Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA CySA+ Cybersecurity Analyst Certification: Glossary of Important Concepts
Source: https://www.fatskills.com/comptia-cysa-cybersecurity-analyst-certification/chapter/comptia-cysa-cybersecurity-analyst-certification-glossary-of-important-concepts

CompTIA CySA+ Cybersecurity Analyst Certification: Glossary of Important Concepts

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~28 min read

acceptable use policy (AUP) A policy that dictates which actions users may and may not take with regard to resources on an organization’s networks
access control list (ACL): A list of containing actions, network traffic, or software that can be used to allow or deny actions based on criteria such as user, IP address, port, protocol, service, or executable
Address Resolution Protocol (ARP): Protocol residing at the network layer of the OSI model that maps media access control (hardware) addresses to logical addresses
Advanced Encryption Standard (AES): National encryption standard published by NIST for encryption suitable for all commercial and government applications; it is a block cipher based on the Rijndael algorithm, having key sizes of 128, 192, and 256 bits with 128-bit block sizes.
advanced persistent threat (APT): Threat actor characterized by unlimited resources, advanced attack techniques, and the ability to engage a target for long periods. Typically seen as nation-states or large criminal organizations.
allow list: List of entries containing network traffic ports, protocols, services, applications, users, and other subjects to grant permissions. Replaces the outdated term whitelisting.
anti-tamper: The management program and set of technologies used to ensure hardware authenticity and integrity along the supply chain
application programming interface (API): Method of interacting with and accessing software code between applications, including interfaces and data exchange
application stress testing: Method of testing application resilience by sending large volumes or unusual traffic to an application to determine how it reacts
asset tagging: Software and hardware method of embedding inventory information into an asset
atomic execution: A method for controlling program run so that processes must execute in a specific sequence and cannot be interrupted between the time the process starts and when it ends
attack surface: Level of exposure of an asset to potential attacks from various means
attack vector: Method of attack that takes advantage of specific vulnerabilities
attribute-based access control: Access control method that determines resource access based on specific characteristics or attributes of the subject or object, such as group membership, role, time of day, location, and so on
blacklisting: An outdated term used to describe a deny list, in which the elements of the list are denied access to the network, a resource, or security privileges. See also deny list.
blue team: Name for the team of cybersecurity professionals charged with network defense during a security assessment
bring your own device (BYOD): Method of infrastructure management where users can bring personally owned devices and connect them to the organization’s network
buffer overflow attack: An attack where the memory contents of an application are overwritten, causing the application to behave erratically or unexpectedly
bus encryption: A method for encrypting/decrypting data at the CPU, rather than on a storage media, to prevent data from being intercepted and decrypted as it traverses between the media and the CPU
business e-mail compromise (BEC): Compromise of an organizational e-mail infrastructure through direct attack or phishing attempts
business impact analysis: Process in which an organization’s business processes, as well as the information technology assets that support them, are inventoried and prioritized for criticality in the event of an incident
carving: The forensics process of locating and removing files, artifacts, or other usable data from deleted or damaged data
Center for Internet Security (CIS): A community-driven nonprofit organization that produces and promulgates cybersecurity standards, including the CIS Controls and Benchmarks
central processing unit (CPU): The primary processing chip and associated circuitry responsible for all logic, arithmetic, and control functions within a computer system
Certificate Authority (CA): Entity granting a digital certificate and public/private key pair to another entity based on validated identity and other requirements
change management: The process and associated activities of carefully planning and executing authorized changes within an infrastructure
closed source intelligence: Information that is unavailable to the general population and only obtainable by being a member of a closed group authorized access to such information
cloud access security broker (CASB): An intermediate layer of security management technology used to consolidate and communicate with an organization’s cloud services
code review: The process of reviewing and validating software code to ensure that it is functional and secure
commodity malware: Malware produced and sold as a commodity to various malicious actors
Common Vulnerability Scoring System (CVSS): Provides for specific characteristics of a security weakness (for example, software vulnerabilities and security configuration issues) and, based on those characteristics, generates a score that reflects their relative severity
community cloud: The cloud model used when multiple organizations have similar infrastructure requirements and may need to share data at some level
compensating controls: Controls used on a short-term basis when preferred controls cannot be implemented.
confidence rating: A ranking of how confident an organization is that a threat rating is accurate. This rating is often measured on a scale of 0–100, with 100 representing the highest level of confidence
containment: Process of curtailing an incident in preventing further damage to an organization’s assets.
continuous integration/continuous delivery (CI/CD): Concept describing the continuous integration and delivery of secure, functional software code to the production environment
Control Objectives for Information and Related Technology (COBIT): Control framework published by ISACA that covers business management of IT resources
controller area network (CAN): A standardized architecture protocol used in vehicles to facilitate communications between internal components
corrective controls: Controls that are implemented in a temporary and possibly urgent situation to strengthen existing weak or faulty controls
credential stuffing attack: An attack technique that allows an attacker to make use of credentials previously compromised in another data breach
cross-site scripting (XSS) attack: A web-based attack involving the injection of malicious scripts into a vulnerable website. These scripts are then run by a victim who visits the website.
customer relations management (CRM): Unified processes, activities, and tools designed to manage all aspects of customers and their data
cyber intelligence: Aggregated cyber threat information, including threat intelligence from government, industry, and open source sources
cyber kill chain: A framework that identifies the various stages of a cyberattack
data enrichment: Process of adding additional context to a single piece of threat data, enabling an analysis of all aspects of the threat
data loss prevention (DLP): Collection of policies, programs, and technologies that allow an organization to prevent sensitive data from leaving the organization through the network, storage media, and other means
data masking: Obfuscation of parts of certain data elements (such as a Social Security number) from a record in order to ensure that authorized individuals can see only the data required for their job
deidentification: Removal of specific identifiers from a dataset so that the subjects of that data cannot be identified
demilitarized zone (DMZ): Security zone within an organization’s network that isolates and controls access to specific hosts and network segments
deny list: A list containing entries of network traffic, applications, or subjects used to deny permissions or actions to those elements. Replaces the outdated term blacklisting.
detective controls: Security controls designed to detect malicious actions or violations of policy
deterrent controls: Security controls designed to be known to a potentially malicious actor to deter them from performing a malicious act or violation of policy
DevSecOps: Integration of the development, security, and operational personnel and processes to develop software that is more usable, meets functional requirements, and is more secure
Diamond Model of Intrusion Analysis: An analytical methodology for cybersecurity analysts to utilize prior to, during, and after cybersecurity intrusions. The model demonstrates the relationships and characteristics of an attack’s four main components: adversary, capabilities, infrastructure, and victim.
digital rights management (DRM): Processes designed to integrate mechanisms into digital media to prevent its unauthorized access or use
directory traversal attack: An attack in which the attacker can navigate through sensitive directory structures on a server or network that they should not usually be allowed to access
discretionary access control: Access control model allowing the creator or owner of a resource, such as a file or a folder, to grant access to others based on their own criteria
distributed denial of service (DDoS): Denial-of-service attack characterized by multiple, simultaneous attacks on a host from various other hosts
Document Object Model (DOM): A standard dictating how client browsers interact with HTML presented from a web server
domain generation algorithm (DGA): Method of dynamically generating random domain names and URLs. Primarily used to obfuscate malware command-and-control servers.
Domain Keys Identified Mail (DKIM): A standard developed to detect e-mail spoofing, thereby preventing phishing and other impersonation attacks. DKIM uses a digital signature linked to an organization’s domain name.
Domain Name System (DNS): Internet-wide system that allows Internet Protocol (IP) addresses to be translated to a common human-understandable name
Domain-based Message Authentication, Reporting, and Conformance (DMARC): An e-mail authentication protocol designed to ensure the authenticity of e-mail sent from the organization. DMARC uses either Domain Keys Identified Mail (DKIM) or the Sender Policy Framework (SPF) as its method to ensure authenticity.
dynamic analysis: Method of code analysis that requires the software code to be executed in a secure environment to observe how it interacts with the operating system and other elements of the network
Dynamic Host Configuration Protocol (DHCP): TCP/IP protocol responsible for issuing IP addresses and other critical network information dynamically to hosts on a network
Elasticsearch, Logstash, Kibana (ELK): Open source, comprehensive security information and event management (SIEM) solution
endpoint: Individual device on a network; typically, an end-user host or individual host dedicated to a single function
endpoint detection and response (EDR): Process focused on detecting and responding to malicious events on an endpoint device
enterprise resource planning (ERP): Comprehensive management of primary business processes through carefully orchestrated processes, tasks, activities, and dedicated software tools
Extensible Markup Language (XML) attack: Attack in which the attacker manipulates an XML application or service logic by injecting XML content or structures into a web application to bypass the program logic of the application
false negative: A result from an assessment tool that neglects to indicate a specific vulnerability that is in fact present
false positive: A result from an assessment tool that indicates a vulnerability that actually does not exist
federated authentication: An authentication model in which multiple organizations either trust each other so that authentication mechanisms and credentials are transitive across organizations or they all use a centralized authentication provider
field-programmable gate array (FPGA): An improved version of a system-on-chip configuration used in a wide variety of electronic devices, including medical devices, automotive electronics, industrial control systems, and consumer electronics. FPGA is more flexible and allows programmers and end users to install firmware updates to reconfigure the hardware so that new software functionality, as well as security mitigations, can be implemented on it.
File Transfer Protocol (FTP): TCP/IP protocol used to transfer basic files from one host to another. FTP is inherently insecure, as it offers no encryption or authentication mechanisms and transmits all data in cleartext. It uses TCP port 21 for control and port 20 for data.
Firewall as a Service (FaaS): Cloud-based service offering that provides firewall and other perimeter security services for client organizations
Forensic Toolkit (FTK): Comprehensive commercial forensics application available from AccessData
frameworks: Overarching architecture of processes, activities, and tasks that provide a method for implementing a program
Function as a Service (FaaS): Cloud service that offers customers a serverless architecture that only provides specifically defined functions abstracted from a server infrastructure
fuzzing: Method of software testing where large volumes of a random or unexpected input are sent to the application to observe its reactions for the purposes of gauging its resilience, functionality, and security
hacktivist: Activist individual or group that conducts cyber attacks on organizations as part of a self-defined moral or ethical cause
hardware security module (HSM): Hardware device responsible for generating and storing cryptographic keys. It is often implemented as an add-on card or device installed separately from the computing device.
heap overflow attack: An attack in which the attacker attempts to exhaust the memory dynamically available for the application in the heap portion of system memory
heuristics: Method of detection and analysis that offers a best guess of behaviors based on characteristics of previously known attacks
honeynet: A network of honeypot devices
honeypot: A networked host designed to be inherently insecure to attract an attacker for the purposes of observing the attack without the attacker’s knowledge. Honeypots are also used to distract an attacker from an organization’s sensitive network.
host-based intrusion detection/prevention system (HIDS/HIPS): A software intrusion detection/prevention system installed and focused on a single host
hybrid cloud: A cloud solution having combined characteristics of other cloud deployment models, such as private, public, and community clouds
impersonation attack: An attack that attempts to impersonate a specific user or host
indicator of compromise (IoC): A piece of data or other artifact that may indicate that a system or the network has been attacked or otherwise compromised
Information Sharing and Analysis Center (ISAC): A nonprofit organization that collects, analyzes, and distributes threat intelligence to public and private sector organizations with critical infrastructures
Information Technology Infrastructure Library (ITIL): A library of practices and standards used for IT service management that focuses on aligning IT services with business needs
Infrastructure as a Service (IaaS): Cloud service model in which the cloud provider offers the hardware, network, and storage assets so that the organizational user can install and use its own operating system and applications
Infrastructure as Code (IaC): A functionality offered by cloud service providers that allows developers to dynamically change the infrastructure based on changes in their code rather than relying on servers and networks
integer overflow attack: Attack method in which an attacker creates a mathematical operation using a numerical value that is larger than the application’s memory space assigned for it and injects it through invalid input
International Organization for Standardization (ISO): Organization (often seen in conjunction with the International Electrotechnical Commission, or IEC) engaged in developing and implementing international standards for engineering, information technology, and many other areas
Internet Message Access Protocol (IMAP): TCP/IP application layer protocol used by e-mail clients to retrieve e-mail messages from an e-mail server and defined by RFC 3501. IMAP uses TCP port 143 (non-secure) or TCP port 993 for the secure version (IMAP over SSL, called IMAPS).
Internet of Things (IoT): Name given to the paradigm of Internet-connected end devices that have very minimal resources and operating systems and serve very specific functions, such as consumer electronics devices and industrial control systems
Internet Protocol (IP): TCP/IP protocol responsible for logical addressing, routing, diagnostics information, and troubleshooting
intrusion detection system (IDS): Network- or host-based system designed to detect an active attack in progress. An IDS is often combined with an intrusion prevention system (IPS).
intrusion prevention system (IPS): Network-or host-based system designed to prevent or stop an active attack in progress. An IPS is often combined with an intrusion detection system (IDS).
Lightweight Directory Access Protocol (LDAP): Primary protocol used in directory services infrastructures to enable integrated resource location. LDAP is an X.500-compatible protocol and uses TCP and UDP ports 389, or port 636 for LDAPS (LDAP over SSL).
local area network (LAN): Network infrastructure that uses locally routed resources and does not traverse a wide area network (WAN) link
machine learning: A discipline of computer science that can be used to expand data analytics significantly beyond simple pattern searching or correlation. In addition to predetermined criteria, machine learning can allow an analysis to extrapolate beyond its programmed pattern analysis and combine elements of behavior analysis with complex algorithms.
magnitude: In risk management, the level of impact that a negative event has on the organization or an asset
managerial controls: Controls focused on security management measures, such as policies and procedures
mandatory access control (MAC): Access control model based on a subject’s clearance and objects labels. Access can only be assigned by an administrator.
man-in-the-middle attack: An attack characterized by a malicious entity who intercepts communications from both the sender and receiver and impersonates both parties to access, alter, and redirect communications
measured boot and attestation: Measured boot is the process of collecting hashes of startup or boot files when booting in a mode other than secure boot. Attestation is the process of comparing those same hashes to known-good ones to validate the startup or boot files.
memorandum of agreement (MOA): An agreement between two entities, usually within the same organization, that specifies levels of service or other commitment
memorandum of understanding (MOU): An agreement between two parties, usually within the same organization, that outlines specific points of understanding or agreement, such as guaranteed service levels, between the two parties. See also memorandum of agreement.
Message Digest 5 (MD5): Deprecated hashing algorithm that produces a 128-bit hash in the form of a 32-digit hexadecimal number
microservices: A popular service-oriented architectural method that consists of individualized deployable application services that are focused on business transactions and perform very specific functionality
MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework: A public knowledge base of threat tactics and techniques developed by the nonprofit MITRE Corporation. The ATT&CK framework describes the tactics, techniques, and procedures threat actors use to penetrate networks, move laterally across the network, escalate privileges, and evade the target defenses.
mobile device management (MDM): The overarching management infrastructure for all mobile devices, such as smartphones, tablets, and laptops within an organization to integrate their interoperability and security functions
MODBUS: A widely used communication protocol originally developed in 1979 by Schneider Electric for use in industrial electronic automation systems
Monitoring as a Service (MaaS): A cloud service model that allows for monitoring systems, networks, devices, users, and other aspects of an organization for security, function, and performance
multifactor authentication (MFA): An authentication model that uses more than one factor, such as a smartcard and PIN, to authenticate a user to a system or facility
Multi Router Traffic Grapher (MRTG): Cross-platform network traffic monitoring and measurement software that allows the user to see traffic in graphic form. MRTG is written in the Perl scripting language and can be run on Windows, Linux, and macOS platforms.
National Institute of Standards and Technology (NIST): U.S. government agency under the Department of Commerce tasked with developing formal U.S. standards and technologies
network access control (NAC): Method of ensuring that any host joining the network is subject to inspection and required security measures, such as antimalware, secure configuration, and patching
network address translation (NAT): Method of mapping private Internet Protocol (IP) addresses to public IP addresses for the purposes of security and efficiently using the limited IP version 4 address space
network interface card (NIC): Hardware attached to a system through an external interface card, USB device, or chip on a motherboard that allows communications between the host and a network
network intrusion detection systems (NIDS): Network-based system designed to detect potential network attacks or compromises; often combined with an intrusion prevention system
nondisclosure agreement (NDA): Agreement signed between individuals or organizations requiring each signatory to maintain confidentiality of any sensitive or proprietary information exchange between the agreeing parties
open source intelligence: Intelligence derived from public or nonproprietary sources, such as the Internet, public directories, and so on
Open Source Security Information Management (OSSIM): A Linux-based, open source security information and event management system
Open Web Application Security Project (OWASP): A nonprofit organization focused on software and web application security. OWASP has developed several open source software projects, including Zed Attack Proxy (ZAP) and the OWASP Top 10 Web Application Security Risks.
operational controls: Controls focused on the physical and operational environment and associated procedures
original equipment manufacturer (OEM): The manufacturer or vendor who originally provides a device or software application
packet capture (PCAP): File containing network traffic capture, typically generated from a network protocol analyzer such as tcpdump or Wireshark
passive footprinting: Process of gathering all available information about an organization, its personnel, structure, network, and other characteristics. Passive footprinting uses techniques that allow someone to gather information without actively interacting with the organization or its infrastructure.
password spraying attack: Attack in which the attacker uses one or only a few passwords across many different accounts in an organization in hopes of compromising an account
Payment Card Industry (PCI): Professional trade industry composed of the major credit card issuers, including Visa, MasterCard, and American Express. PCI publishes the data security standards that are levied upon credit card merchants.
personally identifiable information (PII): Personal information that can be used to uniquely identify an individual; this includes information such as name, address, driver’s license number, passport number, Social Security number, and so on.
physical controls: Security measures that apply to the physical environment, such as fencing, gates, guards, closed-circuit television cameras, and environmental controls
platform: Term describing the architecture of a computing device and includes elements such as the operating system and CPU
Platform as a Service (PaaS): Cloud-based service in which providers offer computing platforms on which an organization can run their applications
pluggable authentication module (PAM): A mechanism that allows multiple authentication schemes to be used in an operating system or application. PAMs allow concurrent use and management of authentication mechanisms such as username/password and multifactor authentication and are primarily seen in Linux systems.
port security: Term used to describe the authentication mechanisms used in the IEEE 802.1X standard
preventative controls: Security measures used to prevent a violation of policy or malicious action
privacy: The exercise of control of personal information by an individual, to include its use, distribution, and disposition
private cloud: Cloud computing resources dedicated to the sole use of an organization
privilege escalation attack: Goal of an attacker in which a compromised user account is used to gain higher privileges on the host or network
privilege management: Processes and activities used for comprehensive management of user accounts and their authorized access to resources
probability: In risk management, the likelihood of a threat exercising a vulnerability
processor security extensions: Specialized components found in modern CPUs that work together to create a trusted execution environment by setting up a reserved area of memory for the application’s process to execute securely and through dynamic memory encryption/decryption
protected health information (PHI): Specific personal health information protected under statute such as the Health Insurance Portability and Accountability Act (HIPAA)
public cloud: A cloud model in which the cloud provider owns all of the resources, including hosts, network infrastructure, and applications, used to provide services to any organization. Each organization has its own unique piece of the public cloud infrastructure and therefore is logically separate from other organizations’ portions of the infrastructure.
public key infrastructure (PKI): The management infrastructure involved in controlling the secure lifecycle of public and private key pairs, including identity verification, issuing, maintaining, and retirement of digital certificates
real-time operating system (RTOS): A specialized operating system, sometimes developed from an existing operating system such as Windows or Linux, that is installed on an electronic chip and run on a variety of special-purpose devices, such as system or industrial controllers and Internet of Things devices
red team: Team of cybersecurity specialists tasked with exploiting found vulnerabilities during the security testing of an organization’s infrastructure
Remote Authentication Dial-in User Service (RADIUS): A TCP/IP protocol that provides centralized authentication, authorization, and accounting (AAA) services to remote hosts accessing a network. RADIUS uses TCP and UDP ports 1812.
remote code execution: A goal of an attack in which the attacker can remotely execute any arbitrary code of their choosing on a compromised system
Remote Desktop Protocol (RDP): TCP/IP protocol used to remotely access and control the resources and user interface of a system. RDP uses TCP port 3389 by default.
Representational State Transfer (REST): An architectural method used to overcome some of the limitations with the older SOAP protocol. REST is designed to allow stateless communications between services, applications, and web-based resources.
reverse engineering: The process of decomposing a piece of hardware or software down to its component elements to understand how it is constructed, its underlying functions, and its security mechanisms
role-based access control: Access control model that assigns privileges, rights, and permissions to a specified role rather than an individual. Individuals must be assigned to the roles in order to gain access to the resource or be able to perform the specified actions.
rootkit: Sophisticated malware that replaces an operating system’s critical files with compromised copies, allowing an attacker to control all aspects of the system and potentially go undetected.
sandboxing: The process of executing unknown or suspicious software in a controlled and secure environment to prevent its interaction with the underlying operating system or network
Secure Hash Algorithm (SHA): A family of hashing algorithms published as a set of standards by the National Institute of Standards and Technology (NIST)
Secure Shell (SSH): A TCP/IP protocol designed to secure remote sessions between hosts by offering encryption and authentication services. SSH uses TCP port 22.
Secure Sockets Layer (SSL): A deprecated TCP/IP protocol designed to protect communications across networks using encryption and authentication services. SSL was replaced by Transport Layer Security (TLS) and used TCP port 443.
Security Assertions Markup Language (SAML): A markup language that has specific tags in its structure that allow applications to use formatted information about the user, including their identity and other authentication and authorization information
Security Content Automation Protocol (SCAP): A framework developed by NIST used to assist in the overall risk management of systems by providing a consistent, open data format that can be used across different security tools and platforms. SCAP includes various languages and formats to describe security vulnerabilities, exposures, and assets, as well as reporting formats, identification schemes, measurement and scoring, and data integrity.
security information and event management (SIEM): The centralized collection, aggregation, correlation, and analysis of disparate forms of data from across the network infrastructure. SIEM devices typically use agents to collect data for consolidation analysis.
security operations center (SOC): A centralized security operations center that serves to consolidate security personnel and management activities for an organization
Security Orchestration, Automation, and Response (SOAR): The name given to suites of tools dedicated to unifying your security tools, processes, and methods used across the enterprise
security regression testing: A type of test that integrates new application code with existing infrastructure and tests for security issues that may result from the new code, including incompatible security technologies
segmentation: The process of separating sensitive hosts and network segments from nonsensitive ones using physical and logical means, such as virtual LANs, encryption, and physically separated networks
self-encrypting drive: Permanent storage media implemented as a hardware-based cryptographic solution, as a cryptographic module is part of the drive hardware and is typically built into the disk controller itself
Sender Policy Framework (SPF): E-mail authentication method that checks to ensure that e-mail has been sent from an authorized IP address, as published in the organization’s DNS server
sensitive personal information (SPI): Information of a personal nature that could include PII and PHI but also may include information beyond the two categories
Server Message Block (SMB): A TCP/IP application layer protocol primarily used in Windows networks for file and print sharing. SMB is considered deprecated.
service level agreement (SLA): An agreement between two organizations, typically a customer and a service provider, where defined levels of service are agreed upon and included in the contract
service set identifier (SSID): The human-readable name of a wireless network that uses common security protocols and credentials
service-oriented architecture: An architecture describing software components that interface and interact with each other to provide services via standardized components. These components include application programming interfaces (APIs) and markup languages.
session hijacking attack: An attack that interrupts an established communications session between two parties and effectively takes over the session. This often includes a man-in-the-middle or impersonation attack.
signature-based detection: An attack detection method that looks for known patterns or signatures
Simple Object Access Protocol (SOAP): A messaging protocol used to facilitate communications and interactions that take place between different services and applications, and allows clients to access services over HTTP, regardless of the application server platform
single sign-on (SSO): A method of authenticating to multiple disparate resources using a single set of credentials. SSO is designed to make security administration and authentication processes simplified and streamlined.
sinkholing: A method for sending potentially malicious traffic, such as botnet command-and-control traffic, to an internal host rather than to an external Internet address.
Software as a Service (SaaS): A cloud model where customers access and use common or line-of-business applications provided by a cloud service provider
Software Development Lifecycle (SDLC): A process that describes how software is planned, designed, created, tested, implemented, and maintained throughout its useable life. SDLC is a formalized framework consisting of steps, tasks, and processes that drive all activities associated with software development and use.
Secure File Transfer Protocol (SFTP): A method of securely transferring files by using ordinary FTP over SSH.
static analysis: A method of software code analysis that uses predetermined libraries of issues to automatically check for in code, examining it line by line, looking at different objects, checking their properties, references, and so on. Static analysis tools can check for a wide variety of known issues, such as input validation weaknesses and code injection.
Structured Query Language (SQL) injection attack: An attack using invalid input in the form of SQL statements that can access an underlying database and return or update data that the attacker does not have access for
Structured Threat Information eXpression (STIX): STIX is a standardized language developed by MITRE, now maintained by the OASIS Cyber Threat Intelligence (CTI) Technical Committee, for describing characteristics of threat data, such as threat motivations, capabilities, and response.
supervisory control and data acquisition (SCADA): Automated information systems that control a wide variety of geographically separated systems, including critical infrastructure and utilities such as transportation systems, power grids, water treatment plants, and nuclear power plants
supply chain attack: An attack on an organization’s producers, vendors, warehouses, transportation companies, distribution centers, and retailers to steal or destroy data or to compromise an organization’s infrastructure
system-on-chip (SoC): An embedded system in which software and hardware are integrated into a single computer chip. The chip is self-contained and consists of a processor, system RAM, and other critical components miniaturized into a single integrated circuit.
tabletop exercise: A paper-based exercise that presents scenarios to which participants state how they would conceptually respond.
technical controls: Security measures that apply to the technical aspects of an organization’s infrastructure; examples include authentication and encryption mechanisms, network security devices, and access control lists.
Terminal Access Controller Access Control System Plus (TACACS+): A Cisco-proprietary extension to the original TACACS remote access and authorization protocol, which provides for authentication, authorization, and accounting (AAA) services for remote hosts. TACACS+ uses TCP port 49.
threat: An event that takes advantage of a vulnerability and has negative consequences for an asset or organization
threat actor: An entity that initiates a threat event
threat hunting: The activities involved with actively searching for potential threats in the infrastructure
threat modeling: The process of using available threat capability and motivation information combined with comprehensive information about the organization, its assets, and its vulnerabilities to accurately determine the existence of specific threats acting against the organization
threat rating: A ranking of a threat’s potential danger level on a defined scale
tokenization: A method used to protect certain data elements from disclosure by substituting a value generated as a placeholder to take the place of that information
Transmission Control Protocol (TCP): A protocol in the TCP/IP suite that operates at the transport layer of the OSI model and provides connection-oriented sequencing and acknowledgment of data
Transport Layer Security (TLS): An application protocol in the TCP/IP protocol suite designed to protect communications over a network through encryption and authentication. TLS replaces its outdated predecessor, SSL, and uses TCP port 443.
trend analysis: The process of examining a broad range of data to determine causes, patterns, and behaviors; two important types of trend analysis are temporal analysis and spatial analysis.
Trivial File Transfer Protocol (TFTP): Simplified version of the File Transfer Protocol suitable for moving small files, such as configuration files, between hosts and network devices. TFTP uses UDP port 69.
true negative: Results verifying that a vulnerability does not exist
true positive: Results verifying that a vulnerability does in fact exist
Trusted Automated eXchange of Intelligence Information (TAXII): A cyber threat standard that describes how threat data can be shared. TAXII uses a flexible communications API to make it compatible with multiple cyber-threat-sharing models such as hub and spoke, peer-to-peer, and source/subscriber models.
trusted execution/secure enclave: An environment in which a software abstraction layer creates containers where several applications can run protected from the underlying operating system and any potential vulnerabilities inherent to the OS (and vice versa)
Trusted Foundry: A Department of Defense program for vetting and approving vendors of trusted hardware
Trusted Platform Module (TPM): A specialized chip embedded in a device that handles cryptographic functions, such as key generation and storage
unified endpoint management (UEM): Term given to the collective processes, activities, tasks, and tools used to exercise comprehensive management over all end users and devices
Unified Extensible Firmware Interface (UEFI): Firmware implemented on a host used for handling its hardware, security, and integration with its operating system. UEFI replaces the older Basic Input/Output System (BIOS) firmware used on legacy devices.
unified threat management (UTM): Comprehensive process and software solution spanning network security devices and processes, including threat intelligence management, firewalls, proxies, and intrusion detection/prevention systems
Uniform Resource Locator (URL): An identifier that helps locate an Internet resource based on its hostname and location
Universal Serial Bus (USB): A technology allowing peripherals such as printers, cameras, and external media to be easily plugged into a host device based on a set of standardized interfaces
user acceptance testing: Software test in which the end-user community tests the performance and functionality of a software application against its stated requirements for possible acceptance
user and entity behavior analytics (UEBA): A method of analysis that focuses on end-user behavior patterns
User Datagram Protocol (UDP): Connectionless protocol that works at the transport layer of the OSI network model. UDP is appropriate for transporting network traffic that does not require an establish connection, sequencing, or acknowledgment of receipt, such as audio and video protocols.
virtual desktop infrastructure (VDI): Virtualization method that allows users to have a desktop running VDI software to make remote connections to shared network resources without requiring intense computing power for the client
virtual local area network (VLAN): A local area network infrastructure implemented at the software level, typically on layer 3 switches, which allows connected hosts to join specific virtual networks. VLANs are used to segment and segregate sensitive hosts as well as eliminate the need for separately routed subnets.
virtual private cloud (VPC): A set of cloud-based dedicated resources, set aside for one organization’s use, either in their own data center or in the service provider’s infrastructure
virtual private network (VPN): Two private networks separated by a larger public network, such as the Internet, implemented so that users can logically connect to a private network using a secure tunneling protocol
virtualization: The name given to a variety of technologies allowing organizations to create and manage multiple dynamic instances of hosts and networks through software
vulnerability: A weakness inherent in an asset, or a lack of security measures implemented to protect an asset
watermarking: Process of embedding an identifying piece of information, such as a logo, into a media file or document
web application firewall (WAF): Network security device designed specifically to protect web application servers from potentially malicious activities
white team: A team tasked with providing exercise support, liaison, and oversight between offensive and defensive teams during a security assessment
whitelisting: An outdated term for a list that contains entries of allowed traffic, applications, or subjects. See also allow list.
wide area network (WAN): Network characterized by using wide area network protocols and devices. A WAN typically spans larger geographic areas and connects multiple local area networks together.
workflow orchestration: Method of unifying security processes, tasks, activities, and tools for centralized management, scheduling, and data flow
Zed Attack Proxy (ZAP): Web proxy tool developed by OWASP that allows an analyst to send and receive carefully crafted traffic to and from a web server for security testing purposes
zero day: Name for a previously unknown attack that has not been addressed by a software vendor or for which there is no known patch or mitigation
 



ADVERTISEMENT