Discover Your Cybersecurity and Compliance Needs

Glossary And Definitions

Glossary And Definitions

Explore commonly used cybersecurity terms and definitions. 

Cybersecurity can be a confusing landscape with unfamiliar terms. Explore our interactive glossary and gain a better understanding of common security lingo.

Glossary Terms

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

Whether you're studying cybersecurity to protect your organization or needing specific product training, SecurityMetrics has free courses to help you learn.


Access: The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.


Access Control: The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities.


Access Control List (ACL): A list of instructions for firewalls to know what to allow in and out of systems.


Access Control Mechanism: Security measures designed to detect and deny unauthorized access and permit authorized access to an information system or a physical facility.


Active Attack: An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data, or its operations.


Active Content: Software that is able to automatically carry out or trigger actions without the explicit intervention of a user.


Advanced Persistent Threat (APT): network attack in which a hacker breaks into a network undetected and harvests information over a long period of time. These guys are really good and very patient. If you don’t have the right software to detect them, such as IDS/IPS and FIM you will likely never know they were there.


Advanced Encryption Standard (AES): government encryption standard to secure sensitive electronic information.


Adversary: An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.


Air Gap: To physically separate or isolate a system from other systems or networks (verb). The physical separation or isolation of a system from other systems or networks (noun).


Alert: A notification that a specific attack has been detected or directed at an organization’s information systems.


Allowlist: A list of entities that are considered trustworthy and are granted access or privileges. Related Term(s): Blocklist


All Source Intelligence: In the NICE Framework, cybersecurity work where a person: Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications.


Analyze: A NICE Framework category consisting of specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.


Anti Spyware Software: A program that specializes in detecting and blocking or removing forms of spyware.


Antivirus Software: A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents. Sometimes by removing or neutralizing the malicious code.


Approved Scanning Vendor (ASV): ​​A company approved by the PCI SSC to conduct vulnerability scanning tests.


Asset: A person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputation that has value. Extended Definition: Anything useful that contributes to the success of something, such as an organizational mission; assets are things of value or properties to which value can be assigned.


Asymmetric Cryptography: public key cryptography.


Attack: An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity. Extended Definition: The intentional act of attempting to bypass one or more security services or controls of an information system.


Attack Method: The manner or technique and means an adversary may use in an assault on information or an information system.


Attack mode: Synonym(s): attack method


Attack Path: An attack path is one or more security gaps that attackers can exploit to gain access to an IT asset and to move from one IT asset to another. A clear understanding of possible attack paths helps security teams accurately gauge cybersecurity risk.


Attack Pattern: Similar cyber events or behaviors that may indicate an attack has occurred or is occurring, resulting in a security violation or a potential security violation. Extended Definition: For software, descriptions of common methods for exploiting software systems.


Attack Surface Protection: Attack surface protection is the process of continuously discovering, classifying and testing the security of your attacker-exposed IT ecosystem. It combines advanced ASM capabilities with automated multi-factor testing to discover the paths of least resistance that attackers are most likely to use to compromise organizations. The first, foundational step in attack surface protection is to fully map the organization’s externally-exposed attack surface. While most ASM and EASM approaches stop there or use a proxy risk measure (such as banner grabbing), attack surface protection takes that process a step further. Attack surface protection uses active security testing that goes beyond simply mapping out the attack surface and applying indirect security measurements. To complete the protection process, discovered risks must be prioritized, so that security teams can plan their remediation efforts and address the most potentially damaging issues.


Attack Signature: A characteristic or distinctive pattern that can be searched for or that can be used in matching to previously identified attacks. Extended Definition: An automated set of rules for identifying a potential threat (such as an exploit or the presence of an attacker tool) and possible responses to that threat.


Attack Surface: An attack surface is the sum of an organization’s attacker-exposed IT assets, whether these assets are secure or vulnerable, known or unknown, in active use or not and regardless of IT/security team awareness of them. The attack surface changes continuously over time, and includes assets that are on-premises, in the cloud, and in subsidiary networks as well as those in third-party or partner environments. 


Attack Surface Management: Attack surface management (ASM) is the process of continuously discovering, classifying and assessing the security of your IT ecosystem. The process can be broadly divided into (a) activities performed in managing internet-exposed assets (a process called external attack surface management, or EASM) and (b) management activities on assets accessible only from within an organization. Many organizations use an assortment of tools and manual processes to secure their attack surface, making the process fraught with operational complexity, human error and best-guess analysis.


Attacker: An individual, group, organization, or government that executes an attack. Extended Definition: A party acting with malicious intent to compromise an information system.


Attack Vector: An attack vector is a path that an attacker can use to gain access to an organization’s network. Attack vectors can include exposed assets or abandoned assets, but they can also include unpatched software vulnerabilities, misconfigured software, weak authentication, and domain hijacking. 


Attestation of Compliance (AOC): a declaration of a merchant’s adherence to the PCI DSS.


Authentication: The process of verifying the identity or other attributes of an entity (user, process, or device). Extended Definition: Also the process of verifying the source and integrity of data.


Authenticity: A property achieved through cryptographic methods of being genuine and being able to be verified and trusted, resulting in confidence in the validity of a transmission, information or a message, or sender of information or a message.


Authorization: A process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. Extended Definition: The process or act of granting access privileges or the access privileges as granted.


Availability: The property of being accessible and usable upon demand. Extended Definition: In cybersecurity, applies to assets such as information or information systems.



Backdoor: a tool installed after a compromise to give an attacker easier access to the compromised system around any security mechanisms that are in place.


Bandwidth: Commonly used to mean the capacity of a communication channel to pass data through the channel in a given amount of time. Usually expressed in bits per second.


Banner Grabbing: a process of collecting intelligence about IT assets and the services available on those assets. Banners provide information such as the version of software running on a system. That intelligence can be used by IT and Security administrators, or by attackers, to get a sense of what vulnerabilities may be present on the asset. Banners provide limited value because the only security issues they might indicate are software version-related (e.g., CVEs) and even then banners won’t reflect that a system has been patched. Therefore, banner grabbing is prone to false-positives.


Basic Authentication: the simplest web-based authentication scheme that works by sending the username and password with each request.


Bastion Host: A bastion host has been hardened in anticipation of vulnerabilities that have not been discovered yet.


Behavior Monitoring: Observing activities of users, information systems, and processes and measuring the activities against organizational policies and rule, baselines of normal activity, thresholds, and trends.


BIND: stands for Berkeley Internet Name Domain and is an implementation of DNS. DNS is used for domain name to IP address resolution.


Biometrics: the use of physical characteristics of the users to determine access.


Bit: The smallest unit of information storage; a contraction of the term "binary digit;" one of two symbolsN"0" (zero) and "1" (one) - that are used to represent binary numbers.


Block Cipher: encrypts one block of data at a time.


Blocklist: A list of entities that are blocked or denied privileges or access.


Blue Team: A group that defends an enterprise's information systems when mock attackers (i.e., the Red Team) attack, typically as part of an operational exercise conducted according to rules established and monitored by a neutral group (i.e., the White Team).


Boot Record Infector: a piece of malware that inserts malicious code into the boot sector of a disk.


Border Gateway Protocol: An inter-autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).


Bot: A computer connected to the Internet that has been surreptitiously / secretly compromised with malicious logic to perform activities under the remote command and control of a remote administrator. Extended Definition: A member of a larger collection of compromised computers known as a botnet.


Bot Master: The controller of a botnet that, from a remote location, provides direction to the compromised computers in the botnet.


Bot Net: A collection of computers compromised by malicious code and controlled across a network.


Breach: An impermissible use or disclosure of protected health information, resulting in significant risk of financial, reputational, or other harm to the affected individual.


Bridge: A product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, Ethernet or token ring).


British Standard 7799: A standard code of practice and provides guidance on how to secure an information system. It includes the management framework, objectives, and control requirements for information security management systems.


Broadcast: To simultaneously send the same message to multiple recipients. One host to all hosts on network.


Broadcast Address: An address used to broadcast a datagram to all hosts on a given network using UDP or ICMP protocol.


Browser: A client computer program that can retrieve and display information from servers on the World Wide Web.


Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one.


Buffer Overflow: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.


Bug: An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.


Build Security In: A set of principles, practices, and tools to design, develop, and evolve information systems and software that enhance resistance to vulnerabilities, flaws, and attacks.


Business Associate (BA): A person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., CPA, IT provider, billing services, coding services).


Business Associate Agreement (BAA): a contract between a covered entity and business associate to safeguard PHI and comply with HIPAA.


Business Continuity Plan (BCP): identifies an organization’s exposure to internal and external threats.


Business Impact Analysis (BIA): A Business Impact Analysis determines what levels of impact to a system are tolerable.

Byte: A fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and usually means eight bits.


Pronounced cash, a special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.


Cache Cramming: Cache Cramming is the technique of tricking a browser to run cached Java code from the local disk, instead of the internet zone, so it runs with less restrictive permissions.


Cache Poisoning: Malicious or misleading data from a remote name server is saved [cached] by another name server. Typically used with DNS cache poisoning attacks.


Call Admission Control (CAC): The inspection and control all inbound and outbound voice network activity by a voice firewall based on user-defined policies.


Capability: The means to accomplish a mission, function, or objective.


Captured: Data is being recorded, gathered, or stored from an unauthorized source.


Cardholder Data (CHD): sensitive data found on payment cards, such as an account holder name or primary account number (PAN) data.


Cardholder Data Environment (CDE): any individual, software, system, or process that stores, processes, transmits, or handles cardholder data.


Card Verification Value (CVV/CSC/CVC/CAV): element on a payment card that protects information on the magnetic stripe. Specific acronym depends on card brand.


Cell: a unit of data transmitted over an ATM network.


Certificate-Based Authentication: the use of SSL and certificates to authenticate and encrypt HTTP traffic.


Certified Information Systems Security Professional (CISSP): a globally recognized certification that confirms an individual’s knowledge about information security.


Common Gateway Interface (CGI): Common Gateway Interface. This mechanism is used by HTTP servers (web servers) to pass parameters to executable scripts in order to generate responses dynamically.


Chain of Custody: the important application of the Federal rules of evidence and its handling.


Challenge-Handshake Authentication Protocol (CHAP): uses a challenge/response authentication mechanism where the response varies every challenge to prevent replay attacks.


Checksum: A value that is computed by a function that is dependent on the contents of a data object and is stored or transmitted together with the object, for the purpose of detecting changes in the data.


Chief Information Security Officer (CISO): Similar to a CSO, but with responsibility for IT rather than entity-wide security


Chief Security Officer (CSO): Company position with responsibility towards HIPAA compliance, PCI compliance, physical security, network security, and other security protocols.


Cipher: A cryptographic algorithm for encryption and decryption.


Ciphertext: the encrypted form of the message being sent.


Circuit Switched Network: where a single continuous physical circuit connected two endpoints where the route was immutable once set up.


Client: A system entity that requests and uses a service provided by another system entity, called a "server." In some cases, the server may itself be a client of some other server.


Cloud computing: A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.


Cold/Warm/Hot Disaster Recovery Site: Hot site. It contains fully redundant hardware and software, with telecommunications, telephone and utility connectivity to continue all primary site operations. Failover occurs within minutes or hours, following a disaster. Daily data synchronization usually occurs between the primary and hot site, resulting in minimum or no data loss. Offsite data backup tapes might be obtained and delivered to the hot site to help restore operations. Backup tapes should be regularly tested to detect data corruption, malicious code and environmental damage. A hot site is the most expensive option. * Warm site. It contains partially redundant hardware and software, with telecommunications, telephone and utility connectivity to continue some, but not all primary site operations. Failover occurs within hours or days, following a disaster. Daily or weekly data synchronization usually occurs between the primary and warm site, resulting in minimum data loss. Offsite data backup tapes must be obtained and delivered to the warm site to restore operations. A warm site is the second most expensive option. * Cold site. Hardware is ordered, shipped and installed, and software is loaded. Basic telecommunications, telephone and utility connectivity might need turning on to continue some, but not all primary site operations. Relocation occurs within weeks or longer, depending on hardware arrival time, following a disaster. No data synchronization occurs between the primary and cold site, and could result in significant data loss. Offsite data backup tapes must be obtained and delivered to the cold site to restore operations. A cold site is the least expensive option.


Collect & Operate: A NICE Framework category consisting of specialty areas responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.


Collection Operations: In the NICE Framework, cybersecurity work where a person: Executes collection using appropriate strategies and within the priorities established through the collection management process.


Collision: A collision occurs when multiple systems transmit simultaneously on the same wire.


Common Vulnerability Scoring System (CVSS): standardized method for rating and describing IT vulnerabilities.


Competitive Intelligence: espionage using legal, or at least not obviously illegal, means.


Computer Emergency Response Team (CERT): designated group to handle computer security incidents.


Computerized Provider Order Entry (CPOE): management software that allows physicians to provide electronic instructions to staff (vs. handwritten) on a patient’s treatment and care.


Computer Network: A collection of host computers together with the sub-network or inter-network through which they can exchange data.


Computer Network Defense: The actions taken to defend against unauthorized activity within computer networks.


Computer Network Defense Analysis: In the NICE Framework, cybersecurity work where a person: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.


Computer Network Defense Infrastructure Support: In the NICE Framework, cybersecurity work where a person: Tests, implements, deploys, maintains, reviews, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources; monitors network to actively remediate unauthorized activities.


Confidentiality: the need to ensure that information is disclosed only to those who are authorized to view it.


Configuration Management: Establish a known baseline condition and manage it.


Consequence: The effect of an event, incident, or occurrence. Extended Definition: In cybersecurity, the effect of a loss of confidentiality, integrity or availability of information or an information system on an organization's operations, its assets, on individuals, other organizations, or on national interests.


Continuity of Operations Plan: A document that sets forth procedures for the continued performance of core capabilities and critical operations during any disruption or potential disruption.


Continuous Security Monitoring: Continuous security monitoring is the process of monitoring an organization’s IT ecosystem to identify and provide timely visibility into cyberthreats or risks. By discovering and monitoring all assets in the IT ecosystem, both known and unknown, security professionals can then find the path of least resistance and vulnerabilities that attackers may use as a security gap to penetrate organizations. 


Cookie: Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use. An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections.


Corruption: A threat action that undesirably alters system operation by adversely modifying system functions or data.


Cost Benefit Analysis: compares the cost of implementing countermeasures with the value of the reduced risk.


Countermeasure: Reactive methods used to prevent an exploit from successfully occurring once a threat has been detected. Intrusion Prevention Systems (IPS) commonly employ countermeasures to prevent intruders form gaining further access to a computer network. Other counter measures are patches, access control lists and malware filters.


Covered Entity (CE): A health plan, healthcare clearinghouse, or healthcare provider that electronically transmits health information (e.g., doctors, dentists, pharmacies, health insurance companies, company health plans).


Covert Channels: the means by which information can be communicated between two parties in a covert fashion using normal system operations. For example by changing the amount of hard drive space that is available on a file server can be used to communicate information.


Crimeware: A type of malware used by cyber criminals. The malware is designed to enable the cyber criminal to make money off of the infected system (such as harvesting key strokes, using the infected systems to launch Denial of Service Attacks, etc.).


Critical Infrastructure: The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters.


Crossover Cable: A crossover cable reverses the pairs of cables at the other end and can be used to connect devices directly together.


Cross-Site Scripting (XSS): An attack that enables hackers to inject code into public-facing web pages and gain access into a system.


Cryptanalysis: The operations performed in defeating or circumventing cryptographic protection of information by applying mathematical techniques and without an initial knowledge of the key employed in providing the protection. Extended Definition: The study of mathematical techniques for attempting to defeat or circumvent cryptographic techniques and/or information systems security.


Cryptographic Algorithm or Hash: An algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms.


Cryptography: The use of mathematical techniques to provide security services, such as confidentiality, data integrity, entity authentication, and data origin authentication. Extended Definition: The art or science concerning the principles, means, and methods for converting plaintext into ciphertext and for restoring encrypted ciphertext to plaintext.


Cryptology: The mathematical science that deals with cryptanalysis and cryptography.


Customer Service and Technical Support: In the NICE Framework, cybersecurity work where a person: Addresses problems, installs, configures, troubleshoots, and provides maintenance and training in response to customer requirements or inquiries (e.g., tiered-level customer support).


Cut-Through: a method of switching where only the header of a packet is read before it is forwarded to its destination.


Cyber Ecosystem: The interconnected information infrastructure of interactions among persons, processes, data, and information and communications technologies, along with the environment and conditions that influence those interactions.


Cyber Exercise (also known as table-top exercise): A planned event during which an organization simulates a cyber disruption to develop or test capabilities such as preventing, detecting, mitigating, responding to or recovering from the disruption.


Cyber Infrastructure: An electronic information and communications systems and services and the information contained therein. 


Cyber Killchain: A cyber kill chain is a series of 7 stages that model the primary actions conducted in a cyberattack. Lockheed Martin developed the cyber kill chain model in 2011 to help cyber defenders identify and prevent the steps of an attack. Other organizations have slightly different models and critics have noted that attackers increasingly flout the cyber kill chain model, but there is broad agreement that organizations should always strive to eliminate potential threats as early as possible in the cyber kill chain.


Cyber Operations: In the NICE Framework, cybersecurity work where a person: Performs activities to gather evidence on criminal or foreign intelligence entities in order to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities.


Cyber Operations Planning: in the NICE Framework, cybersecurity work where a person: Performs in-depth joint targeting and cyber planning process. Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operations


Cyber Reconnaissance: Cyber reconnaissance is a cybersecurity term built from the French word “reconnaissance,” which means “surveying” and adapted from the military practice of reconnaissance, conducting an exploratory survey of enemy territory.


Cyber Risk Management: Cyber risk management involves continuously identifying, assessing, and mitigating potential cyber risks as well as understanding their potential impacts. Because cyber risk cannot be effectively managed without a comprehensive view of the overall attack surface, it is vital to have an awareness of all assets and understand their business context.


Cybersecurity: The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. Extended Definition: Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.


Cyberspace: The interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers.


Cyber Threat Intelligence (CTI): The collecting, processing, organizing, and analyzing data into actionable information that relates to capabilities, opportunities, actions, and intent of adversaries in the cyber domain to meet a specific requirement determined by and informing decision-makers. 


Cyclic Redundancy Check (CRC): Sometimes called "cyclic redundancy code." A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected.


A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The term daemon is a Unix term, though many other operating systems provide support for daemons, though they're sometimes called other names. Windows, for example, refers to daemons and System Agents and services.


Data Administration: In the NICE Framework, cybersecurity work where a person: Develops and administers databases and/or data management systems that allow for the storage, query, and utilization of data.


Data Aggregation: The process of gathering and combining data from different sources, so that the combined data reveals new information. Extended Definition: The new information is more sensitive than the individual data elements themselves and the person who aggregates the data was not granted access to the totality of the information.


Data Breach: The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.


Data Custodian: the entity currently using or manipulating the data, and therefore, temporarily taking responsibility for the data.


Data Encryption Standard (DES): A widely-used method of data encryption using a private (secret) key. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.


Data Integrity: The property that data is complete, intact, and trusted and has not been modified or destroyed in an unauthorized or accidental manner.


Data Loss: ​​The result of unintentionally or accidentally deleting data, forgetting where it is stored, or exposure to an unauthorized party.


Data Loss Prevention (DLP): a piece of software or strategy used to catch unencrypted data being exfiltrated or sent outside the network.


Data Mining: a technique used to analyze existing information, usually with the intention of pursuing new avenues to pursue business.


Data Owner: the entity having responsibility and authority for the data.


Data Security Standard: (see PCI DSS)


Data Theft: The deliberate or intentional act of stealing of information.


Data Warehousing: The consolidation of several previously independent databases into one location.


Datagram: Request for Comment 1594 says, "a self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network." The term has been generally replaced by the term packet. Datagrams or packets are the message units that the Internet Protocol deals with and that the Internet transports. A datagram or packet needs to be self-contained without reliance on earlier exchanges because there is no connection of fixed duration between the two communicating points as there is, for example, in most voice telephone conversations. (This kind of protocol is referred to as connectionless.)


Day Zero: The "Day Zero" or "Zero Day" is the day a new vulnerability is made known. In some cases, a "zero day" exploit is referred to an exploit for which no patch is available yet. ("day one"-> day at which the patch is made available).


Decapsulation: the process of stripping off one layer's headers and passing the rest of the packet up to the next higher layer on the protocol stack.


Decipher: To convert enciphered text to plain text by means of a cryptographic system.


Decode: To convert encoded text to plain text by means of a code.


Decrypt: A generic term encompassing decode and decipher.


Decryption: The process of transforming ciphertext into its original plaintext. Extended Definition: The process of converting encrypted data back into its original form, so it can be understood.


Defacement: the method of modifying the content of a website in such a way that it becomes "vandalized" or embarrassing to the website owner.


Defense In-Depth: the approach of using multiple layers of security to guard against failure of a single security component.


Defensive Security: a proactive approach that focuses on prevention, detection, and response to attacks from the perspective of defending the organization. 


Demilitarized Zone (DMZ): neutral zone between a private and public network, providing an additional buffering layer of security, typically where web servers are hosted.


Denial of Service: An attack that prevents or impairs the authorized use of information system resources or services.


Dictionary Attack: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations.


Diffie-Hellman: A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.


Digest Authentication: allows a web client to compute MD5 hashes of the password to prove it has the password.


Digital Certificate: an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.


Digital Envelope: an encrypted message with the encrypted session key.


Digital Forensics: The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes. Extended Definition: In the NICE Framework, cybersecurity work where a person: Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability, mitigation, and/or criminal, fraud, counterintelligence or law enforcement investigations.


Digital Rights Management: A form of access control technology to protect and manage use of digital content or devices in accordance with the content or device provider's intentions.

Digital Signature: A value computed with a cryptographic process using a private key and then appended to a data object, thereby digitally signing the data.


Digital Signature Algorithm (DSA): An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified.


Digital Signature Standard (DSS): The US Government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.


Disassembly: The process of taking a binary program and deriving the source code from it.


Disaster Recovery Plan (DRP): The process of recovery of IT systems in the event of a disruption or disaster.


Discretionary Access Control (DAC): Consists of something the user can manage, such as a document password.


Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.


Distance Vector: measure the cost of routes to determine the best route to all known networks.


Distributed Denial of Service: A denial of service technique that uses numerous systems to perform the attack simultaneously.


Distributed Scans: Scans that use multiple source addresses to gather information.


Domain: A sphere of knowledge, or a collection of facts about some program entities or a number of network points or addresses, identified by a name. On the Internet, a domain consists of a set of network addresses. 


Domain Hijacking: an attack by which an attacker takes over a domain by first blocking access to the domain's DNS server and then putting his own server up in its place.


Domain Name: locates an organization or other entity on the Internet. For example, the domain name "" locates an Internet address for "" at Internet point and a particular host server named "www". The "org" part of the domain name reflects the purpose of the organization or entity (in this example, "organization") and is called the top-level domain name. The "sans" part of the domain name defines the organization or entity and together with the top-level is called the second-level domain name.


Domain Name Server: a way to translate URLs to IP addresses.


Domain Name System: The way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address.


Domain Name System History/Passive Domain Name System: The traditional Domain Name System (DNS) is a real-time, distributed database system where queries to DNS servers and resolvers translate hostnames into IP addresses and vice versa. While not all DNS data is public, much of it can be easily accessed and much of the information is in clear text. While traditional DNS records are transient, passive DNS enables the collection and archiving of historical DNS data which contains a wealth of information about DNS queries on the Internet. Analysis of this data provides insights into old DNS records, new values, differences, and can find possible attack vectors. An attacker or defender with this information can see where, how, and when your organization’s domain names and IP addresses have changed over time and who is changing them.


Due Care: Ensures that a minimal level of protection is in place in accordance with the best practice in the industry.


Due Diligence: ​​The requirement that organizations must develop and deploy a protection plan to prevent fraud, abuse, and additional deploy a means to detect them if they occur.


DumpSec: A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services.


Dumpster Diving: Obtaining passwords and corporate directories by searching through discarded media.


Dynamic Attack Surface: The automated, on-the-fly changes of an information system's characteristics to thwart actions of an adversary.


Dynamic Link Library: A collection of small programs, any of which can be called when needed by a larger program that is running in the computer. The small program that lets the larger program communicate with a specific device such as a printer or scanner is often packaged as a DLL program (usually referred to as a DLL file).


Dynamic Routing Protocol: Allows network devices to learn routes. Ex. RIP, EIGRP Dynamic routing occurs when routers talk to adjacent routers, informing each other of what networks each router is currently connected to. The routers must communicate using a routing protocol, of which there are many to choose from. The process on the router that is running the routing protocol, communicating with its neighbor routers, is usually called a routing daemon. The routing daemon updates the kernel's routing table with information it receives from neighbor routers.



Eavesdropping: Simply listening to a private conversation which may reveal information which can provide access to a facility or network.


Echo Reply: The response a machine that has received an echo request sends over ICMP.


Echo Request: An ICMP message sent to a machine to determine if it is online and how long traffic takes to get to it.


Education and Training: In the NICE Framework, cybersecurity work where a person: Conducts training of personnel within pertinent subject domain; develop, plan, coordinate, deliver, and/or evaluate training courses, methods, and techniques as appropriate.


Egress Filtering: Filtering outbound traffic.


Electronic Health Record(EHR): Digital chart that contains a patient’s comprehensive medical history from multiple healthcare providers. 


Electronic Medication Administration Record: a way to track medication administration using electronic tracking sensors.


Electronic Medical Record (EMR): digital chart that contains a patient’s medical history from a single practice used for diagnosis and treatment.


Electronic Protected Health Information(ePHI): health information sent or stored electronically protected by the HIPAA Security Rule.


Electronic Signature: Any mark in electronic form associated with an electronic document, applied with the intent to sign the document.


Emanations Analysis: Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data.


Encapsulation: The inclusion of one data structure within another structure so that the first data structure is hidden for the time being.


Encipher: To convert plaintext to ciphertext by means of a cryptographic system.


Encode: To convert plaintext to ciphertext by means of a code.


Encryption: The process of transforming plaintext into ciphertext.


Enterprise Risk Management: A comprehensive approach to risk management that engages people, processes, and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization’s ability to achieve its objectives.



Ephemeral Port: Also called a transient port or a temporary port. Usually is on the client side. It is set up when a client application wants to connect to a server and is destroyed when the client application terminates. It has a number chosen at random that is greater than 1023.


Escrow Passwords: Escrow Passwords are passwords that are written down and stored in a secure location (like a safe) that are used by emergency personnel when privileged personnel are unavailable.


Ethernet: The most widely-installed LAN technology. Specified in a standard, IEEE 802.3, an Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Devices are connected to the cable and compete for access using a CSMA/CD protocol.


Ethical Hacking: Ethical hacking is a form of offensive security that involves authorized attempts to break into systems and applications in order to test an organization’s security posture. One example of ethical hacking is penetration testing.


Event: An observable occurrence in an information system or network.


Exfiltration: The unauthorized transfer of information from an information system.


Exploit: A technique to breach the security of a network or information system in violation of security policy.


Exploitation Analysis: In the NICE Framework, cybersecurity work where a person: Analyzes collected information to identify vulnerabilities and potential for exploitation.


Exponential Backoff Algorithm: An exponential backoff algorithm is used to adjust TCP timeout values on the fly so that network devices don't continue to timeout sending data over saturated links.


Exposure: A threat action whereby sensitive data is directly released to an unauthorized entity.


Extended ACLs (Cisco): Are a more powerful form of Standard ACLs on Cisco routers. They can make filtering decisions based on IP addresses (source or destination), Ports (source or destination), protocols, and whether a session is established.


Extensible Authentication Protocol (EAP): A framework that supports multiple, optional authentication mechanisms for PPP, including clear-text passwords, challenge-response, and arbitrary dialog sequences.


Exterior Gateway Protocol (EGP): A protocol which distributes routing information to the routers which connect autonomous systems.


External Attack Surface Management: External Attack Surface Management (EASM) is an emerging market category that Gartner created in March 2021 to describe a set of products that supports organizations in identifying risks coming from internet-facing assets and systems that they may be unaware of.



Failure: The inability of a system or component to perform its required functions within specified performance requirements.


False Rejects: when an authentication system fails to recognize a valid user.


Fast File System: The first major revision to the Unix file system, providing faster read access and faster (delayed, asynchronous) write access through a disk cache and better file system layout on disk. It uses inodes (pointers) and data blocks.


Fast Flux: Protection method used by botnets consisting of a continuous and fast change of the DNS records for a domain name through different IP addresses.


Federal Information Processing Standards (FIPS): US federal government standards for computer security that are publicly announced (e.g., encryption standards).


File Integrity Monitoring (FIM): a method to watch for changes in software, systems, and applications in order to detect potential malicious activity.


File Transfer Protocol (FTP): an insecure way to transfer computer files from computer to computer using the Internet. (see SFTP)


Filter: A filter is used to specify which packets will or will not be used. It can be used in sniffers to determine which packets get displayed, or by firewalls to determine which packets get blocked.


Filtering Router: An inter-network router that selectively prevents the passage of data packets according to a security policy. A filtering router may be used as a firewall or part of a firewall. A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy. The policy is implemented by rules (packet filters) loaded into the router.


Finger: A protocol to lookup user information on a given host. A Unix program that takes an e-mail address as input and returns information about the user who owns that e-mail address. On some systems, finger only reports whether the user is currently logged on. Other systems return additional information, such as the user's full name, address, and telephone number. Of course, the user must first enter this information into the system. Many e-mail programs now have a finger utility built into them.


Fingerprinting: Sending strange packets to a system in order to gauge how it responds to determine the operating system.


Firewall: system designed to screen incoming and outgoing network traffic.


Flooding: An attack that attempts to cause a failure in (especially, in the security of) a computer system or other data processing entity by providing more input than the entity can process properly.


Forest: A set of Active Directory domains that replicate their databases with each other.


Fork Bomb: A Fork Bomb works by using the fork() call to create a new process which is a copy of the original. By doing this repeatedly, all available processes on the machine can be taken up.


Form-Based Authentication: Uses forms on a webpage to ask a user to input username and password information.


Forward Lookup: uses an Internet domain name to find an IP address


Forward Proxy: Forward Proxies are designed to be the server through which all requests are made.


Fragment Offset: Tells the sender where a particular fragment falls in relation to other fragments in the original larger packet.


Fragment Overlap Attack: A TCP/IP Fragmentation Attack that is possible because IP allows packets to be broken down into fragments for more efficient transport across various media. The TCP packet (and its header) are carried in the IP packet. In this attack the second fragment contains incorrect offset. When packet is reconstructed, the port number will be overwritten.


Fragmentation: The process of storing a data file in several "chunks" or fragments rather than in a single contiguous sequence of bits in one place on the storage medium.


Frames: Data that is transmitted between network points as a unit complete with addressing and necessary protocol control information. A frame is usually transmitted serial bit by bit and contains a header field and a trailer field that "frame" the data. (Some control frames contain no data.)


Full Duplex: A type of duplex communications channel which carries data in both directions at once. Refers to the transmission of data in two directions simultaneously. Communications in which both sender and receiver can send at the same time.


Fully-Qualified Domain Name: a server name with a hostname followed by the full domain name.


Fuzzing: The use of special regression testing tools to generate out-of-spec input for an application in order to find security vulnerabilities. Also see "regression testing".



Gateway: A network point that acts as an entrance to another network.


Gethostbyaddr: The gethostbyaddr DNS query is when the address of a machine is known and the name is needed.


Gethostbyname: The gethostbyname DNS quest is when the name of a machine is known and the address is needed.


GNU: GNU is a Unix-like operating system that comes with source code that can be copied, modified, and redistributed. The GNU project was started in 1983 by Richard Stallman and others, who formed the Free Software Foundation.


GNU Privacy Guard (GPG): The free version of PGP


Gnutella: An Internet file sharing utility. Gnutella acts as a server for sharing files while simultaneously acting as a client that searches for and downloads files from other users.



Hacker: An unauthorized user who attempts to or gains access to an information system.


Hardening: The process of identifying and fixing vulnerabilities on a system.


Hardware Security Module (HSM): a physical computing device that safeguards and manages digital keys for strong authentication.


Hash Function: An algorithm that computes a value based on a data object thereby mapping the data object to a smaller data object.


Hash Value: A numeric value resulting from applying a mathematical algorithm against a set of data such as a file.


Hashing: A process of applying a mathematical algorithm against a set of data to produce a numeric value (a 'hash value') that represents the data.

Header: the extra information in a packet that is needed for the protocol stack to process the packet.


Health Information Technology (HIT): the management of ePHI and its secure exchange between covered entities, business associates, and patients.


Health Information Technology for Economic and Clinical Health (HITECH Act): A 2009 legislative act that, among other things, implements a series of fines to enforce HIPAA compliance and requires business associates to adhere to the same level of HIPAA compliance as covered entities.


Health Insurance Portability and Accountability Act (HIPAA): a federal mandate that, among other things, requires organizations to keep patient data secure through a myriad of privacy and security procedures, policies, and actions.


Hijack Attack: A form of active wiretapping in which the attacker seizes control of a previously established communication association.


Honey pot: Programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts to those ports including the attacker's keystrokes. This could give you advanced warning of a more concerted attack.


Honey Client/ Honeymonkey: Automated system simulating a user browsing websites. The system is typically configured to detect web sites which exploit vulnerabilities in the browser. Also known as Honey Client.


Hops: A hop is each exchange with a gateway a packet takes on its way to the destination.


Host: Any computer that has full two-way access to other computers on the Internet. Or a computer with a web server that serves the pages for one or more Web sites.


Host-Based ID: Host-based intrusion detection systems use information from the operating system audit records to watch all operations occurring on the host that the intrusion detection software has been installed upon. These operations are then compared with a pre-defined security policy. This analysis of the audit trail imposes potentially significant overhead requirements on the system because of the increased amount of processing power which must be utilized by the intrusion detection system. Depending on the size of the audit trail and the processing ability of the system, the review of audit data could result in the loss of a real-time analysis capability.


HTTP Proxy: A server that acts as a middleman in the communication between HTTP clients and servers.


Hypertext Transfer Protocol Over Secure Socket Layer (HTTPS): A secured method of communication between servers and browsers.


Hub: A hub is a network device that operates by repeating data that it receives on one port to all the other ports. As a result, data transmitted by one host is retransmitted to all other hosts on the hub.


Hybrid Attack: Builds on the dictionary attack method by adding numerals and symbols to dictionary words.


Hybrid Encryption: An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption.


Hyperlink: In hypertext or hypermedia, an information object (such as a word, a phrase, or an image; usually highlighted by color or underscoring) that points (indicates how to connect) to related information that is located elsewhere and can be retrieved by activating the link.


Hypertext Markup Language (HTML): The set of markup symbols or codes inserted in a file intended for display on a World Wide Web browser page.


Hypertext Transfer Protocol (HTTP): A method of communication between servers and browsers. (See: HTTPS)


Hazard: A natural or man-made source or cause of harm or difficulty.


ICT Supply Chain Threat:
A man-made threat achieved through exploitation of the information and communications technology (ICT) system’s supply chain, including acquisition processes.


Identity: Whom someone or what something is, for example, the name by which something is known.


Identity and Access Management: The methods and processes used to manage subjects and their authentication and authorizations to access specific objects.


Incident: An occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.


Incident Handling: an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. It is a six step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.


Incident Management: The management and coordination of activities associated with an actual or potential occurrence of an event that may result in adverse consequences to information or information systems.


Incident Response: The activities that address the short-term, direct effects of an incident and may also support short-term recovery.


Incident Response Plan (IRP): policies and procedures to effectively limit the effects of security breach.


Incremental Backups: only backup the files that have been modified since the last backup. If dump levels are used, incremental backups only backup files changed since last backup of a lower dump level.


Indicator: An occurrence or sign that an incident may have occurred or may be in progress.


Individually Identifiable Health Information (IIHI): (see PHI)


Industrial Control System: An information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets.


Inetd (Xinetd): an application that controls smaller internet services like telnet, ftp, and POP.


Inference Attack: rely on the user to make logical connections between seemingly unrelated pieces of information.


Information and Communication(s) technology: Any information technology, equipment, or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information.


Information Assurance: The measures that protect and defend information and information systems by ensuring their availability, integrity, and confidentiality.


Information Assurance Compliance: In the NICE Framework, cybersecurity work where a person: Oversees, evaluates, and supports the documentation, validation, and accreditation processes necessary to assure that new IT systems meet the organization's information assurance and security requirements; ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.


Information Security Policy: An aggregate of directives, regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information.


Information Sharing: An exchange of data, information, and/or knowledge to manage risks or respond to incidents.


Information System Resilience: The ability of an information system to: (1) continue to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (2) recover effectively in a timely manner.


Information Systems Security Operations: In the NICE Framework, cybersecurity work where a person: Oversees the information assurance program of an information system in or outside the network environment; may include procurement duties (e.g., Information Systems Security Officer).


Information Technology (IT): anything relating to networks, computers, and programming, and the people that work with those technologies.


Information Warfare: the competition between offensive and defensive players over information resources.


Ingress Filtering: filtering inbound traffic.


Input Validation Attacks: Where an attacker intentionally sends unusual input in the hopes of confusing an application.


Inside(r) Threat: A person or group of persons within an organization who pose a potential risk through violating security policies.


Integrated Risk Management: The structured approach that enables an enterprise or organization to share risk information and risk analysis and to synchronize independent yet complementary risk management strategies to unify efforts across the enterprise.


Integrity: The property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner.


Integrity Star Property: a user cannot read data of a lower integrity level then their own.


Internet: A term to describe connecting multiple separate networks together.


Internet Control Message Protocol (ICMP): An Internet Standard protocol that is used to report error conditions during IP datagram processing and to exchange other information concerning the state of the IP network.


Internet Engineering Task Force (IETF): The body that defines standard Internet operating protocols such as TCP/IP. The IETF is supervised by the Internet Society Internet Architecture Board (IAB). IETF members are drawn from the Internet Society's individual and organization membership.


Internet Message Access Protocol (IMAP): a communication protocol used to access email from your mail server.


Internet Protocol (IP): defines how computers send packets of data to each other.


Internet Protocol Security (IPsec): A developing standard for security at the network or packet processing layer of network communication.


Internet Standard: A specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet.


Interoperability: The ability of two or more systems or components to exchange information and to use the information that has been exchanged.


International Organization for Standardization (ISO): International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations.


International Telecommunications Union, Telecommunication Standardization Sector (ITU-T): International Telecommunications Union, Telecommunication Standardization Sector (formerly "CCITT"), a United Nations treaty organization that is composed mainly of postal, telephone, and telegraph authorities of the member countries and that publishes standards called "Recommendations."


Interrupt: a signal that informs the OS that something has occurred.


Intranet: A computer network, especially one based on Internet technology, that an organization uses for its own internal, and usually private, purposes and that is closed to outsiders.


Intrusion: An unauthorized act of bypassing the security mechanisms of a network or information system.


Intrusion Detection System/ Intrusion Prevention System (IDS/IPS): A monitoring system to monitor network security appliances and report malicious activity.


Investigate: A NICE Framework category consisting of specialty areas responsible for the investigation of cyber events and/or crimes of IT systems, networks, and digital evidence


IP Address: A computer's inter-network address that is assigned for use by the Internet Protocol and other protocols. An IP version 4 address is written as a series of four 8-bit numbers separated by periods.


IP Flood: A denial of service attack that sends a host more echo request ("ping") packets than the protocol implementation can handle.


IP Forwarding: An Operating System option that allows a host to act as a router. A system that has more than 1 network interface card must have IP forwarding turned on in order for the system to be able to act as a router.


IP Spoofing: The technique of supplying a false IP address.


Issue-Specific Policy: An Issue-Specific Policy is intended to address specific needs within an organization, such as a password policy.


Information Technology (IT): Anything relating to networks, computers, and programming, including the people that work with those technologies.


IT Asset: A piece of software or hardware within an information technology environment.


IT Ecosystem: An organization’s IT ecosystem is the network of services, providers and other organizations connected to the organization that create and deliver information technology products and services. This ecosystem includes entities that are connected to but not controlled directly by the organization, such as a third-party vendor, an independent subsidiary or a company added via merger or acquisition. Cloud computing resources used by the organization are also part of its IT ecosystem. All of the assets associated with all of the IT ecosystem entities define the organization’s attack surface.


Investigation: A systematic and formal inquiry into a qualified threat or incident using digital forensics and perhaps other traditional criminal inquiry techniques to determine the events that transpired and to collect evidence.



Jitter: Jitter or Noise is the modification of fields in a database while preserving the aggregate characteristics that make the database useful in the first place.

Jump Bag: A container that has all the items necessary to respond to an incident inside to help mitigate the effects of delayed reactions.



Kali Linux: Kali Linux is an open-source, specialized Linux platform developed and supported by Offensive Security and used for security research, penetration testing and security forensics. The platform packages a number of tools and utilities for security professionals and features popular apps such as Nmap, metasploit, OWASP Zap, Wireshark and others.


Kerberos: A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement ticket-based, peer entity authentication service and access control service distributed in a client-server network environment.


Kernel: The essential center of a computer operating system, the core that provides basic services for all other parts of the operating system. A synonym is nucleus. A kernel can be contrasted with a shell, the outermost part of an operating system that interacts with user commands. Kernel and shell are terms used more frequently in Unix and some other operating systems than in IBM mainframe systems.


Key: The numerical value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.


Key Pair: A public key and its corresponding private key.


Key Resource: A publicly or privately controlled asset necessary to sustain continuity of government and/or economic operations, or an asset that is of great historical significance.


Keylogger: Software or hardware that tracks keystrokes and keyboard events, usually surreptitiously / secretly, to monitor actions by the user of an information system.

Knowledge Management: In the NICE Framework, cybersecurity work where a person: Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content.



Lattice Techniques: Use security designations to determine access to information.


Layer 2 Forwarding Protocol (L2F): An Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user.


Layer 2 Tunneling Protocol (L2TP): An extension of the Point-to-Point Tunneling Protocol used by an Internet service provider to enable the operation of a virtual private network over the Internet.


Least Privilege: The principle of allowing users or applications the least amount of permissions necessary to perform their intended function.


Legal Advice and Advocacy: In the NICE Framework, cybersecurity work where a person: Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain; advocates legal and policy changes and makes a case on behalf of client via a wide range of written and oral work products, including legal briefs and proceedings.


Legion: Software to detect unprotected shares.


Lightweight Directory Access Protocol (LDAP): A software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate Intranet.


Link State: With link state, routes maintain information about all routers and router-to-router links within a geographic area, and creates a table of best routes with that information.


List Based Access Control: Associates a list of users and their privileges with each object.


Loadable Kernel Modules (LKM): allow for the adding of additional functionality directly into the kernel while the system is running.


Log Clipping: The selective removal of log entries from a system log to hide a compromise.


Logical Partition (LPAR): Partitioning a computer’s resources, processors, memory, and storage into a smaller unit, normally a term associated with mainframe computers.


Logic Bombs: Programs or snippets of code that execute when a certain predefined event occurs. Logic bombs may also be set to go off on a certain date or when a specified set of circumstances occurs.


Logic Gate: An elementary building block of a digital circuit. Most logic gates have two inputs and one output. As digital circuits can only understand binary, inputs and outputs can assume only one of two states, 0 or 1.

Loopback Address: A pseudo IP address that always refers back to the local host and are never sent out onto a network.



MAC Address: A physical address; a numeric value that uniquely identifies that network device from every other device on the planet.


Machine Learning and Evolution: A field concerned with designing and developing artificial intelligence algorithms for automated knowledge discovery and innovation by information systems.


Macro Virus: A type of malicious code that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute, replicate, and spread or propagate itself.


Malicious Applet: A small application program that is automatically downloaded and executed and that performs an unauthorized function on an information system.


Malicious Code: Program code intended to perform an unauthorized function or process that will have adverse impact on the confidentiality, integrity, or availability of an information system.


Malicious Logic: Hardware, firmware, or software that is intentionally included or inserted in a system to perform an unauthorized function or process that will have adverse impact on the confidentiality, integrity, or availability of an information system.


Maltego: Maltego is an open-source intelligence (OSINT) tool for gathering and connecting data on the internet and illustrating relationships and links between things on a node-based graph. The platform offers a graphical user interface (GUI) that allows security professionals to mine data and helps IT and security teams build a picture of threats, their complexity and severity.


Malware: Software that compromises the operation of a system by performing an unauthorized function or process.


Mandatory Access Control (MAC): Where the system controls access to resources based on classification levels assigned to both the objects and the users. These controls cannot be changed by anyone.


Masquerade Attack: A type of attack in which one system entity illegitimately poses as (assumes the identity of) another entity.


Md5: A one way cryptographic hash function. Also see "hash functions" and "sha1"


Measures of Effectiveness (MOE): A probability model based on engineering concepts that allows one to approximate the impact a give action will have on an environment. In Information warfare it is the ability to attack or defend within an Internet environment.


Meaningful Use (MU): A requirement that states providers sharing patient data with other healthcare professionals must do so in a way that can be measured.


Message Authentication Code (MAC): Information used to authenticate a message to ensure its authenticity.


Mitigation: The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.


Mitre ATT&CK: MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated, globally accessible knowledgebase of adversary tactics and techniques based on real-world observations. The framework represents the various phases of an attack lifecycle, as well as the platforms targeted. While the majority of the ATT&CK framework is geared towards providing insight into detecting attackers in real time during an attack, its Reconnaissance and Resource Development tactics (previously known as Pre-ATT&CK) are focused on an attacker's pre-attack preparation. 


Mitre Pre-ATT&CK: MITRE PRE-ATT&CK was a framework of tactics and techniques to help uncover the many pre-compromise behaviors attackers perform. It was deprecated and removed by MITRE in late 2020 and has since been rolled into the Enterprise matrix under Reconnaissance and the Resource Development categories. Those techniques can also be found under the MITRE Enterprise > PRE matrix, and the primary Enterprise matrix also lists Initial Access techniques as well as additional technique categories that follow an attack to execution.  


Monoculture: The case where a large number of users run the same software, and are vulnerable to the same attacks.


Morris Worm: A worm program written by Robert T. Morris, Jr. that flooded the ARPANET in November, 1988, causing problems for thousands of hosts.


Moving Target Defense: The presentation of a dynamic attack surface, increasing an adversary's work factor necessary to probe, attack, or maintain presence in a cyber target.


Multi-Cast: Broadcasting from one host to a given set of hosts.


Multi-Factor Authentication (MFA): Two out of three independent methods of authentication are required to verify a computer or network user. The three possible factors are: 

  • Something you know (e.g., a username and password) 

  • Something you have (e.g., an RSA token or cell phone which gives you a new code for each login) 

  • Something you are (e.g., fingerprint or iris scan)


Multi-Homed: You are "multi-homed" if your network is directly connected to two or more ISP's.

Multiplexing: To combine multiple signals from possibly disparate sources, in order to transmit them over a single path.



NAT: Network Address Translation. It is used to share one or a small number of publicly routable IP addresses among a larger number of hosts. The hosts are assigned private IP addresses, which are then "translated" into one of the publicly routed IP addresses. Typically home or small business networks use NAT to share a single DLS or Cable modem IP address. However, in some cases NAT is used for servers as an additional layer of protection.


National Institute of Standards and Technology (NIST): federal agency that measures standards and maintains the NVD.


National Vulnerability Database (NVD): a repository of all known vulnerabilities, maintained by NIST.


Natural Disaster: Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component.


Netmask: 32-bit number indicating the range of IP addresses residing on a single IP network/subnet/supernet. This specification displays network masks as hexadecimal numbers. For example, the network mask for a class C IP network is displayed as 0xffffff00. Such a mask is often displayed elsewhere in the literature as


Network Address Translation: The translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside.


Network Access Control (NAC): Restricts data that users, apps, and programs can access on a computer network.


Network Mapping: To compile an electronic inventory of the systems and the services on your network.


Network Taps: Hardware devices that hook directly onto the network cable and send a copy of the traffic that passes through it to one or more other networked devices.


Network Based IDS: A network-based IDS system monitors the traffic on its network segment as a data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments, and traffic on other means of communication (like phone lines) can't be monitored. 


Network Resilience: The ability of a network to: (1) provide continuous operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged); (2) recover effectively if failure does occur; and (3) scale to meet rapid or unpredictable demands.


Network Services: In the NICE Framework, cybersecurity work where a person: Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (e.g., hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems.


NIST Cybersecurity Framework: The NIST Framework for Improving Critical Infrastructure Cybersecurity (or “The Framework” for short) consists of standards, guidelines, and practices to promote the protection of critical infrastructure. 


Non-Printable Character: A character that doesn't have a corresponding character letter to its corresponding ASCII code. Examples would be the Linefeed, which is ASCII character code 10 decimal, the Carriage Return, which is 13 decimal, or the bell sound, which is decimal 7. On a PC, you can often add non-printable characters by holding down the Alt key, and typing in the decimal value (i.e., Alt-007 gets you a bell). There are other character encoding schemes, but ASCII is the most prevalent.


Non-Repudiation: The ability for a system to prove that a specific user and only that specific user sent a message and that it hasn't been modified.


Notice of Privacy Practices (NPP or NoPP): The required document or notice that provides a clear explanation of patient rights and covered entity practices concerning a patient’s PHI.

Null Session: Known as Anonymous Logon, it is a way of letting an anonymous user retrieve information such as user names and shares over the network or connect without authentication. It is used by applications such as explorer.exe to enumerate shares on remote servers.



Object: A passive information system-related entity containing or receiving information.


Octet: A sequence of eight bits. An octet is an eight-bit byte.


Offensive Security: Offensive security is a proactive approach that involves testing an organization’s security posture from the viewpoint of an adversary. The intent of offensive security is to validate that an organization’s security performs as intended. It can include activities such as ethical hacking and penetration testing to identify and remediate risks that a malicious party could exploit. By employing offensive security methods, security teams can act like attackers to help the organization uncover and eliminate paths of least resistance before attackers can exploit gaps.


Office for Civil Rights (OCR): the federal organization responsible for enforcing HIPAA compliance.


Office of the National Coordinator for Health Information Technology (ONC): The federal organization charged with coordination of nationwide efforts to implement and use advanced health information technology.


One-Way Encryption: Irreversible transformation of plaintext to cipher text, such that the plaintext cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known.


One-Way Function: A (mathematical) function, f, which is easy to compute the output based on a given input. However given only the output value it is impossible (except for a brute force attack) to figure out what the input value is.


Open Shortest Path First (OSPF): Open Shortest Path First is a link state routing algorithm used in interior gateway routing. Routers maintain a database of all routers in the autonomous system with links between the routers, link costs, and link states (up and down).


Open-Source Intelligence (OSINT): Open-Source Intelligence (OSINT) refers to the collection and analysis of any information about an individual or organization that can be legally gathered from free, public sources. 


Open-Web Application Security Project (OWASP): A non-profit organization focused on software security improvement, often heard in the context of “OWASP Top 10”–a list of top threatening vulnerabilities.


Open Systems Interconnection (OSI): OSI (Open Systems Interconnection) is a standard description or "reference model" for how messages should be transmitted between any two points in a telecommunication network. Its purpose is to guide product implementers so that their products will consistently work with other products. 


Operate & Maintain: A NICE Framework category consisting of specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.


Operational Exercise: An action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.


Operations Technology: The hardware and software systems used to operate industrial control devices.


Outside(r) Threat: A person or group of persons external to an organization who are not authorized to access its assets and pose a potential risk to the organization and its assets.


Overload: Hindrance of system operation by placing excess burden on the performance capabilities of a system component.


Oversight and Development: A NICE Framework category consisting of specialty areas providing leadership, management, direction, and/or development and advocacy so that all individuals and the organization may effectively conduct cybersecurity work.



Packet: A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.


Packet Switched Network: A packet switched network is where individual packets each follow their own paths through the network from one endpoint to another.


Partitions: Major divisions of the total physical hard disk space.


Passive Attack: An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations.


Password: A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.


Password Authentication Protocol (PAP): A simple, weak authentication mechanism where a user enters the password and it is then sent across the network, usually in the clear.


Password Cracking: The process of attempting to guess passwords, given the password file information.


Password Sniffing: Passive wiretapping, usually on a local area network, to gain knowledge of passwords.


Patch: A small update released by a software manufacturer to fix bugs in existing programs.


Patching: The process of updating software to a different version.


Path of Least Resistance: The path of least resistance in cybersecurity is an attacker’s easiest route to reaching a target asset. When an attacker is considering an attack, they will typically look for the easiest way to succeed such as externally-exposed systems and assets that are mostly overlooked by organizations.


Payload: The actual application data a packet contains.


Payment Application Data Security Standard (PA DSS): Validation standard for software applications that store, process, or transmit cardholder data.


Payment Application Qualified Security Assessor (PA QSA): Individual or organization qualified by the PCI SSC to conduct PA DSS audits.


Payment Card Industry Security Standards Council (PCI SSC): Established in 2006 by Visa, MasterCard, American Express, Discover Financial Services, and JCB International to regulate cardholder data security.


Payment Card Industry Data Security Standard (PCI DSS): Requirements put together by the PCI SSC, required of all businesses that process, store, or transmit payment card data, to prevent cardholder data theft.


Pen Test: A colloquial term for penetration test or penetration testing.


Penetration: Gaining unauthorized logical access to sensitive data by circumventing a system's protections.


Penetration Testing: An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system.


Permutation: Keeps the same letters but changes the position within a text to scramble the message.


Personal Firewalls: Firewalls that are installed and run on individual PCs.


Personal Identifying Information (PII): The information that permits the identity of an individual to be directly or indirectly inferred.


Pharming: This is a more sophisticated form of MITM attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website’s IP. 

Phishing: The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site looks like they are part of a bank the user is doing business with.


Ping of Death: An attack that sends an improperly large ICMP echo request packet (a "ping") with the intent of overflowing the input buffers of the destination machine and causing it to crash.


Ping Scan: A ping scan looks for machines that are responding to ICMP Echo Requests.


Ping Sweep: An attack that sends ICMP echo requests ("pings") to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities.


Plaintext: Ordinary readable text before being encrypted into ciphertext or after being decrypted.


Point-to-Point Encryption (P2PE): credit/debit card data encryption from the point of interaction to a merchant solution provider.


Point-to-Point Protocol (PPP): A protocol (set of communication rules) that allows corporations to extend their own corporate network through private "tunnels" over the public Internet.


Poison Reverse: Split horizon with poisoned reverse (more simply, poison reverse) does include such routes in updates, but sets their metrics to infinity. In effect, advertising the fact that there routes are not reachable.


Policies and Procedures (P&P): In HIPAA compliance, guidelines and principles adopted by an entity with respect to the security of PHI.


Polyinstantiation: The ability of a database to maintain multiple records with the same key. It is used to prevent inference attacks.


Polymorphism: The process by which malicious software changes its underlying code to avoid detection.


Port: A port is nothing more than an integer that uniquely identifies an endpoint of a communication stream. Only one process per machine can listen on the same port number.


Port Scan: A series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides. Port scanning, a favorite approach of computer cracker, gives the assailant an idea where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. 


Possession: The holding, control, and ability to use information.


Post Office Protocol, Version 3 (POP3): An Internet Standard protocol by which a client workstation can dynamically access a mailbox on a server host to retrieve mail messages that the server has received and is holding for the client.


Practical Extraction and Reporting Language (Perl): A script programming language that is similar in syntax to the C language and that includes a number of popular Unix facilities such as sed, awk, and tr.


Preamble: A preamble is a signal used in network communications to synchronize the transmission timing between two or more systems. Proper timing ensures that all systems are interpreting the start of the information transfer correctly. A preamble defines a specific series of transmission pulses that is understood by communicating systems to mean "someone is about to transmit data". This ensures that systems receiving the information correctly interpret when the data transmission starts. The actual pulses used as a preamble vary depending on the network communication technology in use.


Precursor: An observable occurrence or sign that an attacker may be preparing to cause an incident.


Preparedness: The activities to build, sustain, and improve readiness capabilities to prevent, protect against, respond to, and recover from natural or manmade incidents.


Pretty Good Privacy (PGP)™: data encryption computer program that provides privacy for encrypting emails, files, directories, and disks.


Primary Account Number (PAN): The 12 to 19 digits that identify a payment card. Also called a bank card number or payment card number.


Privacy: The assurance that the confidentiality of, and access to, certain information about an entity is protected.


Private Addressing: IANA has set aside three address ranges for use by private or non-Internet connected networks. 


Private Key: A cryptographic key that must be kept confidential and is used to enable the operation of an asymmetric (public key) cryptographic algorithm.


Proactive Security: A proactive security approach is the practice of taking measures to predict and prevent a breach before it ever happens. Proactive security teams fix security gaps before they can be exploited and mitigate their highest risks to stay ahead of potential attackers. 


Program Infector: A piece of malware that attaches itself to existing program files.


Program Policy: A high-level policy that sets the overall tone of an organization's security approach.


Promiscuous Mode: When a machine reads all packets off the network, regardless of who they are addressed to. This is used by network administrators to diagnose network problems, but also by unsavory characters who are trying to eavesdrop on network traffic (which might contain passwords or other information).


Proprietary Information: Information unique to a company and its ability to compete, such as customer lists, technical data, product costs, and trade secrets.


Protected Health Information (PHI): Information that can be linked to a particular person (i.e., past, present, or future health condition or healthcare provision) such as patient name, social security number, and medical history.


Protect & Defend: A NICE Framework category consisting of specialty areas responsible for the identification, analysis, and mitigation of threats to internal IT systems or networks.


Protocol: A formal specification for communicating; an IP address the special set of rules that end points in a telecommunication connection use when they communicate. 


Protocol Stacks (OSI): A set of network protocol layers that work together.


Proxy Server: A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.


Public Key: The publicly-disclosed component of a pair of cryptographic keys used for asymmetric cryptography.


Public Key Cryptography: A branch of cryptography in which a cryptographic system or algorithms use two uniquely linked keys: a public key and a private key (a key pair).


Public Key Encryption: The popular synonym for "asymmetric cryptography".


Public Key Infrastructure (PKI): A PKI (public key infrastructure) enables users of a basically unsecured public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.

Public-Key Forward Secrecy (PFS): For a key agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future.



QAZ: A network worm.


Qualified Integrator or Reseller (QIR): Third party qualified by the PCI SSC to use security best practices while installing or maintaining payment systems.

Qualified Security Assessor (QSA): The individuals and firms certified by the PCI SSC to perform PCI compliance assessments.



Race Condition: A race condition exploits the small window of time between a security control being applied and when the service is used.


Radiation Monitoring: The process of receiving images, data, or audio from an unprotected source by listening to radiation signals.


Ransomware: A type of malware that is a form of extortion. It works by encrypting a victim's hard drive denying them access to key files. The victim must then pay a ransom to decrypt the files and gain access to them again.


Reconnaissance: The phase of an attack where an attackers finds new systems, maps out networks, and probes for specific, exploitable vulnerabilities.


Recovery: The activities after an incident or event to restore essential services and operations in the short and medium term and fully restore all capabilities in the longer term.


Red, Blue, and Purple Teams: Red, Blue, and Purple Teams consist of security professionals who are integral to maintaining and improving an organization’s security posture. Red Teams are “attackers” who deploy ethical hacking methods such as penetration testing to simulate an attack and improve defenses.


Red Team: A group authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s cybersecurity posture.


Red Team Exercise: An exercise, reflecting real-world conditions, that is conducted as a simulated attempt by an adversary to attack or exploit vulnerabilities in an enterprise's information systems.


Redundancy: Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process.


Reflexive ACLs (Cisco): A step towards making the router act like a stateful firewall. The router will make filtering decisions based on whether connections are a part of established traffic or not.


Registry: The Registry in Windows operating systems in the central set of settings and information required to run the Windows computer.


Regression Analysis: The use of scripted tests which are used to test software for all possible input is should expect. Typically developers will create a set of regression tests that are executed before a new version of a software is released. Also see "fuzzing."


Report on Compliance (ROC): A report documenting a company’s results from their PCI assessment, usually written by a QSA.


Report on Validation (ROV): A report on a company’s security that must be submitted to the PCI SSC.


Request for Comment (RFC): A series of notes about the Internet, started in 1969 (when the Internet was the ARPANET). An Internet Document can be submitted to the IETF by anyone, but the IETF decides if the document becomes an RFC. Eventually, if it gains enough interest, it may evolve into an Internet standard.


Resilience: The ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.


Resource Exhaustion: Resource exhaustion attacks involve tying up finite resources on a system, making them unavailable to others.


Response: Information sent that is responding to some stimulus.


Response Plan: Synonym(s): incident response plan

Reverse Address Resolution Protocol (RARP): (Reverse Address Resolution Protocol) is a protocol by which a physical machine in a local area network can request to learn its IP address from a gateway server's Address Resolution Protocol table or cache. 


Reverse Engineering: Acquiring sensitive data by disassembling and analyzing the design of a system component.


Reverse Lookup: Find out the hostname that corresponds to a particular IP address. Reverse lookup uses an IP (Internet Protocol) address to find a domain name.


Reverse Proxy: Reverse proxies take public HTTP requests and pass them to back-end web servers to send the content to it, so the proxy can then send the content to the end-user.


Risk: The likelihood a threat will trigger or exploit a vulnerability and the resulting impact on an organization.


Risk Analysis: an assessment of the potential vulnerabilities, threats, and possible risk to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate.


Risk Assessment: The product or process which collects information and assigns values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making.


Risk Averse: Avoiding risk even if this leads to the loss of opportunity. For example, using a (more expensive) phone call vs. sending an e-mail in order to avoid risks associated with e-mail may be considered "Risk Averse"


Risk Management Plan (RMP): The strategy to implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.


Risk-Based Data Management: A structured approach to managing risks to data and information by which an organization selects and applies appropriate security controls in compliance with policy and commensurate with the sensitivity and value of the data.


Risk-Based Vulnerability Management: A process that emphasizes prioritizing the most severe security vulnerabilities and remediating according to the risk that they pose to the organization. This approach is being more widely adopted as organizations realize they have far more vulnerabilities than they can remediate, and they need a way to prioritize which to fix first.


Rivest-Shamir-Adleman (RSA): An algorithm for asymmetric cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.


Role Based Access Control (RBAC): The act of restricting users’ access to systems based on their role within the organization.


Root: The name of the administrator account in Unix systems.


Rootkit: A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network.


Router: Routers interconnect logical networks by forwarding information to other networks based upon IP addresses.


Routing Information Protocol (RIP): A distance vector protocol used for interior gateway routing which uses hop count as the sole metric of a path's cost.


Routing Loop: Where two or more poorly configured routers repeatedly exchange the same packet over and over.


RPC Scans: Determine which RPC services are running on a machine.


Rule Set Based Access Control (RSBAC): Targets actions based on rules for entities operating on objects.




S/Key: A security mechanism that uses a cryptographic hash function to generate a sequence of 64-bit, one-time passwords for remote user login. The client generates a one-time password by applying the MD4 cryptographic hash function multiple times to the user's secret key. For each successive authentication of the user, the number of hash applications is reduced by one.


Safety: The need to ensure that the people involved with the company, including employees, customers, and visitors, are protected from harm.


Scavenging: Searching through data residue in a system to gain unauthorized knowledge of sensitive data.


Secret Key: A cryptographic key that is used for both encryption and decryption, enabling the operation of a symmetric key cryptography scheme.


Secure Electronic Transactions (SET): A protocol developed for credit card transactions in which all parties (customers, merchant, and bank) are authenticated using digital signatures, encryption protects the message and provides integrity, and provides end-to-end security for credit card transactions online.


Secure File Transfer Protocol (SFTP): A secure way to encrypt data in transit.


Securely Provision: A NICE Framework category consisting of specialty areas concerned with conceptualizing, designing, and building secure IT systems, with responsibility for some aspect of the systems' development.


Secure Shell (SSH): A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.


Secure Sockets Layer (SSL): Internet security standard for encrypting the link between a website and a browser to enable the transmission of sensitive information (predecessor to TLS).


Security Automation: The use of information technology in place of manual processes for cyber incident response and management.


Security Program Management: In the NICE Framework, cybersecurity work where a person: Manages information security (e.g., information security) implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security awareness, and other resources (e.g., the role of a Chief Information Security Officer).


Security Policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.


Segment: Another name for TCP packets.


Self-Assessment Questionnaire (SAQ): A collection of questions used to document an entity’s PCI DSS assessment results, based on their processing environment.


Sensitive Information: As defined by the federal government, is any unclassified information that, if compromised, could adversely affect the national interest or conduct of federal initiatives.


Separation of Duties: The principle of splitting privileges among multiple individuals or systems.


Server: A system entity that provides a service in response to requests from other system entities called clients.


Session: A virtual connection between two hosts by which network traffic is passed.


Session Hijacking: Take over a session that someone else has established.


Session Key: In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.


SHA1: A one way cryptographic hash function. Also see "MD5"


Shadow IT: The use of web apps, cloud-services, software, and other IT resources without the knowledge of an organization’s IT or security teams. There may be hundreds or thousands of these resources and services used throughout an enterprise that have been provisioned by lines of business, individuals, or third parties without being vetted or deployed by IT or security teams. The prevalence of this self-service IT introduces new security gaps that could put the organization as well as customer data and systems at-risk.


Shadow Password Files: A system file in which encryption user password are stored so that they aren't available to people who try to break into the system.


Shadow Risk: The risk associated with the unknown assets within an organization’s attack surface. Shadow risk includes the assets and attack vectors that are part of the organization’s IT ecosystem but may be unseen or unmanaged by the organization because the assets are in cloud, partner, subsidiary and abandoned environments. It is a risk that most organizations are blind to, but sophisticated attackers can easily exploit.


Share: A resource made public on a machine, such as a directory (file share) or printer (printer share).


Shell: A Unix term for the interactive user interface with an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter. A shell usually implies an interface with a command syntax (think of the DOS operating system and its "C:>" prompts and user commands such as "dir" and "edit").


Shift Left: In cybersecurity, the phrase “shift left” refers to the process of focusing security practices as early as possible in a given activity or process. “Left” is a reference to the idea that a timeline runs from left to right, with “earlier” to the left, so “shift left” means to start earlier. This is analogous to the principle that “an ounce of prevention is worth a pound of cure,” meaning it’s better to catch problems earlier when they are easier or cheaper to fix, and their impact is lower. For example, for software security testing, it means beginning the process when the code is first being written, or performance tests are being run, rather than waiting until it is deployed into production.


Signals Analysis: Gaining indirect knowledge of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data.


Signature: A distinct pattern in network traffic that can be identified to a specific tool or exploit.


Simple Integrity Property: In Simple Integrity Property a user cannot write data to a higher integrity level than their own.


Simple Network Management Protocol (SNMP): The protocol governing network management and the monitoring of network devices and their functions. A set of protocols for managing complex networks.


Simple Security Protocol: In Simple Security Property a user cannot read data of a higher classification than their own.


Situational Awareness: Comprehending information about the current and developing security posture and risks, based on information gathered, observation and analysis, and knowledge or experience.


Smartcard: An electronic badge that includes a magnetic strip or chip that can record and replay a set key.


Smurf: The Smurf attack works by spoofing the target address and sending a ping to the broadcast address for a remote network, which results in a large amount of ping replies being sent to the target.


Sniffer: A sniffer is a tool that monitors network traffic as it received in a network interface.


Sniffing: A synonym for "passive wiretapping."


Social Engineering: A euphemism for non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to attack information systems.


Socket: The socket tells a host's IP stack where to plug in a data stream so that it connects to the right application.


Socket Pair: A way to uniquely specify a connection, i.e., source IP address, source port, destination IP address, destination port.


SOCKS: A protocol that a proxy server can use to accept requests from client users in a company's network so that it can forward them across the Internet. SOCKS uses sockets to represent and keep track of individual connections. The client side of SOCKS is built into certain Web browsers and the server side can be added to a proxy server.


Software: Computer programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution.


Software Assurance: The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner.


Software Assurance and Security Engineering: In the NICE Framework, cybersecurity work where a person: Develops and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs following software assurance best practices.


Source Port: The port that a host uses to connect to a server. It is usually a number greater than or equal to 1024. It is randomly generated and is different each time a connection is made.


Spam: Electronic junk mail or junk newsgroup postings.


Spanning Port: Configures the switch to behave like a hub for a specific port.


Spillage: Synonym(s): data spill, data breach


Split Horizon: An algorithm for avoiding problems caused by including routes in updates sent to the gateway from which they were learned.


Split Key: A cryptographic key that is divided into two or more separate data items that individually convey no knowledge of the whole key that results from combining the items.


Spoofing: Faking the sending address of a transmission to gain illegal [unauthorized] entry into a secure system.


Spyware: Software that is secretly or surreptitiously installed into an information system without the knowledge of the system user or owner.


SQL Injection: A type of input validation attack specific to database-driven applications where SQL code is inserted into application queries to manipulate the database.


Stack Mashing: The technique of using a buffer overflow to trick a computer into executing arbitrary code.


Standard ACLs (Cisco): Standard ACLs on Cisco routers make packet filtering decisions based on Source IP address only.


Star Property: In Star Property, a user cannot write data to a lower classification level without logging in at that lower classification level.


State Machine: A system that moves through a series of progressive conditions.


Stateful Inspection: Also referred to as dynamic packet filtering. Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection examines not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination.


Static Host Tables: Text files that contain hostname and address mapping.


Static Routing: Static routing means that routing table entries contain information that does not change.


Stealthing: A term that refers to approaches used by malicious code to conceal its presence on the infected system.


Steganalysis: The process of detecting and defeating the use of steganography.


Steganography: Methods of hiding the existence of a message or other data. This is different than cryptography, which hides the meaning of a message but does not hide the message itself. An example of a steganographic method is "invisible" ink.


Stimulus: Is network traffic that initiates a connection or solicits a response.


Store-and-Forward: A method of switching where the entire packet is read by a switch to determine if it is intact before forwarding it.


Straight-Through Cable: Where the pins on one side of the connector are wired to the same pins on the other end. It is used for interconnecting nodes on the network.


Strategic Planning and Policy Development: In the NICE Framework, cybersecurity work where a person: Applies knowledge of priorities to define an entity.


Stream Cipher: A stream cipher works by encryption a message a single bit, byte, or computer word at a time.


Strong Star Property: A user cannot write data to higher or lower classifications levels than their own.


Subject: An individual, process, or device causing information to flow among objects or a change to the system state.


Sub Network: A separately identifiable part of a larger network that typically represents a certain limited number of host computers, the hosts in a building or geographic area, or the hosts on an individual local area network.


Subnet Mask: A subnet mask (or number) is used to determine the number of bits used for the subnet and host portions of the address. The mask is a 32-bit value that uses one-bits for the network and subnet portions and zero-bits for the host portion.


Supervisory Control and Data Acquisition: A generic name for a computerized system that is capable of gathering and processing data and applying operational controls to geographically dispersed assets over long distances.


Supply Chain Risk Management: Supply chain risk can be thought of as a specific type of third-party risk, where the risk stems from the fact that vendors and partners in an organization’s supply chain increase its attack surface yet the organization may not have sufficient visibility or awareness of the suppliers’ security posture.


The process of identifying, analyzing, and assessing supply chain risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.


Switch: A networking device that keeps track of MAC addresses attached to each of its ports so that data is only transmitted on the ports that are the intended recipient of the data.


Switched Network: A communications network, such as the public switched telephone network, in which any user may be connected to any other user through the use of message, circuit, or packet switching and control devices. Any network providing switched communications service.


Symbolic Links: Special files which point at another file.


Symmetric Cryptography: A branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification). Symmetric cryptography is sometimes called "secret-key cryptography" (versus public-key cryptography) because the entities that share the key.


Symmetric Key: A cryptographic key that is used in a symmetric cryptographic algorithm.


SYN Flood: A denial of service attack that sends a host more TCP SYN packets (request to synchronize sequence numbers, used when opening a connection) than the protocol implementation can handle.


Synchronization: Synchronization is the signal made up of a distinctive pattern of bits that network hardware looks for to signal that start of a frame.


Syslog: The system logging facility for Unix systems.


System Administration: cybersecurity work where a person: Installs, configures, troubleshoots, and maintains server configurations (hardware and software) to ensure their confidentiality, integrity, and availability; also manages accounts, firewalls, and patches; responsible for access control, passwords, and account creation and administration.


System Integrity: The attribute of an information system when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.


Systems Development: In the NICE Framework, cybersecurity work where a person: Works on the development phases of the systems development lifecycle.


System Requirements Planning: In the NICE Framework, cybersecurity work where a person: Consults with customers to gather and evaluate functional requirements and translates these requirements into technical solutions; provides guidance to customers about applicability of information systems to meet business needs.


Systems Security Analysis: In the NICE Framework, cybersecurity work where a person: Conducts the integration/testing, operations, and maintenance of systems security.


Systems Security Architecture: In the NICE Framework, cybersecurity work where a person: Develops system concepts and works on the capabilities phases of the systems development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into system and security designs and processes.


System Security Officer (SSO): A person responsible for enforcement or administration of the security policy that applies to the system.


System-Specific Policy: A policy written for a specific system or device.



T1, T3: A digital circuit using TDM (Time-Division Multiplexing).


Tabletop Exercise: A discussion-based exercise where personnel meet in a classroom setting or breakout groups and are presented with a scenario to validate the content of plans, procedures, policies, cooperative agreements or other information for managing an incident.


Tailored Trustworthy Space: A cyberspace environment that provides a user with confidence in its security, using automated mechanisms to ascertain security conditions and adjust the level of security based on the user's context and in the face of an evolving range of threats.


Tamper: To deliberately alter a system's logic, data, or control information to cause the system to perform unauthorized functions or services.


Targets: In the NICE Framework, cybersecurity work where a person: Applies current knowledge of one or more regions, countries, non-state entities, and/or technologies.


TCP Fingerprinting: The use of odd packet header combinations to determine a remote operating system.


TCP Full Open Scan: Checks each port by performing a full three-way handshake on each port to determine if it was open.


TCP Half Open Scan: Works by performing the first half of a three-way handshake to determine if a port is open.


TCP Wrapper: A software package which can be used to restrict access to certain network services based on the source of the connection; a simple tool to monitor and control incoming network traffic.


TCP/IP: A synonym for "Internet Protocol Suite;" in which the Transmission Control Protocol and the Internet Protocol are important parts. TCP/IP is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an Intranet or an Extranet).


TCPDump: A freeware protocol analyzer for Unix that can monitor network traffic on a wire.


Technology Research and Development: In the NICE Framework, cybersecurity work where a person: Conducts technology assessment and integration processes; provides and supports a prototype capability and/or evaluates its utility.


TELNET: A TCP-based, application-layer, Internet Standard protocol for remote login from one host to another.


Test and Evaluation: cybersecurity work where a person: Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating information technology.


Third-Party Risk: Refers to the potential security risks to an organization stemming from the use of third-party vendors, including those vendors in the supply chain as well as groups that may not typically perform security investigations such as law firms, building infrastructure maintenance and services, accounting firms, or even catering. Third-party risk is also posed by business partners and subsidiaries as well as the vendors that they work with.


Threat: The potential for a person, event, or action to exploit a specific vulnerability


Threat Actor: An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.


Threat Analysis: The detailed evaluation of the characteristics of individual threats.


Threat Assessment: The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to harm life, information, operations, and/or property.


Threat Model: Is used to describe a given threat and the harm it could to do a system if it has a vulnerability.


Threat Vector: The method a threat uses to get to the target.


Ticket: In access control, data that authenticates the identity of a client or a service and, together with a temporary encryption key (a session key), forms a credential.


Time to Live: A value in an Internet Protocol packet that tells a network router whether or not the packet has been in the network too long and should be discarded.


Tiny Fragment Attack: With many IP implementations it is possible to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter. STD 5, RFC 791 states: Every Internet module must be able to forward a datagram of 68 octets without further fragmentation. This is because an Internet header may be up to 60 octets, and the minimum fragment is 8 octets.


Token Ring: A local area network in which all computers are connected in a ring or star topology and a binary digit or token-passing scheme is used in order to prevent the collision of data between two computers that want to send messages at the same time.


Token-Based Access Control: Associates a list of objects and their privileges with each user. (The opposite of list based.)


Token-Based Devices: Is triggered by the time of day, so every minute the password changes, requiring the user to have the token with them when they log in.


Topology: The geometric arrangement of a computer system. Common topologies include a bus, star, and ring. The specific physical, i.e., real, or logical, i.e., virtual, arrangement of the elements of a network. Note 1: Two networks have the same topology if the connection configuration is the same, although the networks may differ in physical interconnections, distances between nodes, transmission rates, and/or signal types. Note 2: The common types of network topology are illustrated


Traceroute (tracert.exe): A tool the maps the route a packet takes from the local machine to a remote destination.


Traffic Light Protocol: A set of designations employing four colors (RED, AMBER, GREEN, and WHITE) used to ensure that sensitive information is shared with the correct audience.


Transmission Control Protocol (TCP): (see IP)


Transport Layer Security (TLS): (See SSL)


Triple Data Encryption Standard (3DES): a secure encryption standard that encrypts data three times.


Triple-Wrapped: S/MIME usage: data that has been signed with a digital signature, and then encrypted, and then signed again.


Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.


Trunking: C​​onnecting switched together so that they can share VLAN information between them.


Trust: Determines which permissions and what actions other systems or users can perform on remote machines.


Trusted Ports: Ports below number 1024 usually allowed to be opened by the root user.


Tunnel: A communication channel created in a computer network by encapsulating a communication protocol's data packets in (on top of) a second protocol that normally would be carried above, or at the same layer as, the first one. Most often, a tunnel is a logical point-to-point link - i.e., an OSI layer 2 connection - created by encapsulating the layer 2 protocol in a transport protocol (such as TCP), in a network or inter-network layer protocol (such as IP), or in another link layer protocol. Tunneling can move data between computers that use a protocol not supported by the network connecting them.


Two-Factor Authentication: Two out of three independent methods of authentication are required to verify a computer or network user. The three possible factors are:

  • Something you know (such as a username and password)

  • Something you have (such as an RSA token or cell phone which gives you a new code for each login)

  • Something you are (such as fingerprint or iris scan)



UDP Scan: Perform scans to determine which UDP ports are open.


Unauthorized Access: Any access that violates the stated security policy.


Unicast: Broadcasting from host to host.


Uniform Resource Identifier: The generic term for all types of names and addresses that refer to objects on the World Wide Web.


Uniform Resource Locator (URL): The global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part specifies the IP address or the domain name where the resource is located. 


United States Department of Health and Human Services (HHS): The federal organization that created HIPAA.


Unix: A popular multi-user, multitasking operating system developed at Bell Labs in the early 1970s. Created by just a handful of programmers, Unix was designed to be a small, flexible system used exclusively by programmers.


Unknown Unknowns: The phrase “unknown unknowns” was popularized by former United States Secretary of Defense Donald Rumsfeld, and has its origins in psychological research. In the world of cybersecurity, “unknown unknowns” are the risks that the security team doesn’t know about and that they know how to discover or anticipate. Unknown unknowns are typically the most dangerous to an organization because security and IT teams have no awareness that these assets or resources even exist, let alone details about them. Because IT and security teams are unaware of these assets or resources, it is impossible to secure them.


Unprotected Share: In Windows terminology, a "share" is a mechanism that allows a user to connect to file systems and printers on other systems. An "unprotected share" is one that allows anyone to connect to it.


User: A person, organization entity, or automated process that accesses a system, whether authorized to do so or not.


User Contingency Plan: The alternative methods of continuing business operations if IT systems are unavailable.


User Datagram Protocol (UDP): A communications protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It's used primarily for broadcasting messages over a network. UDP uses the Internet Protocol to get a datagram from one computer to another but does not divide a message into packets (datagrams) and reassemble it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in.



Virtual Local Area Network (VLAN): computers, servers and networks on the same LAN, even though they may be geographically dispersed.


Virtual Private Network (VPN): a strategy of connecting remote computers to send and receive data securely over the Internet as if they were directly connected to the private network.


Virus: A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.


Voice Firewall: A physical discontinuity in a voice network that monitors, alerts and controls inbound and outbound voice network activity based on user-defined call admission control (CAC) policies, voice application layer security threats or unauthorized service use violations.


Voice Intrusion Prevention System (IPS): A security management system for voice networks which monitors voice traffic for multiple calling patterns or attack/abuse signatures to proactively detect and prevent toll fraud, Denial of Service, telecom attacks, service abuse, and other anomalous activity.


Vulnerability: A flaw or weakness in procedures, design, implementation, or security control that could result in a security breach.


Vulnerable: A state in which a weakness in a system, environment, software, or website could be exploited by an attacker.


Vulnerability Assessment and Management: In the NICE Framework, cybersecurity work where a person: Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.


Vulnerability Scanners: A tool that inspects applications, systems, networks, and software for potential vulnerabilities and compares details about the assets encountered to a database of information about known security holes in those assets that may involve services and ports, anomalies in packet construction, and potential paths to exploitable programs or scripts.

Vulnerable: A state in which a weakness in a system, environment, software, or website could be exploited by a threat actor.



War Chalking: Marking areas, usually on sidewalks with chalk, that receive wireless signals that can be accessed.


War Dialer: A computer program that automatically dials a series of telephone numbers to find lines connected to computer systems, and catalogs those numbers so that a cracker can try to break into the systems.


War Dialing: A simple means of trying to identify modems in a telephone exchange that may be susceptible to compromise in an attempt to circumvent perimeter security.


War Driving: The process of traveling around looking for wireless access point signals that can be used to get network access.


Weakness: A shortcoming or imperfection in software code, design, architecture, or deployment that, under proper conditions, could become a vulnerability or contribute to the introduction of vulnerabilities.


Web Application Firewall (WAF): An application firewall that monitors, filters, and blocks HTTP traffic to and from a web application.


Web of Trust: The trust that naturally evolves as a user starts to trust other's signatures, and the signatures that they trust.


Web Server: A software process that runs on a host computer connected to the Internet to respond to HTTP requests for documents from client web browsers.


White Team: A group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of information systems.


WHOIS: An IP for finding information about resources on networks.


Wi-Fi Protected Access (WPA): security protocol designed to secure wireless computer networks.


Wi-Fi Protected Access II (WPA2): a more secure version of WPA (see WPA)


Windowing: A windowing system is a system for sharing a computer's graphical display presentation resources among multiple applications at the same time. In a computer that has a graphical user interface (GUI), you may want to use a number of applications at the same time (this is called task). Using a separate window for each application, you can interact with each application and go from one application to another without having to reinitiate it. Having different information or activities in multiple windows may also make it easier for you to do your work. A windowing system uses a window manager to keep track of where each window is located on the display screen and its size and status. A windowing system doesn't just manage the windows but also other forms of graphical user interface entities.


Windump: A freeware tool for Windows that is a protocol analyzer that can monitor network traffic on a wire.


Wired Equivalent Privacy (WEP): an outdated and weak security algorithm for wireless networks.


Wireless Application Protocol: A specification for a set of communication protocols to standardize the way that wireless devices, such as cellular telephones and radio transceivers, can be used for Internet access, including e-mail, the World Wide Web, newsgroups, and Internet Relay Chat.


Wireless Local Area Network (WLAN): network that links to two or more devices wirelessly.


Wiretapping: Monitoring and recording data that is flowing between two points in a communication system.


Work Factor: An estimate of the effort or time needed by a potential adversary, with specified expertise and resources, to overcome a protective measure.


World Wide Web (“the Web”, WWW, W3): The global, hypermedia-based collection of information and services that is available on Internet servers and is accessed by browsers using Hypertext Transfer Protocol and other information retrieval mechanisms.


Worm: A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.



XXS: See Cross site scripting



No current terms.



Zero Day: The "Day Zero" or "Zero Day" is the day a new vulnerability is made known. In some cases, a "zero day" exploit is referred to an exploit for which no patch is available yet. ("day one" - day at which the patch is made available).


Zero-Day Attack: A computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.


Zero Trust: A model for security centered on the belief that organizations should not automatically trust anything, whether inside or outside their network perimeters. Zero Trust instead specifies that in order to maintain an effective security posture, any entity or asset must be authenticated or otherwise validated before it is granted any access to an organization. Zero Trust has implications for almost every element of your IT infrastructure. Blueprints for implementing a Zero Trust architecture have been developed by Forrester (who created the model in 2010) and NIST, to name a few.  

Zombies: A computer connected to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.

Related Links

  • Guide SecurityMetrics Guide to PCI DSS Compliance

    The SecurityMetrics Guide to PCI DSS Compliance will help you understand current PCI requirements and trends, so that you can better protect data from inevitable future attacks.

  • Academy SecurityMetrics Academy

    Academy contains videos, quizzes, and external resources on topics like security policies and encryption. Our intent is to help SMBs like franchisees, small merchants, and healthcare practices address specific cybersecurity risks businesses may face.

  • Guide SecurityMetrics Guide to HIPAA Compliance

    We intend our guide to be a “deskside” reference for the day-to-day and recurring demands of HIPAA compliance. It’s meant to strike a balance between generally informative and specifically practical. Those who use our guide report that it is “thorough and detailed-oriented. Very helpful.”

  • Podcast SecurityMetrics Podcast

    The SecurityMetrics Podcast is intended to help businesses of all sizes as well as individuals–whether security professionals or not. We want to break security concepts down well enough that anyone can understand the top cybersecurity threats and how to deal with them.


  • SecurityMetrics Summit

    This recorded event is for all businesses that need solutions for cybersecurity, data protection, PCI DSS, HIPAA, and other types of compliance (HITRUST, GDPR, CCPA). Summit is ideal for those working in universities, retail, government, acquiring banks, and the healthcare industry. If your job includes anything related to compliance, payment card data, or cybersecurity, this is a must-watch event.


  • Threat Intelligence Center Feed

    SecurityMetrics Threat Intelligence Center analysts monitor current cybercriminal trends to give you weekly news reports and trending threat insights straight to your inbox, including: bi-monthly cybersecurity video-podcast, current data breaches, cybersecurity news, and technical advice to keep your system hacker-free.

Discover Your Cybersecurity and Compliance Needs