Glossary of Key Terms

Numerics

5-tuple Term that refers to the following five elements: source IP address, source port, destination IP address, destination port, and protocol.

A

access control The process of granting, preventing, or revoking access to an object.

accounting The process of auditing and monitoring user operations on a resource.

ACLs Access control lists—a set of predetermined rules that stateful and traditional firewalls use to analyze packets and decide how to handle them. They inspect the following elements within a packet: source address, destination address, source port, destination port, and protocol. ACLs are typically configured in firewalls, but they can also be configured in network infrastructure devices such as routers, switches, wireless LAN controllers (WLCs), and others.

adversary An attacker, hacktivist, disgruntled employee, and so on.

AES Advanced Encryption Standard—a symmetric-key encryption algorithm used by most modern crypto implementations. AES is defined in FIPS PUB 197: “Advanced Encryption Standard (AES)” and ISO/IEC 18033-3: “Block ciphers.”

AMP Advanced malware protection—a Cisco solution for detecting and mitigating malware in the corporate network.

antivirus and antimalware Terms generally used interchangeably to indicate software that can be used to detect and prevent the installation of computer malware and in some cases quarantine affected computers or eradicate the malware and restore the operation of the system.

Apache Mesos A distributed Linux kernel that provides native support for launching containers with Docker and AppC images. You can download Apache Mesos and access its documentation at https://mesos.apache.org.

asset Anything that has value for an organization. In simple terms an asset can be any organization resource, including personnel, hardware, software, building, and data.

asset classification In information security, the process of classifying an asset or data based on the potential damage a breach to the confidentiality, integrity, or availability of that data could cause.

asset handling In information security, procedures and technologies that allow the secure storage, use, and transfer of an asset.

asset inventory The collection and storage of information about assets, such as location, security classification, and owner.

asset management In information security, policies, processes, and technologies to manage and protect organization assets during their life cycle.

asset ownership The process of assigning an owner to an asset. Each asset within the organization needs an owner. The owner is responsible for the security of the asset during its life cycle.

asymmetric algorithms Encryption algorithms that use two different keys: a public key and a private key. Together they make a key pair.

Atomic Red Team An open-source framework created by Red Canary that provides a list of machine-readable adversarial tactics and techniques that can be integrated with other tools to perform automated simulated attacks.

ATT&CK A framework developed and maintained by MITRE that provides a collection of matrices of adversarial tactics and techniques.

attribute-based access control ABAC—an access control model where the access decision is based on the attributes or characteristics of the subject, object, and environment.

authentication The process of proving the identity of an entity.

authorization The process of providing access to a resource with specific access rights.

B

backdoor A piece of malware or configuration change that allows an attacker to control the victim’s system remotely. For example, a backdoor can open a network port on the affected system so that the attacker can connect and control the system. A backdoor application can be installed by the attacker either to allow future access or to collect information to use in further attacks.

block cipher A symmetric key cipher that operates on a group of bits called a block. A block cipher encryption algorithm may take a 64-bit block of plaintext and generate a 64-bit block of ciphertext. With this type of encryption, the same key is used to encrypt and decrypt.

botnet A collection of compromised machines that the attacker can manipulate from a command and control (C2 or CnC) system to participate in a DDoS, send spam emails, or perform other illicit activities.

buffer overflow A situation that occurs when a program or software puts more data in a buffer than it can hold or when a program tries to put data in a memory location past a buffer. Because the excess data lands outside the bounds of the allocated block of memory, it can corrupt other data or crash the program or operating system. In a worst-case scenario, this can lead to the execution of malicious code. Buffer overflows can occur in many ways and, unfortunately, many error-prone techniques are often used to prevent them.

C

Caldera An open-source tool developed by MITRE to perform automated adversarial emulations.

certificate authority A system that generates and issues digital certificates to users and systems.

change Any modification, addition, or removal of an organizational resource, for example, of a configuration item. A common categorization includes Standard, Emergency, and Normal changes.

change management A process concerned with all policies, processes, and technologies that handle a change during an asset's life cycle.

clientless VPN A type of virtual private network that provides remote access services without requiring a host client. Typically, this is based on providing access to a secure network segment also known as a sandbox.

command and control (C2 or CnC) Software that an attacker could use to manipulate (control) a compromised system by sending commands to perform different actions, such as performing denial of service (DoS) attacks, compromising other systems, exfiltrating data, and more.

Common Vulnerabilities and Exposures (CVE) A dictionary of vulnerabilities and exposures in products and systems maintained by MITRE. A CVE-ID is the industry standard method to identify vulnerabilities.

Common Vulnerability Scoring System (CVSS) An industry standard used to convey information about the severity of vulnerabilities.

configuration item (CI) An identifiable part of the system that is the target of the configuration control process.

configuration management A process concerned with all policies, processes, and technologies used to maintain the integrity of the configuration of a given asset.

configuration management database A database that stores configuration items and configuration records.

configuration record A collection of the attributes and relationships of a configuration item.

Continuous Delivery (CD) A software engineering approach that sits on top of CI and provides a way to automate the entire software release process.

Continuous Integration (CI) A software development practice where programmers merge code changes in a central repository multiple times a day.

CSRF Cross-site request forgery—a vulnerability that forces an end user to execute malicious steps on a web application. This is typically done after the user is authenticated to the application. CSRF attacks generally target state-changing requests, and attackers cannot steal data because they have no way to see the response to the forged request. CSRF attacks are generally combined with social engineering when carried out.

CVSS See Common Vulnerability Scoring System (CVSS).

CWE Common Weakness Enumeration—a specification developed and maintained by MITRE to identify the root cause (weaknesses) of security vulnerabilities. You can obtain the list of CWEs from cwe.mitre.org.

CWSS Common Weakness Scoring System—a specification developed and maintained by MITRE to provide a way to prioritize software weaknesses that can introduce security vulnerabilities. You can obtain the list of CWSS from cwe.mitre.org/cwss.

Cyber Kill Chain Model A model representing the steps taken by an adversary to accomplish an intrusion.

CybOX Cyber Observable eXpression—a standard to document cyber threat intelligence observables in a machine-readable format. The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) decided to merge the CybOX and the Structured Threat Information Expression (STIX) specifications into one standard. CybOX objects are now called STIX Cyber Observables. You can find additional information about the migration of CybOX to STIX at https://oasis-open.github.io/cti-documentation/stix/compare.html.

D

data normalization The process of capturing, storing, and analyzing data so that it exists in only one form. One of the main goals of data normalization is to purge redundant data while maintaining data integrity.

delivery The stage in the cyber kill chain where an attacker sends a malicious payload by email, by transferring it across a network, or by physically plugging a device into the affected system.

Diamond Model of Intrusion A trusted approach to categorizing security incidents.

Diffie-Hellman A key agreement protocol that enables two users or devices to authenticate each other’s preshared keys without actually sending the keys over the unsecured medium.

digital certificate A digital entity used to verify that a user is who he or she claims to be, and to provide the receiver with the means to encode a reply. Digital certificates also apply to systems, not just individuals.

directory A repository used by an organization to store information about users, systems, networks, and so on. Information stored in directories can be used for identifying and authenticating users, as well as for applying security policies and authorization.

directory service A service that uses directories to provide an organization with a way to manage identity, authentication, and authorization services.

discretionary access control DAC—an access control model where the access decision and permission are decided by the object owner.

DLP Data loss prevention—a software or cloud solution for making sure that corporate users do not send sensitive or critical information outside the corporate network.

DNS tunneling A method by which attackers can encapsulate chunks of data into DNS packets to steal sensitive information such as personal identifiable information (PII), credit card numbers, and much more.

Docker Swarm A container cluster management and orchestration system integrated with the Docker Engine. You can access the Docker Swarm documentation at https://docs.docker.com/engine/swarm.

downloader A piece of malware that downloads and installs other malicious content from the Internet to perform additional exploitation on an affected system.

dynamic memory allocation A process that allocates memory at runtime.

E

Enterprise Mobile Management (EMM) Policies, processes, and technologies that allow the secure management of mobile devices. Technologies that enable BYOD, Mobile Device Management (MDM), and Mobile Applications Management (MAM) are examples of areas covered by an organization’s EMM.

exploit A malicious program designed to “exploit” or take advantage of a single vulnerability or set of vulnerabilities. An exploit can be software or a sequence of commands that take advantage of a vulnerability to cause harm to a system or network.

exploitation A process that involves attacking a weakness or vulnerability within a system, application, network, and so on.

Ext4 One of the most-used Linux file systems. It has several improvements over its predecessors Ext3 and Ext2. Ext4 not only supports journaling but also modifies important data structures of the file system, such as those used to store the file data. This is done for better performance, reliability, and additional features.

F

false negative A term used to describe a network intrusion device’s inability to detect true security events under certain circumstances—in other words, a malicious activity that is not detected by the security device.

false positive A broad term that describes a situation in which a security device triggers an alarm but no malicious activity or actual attack is taking place. In other words, false positives are false alarms. They are also called benign triggers. False positives are problematic because by triggering unjustified alerts, they diminish the value and urgency of real alerts. If you have too many false positives to investigate, it becomes an operational nightmare, and you most definitely will overlook real security events.

FAT The default file system of the Microsoft disk operating system (DOS) back in the 1980s. Then other versions were introduced, including FAT12, FAT16, FAT32, and exFAT. Each version overcame some of the limitations of the file system until the introduction of the New Technology File System (NTFS). One of the FAT file system limitations is that no modern properties can be added to the file, such as compression, permissions, and encryption. The number after each version of FAT, such as FAT12, FAT16, or FAT32, represents the number of bits that are assigned to address clusters in the FAT table.

Federated SSO A further evolution of a single sign-on (SSO) model within one organization. In this model a user could authenticate once and then obtain access to resources across multiple organizations. This type of authentication is built upon trust between two different domains that are not managed under the same IAM system. An example is when you authenticate to a website using the credentials of a social networking platform or a well-known platform such as Facebook, Google, Amazon, or GitHub.

H

handle An abstract reference value to a resource.

hashing algorithm An algorithm used to verify data integrity.

heap Memory set aside for dynamic allocation, meaning where you put data on the fly.

HeapAlloc A Windows API function that allocates a block of memory of any requested size from a process heap.

hives Hierarchical folders within the Windows Registry.

host-based intrusion prevention system HIPS—specialized software that interacts with the host operating system to provide access control and threat protection. In most cases, it also includes network detection and protection capabilities on the host network interface cards. If there are no prevention capabilities but the system can only detect threats, it is referred to as a host-based intrusion detection system (HIDS).

I

identification The process of providing identity to the access control policy enforcer.

Identity and Access Management (IAM) A collection of policies, processes, and technology to manage identity, authentication, and authorization to organization resources.

IKE Internet Key Exchange—the protocol used by IPsec to negotiate and establish secured site-to-site or remote-access VPN tunnels. IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols: namely, Oakley and Secure Key Exchange Mechanism (SKEME). There are two versions of the IKE protocol (IKEv1 and IKEv2). IKEv1 Phase 1 has two possible exchanges: main mode and aggressive mode. There is a single exchange of a message pair for IKEv2 IKE_SA. IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 uses an exchange of at least three message pairs for Phase 2.

incident response The process and tools that defenders use to respond to a cybersecurity incident.

information or data owner The person who maintains ownership and responsibility over a specific piece or subset of data. Part of the responsibility of this role is to determine the appropriate classification of the information, ensure that the information is protected with controls, periodically review classification and access rights, and understand the risk associated to the information he or she owns. Together with senior management, the information or data owner holds the responsibility for the security on the asset.

Infrastructure as a Service (IaaS) A cloud solution through which you rent infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model because you pay for what you use. Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Digital Ocean all provide IaaS solutions.

installation In terms of the kill chain, what is delivered by a successful exploitation. Examples might be ransomware and remote access tools.

IoC Indicator of Compromise—one aspect of threat intelligence, which is the knowledge about an existing or emerging threat to assets, including networks and systems.

IPS Intrusion prevention system—a network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits.

ITU-T X.500 A collection of standards including information on the organization of directories and protocols to access the information within the directories.

J–K

job object Processes grouped together to be managed as a unit.

journaling A type of file system that maintains a record of changes not yet committed to the file system’s main part. This data structure is referred to as a “journal,” which is a circular log. One of the main features of a file system that supports journaling is that if the system crashes or experiences a power failure, it can be restored back online a lot quicker while also avoiding system corruption.

key logger A piece of malware that captures the user’s keystrokes on a compromised computer or mobile device. It collects sensitive information such as passwords, PINs, personal identifiable information (PII), credit card numbers, and more.

Kubernetes One of the most popular container orchestration and management frameworks. Originally developed by Google, Kubernetes is a platform for creating, deploying, and managing distributed applications. You can download Kubernetes and access its documentation at https://kubernetes.io.

L

LDAP Lightweight Directory Access Protocol—a protocol based on X.500 that maintains the same directory structure and definition. It simplifies the directory queries, and it has been designed to work with the TCP/IP stack.

log collection The process of collecting and organizing logs for analysis. A log collector is software that is able to receive logs from multiple sources and in some cases offers storage capabilities and log analysis functionality.

log parser A versatile tool that provides universal query access to text-based data.

logic bomb A type of malicious code that is injected into a legitimate application. An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the system. Examples of these malicious tasks include deleting or corrupting files or databases and executing a specific instruction after certain system conditions are met.

M

mailer and mass-mailer worm A type of worm that sends itself in an email message. Examples of mass-mailer worms are Loveletter.A@mm and W32/SKA.A@m (a.k.a. the Happy99 worm), which sends a copy of itself every time the user sends a new message.

Malloc A standard C and C++ library function that allocates memory to a process using the C runtime heap.

mandatory access control MAC—an access control model where the access decision is enforced by the access policy enforcer (for example, the operating system). MAC uses security labels.

master boot record MBR—the first sector (512 bytes) of the hard drive. It contains the boot code and information about the hard drive itself. The MBR contains the partition table, which includes information about the partition structure in the hard disk drive. The MBR can tell where each partition starts, its size, and the type of partition.

metadata Data about data, such as who created a file and the last time it was opened.

Microsoft Windows services Long-running executable applications that operate in their own Windows session.

Mobile Device Management (MDM) A type of software that manages the deployment, operations, and monitoring of mobile devices used to access organization resources. It is used to enforce organizational security policy on mobile devices.

N

NetFlow A Cisco technology that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device. NetFlow is used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow information and provides a network administrator or security professional with detailed information about such flows.

network address translation NAT—a method often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range. This enables a network professional to use any IP address space as the internal network.

network firewall A firewall that provides key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules. Firewalls are often deployed in several other parts of the network to provide network segmentation within the corporate infrastructure and also in data centers.

network-based intrusion prevention A system or software designed to detect and prevent cybersecurity threats by analyzing network traffic.

Nomad A container management and orchestration platform by HashiCorp. You can download and obtain detailed information about Nomad at https://www.nomadproject.io.

NTFS The default file system in Microsoft Windows since Windows NT; it is a more secure, scalable, and advanced file system when compared to FAT. NTFS has several components. The boot sector is the first sector in the partition, and it contains information about the file system itself, such as start code, sector size, cluster size in sectors, and the number of reserved sectors. The file system area contains many files, including the master file table (MFT), which includes metadata of the files and directories in the partition. The data area holds the actual contents of the files, and it is divided into clusters with a size assigned during formatting and recorded in the boot sector.

O–P

object The passive entity that is, or contains, the information needed by the subject. Whether an entity plays the role of subject or object is determined purely by which entity requests the access.

OCSP Online Certificate Status Protocol—a protocol used to perform certificate validation. An OCSP client (for example, a web browser) can send a request to an OCSP responder to verify whether a digital certificate is valid or has been revoked.

one-time password A password, randomly generated, that can be used only once.

password management A collection of processes, policies, and technologies that help an organization and users improve the security of their password authentication systems. It includes policies and technologies around password creation, password storage, and password reset.

patch management The process of identifying, acquiring, installing, and verifying patches for products and systems.

peer-to-peer (P2P) communication The distributed architecture that “divides tasks” between participant computing peers. In a P2P network, the peers are equally privileged, which is why it’s called a peer-to-peer network of nodes.

penetration assessment Also called a pen test. It is used to test whether a vulnerability can be exploited. Besides trying to exploit known vulnerabilities, a penetration test may also be able to find unknown vulnerabilities in a system.

pivoting Attacking other systems on the same network. Also known as island hopping.

Platform as a Service (PaaS) A cloud service that provides everything except applications. Services provided by this model include all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider’s platform.

PRE-ATT&CK An elemental part of the ATT&CK framework developed and maintained by MITRE. PRE-ATT&CK is used to document the tactics and techniques used by real-world adversaries before they compromise a system or a network. You can obtain information about the MITRE ATT&CK framework and PRE-ATT&CK at https://attack.mitre.org.

process A running instance of a program.

protocol misinterpretation attack An attack where protocols are manipulated to prevent security devices from properly evaluating traffic.

R

rainbow table A precomputed lookup table in which an attacker stores possible passwords and their corresponding hashes for a given system. This allows an attacker to obtain a hash from the victim system and then simply search for that hash in the rainbow table to get the plaintext password. To mitigate rainbow table attacks, you can disable LM hashes and use long and complex passwords.

ransomware A type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker for the malicious activity to cease or for the malware to be removed from the affected system.

reconnaissance Research on a target, such as available network ports, data on social media sources, learning about people at an organization, and so on.

regular expression A text string for describing a search pattern. Sometimes referred to as regex.

remote-access VPN A virtual private network that connects a remote host to a trusted network.

request for change (RFC) A formal request that usually includes a high-level description of the change, the reason for the change, and other information.

resource exhaustion attack An attack that consumes the resources necessary to perform an action.

role-based access control RBAC—an access control model where the access decision is based on the role or function of the subject.

rootkit A set of tools used by an attacker to elevate his or her privilege to obtain root-level access to completely take control of the affected system.

S

script kiddies People who use existing “scripts” or tools to hack into computers and networks; however, they lack the expertise to write their own scripts.

Secure Shell (SSH) A protocol that encrypts traffic between a client and SSH server and uses public-key cryptography to authenticate the remote computer and permit it to authenticate the user.

security baseline configuration A set of attributes and configuration items related to a system that has been formally reviewed and approved. It can be changed only with a formal change process.

security incident A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Security Information and Event Manager (SIEM) A specialized device or software for security event management. It typically includes log collection, normalization, aggregation and correlation capabilities, and built-in reporting.

Security Orchestration, Automation, and Response (SOAR) A system that provides automation and security orchestration capabilities for the security operations center (SOC).

session hijacking A type of attack that occurs when the attacker can sniff and intercept traffic to take over a legitimate connection to a cloud service.

single sign-on (SSO) An authentication system that allows users to authenticate with only one system and only once to get access to organization resources.

site-to-site VPN A virtual private network that connects one or more hosts over a secure connection.

sniffer Software that performs full packet capture.

Software as a Service (SaaS) A cloud service designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a per-use fee. Examples of SaaS offerings include Cisco WebEx, Office 365, and Google G-Suite.

spammer An attacker who uses a type of malware and whose sole purpose is to send unsolicited messages with the primary goal of fooling users into clicking malicious links or replying to emails or such messages with sensitive information. The attacker seeks to perform different types of scams with the main objective being to make money.

SQL injection An attack where the attacker inserts or “injects” a SQL query via the input data from the client to the application or database. An attacker can exploit SQL injection vulnerabilities to read sensitive data from the database, modify or delete database data, execute administration operations on the database, and even issue commands to the operating system.

stack Memory set aside as spare space for a thread of execution.

static memory allocation A process in which a program allocates memory at compile time.

STIX Structured Threat Information Expression—a standard used to create and share cyber threat intelligence information in a machine-readable format.

subject Any active entity that requests access to a resource (also called an object). The subject usually performs the request on behalf of a principal.

swap space Extra memory on the hard disk drive or SSD that is an expansion of the system’s physical memory.

symmetric algorithm An encryption algorithm that uses the same key to encrypt and decrypt the data.

T

TAXII Trusted Automated Exchange of Indicator Information—a standard that provides a transport mechanism (data exchange) of cyber threat intelligence information in STIX format. In other words, TAXII servers can be used to author and exchange STIX documents among participants.

tcpdump An open-source packet capture utility.

thread The basic unit to which an operating system allocates processor time.

thread pool A group of worker threads that efficiently execute asynchronous callbacks for the application.

threat hunting The process of iteratively looking for threats that may have bypassed security technology and monitoring capabilities. Threat hunters assume that an attacker has already compromised the network.

Tor A free tool that enables its users to surf the web anonymously. Tor works by “routing” IP traffic through a free, worldwide network consisting of thousands of Tor relays. It then constantly changes the way it routes traffic to obscure a user’s location from anyone monitoring the network. Tor’s name was created from the acronym for the original software project name, “The Onion Router.”

Tor exit node The last Tor node, or "gateway," where the Tor-encrypted traffic "exits" to the Internet.

traffic fragmentation attack A method of avoiding detection by breaking a single Internet Protocol (IP) datagram into multiple smaller packets.

traffic substitution and insertion attack A method of substituting the payload data with data in a different format but with the same meaning, with the goal of being ignored due to not being recognized by the security device.

traffic timing attack An attack in which the attacker performs actions slower than normal while not exceeding thresholds inside the time windows the detection signatures use to correlate different packets together.

Trojan horse A type of malware that executes instructions, determined by the nature of the Trojan, to delete files, steal data, or compromise the integrity of the underlying operating system. Trojan horses typically use a form of social engineering to fool victims into installing such software on their computers or mobile devices. Trojans can also act as backdoors.

true negative A term used to describe when the intrusion detection device identifies an activity as acceptable behavior and the activity is actually acceptable.

true positive A term used to describe successful identification of a security attack or a malicious event.

tshark A command-line tool used to capture and analyze IP packets. You can obtain detailed information about tshark from https://www.wireshark.org/docs/man-pages/tshark.html.

V

virtual address space The virtual memory used by processes.

virtual private network (VPN) A type of network used to hide or encode something so that the content is protected from unwanted parties.

VirtualAlloc A specialized allocation of OS virtual memory that allocates straight into virtual memory via reserved blocks.

virus Malicious software that infects a host file or system area to perform undesirable actions such as erasing data, stealing information, and corrupting the integrity of the system. In numerous cases, the virus multiplies again to form new generations of itself.

VM escape attack An attack where the attacker can manipulate the guest-level VM to attack its underlying hypervisor, other VMs, and/or the physical host.

vulnerability management The process of identifying, analyzing, prioritizing, and remediating vulnerabilities in software and hardware.

vulnerability scanner Software that can be used to identify vulnerabilities on systems.

W–Z

war driving A methodology used by attackers to find wireless access points wherever they may be. The term comes from the fact that the attacker can just drive around and get a huge amount of information over a very short period of time.

weaponization The process of developing and testing how an attack will be executed.

Windows Management Instrumentation (WMI) A scalable system management infrastructure that was built around a single consistent, standards-based, extensible, object-oriented interface.

Windows process permission User authentication data that is stored in a token and used to describe the security context of all processes associated with the user.

Windows registration A hierarchical database used to store information necessary to configure the system for one or more users, applications, and hardware devices.

Wireshark An open-source packet capture sniffer.

worm A virus that replicates itself over the network, infecting numerous vulnerable systems. On most occasions, a worm will execute malicious instructions on a remote system without user interaction.

XSS A type of web application vulnerability where malicious scripts are injected into legitimate and trusted websites. An attacker can launch an attack against an XSS vulnerability using a web application to send malicious code (typically in the form of a browser-side script) to a different end user. XSS vulnerabilities are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. There are several types of XSS vulnerabilities: reflected, stored, and so on.

Yeti An open-source tool used to organize and analyze threat intelligence.