- 3-2-1 backup rule — 3 copies of data, on 2 different media types, with 1 copy off-site
- 3DES — Triple Data Encryption Standard: legacy symmetric cipher applying DES three times; deprecated in favor of AES
- 802.1X — IEEE standard for port-based network access control; uses EAP for authentication
A
- AES — Advanced Encryption Standard: symmetric block cipher (128/192/256-bit keys); the current standard for data encryption
- AES-256 — Advanced Encryption Standard 256-bit: AES with a 256-bit key; considered quantum-resistant for symmetric encryption
- Access badges — RFID or smart card-based identification for building entry
- Access control lists (ACLs) — Defining explicit allow/deny rules for network traffic and resource access
- Access control vestibules (mantraps) — Dual-door chambers allowing only one door open at a time; prevents tailgating
- Account indicators — Multiple failed logins, privilege escalation attempts, account lockouts, new admin accounts
- Accounting — Logging and tracking user activities for audit and forensic purposes
- Active-active vs. active-passive — active-active uses all nodes; active-passive has standby nodes for failover
- Ad hoc vs. recurring vs. continuous — assessments may be triggered by events, scheduled, or ongoing
- Adaptive identity — Authentication and authorization that adjust based on real-time risk assessment
- Administrative controls — Policies, procedures, training, background checks
- Adversary emulation — Simulating known threat actor behavior to test detection capabilities
- After-action review — lessons learned documented after each test or actual incident
- AH — Authentication Header: IPSec protocol providing integrity and authentication but not confidentiality
- Air gap — complete physical isolation with no network connectivity; highest security, used for critical systems
- AIS — Automated Indicator Sharing: DHS system for real-time exchange of cyber threat indicators
- ALE — Annualized Loss Expectancy: expected yearly monetary loss from a risk; ALE = SLE x ARO
- Always-on VPN — automatically connects when the device is powered on; ensures consistent policy enforcement
- Amplification attack — Using protocols like DNS, NTP, or memcached to amplify a small request into a massive response
- Reflection — Using third-party servers (DNS, NTP, memcached) to amplify and reflect traffic at the victim
- Anonymization — irreversibly removes identifying information
- Anonymization vs. pseudonymization — anonymization is irreversible; pseudonymization replaces identifiers but can be reversed with a key
- Anti-forensics — Techniques attackers use to hinder forensic analysis (encryption, log wiping, timestomping)
- Anti-phishing controls — URL rewriting, sandbox analysis of attachments, impersonation detection
- Anti-malware — Signature-based and heuristic detection of known and unknown malware
- API attacks — Exploiting insecure APIs through broken authentication, excessive data exposure, or lack of rate limiting
- ARO — Annualized Rate of Occurrence: estimated frequency of a threat occurring per year
- ARP — Address Resolution Protocol: maps IP addresses to MAC addresses on a local network; vulnerable to spoofing
- API integration — Connecting security tools through REST APIs for orchestrated workflows
- API security — cloud services are API-driven; securing APIs is critical to cloud security
- Application allowlisting — Only permitting approved software to execute — stronger than blocklisting
- Application allowlisting (endpoint) — Only approved applications can execute on the endpoint
- Application-layer attacks — Targeting specific services with legitimate-looking requests to exhaust application resources
- ARP poisoning — Sending fake ARP messages to associate the attacker
- ASLR — Address Space Layout Randomization: OS security feature that randomizes memory addresses to thwart buffer overflow exploits
- ASP — Active Server Pages: Microsoft server-side scripting framework for dynamic web content
- Attack surface management — Continuously identifying and reducing exposure across all attack vectors
- Attestation — formal declaration by an auditor that controls are operating effectively
- Attribute mapping — Translating identity attributes (role, department) between different organizational schemas
- Attribute-Based Access Control (ABAC) — Access decisions based on attributes such as department, location, or time of day
- Audit scope — defines what systems, processes, and controls are being examined
- AUP — Acceptable Use Policy: defines permitted and prohibited uses of organizational IT resources
- Authentication — typically uses certificates, MFA, RADIUS, or LDAP for VPN user authentication
- Authorization vs. Authentication — Authentication proves identity; authorization defines permissions
- Automated response — Predefined playbooks can kill processes, quarantine files, or block IPs without human intervention
- Automation — Executing repetitive tasks without human intervention — enriching alerts, blocking IPs, disabling accounts
- Availability — Ensuring systems and data are accessible to authorized users when needed
B
- Rollback plan — Predefined steps to reverse a change if it causes problems
- Baiting — Offering something enticing (USB drive, free download) to lure victims
- Bandwidth monitoring — Detecting unusual spikes that may indicate DDoS attacks or data exfiltration
- Baseline establishment — Defining normal network behavior to identify deviations and anomalies
- BGP — Border Gateway Protocol: routing protocol that exchanges path information between autonomous systems on the internet
- BIOS — Basic Input/Output System: legacy firmware interface for hardware initialization; largely replaced by UEFI
- Baseline-driven hunting — Identifying deviations from known-good baselines in network traffic, process execution, or user behavior
- Behavioral analysis — Detects threats based on anomalous behavior rather than known signatures
- Behavioral indicators — Unusual login times, impossible travel, lateral movement patterns suggesting compromise
- Bell-LaPadula Model —
- Benchmarks vs. frameworks — benchmarks are specific configuration guides; frameworks are broader programs
- Benefits — Speed, consistency, scalability, reduced human error, better documentation
- BIA as the foundation — the Business Impact Analysis identifies critical functions and sets recovery priorities
- Biba Model —
- Biometric authentication — FAR vs. FRR; CER (Crossover Error Rate) measures biometric system accuracy
- Birthday attack — Exploits the mathematics of hash collisions; finding two inputs that produce the same hash output
- Blind SQL injection — Application does not return data directly; attacker infers information through true/false responses or time delays
- Bluetooth attacks — Bluejacking (unsolicited messages), Bluesnarfing (data theft), Bluebugging (full device control)
- Board and executive involvement — governance starts at the top; senior leadership sets the tone and approves risk appetite
- Bollards — Short vertical posts preventing vehicle ramming attacks
- Boot integrity — Secure Boot, Measured Boot, and TPM ensure the system hasn’t been tampered with
- BPA — Business Partnership Agreement: formal agreement defining responsibilities and expectations between business partners
- BPDU — Bridge Protocol Data Unit: frames used by Spanning Tree Protocol to prevent network loops
- BSSID — Basic Service Set Identifier: MAC address of a wireless access point identifying a specific BSS
- Botnet — Network of compromised devices controlled by an attacker to generate DDoS traffic
- Brand impersonation — Creating fake websites, emails, or social media profiles mimicking trusted brands
- Break-glass accounts — Emergency access accounts with heightened monitoring for use when normal access paths fail
- Brute force — Trying all possible keys or password combinations until the correct one is found
- Buffer overflow — Sending more data than a buffer can hold, overwriting adjacent memory to execute arbitrary code
- Bug bounty programs — Crowdsourced testing where external researchers report vulnerabilities for rewards
- Business continuity vs. disaster recovery — BCP keeps the business running during disruption; DR restores IT systems after disruption
- Business Email Compromise (BEC) — Social engineering attacks where attackers impersonate executives to request wire transfers or sensitive data
C
- Cable locks — Physically secure laptops and equipment to prevent theft
- Caching — proxies store frequently accessed content to reduce bandwidth and improve response times
- Capacity planning — ensuring sufficient resources to handle peak loads and growth
- CAPTCHA — Completely Automated Public Turing Test to Tell Computers and Humans Apart: challenge-response test to distinguish humans from bots
- CAR — Corrective Action Report: document detailing root cause analysis and remediation steps after an incident
- CASB — Cloud Access Security Broker: policy enforcement point between users and cloud services for visibility and data protection
- Case management — Tracking incidents from detection through resolution with full documentation
- Centralized logging — Aggregating logs from all sources into a single repository for unified analysis
- Centralized vs. decentralized governance — centralized offers consistency; decentralized gives business units flexibility
- CBC — Cipher Block Chaining: block cipher mode where each plaintext block is XORed with the previous ciphertext block
- CBT — Computer-based Training: security awareness training delivered via software or e-learning platforms
- CCMP — Counter-Mode/CBC-MAC Protocol: AES-based encryption protocol used in WPA2 for wireless security
- CERT — Computer Emergency Response Team: group responsible for coordinating response to cybersecurity incidents
- Certificate formats — PEM (.pem, .crt), DER (.der), PKCS#12 (.pfx, .p12), PKCS#7 (.p7b)
- Certificate lifecycle — request (CSR), issuance, usage, renewal, revocation
- Certificate pinning — application hardcodes the expected certificate or public key to prevent MITM with rogue certs
- Certificate-based authentication — Uses digital certificates from a PKI for mutual authentication
- CFB — Cipher Feedback: block cipher mode that converts a block cipher into a self-synchronizing stream cipher
- Chain of custody — Documented record of who handled the evidence, when, and what was done — breaks invalidate evidence
- Chain of trust — each certificate is signed by the CA above it; browsers trust the root CA
- Change Advisory Board (CAB) — Group of stakeholders who review and approve/deny change requests
- CHAP — Challenge-Handshake Authentication Protocol: authentication protocol using a three-way handshake to verify identity
- Chosen plaintext/ciphertext attack — Attacker can encrypt or decrypt chosen data to extract information about the key
- CIO — Chief Information Officer: executive responsible for IT strategy and information systems
- CIRT — Computer Incident Response Team: team that handles investigation and remediation of security incidents
- CIS Benchmarks — Industry-standard security configuration guidelines from the Center for Internet Security
- CIS Controls — prioritized list of cybersecurity best practices (formerly SANS Top 20)
- Classification criteria — regulatory requirements, business value, sensitivity, impact if disclosed
- Cloud deployment models — public, private, hybrid, community, multi-cloud
- CMS — Content Management System: software for creating and managing digital content (e.g., WordPress)
- CN — Common Name: field in an X.509 certificate identifying the host name or entity
- Collision attack — Specifically crafting two different inputs that produce an identical hash — compromises integrity verification
- Command injection (OS injection) — Inserting operating system commands through application inputs to execute on the host system
- Private sector classifications — Confidential/Restricted, Private/Internal, Public
- Common delivery methods — Phishing emails, exploited vulnerabilities (especially RDP), drive-by downloads, supply chain compromise
- Common IaC tools — Terraform, AWS CloudFormation, Azure ARM/Bicep, Ansible, Puppet, Chef
- Common SIEM platforms — Splunk, Microsoft Sentinel, IBM QRadar, Elastic Security
- Communication plan — Who to notify (management, legal, law enforcement, customers, regulators)
- Compensating controls — Alternative measures when the primary control cannot be implemented
- COOP — Continuity of Operations Planning: plan to maintain essential functions during and after a disaster
- Compliance automation — tools that continuously assess configurations against baselines and flag deviations
- Compliance monitoring — ongoing checks to ensure controls remain effective and policies are followed
- Compliance reporting — documentation submitted to regulators or auditors demonstrating adherence
- Conditional access — Dynamic authorization based on risk signals (device compliance, location, behavior)
- Confidence levels — Rating how reliable and accurate a piece of intelligence is
- Confidentiality — Protecting data from unauthorized access or disclosure
- Configuration drift — when running infrastructure diverges from its defined state; IaC detects and corrects this
- Configuration management — Maintaining a consistent, secure baseline of system configurations and detecting drift
- Consequences of non-compliance — fines, sanctions, loss of certifications, lawsuits, reputational harm
- Containment — Short-term (isolate the system) and long-term (apply temporary fixes while building permanent solutions)
- Content filtering — proxies can inspect and block traffic based on URLs, categories, or content types
- CI/CD security — Embedding security checks into automated build and deployment pipelines
- CP — Contingency Planning: preparing alternative procedures to maintain operations when primary systems fail
- CRC — Cyclic Redundancy Check: error-detecting code used to verify data integrity during transmission or storage
- Continuous monitoring — Agents on endpoints record process execution, file changes, registry modifications, and network connections
- Contractual compliance — obligations defined in business agreements and SLAs
- Control diversity — Combining different types of controls (technical + administrative + physical) at each security layer
- Correlation rules — Logic that identifies patterns across multiple events that indicate an attack
- Credential rotation — Automatically changing privileged passwords on a schedule or after each use
- Credential stuffing — Using stolen username/password pairs from breached databases to log into other services
- Credentialed vs. non-credentialed scans — Credentialed scans log into systems for deeper analysis; non-credentialed scans show the external attacker
- Critical business functions — processes that, if disrupted, would cause significant harm to the organization
- Cross-certification — two CAs trust each other
- CSA — Cloud Security Alliance: organization that defines best practices for secure cloud computing
- CSIRT — Computer Security Incident Response Team: specialized team for handling and coordinating security incident response
- CSO — Chief Security Officer: executive responsible for physical and/or information security strategy
- CSP — Cloud Service Provider: company offering cloud-based infrastructure, platforms, or software (e.g., AWS, Azure)
- CSU — Channel Service Unit: device that connects a digital line to networking equipment at the demarcation point
- Cryptocurrency payment — Bitcoin or Monero used to make ransom payments difficult to trace
- CSA Cloud Controls Matrix (CCM) — cloud-specific security control framework
- CSR (Certificate Signing Request) — generated by the applicant; contains the public key and identity information
- CSRF Example — A hidden image tag that triggers a bank transfer while the victim is logged into their banking site
- CSRF Mechanism — Attacker crafts a request using hidden forms or image tags that perform actions using the victim
- CTM — Counter-Mode: block cipher mode that turns a block cipher into a stream cipher using a counter
- CTO — Chief Technology Officer: executive responsible for technology development and innovation strategy
- Culture of security — training should foster a culture where reporting suspicious activity is encouraged, not punished
- CVE (Common Vulnerabilities and Exposures) — Unique identifiers for publicly known vulnerabilities
- CVSS (Common Vulnerability Scoring System) — Standardized 0-10 scoring system for vulnerability severity
- CYOD — Choose Your Own Device: policy allowing employees to select from pre-approved personal devices for work use
D
- DAD Triad — Disclosure, Alteration, Destruction — the attacker
- Dashboards and reporting — Visual representation of security posture, trends, and compliance metrics
- DBA — Database Administrator: professional responsible for database design, security, backup, and performance
- Data breach notification — regulations often require notifying affected individuals and authorities within a set timeframe
- Data loss prevention (DLP) — tools that detect and prevent unauthorized data exfiltration
- Data masking — obscures portions of data (e.g., showing only last 4 digits of a credit card)
- Data ownership and processing agreements — clearly define who owns data and how it is handled, stored, and deleted
- Data retention policies — define how long data must be kept and when it must be destroyed
- Data sources — EDR telemetry, SIEM logs, network flow data, DNS logs, authentication logs
- Data sovereignty — data stored in the cloud is subject to the laws of its physical location
- Data states — data at rest, data in transit, data in use; each requires appropriate protection
- Deauthentication attack — Sending forged 802.11 deauth frames to disconnect clients from a wireless network
- DEP — Data Execution Prevention: OS feature that marks memory regions as non-executable to prevent code injection
- DES — Data Encryption Standard: legacy 56-bit symmetric block cipher; considered insecure and replaced by AES
- Deception platforms — Enterprise solutions that automate deployment and management of decoys across the network
- Declassification — reducing the classification level when sensitivity decreases over time
- Decommissioning — Properly retiring end-of-life systems that can no longer be patched
- Default credentials — Factory-set usernames and passwords that are publicly documented and easily exploited
- Defense in depth — layered security controls so that if one fails, others still protect the environment
- Defenses — HTTPS everywhere, HSTS, certificate pinning, mutual TLS, encrypted protocols; anti-CSRF tokens, SameSite cookies
- Dependencies — upstream and downstream systems that a critical function relies on
- Deprecated algorithms — MD5, SHA-1, DES, RC4 — algorithms that are cryptographically weak and should not be used
- DHE — Diffie-Hellman Ephemeral: key exchange using temporary keys per session; provides perfect forward secrecy
- Detection and analysis — Identifying incidents through alerts, logs, user reports, and threat intelligence
- Dictionary attack — Using a wordlist of common passwords and variations to guess credentials
- Digital signatures — hash the message, then encrypt the hash with the sender
- Directory services — LDAP, Active Directory — centralized authentication and identity stores
- Directory traversal — Using
- Disable unnecessary services and ports — Reduce potential entry points by turning off what is not needed
- Disk imaging — Creating a bit-for-bit copy of storage media for analysis without altering the original
- Diversity — using different vendors, technologies, or paths to avoid common-mode failures
- DKIM (DomainKeys Identified Mail) — Adds a digital signature to outgoing emails to verify the message was not altered in transit
- DLL injection — Forcing a process to load a malicious dynamic-link library into its address space
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — Policy that tells receiving servers what to do when SPF/DKIM fail (none, quarantine, reject)
- DMZ (Demilitarized Zone) — screened subnet between the internet and internal network for public-facing services
- DNAT — Destination Network Address Translation: modifies the destination IP of packets as they pass through a router or firewall
- DNS amplification — Using open DNS resolvers to amplify DDoS attacks — small queries generate large responses
- DNS hijacking — Compromising a domain
- DNS over TLS (DoT) — Encrypts DNS queries to prevent eavesdropping and manipulation
- DNS cache poisoning — Injecting false DNS records into a resolver
- DNS sinkholes — Redirect malicious domain requests to a controlled server to disrupt botnets and detect infected hosts
- DNS spoofing — Forging DNS responses to redirect queries to malicious IP addresses
- DNS tunneling — Encoding data within DNS queries and responses to exfiltrate data or establish C2 channels
- DNSSEC (DNS Security Extensions) — Adds digital signatures to DNS records to verify authenticity and integrity
- Documentation — recovery procedures, contact lists, system dependencies, vendor information
- DOM-based XSS — Script executes by modifying the DOM in the victim
- Domain hijacking — Taking control of a domain name through social engineering or exploiting weak registrar account security
- Double extortion — Attackers exfiltrate data before encrypting — threaten to publish if ransom is not paid
- Downgrade attack — Forcing a system to use a weaker, vulnerable cryptographic protocol or cipher
- DPO — Data Protection Officer: role required under GDPR to oversee data protection strategy and compliance
- DSA — Digital Signature Algorithm: FIPS standard for digital signatures using asymmetric cryptography
- DSL — Digital Subscriber Line: broadband technology providing internet access over telephone lines
- Due diligence vs. due care — Due diligence is researching and understanding risks; due care is acting responsibly to mitigate them
E
- E-discovery — Legal process of identifying and collecting electronically stored information (ESI) for litigation
- ECB — Electronic Code Book: simplest block cipher mode; encrypts blocks independently — insecure for most uses
- ECC — Elliptic-curve Cryptography: asymmetric cryptography using elliptic curves; smaller keys with equivalent strength to RSA
- ECDHE — Elliptic-curve Diffie-Hellman Ephemeral: key exchange combining ECC and ephemeral keys for perfect forward secrecy
- ECDSA — Elliptic-curve Digital Signature Algorithm: digital signature algorithm using elliptic-curve cryptography
- East-west traffic control — segmentation is essential for monitoring and controlling internal lateral movement
- East-west vs. north-south traffic — east-west is internal lateral; north-south crosses the network boundary
- Email encryption — Protects email content in transit and at rest; can be gateway-based or end-to-end
- Email indicators — Phishing sender addresses, malicious attachment hashes, suspicious URLs in email bodies
- Encryption — Protecting data at rest and in transit to ensure confidentiality even if intercepted
- EFS — Encrypted File System: Windows feature for file-level encryption on NTFS volumes
- EIP — Extended Instruction Pointer: CPU register pointing to the next instruction; a common target in buffer overflow attacks
- Encryption modes — ECB (insecure, patterns visible), CBC, CTR, GCM (authenticated encryption)
- Encryption-based ransomware — Encrypts files using strong cryptographic algorithms; data is unrecoverable without the key
- Environmental controls — Fire suppression, HVAC, and humidity controls protecting physical infrastructure
- EOL — End of Life: vendor no longer sells or actively develops a product; may still receive security patches
- EOS — End of Service: vendor no longer provides patches or support; a significant security risk
- Environmental factors — internal (staffing, technology) and external (regulatory, geopolitical)
- Ephemeral keys — temporary keys used for a single session; provide perfect forward secrecy
- Eradication — Removing the threat — deleting malware, closing vulnerabilities, resetting compromised credentials
- ERP — Enterprise Resource Planning: integrated software for managing core business processes (finance, HR, supply chain)
- ESN — Electronic Serial Number: unique identifier assigned to mobile devices for network authentication
- ESP — Encapsulating Security Payload: IPSec protocol providing confidentiality, integrity, and authentication for packets
- ESSID — Extended Service Set Identifier: name identifying a wireless network spanning multiple access points
- Evidence collection — logs, configurations, policies, interviews, and observations gathered during audits
- Evil twin — Rogue access point that mimics a legitimate network
- Exception process — formal mechanism for requesting and approving deviations from policy
- Exploitation — Attempting to gain unauthorized access using discovered vulnerabilities
- External audit — performed by an independent third party; required for certifications and regulatory compliance
F
- FACL — File System Access Control List: permissions list defining which users or groups can access specific files or directories
- Failback — returning to the primary system after it is restored
- Failover — automatic switching to a standby system when the primary fails
- Fake telemetry — Generating false network data to confuse attackers performing reconnaissance
- False positives — Legitimate activity that matches IoC patterns — tuning is essential to reduce alert fatigue
- False positives/negatives — Validating scan results to avoid wasting resources or missing real vulnerabilities
- Faraday cage — Blocks electromagnetic signals; prevents eavesdropping and signal leakage
- Fencing — Perimeter barriers; height determines deterrence level for physical security
- FERPA — US law protecting student education records
- File integrity monitoring — comparing current file hashes to known-good baselines to detect tampering
- File system permissions — Restricting access to sensitive files and directories
- File-based indicators — Malicious file hashes, suspicious file names, unexpected file locations
- Fileless malware — Operates entirely in memory using legitimate tools (PowerShell, WMI) — leaves no files on disk
- Fileless malware detection — Identifies threats that operate in memory without writing to disk
- Findings and remediation — audit results include findings (issues) and recommendations with timelines for remediation
- Firmware updates — BIOS/UEFI and device firmware must be kept current
- FPGA — Field Programmable Gate Array: reconfigurable integrated circuit; used in hardware security modules and custom crypto
- FRR — False Rejection Rate: biometric metric measuring how often legitimate users are incorrectly denied access
- FTP — File Transfer Protocol: protocol for transferring files over TCP; transmits credentials in cleartext
- FTPS — FTP Secure: FTP with TLS/SSL encryption for secure file transfers
- Fourth-party risk — risk from your vendor
- Full disk encryption (FDE) — Encrypts the entire drive to protect data at rest (e.g., BitLocker, FileVault)
G
- Gamification — using competitions, rewards, and interactive elements to increase engagement
- GCM — Galois/Counter Mode: authenticated encryption mode combining CTR encryption with Galois MAC for integrity
- GDPR — EU regulation protecting personal data; applies to any org processing EU residents
- Geographic considerations — different jurisdictions have different requirements; data sovereignty matters
- GLBA — US law requiring financial institutions to protect customer information
- Governance committees — cross-functional groups that review security posture, approve policy changes, and allocate budgets
- GPG — GNU Privacy Guard: open-source implementation of PGP for encrypting and signing data
- GPS — Global Positioning System: satellite-based navigation; used in geofencing and mobile device tracking
- GPU — Graphics Processing Unit: processor optimized for parallel computation; used in password cracking and AI
- GRE — Generic Routing Encapsulation: tunneling protocol for encapsulating a wide variety of network layer protocols
- Military classifications — Top Secret, Secret, Confidential, Unclassified
- Guardrails — Safety controls in automation to prevent unintended actions (approval gates, rollback capabilities)
- Guest networking — NAC can direct unknown or personal devices to an isolated guest network
H
- Handling procedures — storage, transmission, retention, and destruction rules per classification level
- Hardening the hypervisor — patching, disabling unnecessary services, restricting management access, enabling secure boot
- HDD — Hard Disk Drive: magnetic storage device; requires degaussing or physical destruction for secure disposal
- Hardware Security Module (HSM) — tamper-resistant hardware device that manages keys and performs cryptographic operations
- Hardware vulnerabilities — Side-channel attacks, firmware flaws (Spectre, Meltdown), end-of-life hardware
- Hash verification — Using MD5/SHA-256 hashes to prove the forensic copy is identical to the original
- Health checks — load balancers monitor backend server health and remove unhealthy nodes from rotation
- HIDS — Host-based Intrusion Detection System: monitors a single host for suspicious activity and policy violations
- HIPS — Host-based Intrusion Prevention System: monitors and blocks malicious activity on a single host in real time
- High availability (HA) — measured in
- HIPAA — US law protecting health information (PHI); applies to covered entities and business associates
- HMAC (Hash-based Message Authentication Code) — combines a hash with a secret key to provide integrity AND authentication
- Honeyfiles — Fake files placed on systems to trigger alerts when accessed by attackers
- Honeynets — Networks of honeypots simulating an entire environment to study attacker behavior
- Honeypots — Decoy systems designed to attract and trap attackers for detection and analysis
- Honeytokens — Fake data (credentials, database records, API keys) that alert when used
- Host-based firewall — Controls inbound and outbound traffic at the individual device level
- Host-based intrusion prevention (HIPS) — Monitors system activity and file integrity on the endpoint
- Host-based indicators — Unexpected processes, registry changes, scheduled tasks, unauthorized accounts, modified system files
- Host-based vs. network-based — host firewalls protect individual systems; network firewalls protect entire segments
- HSMaaS — Hardware Security Module as a Service: cloud-based HSM offering cryptographic key management as a managed service
- HVAC — Heating, Ventilation, and Air Conditioning: environmental controls critical for data center temperature and humidity management
- HOTP (HMAC-based One-Time Password) — Counter-based OTP that remains valid until used
- HTML injection — Inserting HTML markup into web pages to alter content or redirect users
- HTTPS spoofing — Presenting a fraudulent certificate to intercept encrypted web traffic
- Human factors — Lack of training, social engineering susceptibility, insider threats
- Human vectors — Social engineering exploiting human psychology as an attack vector
- Hunt maturity model — Levels from HM0 (initial, relies on automated alerts) to HM4 (leading, creates new detection content)
- Hybrid attack — Combining dictionary words with brute-force modifications to crack common password patterns
- Hybrid encryption — uses asymmetric to exchange a symmetric session key, then symmetric for bulk data (TLS uses this)
- Hypothesis-driven hunting — Starting with an educated guess about attacker behavior and searching for evidence to confirm or deny it
I
- IaaS — Infrastructure as a Service: cloud model providing virtualized computing resources (VMs, storage, networking)
- ICS — Industrial Control Systems: hardware and software managing physical processes (SCADA, PLCs, DCS) in critical infrastructure
- Identity and access management — federated identity, SSO, and strong IAM policies for cloud resources
- Identity governance — Periodic access reviews and certification to ensure least privilege is maintained
- Identity lifecycle management — Joiner-mover-leaver processes that track an identity from onboarding to offboarding
- Identity Provider (IdP) — The organization that authenticates users and vouches for their identity
- IDF — Intermediate Distribution Frame: cable rack connecting backbone cabling to horizontal cabling within a floor or area
- IEEE — Institute of Electrical and Electronics Engineers: standards body for networking and electrical engineering (e.g., 802.1X, 802.11)
- IKE — Internet Key Exchange: protocol that sets up security associations for IPSec VPN tunnels
- IM — Instant Messaging: real-time text communication; potential vector for social engineering and data leakage
- IMAP4 — Internet Message Access Protocol v4: email retrieval protocol that stores messages on the server; supports folder sync
- Immutable infrastructure — servers are never modified after deployment; updates create new instances that replace old ones
- Impact — Session cookie theft, account hijacking, defacement, keylogging, phishing via injected forms; unauthorized actions as authenticated user
- Impact categories — financial loss, reputational damage, regulatory penalties, safety, operational disruption
- Implicit deny — If no rule explicitly grants access, access is denied by default
- Implicit trust zones — Zero Trust aims to eliminate these; every zone is treated as untrusted by default
- Indicators of Attack (IoA) — Proactive behavioral signals suggesting an attack is in progress (more real-time than IoCs)
- Industry standards — voluntary or contractually required frameworks (PCI DSS, ISO 27001, NIST CSF)
- Influence campaigns — Large-scale disinformation operations to manipulate public opinion
- Information Sharing and Analysis Centers (ISACs) — Industry-specific organizations for sharing threat intelligence
- Infrastructure as Code (IaC) — Managing and provisioning infrastructure through code (Terraform, Ansible, Puppet)
- Inherent risk — risk present before any controls
- Inline vs. passive deployment — IPS must be inline to block; IDS can be passive via port mirroring
- Input validation — Allowlisting acceptable characters and rejecting or sanitizing everything else
- Insecure protocols — Using unencrypted protocols (Telnet, FTP, HTTP, SNMPv1/v2) that expose data in transit
- Insider threat awareness — recognizing behavioral indicators of potential insider threats
- Integer overflow — Exceeding the maximum value of an integer variable, causing unexpected behavior
- Integration APIs — SOAR platforms connect to dozens of security tools to take coordinated action
- Integrity — Ensuring data is accurate, complete, and unaltered by unauthorized parties
- Intelligence-driven hunting — Using threat intelligence reports, IoCs, or known TTPs as starting points
- Internal audit — conducted by the organization
- Internal vs. external compliance — internal policies may exceed regulatory minimums
- IP spoofing — Forging the source IP address of packets to impersonate another system or hide the attacker
- IPSec — Internet Protocol Security: suite of protocols providing encryption, integrity, and authentication at the network layer
- IRC — Internet Relay Chat: text-based communication protocol; historically used for botnet command and control
- IRP — Incident Response Plan: documented procedures for detecting, analyzing, containing, and recovering from incidents
- ISA — Interconnection Security Agreement: agreement specifying security requirements for connecting two organizations’ networks
- ISFW — Internal Segmentation Firewall: firewall deployed inside the network to enforce zero-trust segmentation between zones
- ISO 27001 / 27002 — international standards for information security management systems (ISMS); 27001 is certifiable
- ISO — International Organization for Standardization: standards body publishing frameworks like ISO 27001 for information security management
- ISP — Internet Service Provider: company providing internet connectivity to customers
- ISSO — Information Systems Security Officer: person responsible for maintaining the security posture of an information system
- ITCP — IT Contingency Plan: plan for restoring IT systems and services after a disruption
- IV — Initialization Vector: random value combined with a key to ensure identical plaintexts encrypt differently
J
- Jamming — Flooding the wireless spectrum with noise to prevent legitimate wireless communication (DoS)
- journald — Linux systemd journal for structured logging
- jump server — hardened system used to access management networks securely
- Just-in-time (JIT) access — Granting privileged access only when needed and automatically revoking it after a set period
K
- KEK — Key Encryption Key: key used to encrypt other keys for secure key distribution and storage
- Kerberoasting — Extracting and cracking service account ticket hashes from Active Directory
- Kerberos — Ticket-based authentication protocol used in Active Directory environments; uses port 88
- Key escrow — third party holds a copy of the key for recovery; controversial due to trust implications
- Key length — longer keys = stronger encryption; AES-256 is the current gold standard
- Secret sharing (key splitting) — divide a key among multiple custodians; a threshold of shares is required to reconstruct it (Shamir's Secret Sharing)
- Key stretching — Techniques (PBKDF2, bcrypt, scrypt) that make brute force against passwords computationally expensive
- Keylogger — Records keystrokes to capture passwords, credit card numbers, and other sensitive input
- Keylogging — Capturing passwords as users type them using hardware or software keyloggers
- Known plaintext attack — Attacker has both plaintext and corresponding ciphertext and uses them to derive the key
- KRACK (Key Reinstallation Attack) — Exploiting a flaw in WPA2
L
- L2TP — Layer 2 Tunneling Protocol: VPN tunneling protocol often paired with IPSec for encryption (L2TP/IPSec)
- Labeling and marking — applying headers, footers, watermarks, or metadata tags to classified data
- Lateral movement — Ransomware and attackers spread across the network before detonating to maximize impact
- LDAP injection — Manipulating LDAP queries to bypass authentication or enumerate directory information
- LEAP — Lightweight Extensible Authentication Protocol: Cisco proprietary EAP method; considered insecure due to weak MS-CHAPv2 usage
- Least functionality principle — Systems should only have the minimum capabilities needed for their role
- Least privilege — Users and processes should only have the minimum permissions necessary to perform their function
- Least privilege enforcement — Ensuring even administrators only have access to what their role requires
- Legal hold — Directive to preserve all relevant data when litigation is anticipated
- Lessons learned (post-incident review) — Documenting what happened, what worked, what failed, and how to improve
- Lighting — Well-lit areas deter criminal activity and are critical for CCTV effectiveness
- Live forensics vs. dead forensics — Live = analyzing a running system (captures volatile data); dead = analyzing powered-off media
- Live migration security — encrypting VM data during migration between hosts to prevent interception
- Locker ransomware — Locks the user out of the system entirely without necessarily encrypting files
- Locks — Mechanical, electronic, and biometric locks as physical access control mechanisms
- Log aggregation — Collecting logs from firewalls, servers, endpoints, applications, and cloud services into one platform
- Log forwarding agents — Software installed on endpoints to collect and send logs to central systems
- Log integrity — Protecting logs from tampering using write-once storage, hashing, or digital signatures
- Log retention policies — Defining how long logs are stored based on regulatory and organizational requirements
- Log sources — OS event logs, firewall logs, IDS/IPS alerts, authentication logs, application logs, DNS query logs, proxy logs
- Logic bomb — Malicious code that triggers when specific conditions are met (date, user action, system event)
- Logical segmentation — VLANs, subnets, and software-defined boundaries on shared infrastructure
M
- MaaS — Monitoring as a Service: cloud-based service providing infrastructure and application monitoring
- MAC flooding — Overwhelming a switch
- Maintenance windows — Scheduled periods for implementing changes with minimal user impact
- MAM — Mobile Application Management: managing and securing specific apps on mobile devices without controlling the entire device
- MAN — Metropolitan Area Network: network spanning a city or campus, larger than a LAN but smaller than a WAN
- Man-in-the-Browser (MitB) — Malware in the browser modifies transactions in real time (e.g., changing bank account numbers)
- Maximum Tolerable Downtime (MTD) — the longest period a function can be unavailable before causing irreversible damage
- MBR — Master Boot Record: first sector of a storage device containing boot code; target of bootkits and rootkits
- MD5 — Message Digest 5: 128-bit hash algorithm; cryptographically broken and unsuitable for security use
- MDF — Main Distribution Frame: primary cable rack connecting external lines to internal network cabling
- Mean Time Between Failures (MTBF) — average time a system operates before failing
- Mean Time to Repair (MTTR) — average time to fix a failed component
- Memory vulnerabilities — Buffer overflows, use-after-free, memory leaks that can be exploited for code execution
- MFD — Multifunction Device: device combining printing, scanning, faxing, and copying; a potential data leakage vector
- MFP — Multifunction Printer: network printer with scanning and faxing capabilities; must be secured against unauthorized access
- Metamorphic malware — Completely rewrites its own code while maintaining functionality to evade detection
- Metrics — phishing click rates, training completion rates, incident report volumes, time to report
- Metrics and reporting — Tracking MTTR, MTTD, analyst workload, and automation effectiveness
- MFA fatigue attacks — Attackers bombard users with push notifications hoping they approve one
- Micro-segmentation — granular segmentation within a network, often at the workload level
- MMS — Multimedia Message Service: mobile messaging protocol for sending images, audio, and video; potential smishing vector
- MOA — Memorandum of Agreement: formal document outlining mutual terms between parties; more binding than an MOU
- MOU — Memorandum of Understanding: non-binding agreement between parties outlining intended cooperation and responsibilities
- Misconfigurations — Default settings, open ports, unnecessary services, overly permissive rules — the most common vulnerability type
- MITRE ATT&CK framework — Knowledge base of adversary tactics, techniques, and procedures (TTPs) used to structure hunts
- Mobile Device Management (MDM) — Centralized control of mobile endpoints — remote wipe, enforce policies, manage apps
- Monitoring and reporting — KPIs and KRIs measure governance effectiveness and communicate risk to leadership
- MPLS — Multiprotocol Label Switching: high-performance routing technique using labels instead of IP lookups for packet forwarding
- MS-CHAP — Microsoft Challenge-Handshake Authentication Protocol: Microsoft authentication protocol; v2 is used in VPNs but has known vulnerabilities
- MSA — Measurement Systems Analysis: methodology for evaluating the accuracy and precision of measurement systems
- MSP — Managed Service Provider: company providing outsourced IT management and support services
- MSSP — Managed Security Service Provider: company providing outsourced security monitoring, SIEM management, and incident response
- MTTF — Mean Time to Failure: average time a non-repairable component operates before failing
- MTU — Maximum Transmission Unit: largest packet size that can be transmitted without fragmentation on a network segment
- Multitenancy risks — data isolation between tenants; side-channel attacks; resource contention
N
- NAS — Network-attached Storage: dedicated file storage device connected to a network; requires access controls and encryption
- Nation-state actors — Advanced Persistent Threat (APT) groups sponsored by governments with significant resources and long-term objectives
- NDA — Non-disclosure Agreement: legal contract preventing disclosure of confidential information
- Need to know — Access to information is restricted to those who require it for their role
- NetFlow / IPFIX — Protocols that collect metadata about network traffic flows without capturing full packets
- Network segmentation — Dividing the network into isolated zones to limit lateral movement and blast radius
- Network taps — Hardware devices that copy network traffic for monitoring without affecting the traffic flow
- Network zones — segments with different trust levels (DMZ, internal, guest, management)
- Network-based IDS/IPS — Inline or passive devices that inspect network traffic for known attack signatures and anomalies
- Network-based indicators — Known malicious IPs, suspicious domains, unusual outbound connections, C2 traffic patterns
- NFV — Network Function Virtualization: replacing dedicated network hardware (firewalls, IDS) with virtualized software instances
- NFC attacks
- NGFW — Next-generation Firewall: firewall combining traditional packet filtering with deep packet inspection, IPS, and application awareness
- NG-SWG — Next-generation Secure Web Gateway: advanced web gateway combining URL filtering, DLP, CASB, and threat protection
- NIC — Network Interface Card: hardware component connecting a device to a network
- NIDS — Network-based Intrusion Detection System: monitors network traffic for suspicious patterns and policy violations
- NIPS — Network-based Intrusion Prevention System: monitors and blocks malicious network traffic in real time
- NIST Cybersecurity Framework (CSF) — Identify, Protect, Detect, Respond, Recover; voluntary, widely adopted in the US
- NIST IR lifecycle — Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity
- NIST SP 800-53 — comprehensive catalog of security and privacy controls for federal systems
- NOC — Network Operations Center: centralized facility for monitoring and managing network infrastructure
- Non-persistence — systems rebuilt from known-good images; live boot media, revert to snapshot
- Non-repudiation — Ensures actions cannot be denied after the fact; achieved through digital signatures and audit trails
- Normalization — Converting logs from different formats into a common schema for analysis
- Notable examples — WannaCry, NotPetya, LockBit, BlackCat/ALPHV — major ransomware campaigns
- NTP synchronization — All systems must use the same time source — accurate timestamps are critical for event correlation
- NTFS — New Technology File System: Windows file system supporting permissions, encryption (EFS), and auditing
- NTLM — New Technology LAN Manager: legacy Windows authentication protocol; vulnerable to pass-the-hash attacks
- NTP — Network Time Protocol: protocol for clock synchronization; critical for log correlation and Kerberos authentication
O
- OAuth 2.0 — Authorization framework for delegated access; issues access tokens (not authentication)
- OCSP — Online Certificate Status Protocol: real-time protocol for checking the revocation status of an X.509 certificate
- Offboarding — revoking access, retrieving data, and ensuring secure data destruction when a vendor relationship ends
- OID — Object Identifier: unique numeric identifier for objects in certificate and SNMP schemas
- Open design principle — Security mechanisms should not depend on secrecy of implementation
- Open service ports — Unnecessary services listening on the network increase the attack surface
- OpenID Connect — Modern federation protocol built on OAuth 2.0; uses JSON Web Tokens (JWT)
- OpenID Connect (OIDC) — Authentication layer built on top of OAuth 2.0, commonly used for consumer-facing SSO
- Operational intelligence — Details about specific campaigns or threat actor groups to inform security teams
- Orchestration — Connecting and coordinating multiple security tools (SIEM, firewalls, EDR, ticketing) through APIs
- OSI — Open Systems Interconnection: seven-layer reference model for network communication
- OSINT — Open-source Intelligence: intelligence gathered from publicly available sources (social media, DNS, public records)
- OSPF — Open Shortest Path First: link-state routing protocol for interior gateway routing within an autonomous system
- OTA — Over-The-Air: wireless delivery of firmware or software updates to mobile and IoT devices
- OTG — On-The-Go: USB specification allowing mobile devices to act as a host for peripherals
- OVAL — Open Vulnerability and Assessment Language: XML-based language for expressing system configuration and vulnerability checks
- OWASP — Open Web Application Security Project: community producing the OWASP Top 10 list of critical web application security risks
- Order of restoration — critical systems first, based on BIA priorities and RTO requirements
- Order of volatility — Collect the most volatile evidence first — CPU registers → RAM → swap → disk → logs → network → archival media
P
- P12 — PKCS #12: file format for storing a certificate chain and private key in a single encrypted file
- P2P — Peer-to-Peer: decentralized network model where nodes communicate directly without a central server
- PaaS — Platform as a Service: cloud model providing a managed platform for developing and deploying applications
- PAC — Proxy Auto Configuration: script that directs a browser to the correct proxy server for a given URL
- Packet capture (PCAP) — Full capture of network packets for deep analysis using tools like Wireshark or tcpdump
- PAP — Password Authentication Protocol: authentication protocol transmitting credentials in cleartext; highly insecure
- Prepared statements — The primary defense against SQL injection — separates code from data so input is never executed as SQL
- Pass-the-hash — Using a captured NTLM hash to authenticate without knowing the actual plaintext password
- Password hashing — uses salting and key stretching to protect stored passwords
- Password spraying — Trying a small number of common passwords against many accounts to avoid lockout thresholds
- PAT — Port Address Translation: NAT variant mapping multiple private IPs to a single public IP using port numbers
- PBKDF2 — Password-based Key Derivation Function 2: key stretching algorithm that applies a pseudorandom function iteratively to slow brute-force attacks
- PBX — Private Branch Exchange: private telephone switching system within an organization; target for toll fraud and eavesdropping
- Password vaulting — Storing privileged credentials in an encrypted vault; users check out passwords for time-limited sessions
- Passwordless authentication — FIDO2/WebAuthn, passkeys — eliminates password-related vulnerabilities entirely
- Patch management — Keeping OS and applications up to date to close known vulnerabilities
- Patching — Applying vendor-supplied fixes to close known vulnerabilities — the most fundamental mitigation
- PCI DSS — payment card industry standard; required for any organization handling cardholder data
- PDU — Power Distribution Unit: device distributing electrical power to rack-mounted equipment in a data center
- PEAP — Protected Extensible Authentication Protocol: EAP method that wraps EAP inside a TLS tunnel for secure wireless authentication
- PED — Portable Electronic Device: mobile computing devices (laptops, tablets, phones) requiring endpoint security controls
- Perfect forward secrecy (PFS) — compromising long-term keys does not compromise past session keys
- Permission inheritance — Child objects inherit permissions from parent containers in access control systems
- PGP — Pretty Good Privacy: encryption program providing cryptographic privacy and authentication for data and email
- Phases — Planning/scoping → Reconnaissance → Scanning → Exploitation → Post-exploitation → Reporting
- PHI (Protected Health Information) — health-related PII governed by HIPAA
- Phishing — Fraudulent emails impersonating legitimate entities to steal credentials or deliver malware
- Phishing simulations — controlled phishing emails sent to employees to test awareness and measure click rates
- Physical controls — Locks, fences, mantraps, and security guards as physical access control mechanisms
- Physical segmentation — separate physical network infrastructure for different zones
- PII (Personally Identifiable Information) — data that can identify an individual (name, SSN, email, biometrics)
- Pivoting — Using a compromised system as a launchpad to attack internal networks
- PKCS — Public Key Cryptography Standards: set of standards for public-key cryptography published by RSA Laboratories
- Playbooks / Runbooks — Predefined workflows that codify incident response procedures into automated steps
- Policies, standards, baselines, guidelines, procedures — the governance hierarchy from most authoritative to most flexible
- Policy actions — alert, block, encrypt, quarantine, log, notify manager
- Policy administrator — Establishes and removes communication paths based on policy engine decisions in Zero Trust
- Policy as code — defining security policies in code that automatically validates IaC templates before deployment
- Policy enforcement point (PEP) — Gateway that enforces access decisions at the data plane level in Zero Trust
- Policy engine — Evaluates access requests against policies, risk signals, and threat intelligence in Zero Trust
- Policy lifecycle — create, approve, distribute, enforce, review, revise, retire
- PoC — Proof of Concept: demonstration that a vulnerability or exploit is feasible
- Polymorphic malware — Changes its code signature with each infection to evade signature-based detection
- POP — Post Office Protocol: email retrieval protocol that downloads messages to a client and deletes them from the server
- Port mirroring (SPAN) — Switch feature that copies traffic from one port to a monitoring port
- Port scanning — Enumerating open ports and services on target systems during the reconnaissance phase
- POTS — Plain Old Telephone Service: traditional analog telephone service; war dialing targets POTS-connected modems
- Potentially Unwanted Programs (PUPs) — Adware, toolbars, and bundled software that degrades security without being strictly malicious
- PPP — Point-to-Point Protocol: data link layer protocol for direct connections between two network nodes
- PPTP — Point-to-Point Tunneling Protocol: legacy VPN protocol; considered insecure due to weak encryption
- Preparation — Building the IR team, creating playbooks, deploying tools, conducting tabletop exercises
- Pretexting — Creating a fabricated scenario to gain trust and extract information from a target
- Preventive, Detective, Corrective — Security controls categorized by when they act relative to an incident
- Principle of least privilege — Grant only the minimum access necessary for a role or task
- Privacy by design — embedding privacy controls into systems from the beginning, not as an afterthought
- Privacy Impact Assessment (PIA) — evaluates how a project or system will affect individual privacy
- Privilege escalation — Exploiting flaws to gain higher-level access (vertical) or access other users
- Privileged accounts — Service accounts, admin accounts, and root accounts require additional controls
- Protocol analysis — Inspecting traffic to detect protocol misuse or tunneling (e.g., DNS tunneling for data exfiltration)
- PSK — Pre-Shared Key: shared secret used in symmetric encryption and Wi-Fi authentication (WPA-PSK)
- PTZ — Pan-Tilt-Zoom: camera capability for remote directional and zoom control in video surveillance systems
- Protocol attacks — Exploiting protocol weaknesses to consume server resources (SYN flood, Ping of Death, Smurf attack)
- Provisioning and deprovisioning — Creating, modifying, and removing user accounts throughout the identity lifecycle
- Pseudonymization — replaces identifiers with pseudonyms; reversible with a key
- Push notifications — Authentication apps send approve/deny prompts to registered devices
Q
- QA — Quality Assurance: processes ensuring software and systems meet defined quality and security standards
- Qualitative risk assessment — uses subjective ratings (high, medium, low) based on expert judgment; faster but less precise
- Qualitative vs. quantitative analysis — qualitative uses categories (high/medium/low); quantitative uses dollar values (SLE, ALE, ARO)
- Quantitative risk assessment — uses numerical values and formulas; more precise but requires reliable data
- Quantum computing threat — Shor’s algorithm threatens RSA and ECC; driving transition to post-quantum cryptography
- QoS — Quality of Service: network mechanism prioritizing traffic to ensure performance for critical applications
R
- RA — Registration Authority: entity that verifies certificate requests before the CA issues certificates
- Race condition (TOCTOU) — Time-of-check to time-of-use: exploiting the timing gap between checking a condition and using the result
- Race conditions — Timing-dependent flaws where concurrent processes can interfere with each other
- RADIUS — UDP-based AAA protocol that encrypts only the password; commonly used for Wi-Fi and VPN authentication
- RAD — Rapid Application Development: software development methodology emphasizing quick prototyping and iterative delivery
- RAID — Redundant Array of Inexpensive Disks: disk redundancy technique; RAID 1 mirrors, RAID 5 stripes with parity, RAID 10 combines both
- Rainbow table attack — Using precomputed hash-to-password lookup tables to crack hashed passwords quickly
- RAM — Random Access Memory: volatile memory; forensic imaging must capture RAM before power-off to preserve evidence
- RAS — Remote Access Server: server providing authentication and connectivity for remote users
- Ransomware-as-a-Service (RaaS) — Criminal developers provide ransomware tools to affiliates in exchange for a cut of profits
- RAT (Remote Access Trojan) — Gives attackers full remote control of a compromised system
- RC4 — Rivest Cipher version 4: stream cipher formerly used in WEP and TLS; deprecated due to known vulnerabilities
- RCS — Rich Communication Services: enhanced messaging protocol succeeding SMS with multimedia and group chat features
- Real-time alerting — Immediate notification when correlation rules or thresholds are triggered
- Reconnaissance — Passive (OSINT, DNS lookups) and active (port scanning, service enumeration) information gathering
- Recovery — Restoring systems to normal operations, monitoring for re-infection
- Recovery Point Objective (RPO) — the maximum acceptable data loss measured in time (e.g., 4 hours of transactions)
- Recovery Time Objective (RTO) — the target time to restore a function after disruption; must be less than MTD
- Red team vs. pen test — Red teams simulate real adversaries over extended periods; pen tests are time-boxed technical assessments
- Reflected XSS — Malicious script in a URL parameter is reflected back to the victim in the server's response
- Registry and GPO hardening — Windows Group Policy Objects enforce security settings across domains
- RFC — Request for Comments: IETF documents defining internet standards, protocols, and best practices
- Regulatory audit — mandated by a governing body (e.g., PCI QSA audit for PCI DSS compliance)
- Regulatory compliance — meeting requirements imposed by law (GDPR, HIPAA, SOX, GLBA, FERPA)
- Relay attacks — Forwarding authentication exchanges between a victim and a legitimate service (common with NFC/RFID)
- Remediation network — quarantine VLAN where non-compliant devices are placed to receive updates
- Remediation vs. mitigation — Remediation fixes the vulnerability; mitigation reduces the risk without fully eliminating it
- Remove default accounts and passwords — Default credentials are publicly known and easily exploited
- Replay attack — Capturing and retransmitting valid network traffic to gain unauthorized access or duplicate transactions
- Replication — real-time or near-real-time copying of data to a secondary location
- Residual risk — risk remaining after controls are applied
- Resource contention — VMs competing for shared CPU, memory, storage, and network resources
- Resource exhaustion — Consuming all available memory, CPU, disk, or connections to cause denial of service
- Retention and archival — Storing log data for compliance requirements and forensic investigations
- Revocation — CRL or OCSP; reasons include key compromise, CA compromise, or affiliation change
- RFID cloning — Copying RFID badge data to create unauthorized duplicate access cards
- RIPEMD — RACE Integrity Primitives Evaluation Message Digest: family of cryptographic hash functions; RIPEMD-160 produces a 160-bit hash
- ROI — Return on Investment: financial metric used to justify security spending by comparing cost vs. risk reduction
- Right to audit — contractual clause allowing the organization to audit the vendor
- Rights management (IRM) — Information Rights Management: controls that persist with the data (who can view, edit, print, forward)
- Risk = Threat x Vulnerability x Impact — all three factors must be present for risk to exist
- Risk appetite vs. risk tolerance — appetite is the overall willingness to take risk; tolerance is the acceptable deviation from appetite
- Risk identification — asset inventory, threat modeling, vulnerability scanning
- Risk matrix / heat map — visual tool plotting likelihood vs. impact
- Risk register — a living document tracking identified risks, owners, responses, and status
- Risk-based prioritization — Considering exploit availability, asset criticality, and exposure when deciding remediation order
- Risks — Automation of bad processes amplifies mistakes; credential management for automated tools; single point of failure
- Rogue access point — Unauthorized AP connected to the corporate network, creating a backdoor past perimeter security
- Rogue DHCP server — Unauthorized DHCP server providing malicious gateway or DNS settings to clients
- Role-Based Access Control (RBAC) — Assigning permissions based on job roles rather than individual users
- Role-based training — different roles receive different training (developers learn secure coding; executives learn BEC threats)
- Roles and responsibilities — CISO, data owner, data custodian, data steward, data processor, data controller
- Root cause analysis — EDR tools trace the full attack chain from initial access to impact
- Rootkit — Hides deep in the OS (kernel-level or boot-level) to maintain persistent, stealthy access
- RSA — Rivest, Shamir, and Adleman: widely used asymmetric encryption algorithm based on the difficulty of factoring large primes
- RTBH — Remotely Triggered Black Hole: DDoS mitigation technique that drops malicious traffic at the network edge via BGP
- RTOS — Real-time Operating System: OS designed for time-critical embedded systems (industrial, medical, automotive)
- RTP — Real-time Transport Protocol: protocol for delivering audio and video over IP networks; used in VoIP
- Rules of engagement (ROE) — Legal document defining scope, timing, allowed techniques, and emergency contacts
S
- S/MIME — Secure/Multipurpose Internet Mail Extensions: certificate-based encryption and digital signing of email content
- SaaS — Software as a Service: cloud model delivering applications over the internet on a subscription basis
- SAE — Simultaneous Authentication of Equals: password-based key exchange in WPA3 that resists offline dictionary attacks (Dragonfly)
- Salting — Adding random data to passwords before hashing to defeat rainbow table attacks
- SAML — Most common enterprise federation protocol; uses XML assertions exchanged via browser redirects
- SAML (Security Assertion Markup Language) — XML-based standard for exchanging authentication and authorization data between an IdP and SP
- Sandboxing — using VMs as isolated environments for testing suspicious code or malware analysis
- SCADA — Supervisory Control and Data Acquisition: system for monitoring and controlling industrial processes; high-value target for attackers
- Scalability — vertical (scale up: more resources) vs. horizontal (scale out: more instances)
- SCAP — Security Content Automation Protocol: NIST suite of standards for automated vulnerability management and compliance checking
- SCCM — Microsoft System Center Configuration Manager: enterprise tool for software deployment, patch management, and endpoint configuration
- SCEP — Simple Certificate Enrollment Protocol: protocol for automated certificate enrollment with a certificate authority
- Scan scheduling — Regular scans (weekly, monthly) plus ad-hoc scans after major changes
- Scheduling algorithms — round-robin, least connections, weighted, IP hash, health-based
- Privacy screens — Physical filters that prevent shoulder surfing by limiting viewing angles
- Screened subnet (DMZ) — uses firewalls to create a buffer zone for public-facing services
- SDK — Software Development Kit: set of tools, libraries, and documentation for building applications on a specific platform
- SDLC — Software Development Life Cycle: structured phases (planning, design, coding, testing, deployment) for developing software securely
- SDLM — Software Development Life-cycle Methodology: framework guiding the SDLC process (Agile, Waterfall, DevSecOps)
- SDV — Software-defined Visibility: programmable network visibility providing dynamic traffic monitoring and analysis
- Scripting languages — Bash, PowerShell, Python are the most common in security operations
- Secrets management — storing credentials, keys, and tokens securely in cloud environments
- Secure Access Service Edge (SASE) — cloud-delivered convergence of network and security services
- SED — Self-Encrypting Drive: storage drive with built-in hardware encryption that protects data at rest automatically
- SEH — Structured Exception Handling: Windows mechanism for handling exceptions; can be exploited in buffer overflow attacks
- Secure areas — Server rooms, data centers, and wiring closets requiring restricted physical access
- Secure baseline images — Golden images with pre-hardened configurations for consistent deployment
- Secure email gateway — Filters inbound and outbound email for spam, phishing, malware, and DLP violations
- Security awareness training — Educating users to recognize and respond to social engineering and phishing attacks
- SFTP — SSH File Transfer Protocol: file transfer protocol using SSH for encrypted, authenticated file transfers
- Security baselines and hardening — Configuring systems according to CIS Benchmarks or STIGs before deployment
- Security guards — Human element providing judgment-based physical access control
- Security layers — From outer to inner: perimeter, network, host, application, data — the layers of defense-in-depth
- Security through obscurity — Relying on secrecy of design rather than robust controls; considered insufficient on its own
- Self-service capabilities — Password resets and profile updates reduce helpdesk burden while maintaining security
- Separation of duties — Dividing critical tasks among multiple people to prevent fraud and detect errors
- Server-Side Request Forgery (SSRF) — Tricking the server into making requests to internal resources on behalf of the attacker
- Service account management — Tracking and securing non-human accounts used by applications and scripts
- Service Level Agreements (SLAs) — contractual terms defining uptime, response times, and security obligations
- Service Provider (SP) — The organization that accepts identity assertions from the IdP
- Session hijacking — Stealing or predicting a valid session token to impersonate an authenticated user
- SIM — Subscriber Identity Module: smart card storing mobile subscriber identity; target of SIM swapping attacks
- SIP — Session Initiation Protocol: signaling protocol for initiating and managing VoIP and video calls
- Session recording — Recording all actions taken during privileged sessions for audit and forensic purposes
- Session replay — Capturing and retransmitting a valid authentication exchange to gain unauthorized access
- Shared responsibility model — security
- Shoulder surfing — Physically observing someone entering their password or viewing sensitive information
- Side-channel attacks — Exploiting physical characteristics (timing, power, EM emissions) rather than algorithmic weaknesses
- Single point of failure (SPOF) — any component whose failure would bring down an entire system
- SLE — Single Loss Expectancy: monetary loss expected from a single occurrence of a risk event; SLE = AV x EF
- SMB — Server Message Block: Windows file sharing protocol; vulnerable to exploits like EternalBlue
- SMS — Short Message Service: text messaging service; insecure for MFA due to SIM swapping and interception risks
- SMTP — Simple Mail Transfer Protocol: protocol for sending email; can be secured with STARTTLS
- SMTPS — Simple Mail Transfer Protocol Secure: SMTP over TLS for encrypted email transmission
- Single point of failure risk — If SSO is compromised, all linked applications are at risk
- Single-factor authentication (SFA) — Uses one authentication factor; least secure authentication method
- Slowloris — Keeps many HTTP connections open by sending partial headers, exhausting the server
- Smishing — SMS-based phishing via text messages
- Smurf attack — Sending ICMP echo requests with spoofed source (victim
- Snapshot management — snapshots capture VM state; old snapshots may contain outdated or vulnerable configurations
- SNMP (Simple Network Management Protocol) — Used to monitor and manage network devices; SNMPv3 adds encryption and authentication
- SOAP — Simple Object Access Protocol: XML-based messaging protocol for web services; vulnerable to XML injection attacks
- SoC — System on Chip: integrated circuit combining CPU, memory, and peripherals on a single chip
- SOC reports — SOC 1 (financial controls), SOC 2 (security/availability/confidentiality), SOC 3 (public summary)
- Software-Defined Networking (SDN) — programmatic control of network infrastructure; separates control plane from data plane
- Software-defined perimeter (SDP) — Creates one-to-one encrypted connections between users and resources; hides infrastructure
- Something you are — Biometrics — fingerprint, facial recognition, iris scan, voice recognition
- Something you do — Behavioral biometrics such as typing patterns or gait analysis (less common on exam)
- Something you have — Smart cards, hardware tokens (YubiKey), mobile authenticator apps, OTP devices
- Something you know — Passwords, PINs, security questions
- Somewhere you are — Geolocation or IP-based restrictions (sometimes considered a factor)
- SOX (Sarbanes-Oxley) — US law requiring financial reporting integrity and internal controls
- SPF (Sender Policy Framework) — DNS TXT record that specifies which mail servers are authorized to send email for a domain
- SPIM — Spam over Instant Messaging: unsolicited messages sent via IM platforms; vector for phishing and malware
- Spyware — Secretly monitors user activity, capturing keystrokes, screenshots, or browsing habits
- SRTP — Secure Real-time Transport Protocol: encrypted version of RTP for securing VoIP and video communications
- SSD — Solid State Drive: flash-based storage; requires crypto-erase for secure disposal since degaussing is ineffective
- SSID — Service Set Identifier: name of a wireless network broadcast by an access point
- SQL injection (SQLi) — Inserting SQL commands into input fields to manipulate database queries — can read, modify, or delete data
- TLS interception (SSL proxy) — Using a trusted certificate to decrypt, inspect, and re-encrypt TLS traffic
- TLS offloading — load balancer handles encryption/decryption, reducing server workload
- TLS stripping — Downgrading an HTTPS connection to HTTP so the attacker can read traffic in plaintext
- STIG (Security Technical Implementation Guide) — DoD-specific hardening standards for government systems
- STP — Shielded Twisted Pair: network cabling with shielding to reduce electromagnetic interference
- STIX (Structured Threat Information eXpression) — Standardized language for describing cyber threat information
- STIX/TAXII — Standards for formatting (STIX) and sharing (TAXII) IoC data between organizations
- Stored (Persistent) XSS — Malicious script permanently stored on the server — affects all users who view the infected content
- Stored procedures — Pre-compiled database queries that can limit injection surface when used correctly
- Strategic intelligence — High-level trends and risks for executive decision-making
- Succession planning — ensuring leadership continuity if key personnel are unavailable
- Supply chain risk — compromised hardware, software, or services introduced through the supply chain (e.g., SolarWinds)
- SWG — Secure Web Gateway: proxy that filters web traffic, enforces URL policies, and blocks malicious content
- SYN flood — Sending many TCP SYN packets without completing the handshake, filling the target
- Syslog — Standard protocol (UDP 514, TCP 514, or TLS 6514) for transmitting log data to a centralized server
T
- Tabletop exercises — Discussion-based simulations that walk through IR scenarios without touching systems
- TCP/IP — Transmission Control Protocol/Internet Protocol: foundational protocol suite for internet communication
- TACACS+ — TCP-based AAA protocol that encrypts the entire payload; handles authentication, authorization, and accounting as separate functions
- Tactical intelligence — TTPs (tactics, techniques, procedures) used by adversaries — informs detection rules
- Tailgating (piggybacking) — Following an authorized person through a secured door without independent authentication
- TAXII (Trusted Automated eXchange of Intelligence Information) — Protocol for exchanging STIX data
- Technical controls — Firewalls, encryption, access control systems, IDS — technology-based security mechanisms
- TGT — Ticket Granting Ticket: Kerberos token obtained during initial authentication; used to request service tickets
- TKIP — Temporal Key Integrity Protocol: encryption protocol used in WPA; deprecated in favor of CCMP/AES in WPA2
- Technical intelligence — Specific IoCs — IP addresses, file hashes, domain names — fed into security tools
- Telemetry correlation (XDR) — Combines data from endpoints, network, cloud, and email to detect multi-vector attacks
- Testing the DRP — same test types as BCP (tabletop, simulation, parallel, full interruption)
- Testing types — Black box (no prior knowledge), white box (full knowledge), gray box (partial knowledge)
- Supply chain risks — Vulnerabilities in vendor software, libraries, or dependencies (e.g., Log4Shell)
- Threat actor profiling — Understanding adversary motivation, capability, and intent
- Threat assessment — evaluating threat sources and their capabilities
- Threat containment — Ability to isolate a compromised endpoint from the network in real time
- Threat feeds — Automated IoC data streams from commercial and open-source providers for security monitoring
- Threat intelligence enrichment — Automatically querying threat feeds to add context to alerts before analysts review them
- Threat intelligence integration — EDR/XDR platforms cross-reference activity with known threat indicators
- Timeline analysis — Reconstructing the sequence of events using file timestamps, logs, and artifacts
- Token-based authentication — SSO systems issue tokens (JWT, SAML assertions) that prove identity to relying parties
- Tokenization — replaces sensitive data with non-sensitive tokens; original data stored in a secure vault
- TOTP (Time-based One-Time Password) — Algorithm that generates codes valid for a short time window (e.g., Google Authenticator)
- Training frequency — onboarding training plus regular refreshers (annual at minimum, quarterly preferred)
- Transitive trust — If A trusts B and B trusts C, A may transitively trust C — this can introduce risk
- Triple extortion — Adds DDoS attacks or contacting victims
- Trojan — Malware disguised as legitimate software; provides backdoor access or delivers additional payloads
- TSIG — Transaction Signature: DNS authentication mechanism using shared secrets to verify DNS updates and zone transfers
- Trust relationships — Formal agreements between identity providers and service providers defining how identity data is shared
- Trusted Platform Module (TPM) — chip on the motherboard that stores keys and supports measured boot
- Tuning — adjusting sensitivity and rules to reduce false positives without increasing false negatives
- Typosquatting — Registering domains similar to legitimate ones to capture mistyped URLs
- URL hijacking — Registering look-alike domains (e.g., googel.com) to capture users who mistype URLs
U
- UAT — User Acceptance Testing: final testing phase where end users verify the system meets business requirements
- UDP — User Datagram Protocol: connectionless transport protocol; faster but unreliable compared to TCP
- UEFI — Unified Extensible Firmware Interface: modern firmware interface replacing BIOS; supports Secure Boot to prevent rootkits
- Unified Threat Management (UTM) — all-in-one appliance combining firewall, IDS/IPS, antivirus, content filtering, VPN
- Unpatched software — Known vulnerabilities with available fixes that have not been applied — one of the most exploited vulnerability types
- Use cases — specific automation scenarios: user provisioning, alert triage, patch deployment, threat containment
- User and Entity Behavior Analytics (UEBA) — uses ML to baseline normal user/entity behavior and detect anomalies indicating insider threats or compromise
- URI — Uniform Resource Identifier: string identifying a resource by location (URL) or name (URN)
- URL — Uniform Resource Locator: web address specifying the protocol and location of an internet resource
- USB OTG — USB On-The-Go: USB spec allowing mobile devices to act as host; potential vector for juice jacking
- UTP — Unshielded Twisted Pair: common network cabling without shielding; susceptible to electromagnetic interference
V
- VBA — Visual Basic for Applications: macro language in Microsoft Office; commonly exploited in malicious document attacks
- VDE — Virtual Desktop Environment: centralized desktop delivery infrastructure for secure remote access
- VDI — Virtual Desktop Infrastructure: hosting desktop environments on a centralized server; reduces endpoint data exposure
- Vendor assessment — questionnaires, on-site audits, penetration test results, and SOC reports used to evaluate vendor security
- Vendor diversity — Using products from multiple vendors so a vulnerability in one doesn
- Vendor lock-in — dependency risk when switching providers is costly or technically difficult
- Version control — Tracking changes to configurations, code, and documentation for accountability and rollback
- Video surveillance (CCTV) — Continuous monitoring and recording of facility areas for physical security
- Virtual Network Security — Virtual switches, virtual firewalls, and micro-segmentation within virtualized environments
- Virus — Requires a host file to execute; spreads when the infected file is opened or executed
- Vishing — Voice-based phishing via phone calls to trick victims into revealing information
- VLAN hopping — Exploiting trunk port configurations to access traffic on VLANs other than the attacker
- VLANs (Virtual LANs) — logically separate broadcast domains on a single switch; require a router or Layer 3 switch to route between VLANs
- VLSM — Variable-length Subnet Masking: subnetting technique allowing different subnet sizes within the same network
- VM escape — attacker breaks out of a VM and accesses the hypervisor or other VMs; a critical virtualization threat
- VM isolation — ensuring one VM cannot access another VM
- VM sprawl — uncontrolled proliferation of VMs that become unpatched, unmonitored, and forgotten security liabilities
- VoIP — Voice over IP: transmitting voice calls over IP networks; requires encryption (SRTP) to prevent eavesdropping
- Volumetric attacks — Flooding the target with massive traffic to saturate bandwidth (UDP floods, ICMP floods)
- VPC — Virtual Private Cloud: isolated virtual network within a public cloud environment
- VPN concentrator — dedicated device that terminates large numbers of VPN tunnels, centralizing remote access management
- VTC — Video Teleconferencing: real-time video communication; requires encryption and access controls to prevent eavesdropping
- Vulnerability assessment — identifying weaknesses that could be exploited
- Vulnerability scanning — automated probing of systems to identify known vulnerabilities, misconfigurations, and missing patches
W
- War driving — Scanning for wireless networks while moving through an area to map vulnerable access points
- WAP — Wireless Access Point: device providing wireless connectivity to a wired network
- Watering hole attack — Compromising a website frequently visited by the target group to infect visitors
- Weak encryption — Using deprecated algorithms (DES, MD5, SHA-1, RC4) or insufficient key lengths
- WEP — Wired Equivalent Privacy: legacy wireless encryption protocol; critically broken and should never be used
- Windows Event Log — built-in Windows logging system capturing security, system, and application events; critical for SIEM ingestion
- Worm — Self-replicating malware that spreads across networks without user interaction
- WIDS — Wireless Intrusion Detection System: monitors wireless traffic for rogue access points and unauthorized activity
- WIPS — Wireless Intrusion Prevention System: detects and automatically blocks wireless threats like rogue APs and deauth attacks
- WPA2 handshake capture — Capturing the 4-way handshake to perform offline brute-force password cracking
- WPS attacks — Exploiting Wi-Fi Protected Setup PIN vulnerability to recover the WPA key
- WPS — WiFi Protected Setup: simplified wireless setup using a PIN; vulnerable to brute-force attacks
- Write blockers — hardware or software devices that prevent any writes to digital evidence media, preserving forensic integrity
- WS-Federation — web services federation standard for sharing identity across security domains using passive and active profiles
X
- X.509 certificate fields — subject, issuer, serial number, validity period, public key, signature algorithm, and extensions
- XaaS — Anything as a Service: umbrella term for cloud service models (IaaS, PaaS, SaaS, and beyond)
- XXE — XML External Entity: injecting malicious XML to read files, perform SSRF, or cause denial of service
- XML — Extensible Markup Language: markup language for structured data; vulnerable to XXE injection and XML bombs
- XOR — Exclusive OR: bitwise operation fundamental to encryption; outputs true when inputs differ
- XSRF — Cross-site Request Forgery: attack forcing authenticated users to submit unintended requests to a web application
Z
- Zero trust architecture — never trust, always verify; authenticate and authorize every access request regardless of network location
- Zero-day vulnerabilities — Flaws unknown to the vendor with no available patch — exploits are highly valued by attackers