, UEFI provides a standardized interface between a computer’s firmware (from initial power-up, accessing and controlling the underlying hardware) and the operating system (which takes over from the UEFI boot manager to boot and run the operating system).

ULTRA

UK classification level above TOP SECRET for military intelligence whose very existence would be strenuously and plausibly denied, since that would indicate the presence of, and hence threaten, effective espionage capabilities and compromised sources, putting the targets on guard.  Intelligence gathered through cryptanalysis at Bletchley Park during WWII was classified ULTRA, sustaining the enemy’s trust in Enigma and other flawed cryptographic devices and practices.

Unallocated space

“Area on digital media, including primary memory, which has not been allocated by the operating system, and which is available for the storage of data, including metadata” (ISO/IEC 27037).  See also slack space.

Unauthorized

Lacking the requisite authority or permission.  Not permitted, accepted or agreed by management as being in the best interests of the organisation or other stakeholders.  Cf. authorized.

Unsecure

Inadequately protected and hence vulnerable.  Cf. insecure.

Unclassified

Paradoxical/oxymoronic term for information, systems, networks etc. that have, in fact, been classified at the lowest level, requiring few if any protective controls.  Alternatively, it may mean that they have not (yet) been assessed and classified, with markedly different implications.

UNCLASSIFIED information

“Information that is assessed as not requiring a classification” (NZ information Security Manual).

UNCLASSIFIED systems

“Systems that process, store or communicate information produced by the New Zealand Government that does not require a classification” (NZ information Security Manual).

Undercover

Covert, surreptitious, discreet.

Unethical

Behaviour which is not ethical and hence is generally considered inappropriate, distasteful or undesirable if not totally unacceptable and possibly even illegal.  The willingness to disregard social norms and constraints on behaviour sets liars, cheats, spies, hackers, fraudsters, criminals and other reprobates apart from the general population, and is itself a threat to naïve or unaware victims.  At the same time, different social groups have their own unique ethics, codes and sense of what is right or wrong, so for example hacking is deemed acceptable (cool or revered in fact) within the hacker community, while cracking is openly frowned upon and despised (regardless of what may happen in private).

Unified Communications (UC)

“A term describing the integration of real-time and near real time communication and interaction services in an organisation or agency.  UC may integrate several communication systems including unified messaging, collaboration, and interaction systems; real-time and near real-time communications; and transactional applications” (NZ information Security Manual).

Unit of measurement,
unit of measure,
unit

Defined standardized reference quantities or amounts against which things can be compared and hence measured or quantified e.g. grams, metres, seconds.  “Particular quantity, defined and adopted by convention, with which other quantities of the same kind are compared in order to express their magnitude relative to that quantity” (ISO/IEC 15939:2007).

Unlinkable

Items of information relating to a single source (such as personal information on a data subject) that cannot be readily correlated or associated with that source.  Generally achieved through information security controls such as anonymisation.

Unmanned Autonomous Vehicle (UAV)

See drone.

Unsecure area

“An area that has not been certified to physical security requirements to allow for the processing of classified information” (NZ information Security Manual).

Untrustworthy

A person, organisation, system, control etc. that cannot or should not (‘does not deserve to’) be trusted, or that lacks sufficient credibility or is for some reason considered unsuitable or too risky to be trusted by another.

Upatre

A downloader/backdoor Trojan released in 2013, used to spread GameOver Zeus, Locky and other malware.

UPnP
(Universal Plug and Play)

A suite of protocols by which various devices, things and peripherals ‘announce’ (broadcast) their presence and capabilities on a network, allowing other devices to ‘discover’ and utilize them, or exploit known vulnerabilities in them.  A triumph of convenience over security.

UPS
(Uninterruptible Power Supply)

Resilient auxiliary power supply connected to batteries and/or an electrical power generator intended to maintain power to attached ICT equipment etc. if the incoming main power source should fail.  A contingency and business continuity control.  Paradoxically, inadequately specified, manufactured, tested and managed UPSs are a major cause of power problems, making this a relatively fragile control prone to failure unless professionally engineered, monitored and maintained.

Upstream

Previous activities in a sequence.  “Handling processes and movements of products and services that occur before an entity in the supply chain takes custody of the products and responsibility for information and communication technology (ICT) services” (ISO/IEC 27036-1).

[IT] User,
end-user

Person who uses computer systems, networks, information etc.  Nothing to do with narcotics, in this context. [User] “Person or organisation who utilizes information processing facilities or systems, e.g. employee, contractor or third party user” (ISO/IEC 27011).

[Network/system/IT] UserID,
user ID
(User IDentifier or IDentity),
username,
login, login name,
computer account

Label used to identify a user and their activities on a computer system so that they may be assigned appropriate user rôles, logical access rights and permissions, and be linked to their system activities recorded in log files, audit trails etc.  Asserted and normally authenticated during the logon process.

User rôle

Logical access rights are standardized by defining and assigning the minimal rights necessary for users in certain job functions to perform their rôles within the organisation (see also privileged user rôle).

Valid, validity

State of being true, accurate, complete, authentic etc., and in compliance with applicable specifications, limits or constraints.

Validation

Process to check and confirm that something (such as data entered by a person or generated by a computer) is valid.  “Confirmation, through the provision of objective proof, that the requirements for a specific intended use or application have been fulfilled” (ISO/IEC 27004:2009).  “Confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled” (ISO 9000:2005).  “Confirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled (e.g., a trustworthy credential has been presented, or data or information has been formatted in accordance with a defined set of rules, or a specific process has demonstrated that an entity under consideration meets, in all respects, its defined attributes or requirements).” (CNSSI-4009).

Vandal,
vandalism

Someone who commits mindless acts of relatively minor malicious damage.  The term stems from an itinerant European tribe, originally from Scandinavia, who sacked and looted Rome in 455 AD.  Whereas modern-day vandalism normally involves physical acts such as spray painting graffiti, it sometimes involves electronic attacks such as hacking, website defacement, email bombing and cybertage.

VAPT
(Vulnerability And Penetration Testing)

A pretentious name for plain ol’ penetration testing that may involve additional testing for security vulnerabilities other than the usual network and application security issues.

Vault

See safe.

VDC
(Virtual Data Center)

See SDDC.

VEC
(Vendor Email Compromise)

A variant of BEC in which the fraudsters masquerade as vendor representatives (rather than managers) by email to trick customer Procurement or Finance professionals into changing payment details, sending funds to the fraudsters instead of the vendor.  The fraudsters initially compromise the vendor using phishing, malware etc., gathering intelligence about their customers, contacts, invoicing etc. to make the frauds more credible.

Verification,
verify

Process to check the integrity and/or authenticity of something.  “Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.  Note: Verification only provides assurance that a product conforms to its specification.” (ISO/IEC 27041).  “Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.  Note: this could also be called compliance testing.” (ISO 9000:2005).  “Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome)” (CNSSI-4009).

Verification function

“Function which is used to verify that two sets of data are identical.  Notes: No two non-identical data sets should produce an identical match from a verification function.  Verification functions are commonly implemented using hash functions such as MD5, SHA1, etc., but other methods may be used.” (ISO/IEC 27037).

Vernam cypher

Theoretically unbreakable encryption algorithm invented in 1917 by Joseph Mauborgne and Gilbert Vernam.  See also One Time Pad.

Version control,
revision control,
release management

That part of change control and configuration management concerning the control of software, firmware, hardware and documentation updates including minor and major releases and patches.  A well-engineered process involves allocating unique identifiers for each new version, traceability of the changes, various checks or tests (including security testing) along the way and some form of release authorisation (sign-off).

Victim

The person or organisation actually harmed by an incident, whether deliberate (i.e. an attack) or accidental in nature.  May have been a target, but could also have been an innocent bystander (collateral damage) or business partner (consequential damage).

Victimize, victimisation

The act of singling someone out to be a victim.

Vigenère’s cipher

Polyalphabetic substitution cipher named after the 16th Century French cryptographer, Blaise de Vigenère, despite having been described by Giovan Battista Bellaso three decades earlier.  Adds entropy to Caesar’s cipher by substituting successive letters of the plaintext from not one but a sequence of offset alphabets, each one offset according to the corresponding letter of the key.
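A worked illustration of the “sequence of offset alphabets” idea, added here as example code (not part of the glossary): each key letter selects one shifted alphabet, the key is cycled over the letters of the text, and a one-letter key collapses to Caesar’s cipher.

```python
# Added example: Vigenère's cipher implemented from the description above.
# Non-letters pass through unchanged and do not advance the key; case is preserved.
import string

ALPHABET = string.ascii_uppercase


def alphabets_for_key(key: str) -> list[str]:
    """Return the shifted alphabets (one per key letter) that the cipher cycles through."""
    offsets = [ALPHABET.index(c) for c in key.upper()]
    return [ALPHABET[o:] + ALPHABET[:o] for o in offsets]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) `text` with an alphabetic `key`."""
    if not key or not all(c.upper() in ALPHABET for c in key):
        raise ValueError("key must consist of one or more letters A-Z")
    offsets = [ALPHABET.index(c) for c in key.upper()]
    out = []
    i = 0  # index into the key; advances only when a letter is substituted
    for ch in text:
        if ch.upper() in ALPHABET and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            off = offsets[i % len(offsets)]
            if decrypt:
                off = -off  # decryption shifts back along the same offset alphabet
            out.append(chr((ord(ch) - base + off) % 26 + base))
            i += 1
        else:
            out.append(ch)  # spaces and punctuation are left as-is
    return "".join(out)


def caesar(text: str, shift: int) -> str:
    """Caesar's cipher is the special case of a one-letter key (a single offset alphabet)."""
    return vigenere(text, ALPHABET[shift % 26])


if __name__ == "__main__":
    ct = vigenere("ATTACKATDAWN", "LEMON")
    print(ct, vigenere(ct, "LEMON", decrypt=True))
```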

Vigilance

See awareness.

Vigilante worm

Malware (such as BrickerBot and Wifatch) created and released into the wild ostensibly as an automated tool to address widespread cybersecurity issues (e.g. warning of, or even patching, currently unpatched vulnerabilities).  Can create more problems than it solves, hence a risky as well as unethical and potentially illegal approach.

Violation

Security incident or infringement involving the failure to uphold one or more rights, for example a person’s right to privacy, often implying the use of coercion, violence, aggression or victimisation.

Virtualisation,
virtual system,
virtual network,
virtual storage,
virtual application

Simulation of the bare metal in such a way that each guest system appears to have complete, independent access to and control of (selected elements of) the underlying computer platform, whereas in fact it is being shared with other virtual systems.  Mediated by the hypervisor.  As well as operating systems, networks, data storage and apps can also be virtualized.  “Virtualisation is the software simulation of the components of an information system and may include the simulation of hardware, operating systems, applications, infrastructure and storage” (NZ information Security Manual).

Virus

Strictly speaking, a form of malware that replicates by attaching itself to other programs, but loosely refers to malware in general.  Usually contains a payload that performs unauthorized functions such as deleting or modifying files etc.

Virus hoax,
hoax

Chain letter spreading a false virus warning.  A form of social engineering.  Hoaxes can cause alarm and waste time but are generally benign rather than malicious.

Visibility

The extent to which something is exposed and hence can be seen, literally, or more generally may be perceived by others.  “Property of a system or process that enables system elements and processes to be documented and available for monitoring and inspection” (ISO/IEC 27036-1).

Vishing
(VoIP phishing)

Phishing-type attack using Voice over Internet Protocol to spoof caller identities, misleading victims while concealing the true origin of the scam.

VLAN
(Virtual Local Area Network)

Broadcast local area network domain containing one or more workstations and/or servers, usually associated to specific ports on switches or routers to which they are connected.  “Independent network created from a logical point of view within a physical network” (ISO/IEC 27033-1).  See also PVLAN.

VM
(Virtual Machine),
virtual system

A software emulation of a guest system within a host computer using virtualisation.  “Complete environment that supports the execution of guest software.  Note: A virtual machine is a full encapsulation of the virtual hardware, virtual disks, and the metadata associated with it.  Virtual machines allow multiplexing of the underlying physical machine through a software layer called a hypervisor” (ISO/IEC 27017).

Void

Enclosed space in a building, such as a plenum or cable duct.  In the movies, if not in real life, voids allow intruders to crawl covertly between rooms, without even getting dirty.

Volatile data

Ephemeral data that normally exists only temporarily or fleetingly unless captured and stored, such as the content of a device’s working memory (DRAM) or session keys.  “Data that is especially prone to change and can be easily modified.  Note: Change can be switching off the power or passing through a magnetic field.  Volatile data also includes data that changes as the system state changes.  Examples include data stored in RAM and dynamic IP addresses.” (ISO/IEC 27037).

Volatile storage,
volatile memory

Type of data storage that gradually ‘loses its memory’ if the power is disconnected e.g. many forms of Random Access Memory.  Data normally persists inside RAM chips for a period after a computer is powered down, especially if they are deep-frozen, and may therefore be recoverable using forensic techniques.  “Storage that fails to retain its contents after power is removed” (ISO/IEC 27040).  “A type of media, such as RAM, which gradually loses its information when power is removed” (NZ information Security Manual).

Voyeur,
voyeurism

Someone who surreptitiously and inappropriately watches or snoops on others without their permission.  A form of surveillance.  A breach of privacy, unethical and potentially illegal.

VPN
(Virtual Private Network)

Application of cryptography to create a relatively secure, trustworthy data tunnel between computer systems through an insecure or untrustworthy network (such as the Internet) or path (such as a dial-up modem connection).  “The tunnelling of a network’s traffic through another network, separating the VPN traffic from the underlying network.  A VPN can encrypt traffic if necessary” (NZ information Security Manual).  “A tunnel that connects the teleworker’s computer to the organisation’s network” (NIST SP800-114 rev1).

VPN split tunnelling

“Functionality that allows personnel to access both a public network and a VPN connection at the same time, such as an agency system and the Internet” (NZ information Security Manual).

Vulnerability,
vulnerable

An inherent and potentially exploitable weakness in an information asset, system, process, organisation etc.  “Weakness of an asset or control that can be exploited by one or more threats” (ISO/IEC 27000).  “A weakness, susceptibility or flaw of an asset or control that can be exploited by one or more threats.” (Financial Stability Board Cyber Lexicon, November 2018).  “A security weakness in a computer” (NIST SP800-114 rev1).  Often misinterpreted to include weak or missing information security controls, a related but distinct concern that only constitutes a risk if it exposes inherent weaknesses to threats causing impacts of concern.

VXer

A miscreant programmer who creates new species of malware.  See also hacker and cracker.

w3af

Penetration testing/hacking tool to find and exploit vulnerabilities in web applications.

Wabbit

See fork bomb.

WAF
(Web Application Firewall)

Firewall designed to protect a web app, for example by monitoring network traffic for suspicious activities and filtering out/blocking malicious attacks such as XSS and SQL injection.  Close integration with a specific app means the WAF can be context-aware, reacting intelligently to suspicious situations and data flows that may appear innocuous to conventional multi-purpose network firewalls e.g. triggering the app to impose additional authentication controls or tighten transaction limits.

Waiver

See exemption.  “The formal acknowledgement that a particular compliance requirement of the NZISM cannot currently be met and that a waiver is granted by the Accreditation Authority on the basis that full compliance with the NZISM is achieved or compensating controls are implemented within a time specified by the Accreditation Authority. Waivers are valid in the short term only and full accreditation cannot be granted until all conditions of the waiver have been met” (NZ information Security Manual).

Waivers and exceptions

“A waiver means that some alternative controls or conditions are implemented. An exception means that the requirement need not be followed. An exception is NOT the same as a waiver” (NZ information Security Manual).

Walled garden

See sandbox.

WANK worm

Malware that infected DEC VMS systems on the early Internet in 1989, displaying hacktivist politically-motivated anti-war messages under the banner WORMS AGAINST NUCLEAR KILLERS.  Allegedly created by an Australian hacker group including Julian Assange.

Wannabe

Someone who wants-to-be something (such as a hacker) but falls short.  See also script kiddie.

WannaCry
(WannaCryptor)

One of several prolific species of ransomware still in the wild in 2020, some years after it was first spotted.  It surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  This worm, based on EternalBlue, exploited a known Windows vulnerability, spreading via SMB.  A global outbreak caused life-threatening and business-disruptive incidents in 2017 due to inadequate security awareness, missed patches and other weak or missing controls such as offline backups, sound incident management and business continuity arrangements.

Wapiti

Hacking/penetration testing tool that automates a range of exploits against HTML pages and web sites.

Wapomi,
Simfect

Species of malware (described as a virus with Trojan and worm-like features) that established a massive, mostly Chinese botnet in 2015.

War dialling,
war dialler

Old-school hacking or penetration testing technique involving automatically calling phone numbers within certain number ranges using hacking software and one or more modems in an attempt to locate vulnerable modems, FAX machines, voicemail systems, Remote Diagnostic Ports etc.  Originally seen in the 1983 film War Games, hence the name (it is not literal).

War chalking

Wireless hackers in some cities used to physically mark the locations of vulnerable wireless networks with chalk symbols designating the types of network and their security parameters.  Rare in practice, largely confined to the fertile imaginations of technology news reporters.

Ward

Shaped physical obstruction in the keyway designed to prevent the insertion of the wrong types of key, or lock picks or screwdrivers/levers/torque wrenches etc., into a physical lock.

War driving

Wireless hackers sometimes identify and record information on wireless networks automatically while driving along using mobile ICT equipment.

Warez

Leet spelling of “wares” referring to cracked (unprotected and illicit) copies of commercial software.

Warhol worm

A network worm that spreads in a flash throughout the entire vulnerable population of systems on the Internet, gaining its ‘fifteen minutes of fame’.  SQL Slammer was a classic example back in 2002, achieving notoriety by infecting ~90% of vulnerable systems across the early Internet within ten minutes of its release.

War flying

Some enterprising wireless hackers collect information on vulnerable wireless networks using private planes or remote controlled aircraft (drones) to traverse wide or inaccessible areas.

Warm site

Secondary (fallback) location with an ICT facility that can be brought fully into operation typically within a few days of a disaster affecting the main site.  Falls between cold site and hot site on a notional scale, but exactly where it falls is a matter of conjecture unless specified.  “Backup site which typically contains the data links and preconfigured equipment necessary to rapidly start operations, but does not contain live data. Thus commencing operations at a warm site will (at a minimum) require the restoration of current data.” (CNSSI-4009).

Warrant canary

Public statement confirming that an organisation is not subject to a National Security Letter (NSL).  If the FBI serves an NSL, it may also (under specified conditions) forbid the organisation from disclosing that fact directly but cannot legally prevent the organisation from withdrawing its warrant canary, thereby signalling the fact indirectly.  A civil rights passive-aggressive response to the perceived lack of control/oversight and intrusive/oppressive nature of certain US government agencies.

War walking

Like war driving except on foot using portable ICT equipment.  War jogging, war cycling, war hopping, war crawling, war slithering … you get the idea – these are all terms derived from war dialling.

Waterfall method

Conventional sequential software development approach in which requirements analysis (including information security risk analysis) precedes design and development, leading on to testing then implementation. 

Watering hole attack

Hacking method that uses social engineering to entice victims to an interesting website where their systems are compromised through drive-by downloads, Trojans or other exploits.

Weak key

Mathematical constraints in some cryptographic algorithms make it inadvisable to use specific key values.  “Key that interacts with some aspect of a particular cipher's definition in such a way that it weakens the security strength of the cipher” (ISO/IEC 27040).

Wear levelling

“A technique used in flash memory that is used to prolong the life of the media.  Data can be written to and erased from an address on flash memory a finite number of times.  The wear levelling algorithm helps to distribute writes evenly across each memory block, thereby decreasing the wear on the media and increasing its lifetime.  The algorithm ensures that updated or new data is written to the first available free block with the least number of writes.  This creates free blocks that previously contained data” (NZ information Security Manual).

Web bug

Tracking hyperlink within a web page that refers the user’s browser to a particular file, typically an unnoticeable single-pixel image or an innocuous image such as a copyright symbol.  When the user’s browser reads the page, interprets the HTML code and retrieves the file, the web server records the network access by the user’s IP address in its log, potentially compromising the user’s privacy.  Normally used for relatively benign marketing purposes, occasionally to indicate and trace the theft of intellectual property.  “Malicious code, invisible to a user, placed on Web sites in such a way that it allows third parties to track use of Web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and Web browser cookie.” (CNSSI-4009).

Web-inject malware

See drive-by download and code injection.

Website defacement

Vandalistic hacker/cracker attack on a web server, altering or replacing the website’s content typically to demonstrate the hacker’s prowess, to infect website visitors’ systems with malware, to make some ideological or political statement (hacktivism), or to discredit/embarrass and thus harm the website’s real owner (cybertage).

WEP
(Wired Equivalent Privacy,
Weak Early Protection)

Flawed and deprecated cryptosystem hastily incorporated into early IEEE 802.11 Wi-Fi wireless networking equipment but soon broken by wireless hackers.  Used RC4 for encryption.  Vulnerabilities in the way shared keys are generated render WEP only marginally better than no encryption at all, hence it is deprecated in favour of WPA2.  “A security protocol, specified in the IEEE 802.11 standard, that is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP is no longer considered a viable encryption mechanism due to known weaknesses” (NIST SP 800-48).

Wetware

People, or more specifically our brains.  Alludes to the fact that we human beings are about 60% water, and some of us are ‘wet behind the ears’ i.e. naïve and vulnerable.  Cf. hardware, software, firmware, malware and shelfware.

Whaling

Refers to the use of phishing, spear phishing and other social engineering, fraud or scamming techniques to coerce ‘big fish’ such as corporate financial controllers and executives, for example sending an email that appears to come from the CEO instructing the Head of Finance to authorize a large wire transfer for a secretive special project.

Whistleblower,
snitch

Informant who privately discloses (“reports”, “speaks up about” or “calls out”) a breach of ethics, security, policy, law etc. to management, an auditor, an authority etc. triggering the process of evidence gathering and investigation and, if appropriate, calling the perpetrator and/or participants to account for their actions or inactions.

Whistleblower’s hotline,
snitchline

Confidential service for whistleblowers to report (“speak up about” or “call out”) their knowledge or suspicions about improprieties such as coercion, fraud, bribery, corruption and malpractice to be formally and independently investigated.  Confidentiality and independence are intended to reduce the possibility of actual or threatened reprisals or retribution against whistleblowers, but inevitably the residual risks are substantial.

White collar crime

Generic term for fraud, theft, tax evasion, insider dealing, blackmail, counterfeiting and other crimes typically perpetrated by office workers or professionals.

White hat

Benign, ethical hacker or information security professional.  Cf. black hat and grey hat.

Whitelist

Explicit list of URLs, programs, email senders etc. that are considered benign or (to some extent) trusted and hence to which access is permitted, while access is denied to unlisted items by default (hence fail-secure).  “A set of inclusive accepted items that confirm the item being analysed is acceptable. It is the opposite of a blacklist which confirms that items are not acceptable” (NZ information Security Manual).  “A list of email senders known to be benign, such as a user’s coworkers, friends, and family” (NIST SP800-114 rev1).

Cf. blacklist.

White team

“1. The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise’s use of information systems. In an exercise, the White Team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. The White Team helps to establish the rules of engagement, the metrics for assessing results and the procedures for providing operational security for the engagement. The White Team normally has responsibility for deriving lessons-learned, conducting the post engagement assessment, and promulgating results.  2. Can also refer to a small group of people who have prior knowledge of unannounced Red Team activities. The White Team acts as observers during the Red Team activity and ensures the scope of testing does not exceed a predefined threshold.” (CNSSI-4009).  See also blue, red and purple team.

Wi-Fi, WiFi, wifi, WLAN (Wireless Local Area Network)

“Wireless local area networking technology that allows electronic devices to network, mainly using the 2.5 GHz and 5 GHz radio bands.  Note: ‘Wi-Fi’ is a trademark of the Wi-Fi Alliance. ‘Wi-Fi’ is generally used as a synonym for ‘WLAN’ since most modern WLANs are based on these standards.” (ISO/IEC 27033-6).

Wi-Fi Ad-Hoc network,
wireless ad-hoc network

“Decentralized wireless network which does not rely on a pre-existing infrastructure.  Note: Examples of pre-existing infrastructure are routers in wired networks or access points in managed (infrastructure) wireless networks.” (ISO/IEC 27033-6).

Wifatch

Vigilante worm that infects insecure Linux-based things such as network routers, then patches them and joins them to a botnet.  Exploits basic vulnerabilities such as default Telnet passwords.

Window bars

Strong steel bars permanently fitted across a window or opening to reduce the risk of physical intrusion.  May be welded to a steel frame for extra strength, and/or attached using security screws.  A physical security mechanism or tool … as opposed to the Seattle watering holes where Microsofties hang out of an evening.

Windows Defender

Microsoft’s antivirus software, built into recent versions of Windows.

Windows Defender ATP (Advanced Threat Protection)

A cloud-based system for malware prevention, incident detection, automated investigation and incident response.  Part of Windows 10 Enterprise.  Not to be confused with APT.

Wiper

A destructive type of malware that deliberately wipes data from infected systems, possibly for extortion (i.e. ransomware), cybertage or cyberterrorism, or to destroy forensic evidence.  May be part of multifunctional malware.  Examples: Black Energy, Destover, NotPetya, Olympic Destroyer and Shamoon.  See also logic bomb.

Wireless access point

See access point.  “A device which enables communications between wireless clients. It is typically also the device which connects the wireless local area network to the wired local area network” (NZ information Security Manual).

Wireless communications

“The transmission of data over a communications path using electromagnetic waves rather than a wired medium” (NZ information Security Manual).

Wireless hacker,
wHacker

A hacker who exploits security vulnerabilities in wireless networks.

Wireless Local Area Network (wLAN)

“A network based upon the 802.11 set of standards.  Such networks are often referred to as wireless networks” (NZ information Security Manual).

WireLurker

Trojan exploiting Apple Mac OS X mobile devices.  The infection spread via unofficial app stores, side-stepping the official Apple app store’s anti-malware controls.

Wireshark,
Ethereal

Open source network monitoring, packet capture and analysis application. Understands hundreds of network protocols.  An example of dual-use technology, popular with black-, grey- and white-hats.  Originally called Ethereal.

Wiretap

Covert surveillance device physically attached to a phone line or network cable, or configuration settings on the systems, which enables phone calls and network traffic on the line to be secretly replicated on another line or port, hence monitored and/or recorded.  Generally installed by the phone company as demanded by a court order to capture forensic evidence for criminal investigations.  Sometimes installed by hackers to snoop on the spooks.  See also pen register.

WMI
(Windows Management Instrumentation)

WMI, an integral part of the Windows operating system, provides system management capabilities such as Windows updates.  However, due to flaws in its security architecture, WMI may also be exploited for malicious purposes, acting much like built-in malware.  See also Powershell.

Worker

A permanent or temporary employee of the organisation (whether a member of staff or a manager), or someone self-employed or employed by a third party such as a consultant or contractor but acting in a similar capacity to employees i.e. working on behalf of, and to a large extent directed and controlled by, the organisation.  An information asset.

Workstation

“A stand-alone or networked single-user computer” (NZ information Security Manual).

[Network] Worm

Form of malware consisting of mobile code that exploits network connections to spread itself between systems and often performs unauthorized functions such as sending unsavoury emails or spam, denial of service attacks (including unintentional attacks due to overwhelming networks/systems) etc.  Unlike a virus, a worm is self-contained and does not need to hitch a ride on other programs.  Unlike a Trojan, it does not appear to be a useful program and does not mislead humans into executing it.  Unlike the living creature, it is not slimy and it’s no good for composting.

Worst case scenario

Notional scenario considered to represent the worst possible and generally disastrous outcome from an event or combination of events constituting a serious information security incident.  Often developed to help people understand the challenges of business continuity management, albeit at the risk of constraining plans to versions of the specific situations discussed, ignoring other scenarios and black swan events.

WPA
(Wi-Fi Protected Access,
Weak Protection Algorithm)

Flawed second generation Wi-Fi cryptosystem, also broken by wireless hackers.  Marginally more secure than WEP but also deprecated in favour of WPA2.  “Certifications of the implementations of protocols designed to replace WEP.  They refer to components of the 802.11i security standard” (NZ information Security Manual).

WPA2
(Wi-Fi Protected Access № 2)

Third generation Wi-Fi cryptosystem specified in IEEE standard 802.11i.  Allows the use of AES for strong encryption provided the cryptographic key (or the passphrase used to generate the key) is strong, confidential to the intended parties to the session key exchange, and cannot be substituted with a chosen key, for example by wireless hackers using KRACK against vulnerable Android systems.  Oops.

WPA3
(Wi-Fi Protected Access № 3)

Fourth generation Wi-Fi cryptosystem, announced by the Wi‑Fi Alliance in June 2018.  Uses SAE to overcome the offline/asynchronous password brute force vulnerability in WPA2, and Opportunistic Wireless Encryption to encrypt Wi-Fi connections automatically.  Designed to make it easy to connect mobile devices including things to Wi-Fi networks, securely, for example by scanning a QR code displayed in an Internet café.

Write-blocker

Hardware device that physically prevents data changes being made on an attached storage device by blocking write/update access while permitting read access. Typically required to avoid spoliation of forensic evidence.

X.1056 (2009)

ITU standard “Security incident management guidelines for telecommunications organisations” recommends how to manage information security incidents affecting telecommunications organisations, or indeed telecoms functions within any organisation.

X11 forwarding

“X11, also known as the X Window System, is a basic method of video display used in a variety of operating systems.  X11 forwarding allows the video display from one network node to be shown on another node” (NZ information Security Manual).

Xafecopy

Species of Trojan exploiting Android systems.  In the wild in 2017.

Xkeyscore (XKS)

Top secret US surveillance system disclosed by Ed Snowden.  Intercepts from spy stations around the globe can be searched using NSA databases, making it like ‘Google for spooks’.

XML eXternal Entities
(XXE)

External files etc., referenced within XML documents, may be interpreted by insecurely designed or configured XML applications, leading to the disclosure of sensitive information, command execution etc.  An XML-specific form of injection flaw.

Xorist

A species of ransomware in the wild in 2016.

YiSpecter

In the wild malware exploiting Apple devices running iOS older than version 8.4.

Z-wave

See ZigBee.

Zero-day,
0-day,
O-day,
oh-day

Originally referred to pirated software that was available on the black market before the legitimate original had officially been released.  Evolved into a term for exploits against software security vulnerabilities that have not yet been recognized as such by the public or by the software authors, and for which security patches are not yet available.  The term is misused so often that nobody except the writer knows for sure what it means any more, except that it is bad.

Zero-fill

Computer storage operation to overwrite the data content of a file with zeroes, or with a pre-defined pattern or a pseudo-random sequence of digital bits, with the intention of rendering the original information permanently irretrievable.

Zeroize

Process to delete a cryptographic key or other highly confidential data from a system, whether on disk or in RAM, typically by zero-filling or overwriting it with pseudo-random bits.

Zero knowledge

A cryptographic protocol used to confirm or refute knowledge of a secret (such as a password) without disclosing the secret itself, nor any part of it (e.g. “Tell me the second and third characters of your password” is not a zero knowledge approach!).  See also challenge-response and nonce.

Zero trust,
zero trust network,
zero trust architecture,
zero trust model

Security concept or architecture based on the premise that the network and/or system is inherently untrustworthy, hence applications must independently establish and maintain sufficient information security (particularly identification and authentication) without relying upon the platforms on which they are running. 

ZeuS, Zeus,
Zbot

Crimeware kit, a multifunctional Trojan that generates Windows malware.  Discovered in 2007, source disclosed on the Internet in 2011, with variants still in the wild in 2019.  Used by keylogging bank Trojans, CryptoLocker etc.  Spread by drive-by downloads, phishing attacks and infectious email attachments.

ZigBee,
Z-wave

Low-rate short-range low-power wireless networking protocols used by some consumer smart devices and things to form ad hoc local or Home Area Networks and perhaps join the Internet of Things.  Along with Bluetooth Low Energy, Wi-Fi and others, several technology standards are, in effect, competing to establish a foothold if not dominate various market segments (e.g. home automation and mobile office).

Zip bomb

A small compressed archive (e.g. a ZIP file holding gigabytes of zeroes, or archives nested within archives) crafted to expand into an enormous volume of data when decompressed, exhausting disk space, memory or CPU until the system, or the antivirus scanner inspecting the file, crawls to a halt and crashes.  A crude denial of service; compare logic bomb.
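Defending against this is a matter of bounding decompression rather than trusting an archive’s declared sizes.  The following is an added example, not taken from the glossary or from any product: it constructs a sample bomb (32 MiB of zeroes that deflates to a few tens of KiB) and a benign archive, triages both from the sizes declared in the central directory, and then extracts with a hard budget on the bytes actually produced.  The limits MAX_TOTAL_BYTES and MAX_RATIO are assumed policy values, chosen for illustration.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 16 * 1024 * 1024   # assumed policy: refuse archives that would expand beyond 16 MiB
MAX_RATIO = 100                       # assumed policy: refuse archives inflating more than 100:1


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}.  Used here only to construct sample archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_bomb():
    """Constructed sample: 32 MiB of zeroes deflates to a few tens of KiB, roughly 1000:1."""
    return build_zip({"innocent.txt": b"\0" * (32 * 1024 * 1024)})


def build_sample_benign():
    """Constructed sample: ordinary text that compresses only modestly."""
    text = b"\n".join(b"line %d: value %d" % (i, i * i) for i in range(200))
    return build_zip({"notes.txt": text})


def inspect_zip(data, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Cheap pre-extraction triage from the sizes declared in the archive's central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    ratio = total / max(compressed, 1)
    reasons = []
    if total > max_total:
        reasons.append("declared size %d exceeds %d" % (total, max_total))
    if ratio > max_ratio:
        reasons.append("compression ratio %.0f:1 exceeds %d:1" % (ratio, max_ratio))
    return {"total": total, "ratio": ratio, "suspicious": bool(reasons), "reasons": reasons}


def extract_bounded(data, budget=MAX_TOTAL_BYTES, chunk=1 << 16):
    """Decompress members in chunks, enforcing the budget on bytes actually produced.
    The declared sizes come from the archive itself, so this streaming check, not the
    triage above, is the control that actually bounds resource consumption."""
    out, produced = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = []
            with zf.open(info) as fh:
                while True:
                    block = fh.read(chunk)
                    if not block:
                        break
                    produced += len(block)
                    if produced > budget:
                        raise ValueError("decompression budget of %d bytes exceeded at %r"
                                         % (budget, info.filename))
                    parts.append(block)
            out[info.filename] = b"".join(parts)
    return out


def extraction_rejected(data, budget):
    """True if extract_bounded refuses the archive under the given budget."""
    try:
        extract_bounded(data, budget=budget)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(inspect_zip(build_sample_bomb()))
    print(inspect_zip(build_sample_benign()))
```

The triage step is useful for logging and early rejection, but nested archives defeat it (the inner archive is itself small), so any extractor that recurses into archives must carry the same byte budget across every level of nesting.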

Zombie

See bot.

ZombieLoad
ZombieLoad 2

Speculative-execution attacks against Intel CPUs, part of the Microarchitectural Data Sampling (MDS) family disclosed in 2019.  Design flaws deep in the CPU hardware allow a rogue process (malware) to sample information belonging to other processes, the kernel or other virtual machines while it is held transiently in internal buffers, despite the higher-level isolation that firmware and software controls are meant to enforce.  Microcode and operating system patches mitigate the attacks by flushing the affected buffers on context switches and, where sibling threads cannot be trusted, by disabling hyperthreading, at some cost in functionality and performance; fully fixing the underlying vulnerabilities without those costs requires a hardware redesign.  See also Meltdown.

Zone,
security domain

Defined physical area or logical grouping within which a common physical or logical security baseline applies.  Perimeter controls such as firewalls, walls and doors usually isolate or separate different zones.  High-security zones, such as the keep in a castle or the data centre or local area network in a commercial organisation, should be better protected against unauthorized access than the surrounding areas.  Zoning is akin to classification in that things within a given zone are treated similarly, although their individual security requirements may vary somewhat.

Zoo

Malware collection typically maintained by security researchers and antivirus companies, as well as by VXers, hackers and crackers.

* * *  End  of  glossary  * * *

Important disclaimer

This web version of the glossary was last updated in 2021. Several of the cited sources have been revised, new terms have emerged and some of the interpretations given on this page have materially changed since 2021. Language is a moving target, constantly evolving and sometimes misused or misunderstood by mere humans … including the all-too-fallible author of this glossary. Whereas I have done my level best to research and define the terms carefully, they often have or take on different, flexible meanings or implications in practice, and I am not necessarily correct in my interpretations. I am biased, prejudiced even and certainly jaundiced after three decades in the game. Furthermore, context is important.

This is, in parts, a parody. A few definitions are decidedly tongue-in-cheek, but, hey, it would be even more tedious otherwise!

Some definitions include quoted text in italics, drawn mostly from published or draft security standards. The quoted text may be neither complete nor accurate, while drafts may not even make it into print, at least not without changes. Please refer to the original cited sources and the published final versions for the definitive text and supporting information.

To be crystal clear, IANAL and this is not legal advice. In some jurisdictions and circumstances, some of the terms in this glossary have specific legal interpretations and implications that differ from those stated herein. Do not rely on this glossary for anything important. It is provided purely for information and entertainment, no more, no less.

This is also not information risk, security, privacy, compliance or governance advice, except in the very general and vague sense of espousing the author’s limited understanding of generic good practice. Your information risks, and your information security and privacy requirements and obligations, undoubtedly differ from those noted in or implied by the glossary. Seek advice from competent, trustworthy, qualified and experienced professional advisors, and weigh it up. Caveat lector. Ask a grown-up and do not run with scissors.

Copyright

Copyright © 2021  IsecT Ltd.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License

This webpage is provided as a public service,
but the content is not public domain.

The glossary from which this static webpage was generated is actively maintained:
for the expanded and updated version, please visit SecAware.com.
As of July 2023, the full SecAware hyper-glossary has ~40% more entries.

Comments and corrections are welcome: please email Gary@isect.com