GLOSSARY

Access control
The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities.

Advisory
A written notice of the existence of an exploitable vulnerability.

Air gap
An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).

APT
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors across time.

Attack
An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality.

Attack surface
The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.

Attacker
A party who intends to compromise an information system.

Attribution
The process of identifying the identity of an attacker using distinctive features, characteristics, or properties that can be identified or isolated quantitatively or qualitatively by either human or automated means.

Audit
Independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.

Authentication
The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.

Availability
The system property of ensuring timely and reliable access to and use of information.

Backdoor
An undocumented way of gaining access to a computer system; a backdoor is a potential security risk. Also, a malicious program that listens for commands on a certain Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port.

Backup
A copy of files and programs made to facilitate recovery, if necessary.

Breach notification
A legal notice of a compromise or loss of control of the confidentiality of a system that has impacted consumer information.

Brute force
In cryptography, an attack that involves trying all possible combinations to find a match.

Buffer overflow
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.

Bug bounty
Programs that provide financial rewards to independent security researchers who identify and report valid security vulnerabilities, flaws or "bugs" in accordance with the published scope and rules of the program.

CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart; one way of managing bot activity.

CCIPS
Computer Crime and Intellectual Property Section of the Department of Justice.

CERT
A Computer Emergency Response Team (CERT) is a group of information security experts responsible for the protection against, detection of, and response to vulnerabilities and attacks.

CFAA
Computer Fraud and Abuse Act.

CIA
Confidentiality, integrity, and availability: the three core properties of security in any system.

Ciphertext
Data in its encrypted form.

CISA
Cybersecurity and Infrastructure Security Agency.

CISO or CSO
Chief Information Security Officer: the corporate or governmental official in an organization responsible for the management of security.

Compromise
A successful attack on the confidentiality, integrity or availability of a system.

Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

COPPA security requirements
Children's Online Privacy Protection Act security requirements.

Credential
An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a card or token possessed and controlled by a cardholder or subscriber.

Cryptography
The discipline that embodies the principles, means, and methods for providing information security, including confidentiality, data integrity, non-repudiation, and authenticity.

Cryptology
The science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence.

CVE
A list of entries, each containing an identification number, a description, and at least one public reference, for publicly known vulnerabilities.

CVSS
A system for measuring the relative severity of software flaw vulnerabilities.

Cyber-physical system
Interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.

DDoS
A distributed denial-of-service technique that uses numerous hosts to perform the attack.

Decryption
The process of transforming ciphertext into plaintext using a cryptographic algorithm and key.

Defacement
An unauthorized integrity change in the user-visible appearance of a website user interface.

Dependency
The situation where correct functionality of a security control is contingent on the correct functionality of another component. There are three types of dependencies: data, name, and control.

Deprecated
Obsolete technology.

Dictionary attack
An attempted illegal entry to a computer system that uses a dictionary headword list to generate possible passwords.

Disaster recovery
A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.

Elevation/ escalation of privilege
An attack that grants the attacker additional levels of control over a system.

Enigma
World War II German encryption machine.

Exfiltration
The unauthorized transfer of information from an information system.

Exploit
The implemented use of a vulnerability to attack the confidentiality, integrity, or availability of a system.

Exploitability
The state where a system is vulnerable to the violation of the security policy governing an information system and is usable or detectable by subjects external to the trusted computing base.

Fail secure
A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity). See fail safe and fail soft for comparison.

Firewall
A gateway that limits access between networks in accordance with local security policy.

Flaw
Imperfection or defect.

Fuzzing
Similar to fault injection in that invalid data is input into the application via the environment, or input by one process into another process. Fuzz testing is implemented by tools called fuzzers, which are programs or scripts that submit some combination of inputs to the test targets.

GDPR security requirements
EU General Data Protection Regulation: Recital 49 – Network and Information Security as Overriding Legitimate Interest; Art. 32 GDPR – Security of processing; Recital 83 – Security of Processing.

GLBA security requirements
Gramm-Leach-Bliley Act, 15 U.S. Code § 6801 - Protection of nonpublic personal information, and implementing agency rules.

Hacker
A person who repurposes a tool or system to perform in a new way, either legally or illegally.

Hacktivism
Attacks launched with the intent of furthering political or social activism.

Hard coded credentials
Credentials that cannot be changed from default by a user or operator, rendering a system more vulnerable to attack.

Hardening
A process intended to eliminate a means of attack by patching vulnerabilities and turning off nonessential services.

HIPAA Security Rule
Health Insurance Portability and Accountability Act Security Rule.

Incident
Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein.

Incident response
The mitigation of violations of security policies and recommended practices.

Insider attack
An attack where an insider uses her/his authorized access, wittingly or unwittingly, to do harm to the security of an organization or system.

Integrity
Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

Intrusion
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.

ISO 29147
International standard of requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services.

ISO 30111
International standard regarding internal organizational handling of security vulnerabilities.

Key
A parameter (limit) used in the block cipher algorithm that determines the forward cipher function.

Keystroke logger
A program designed to record which keys are pressed on a computer keyboard, used to obtain passwords or encryption keys and thus bypass other security measures.

Lateral movement
The process of an attack escalating by using one vulnerability to move inside a system and compromise additional points of vulnerability.

Least privilege
The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

Legacy issues
Incompatibilities in security generated by last-generation systems and design.

Log analysis
Studying log entries to identify events of interest or suppress log entries for insignificant events.

MFA
Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

Mitigation
Defensive measures intended to blunt the impact of a compromise or incident.

MiTM
An attack where the adversary is positioned in the middle, between the user and the system, to intercept and alter data traveling between them.

Network map
A representation of the internal network topologies and components down to the host/device level, including but not limited to connection, sub-network, enclave, and host information.

NIST security maturity model
A tiered set of security guidelines designed to assess the extent of a culture of security inside an organization.

Patch
A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.

Penetration testing
A method of testing where testers target individual binary components or the application as a whole to determine whether intra- or inter-component vulnerabilities can be exploited to compromise the application, its data, or its environment resources.

Phishing
A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.

Phreaking
Historical repurposing of telephone systems.

PKI
The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. A framework established to issue, maintain, and revoke public key certificates.

Plain text
Unencrypted data.

Port scan
A technique that sends client requests to a range of service port addresses on a host.

Proof of concept
The demonstration of the existence of a security vulnerability as a theoretical matter.

Proxy
An application that "breaks" the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network, processes it, and forwards it.

Race condition
An undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence.

Ransomware
An attack that exploits an existing security vulnerability in a system to render the system unavailable, where the attackers demand ransom in exchange for allegedly providing the key to restoring availability.

Red team
A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture.

Resiliency
The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.

Remote code execution
A class of attacks in which attackers remotely execute commands to place malware or other malicious code on a computer or network without user input or physical access to the network.

Non-repudiation
Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.

Revocation
The process of permanently ending the binding between a certificate and the identity asserted in the certificate from a specified time forward.

Rootkit
A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker's activities on the host and permit the attacker to maintain root-level access to the host through covert means.

Sarbox/ SOX security requirements
Sarbanes-Oxley Act Section 404, as interpreted by agency guidance.

SBOM
Software Bill of Materials.

SCADA
Supervisory Control and Data Acquisition system: systems used in critical infrastructure.

Segmentation
Defensive strategy of dividing a system into self-contained pieces in order to mitigate vulnerability to lateral movement by an attacker.

Shoulder surfing
A form of physical credential acquisition through visual observation of credential input, e.g. watching a user's typing over the user's shoulder.

Smishing
Phishing through SMS.

Sniffing
Observing and recording network traffic.

Social engineering
The act of deceiving an individual into revealing sensitive information by associating with the individual to gain confidence and trust.

Spoofing
Faking the sending address of a transmission to gain illegal entry into a secure system.

Spyware
Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.

SQL injection
An attack in which malicious code is injected into a poorly designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed.

Steganography
The art and science of communicating in a way that hides the existence of the communication. For example, an image can be hidden inside another graphic image file, audio file, or other file format.

Tampering
An intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data.

Telemetry
The automatic recording and transmission of data from remote or inaccessible sources to an IT system in a different location for monitoring and analysis.

Threat actor
An individual or a group posing a threat.

Threat intelligence
Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.

Threat modeling
A form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment. The formal process of identifying and mitigating an organization's attack surface in light of the state of the art in security.

Traversal
Crossing over a security boundary.

Trojan
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Trust
The state of technical dependency, regardless of whether components are trustworthy.

Trustworthiness
The degree to which an information system (including the information technology components that are used to build the system) can be correctly expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats. A trustworthy information system is a system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.

Usability
Extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use.

VDB
Vulnerability database: an index of known vulnerabilities.

Virus definitions
Predefined signatures for known malware used by antivirus detection algorithms.

Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Vulnerability intake
The internal organizational process of receiving third-party vulnerability reports.

War driving
Sniffing historically carried out through mobile physical proximity to open networks, e.g. from a car.

Watering hole attack
A security exploit where the attacker infects websites that are frequently visited by members of the group being attacked, with the goal of infecting a computer used by one of the targeted group when they visit the infected website.

Worm
A self-replicating program that propagates itself through a network onto other computer systems without requiring a host program or any user intervention to replicate.

XSS
Cross-site scripting: a vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data so that it is not executable.

Zero day
An attack that exploits a previously unknown hardware, firmware, or software vulnerability.