APPENDIX H
Glossary

This appendix collects the terms used in the chapters. The entries are alphabetically ordered so they are easier to find.

A

advanced persistent threat (APT)
An adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). This term originated as a way to refer to nation state actors but has become a general term to describe organized adversaries.
adversary
An individual, group, organization, or government that conducts or has the intent to conduct cybersecurity attacks.
AI (artificial intelligence)
The simulation of human intelligence in machines that are programmed to think like humans and mimic their actions. The term may also be applied to any machine that exhibits traits associated with a human mind such as learning and problem-solving.
alert
A notification that a specific attack, anomaly, or suspicious activity has been detected or directed at an organization's information systems. Alerts frequently trigger investigations by security operations/analysts.
analyst
Also known as a cybersecurity analyst, a common role within an organization's SOC team that investigates alerts or hunts for adversarial activity.
asset
An entity or value that could take the form of a person, structure, facility, information and records, IT systems and resources, material, process, relationships, or reputations.
attachment (as in malicious email)
During phishing campaigns, cybercriminals attempt to trick users into opening an email attachment. The attachment might download a malicious executable that infects the user's computer or mobile device, or it might redirect the user to a fraudulent login site. Attachments come in various forms, such as a Microsoft Office document, a PDF file, or a .zip archive.
attack
Any attempt to defeat the security assurances of a system or data, including confidentiality, integrity, or availability.
attack path
The steps that an adversary takes or might take to plan, prepare for, and execute an attack.
attack pattern
Similar cyber events or behaviors that might indicate that an attack has occurred or is occurring, resulting in a security violation or a potential security violation.
attack surface
An information system's characteristics that permit an adversary to probe, attack, or maintain presence in the information system.
attacker
An individual, group, or organization that executes an attack. An attacker might also refer to an adversary or an individual attack operator.
authentication
The process of verifying the identity of an entity (user, process, or device).
authorization
A process of determining whether a subject is allowed to have the specified types of access to a particular resource. This action is typically done by evaluating applicable access control information such as access control lists. In modern cybersecurity approaches, authorization could also incorporate other risk factors such as behavioral analytics and evaluation of threat intelligence.
availability
One of three primary cybersecurity assurances, the property of being accessible and usable upon demand. The other two are confidentiality and integrity.

B

banking Trojan
A type of malware designed to obtain credentials to banking and other financial services. These Trojans use a variety of techniques, including interception of web communications as users access financial services on infected devices. Many known banking Trojans are part of botnets that provide cybercrime organizations with persistent access to large numbers of devices.
blast radius
The extent of the damage an adversary could cause from a given compromised asset or identity. In UEBA tooling, the term also refers to a machine learning method that ranks the most impactful users by the level of risk to the organization if they become compromised.
botnet
A collection of computers compromised by malicious code and controlled across a network.
breach
Any incident that results in unauthorized access to data, applications, services, networks, and/or devices by bypassing their underlying security mechanisms. A security breach occurs when an individual or an application gains entry to a private or restricted logical IT perimeter without authorization.
brownfield
Existing deployed IoT/IIoT devices that might not have modern hardware or functionality. For example, these devices might not have support for over-the-air updates or remote administration. Compare to greenfield.
brute force
An attack technique that uses systematic guessing, static or dynamic lists of passwords, dumped credentials from previous breaches, or similar methods to forcibly authenticate to a device or service. A classic brute force attack tries many candidate passwords against a single account, which makes it visible as a burst of failed logons for that account. Compare to password spray.
business email compromise (BEC)
A technology-facilitated social engineering scam that targets business email accounts and enables cybercriminals to unlawfully redirect and intercept money wires, exfiltrate documents, and launch other cybercrime. BEC is often initiated through some form of credential phishing.

C

ciphertext
Data or information in its encrypted form; the output of encryption and the input to decryption. Sometimes referred to as encrypted data.
cleartext
Data that is not encrypted. Storing or transmitting sensitive data in cleartext is strongly discouraged because it has no protection at rest or in transit. Compare to plaintext, which is data about to be encrypted or just decrypted.
Cloud Access Security Broker (CASB)
A software tool or service that sits between an organization's users and the cloud services they consume, enforcing the organization's security policies (visibility, data protection, threat protection, and compliance). A CASB might also provide other services such as credential mapping when single sign-on isn't available.
confidentiality
An assurance that information isn't disclosed to unauthorized users, processes, devices, or other entities. One of the three primary cybersecurity assurances (confidentiality, integrity, and availability).
critical infrastructure
The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such might have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these areas.
cybersecurity
The discipline of preserving and rapidly restoring the primary security assurances of confidentiality, integrity, and availability for systems, data, and identities.

D

dark web
Internet content that operates on dark nets, that is, overlay networks that are not publicly indexed and are reachable only through specialized software or network configurations such as Tor. Through the dark web, parties can communicate and conduct business anonymously without divulging identity information. The term is generally associated with criminal activity.
data estate
The procedures, services, and infrastructure used to manage corporate data in the digital estate.
data loss prevention (DLP)
A set of procedures and mechanisms to stop sensitive data from leaving a security boundary.
denial of service
An attack that prevents or impairs the authorized use of information system resources or services. A distributed denial of service (DDoS) is a type of attack that uses multiple networked machines to overwhelm a host connected to the Internet, temporarily or permanently disrupting service or preventing access.
digital estate
An abstract reference to the collection of IT assets an organization owns, including virtual machines (VMs), servers, applications, data, containers, and so on. Essentially, a digital estate is the collection of IT assets that powers business processes and supporting operations.
DLL
Dynamic link library, Microsoft's implementation of the shared library concept in Microsoft Windows. With a conventional non-shared static library, sections of code are simply copied into the calling program when its executable is built at the linking phase; if two programs call the same routine, the routine is included in both. With dynamic linking, shared code is placed into a single, separate file (the DLL) that the operating system loads into each process at run time.
drop account
An email account set up by a criminal to receive credentials provided by an unsuspecting victim.

E-F

encryption
The process of transforming plaintext into ciphertext using a cryptographic algorithm and a key.
event
An observable occurrence in an information system or network.
exfiltration
The unauthorized transfer of information from an information system.
exploit
A technique to breach the security of a network or information system in violation of security policy.
exposure
The condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network.
firewall
A capability to limit network traffic between networks and/or information systems.
fusion
A correlation technology for finding threats that would otherwise fly under the radar. Fusion uses machine learning to combine disparate data from enterprise and partner datasets, correlating low-fidelity "yellow" anomalous activities with high-fidelity "red" incidents.

G-K

greenfield
New or planned IoT/IIoT deployments that support the latest advances in security and technology management. Compare to brownfield.
honeypot
A computer or computer system intended to mimic likely targets of cybercriminals, so that interaction with it can be detected and studied.
human-operated ransomware
A type of ransomware attack that's performed by human operators. During these attacks, human operators use various tools and techniques to compromise and traverse targeted networks, ultimately deploying ransomware on multiple devices on the compromised networks.
hunting
Proactively searching an environment for active adversaries that existing detections haven't alerted on.
identity and access management (IAM)
The methods and processes used to manage subjects and their authentication and authorizations to access specific objects.
indicators of compromise (IOC)
Pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.
insider threat
A person or group of persons within an organization who pose a potential risk through violating security policies.
integrity
The accuracy and completeness of data. Security controls focused on integrity are designed to prevent data from being modified or misused by an unauthorized party.
International Organization for Standardization (ISO)
An international standard-setting body composed of representatives from various national standards organizations. Founded in 1947, the organization promotes worldwide proprietary, industrial, and commercial standards.
intrusion
An unauthorized act of bypassing the security mechanisms of a network or information system.
Intrusion Detection Systems (IDS)
Systems that analyze information from networks and information systems to determine whether a security breach or security violation has occurred, and that raise alerts when one is detected. An IDS observes traffic but doesn't block it.
Intrusion Prevention Systems (IPS)
Systems that, like an IDS, analyze network packets, but that can also stop a packet from being delivered based on the kind of attack detected, helping to stop the attack in progress.
just in time (JIT)
An access model that grants temporary, time-bound (typically measured in hours) elevated access to internal engineers to debug production issues or support customer cases. Because the elevation expires, JIT minimizes standing privileges in line with least privilege principles.
keylogging
Also referred to as keyboard capturing, this is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored by threat actors.
keypair
A set of security credentials, consisting of a private key and a public key, that you use to prove your identity when connecting to an instance (for example, over SSH). The cloud provider stores the public key, and you store the private key. You use the private key, instead of a password, to securely access your instances, so the private key must never be shared or checked into source control.
kill chain
A cyber kill chain describes the phases of a cyberattack, from early reconnaissance to the goal such as data exfiltration. The kill chain is also a model for identifying and preventing intrusion activity: it enumerates the steps adversaries must complete in order to achieve their objective, each of which is an opportunity for detection or disruption.

M-P

machine learning
A type of artificial intelligence focused on enabling computers to use observed data to evolve new behaviors that haven't been explicitly programmed.
macro virus
A type of malicious code that attaches itself to documents and uses the macro programming capabilities of the document's application to execute, replicate, and spread or propagate itself.
maintainer (as in GitHub)
Someone who manages a repository. This person might help triage issues and use labels and other features to manage the work of the repository. This person might also be responsible for keeping the README and contributing files updated.
malware
Software intentionally designed to cause damage to a computer, server, client, or computer network.
model inversion
An attack in which an adversary uses carefully crafted queries to a machine learning model to reconstruct sensitive information about its training data or the feature values that produced a given output.
model stealing
An attack in which an adversary constructs careful queries to a machine learning model in order to recover a functional copy of the model (its parameters or behavior) without having access to it directly. Also called model extraction.
nation state activity group
Cyberthreat activity that originates in a particular country with the apparent intent of furthering national interests.
National Institute of Standards and Technology (NIST)
A physical sciences laboratory and a nonregulatory agency of the U.S. Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
npm (as in GitHub)
npm is the package manager for Node.js and the world's largest software registry.
obfuscation
A method used to hide or obscure an attack payload from inspection by information protection systems.
operator, or attack operator
An individual person who is executing an attack operation. This person might be acting alone, acting on behalf of an organization, or acting in concert with multiple other attack operators in a coordinated campaign.
password spray
An attack that tries a small number of common passwords against a large number of accounts (often sourced from breach dumps or directory enumeration), rather than many passwords against one account. Spreading attempts across accounts keeps each account below lockout thresholds, so the attack shows up as many accounts each failing once or twice from the same source rather than as a burst against a single account. Password spray is typically highly automated for rapid execution.
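The brute force and password spray entries describe two failed-logon patterns that are distinguished by shape rather than volume: many failures against one account versus one or two failures each against many accounts. The following detection logic, added here as an example and not taken from the book, classifies failed-logon events per source address within a sliding time window. The log events are constructed, and the thresholds are illustrative assumptions that a SOC would tune to its own environment.

```python
"""Classify failed-logon activity per source as brute force or password spray.

Added example, not from the original text. The events below are constructed
and the thresholds are illustrative assumptions, not vendor defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events: (timestamp, source IP, target account).
SAMPLE_EVENTS = (
    # Brute force: one source hammering one account (12 failures in 12 seconds).
    [("2024-03-01T09:00:%02dZ" % i, "203.0.113.7", "alice") for i in range(1, 13)]
    # Password spray: one source, one attempt each against six accounts.
    + [("2024-03-01T09:05:%02dZ" % i, "198.51.100.9", user)
       for i, user in enumerate(["bob", "dave", "erin", "frank", "grace", "heidi"])]
    # Benign noise: a user mistyping a password twice.
    + [("2024-03-01T09:10:00Z", "192.0.2.5", "carol"),
       ("2024-03-01T09:10:30Z", "192.0.2.5", "carol")]
)

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_MIN_FAILURES = 10   # failures against a single account within the window
SPRAY_MIN_ACCOUNTS = 5          # distinct accounts touched within the window ...
SPRAY_MAX_PER_ACCOUNT = 2       # ... with at most this many failures per account


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T09:00:01Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def classify_failed_logons(events, window=WINDOW):
    """Return {source_ip: "brute_force" | "password_spray"}.

    For each source, slide a time window over its failures (sorted by time) and
    fire the first rule that matches. Sources matching neither pattern (for
    example, a user who mistypes a password twice) are omitted.
    """
    by_source = defaultdict(list)
    for ts, src, account in events:
        by_source[src].append((parse_ts(ts), account))

    verdicts = {}
    for src, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start so items[start:end+1] spans <= window.
            while items[end][0] - items[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in items[start:end + 1]:
                per_account[account] += 1
            heaviest = max(per_account.values())
            if heaviest >= BRUTE_FORCE_MIN_FAILURES:
                verdicts[src] = "brute_force"
                break
            if len(per_account) >= SPRAY_MIN_ACCOUNTS and heaviest <= SPRAY_MAX_PER_ACCOUNT:
                verdicts[src] = "password_spray"
                break
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_failed_logons(SAMPLE_EVENTS).items()):
        print(f"{src}: {verdict}")
```

The two rules are deliberately separate because a spray detector keyed on total failure volume would miss a low-and-slow spray, and a brute force detector keyed on distinct accounts would miss an attacker focused on one privileged user. In production the same logic would run over authentication logs (for example, Windows event 4625 or cloud sign-in logs) rather than the constructed tuples above.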
phishing
A digital form of social engineering to deceive individuals into providing sensitive information.
phishing kit
A collection of tools assembled to make it easier for individuals with little or no knowledge of phishing practices to launch a phishing campaign.
playbook
A set of rules that allows SOAR platforms to automatically take action when an incident occurs. Using SOAR playbooks, security teams can handle alerts, create automated responses for different incident types, and resolve issues more effectively and consistently.
poisoning attack
Contamination in the training phase of machine learning systems to get an intended result.

R

ransomware
A type of malware that uses cryptographic algorithms to encrypt a victim's data and block access to it. The attackers threaten to publish the victim's data or to withhold the decryption key permanently unless a ransom is paid.
red team
A group authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's cybersecurity posture.
red team exercise or red team testing
An exercise, reflecting real-world conditions, that's conducted as a simulated attempt by an adversary to attack or exploit vulnerabilities in an enterprise's information systems.
remote desktop protocol (RDP)
Microsoft's protocol for remotely connecting to the desktop of computers running Windows. RDP endpoints exposed directly to the Internet are a frequent target of brute force and password spray attacks and a common initial access vector for human-operated ransomware.
resilience
The ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.
reverse engineering
The detailed examination of a product, binary, or protocol to understand its construction, composition, or behavior, for example, analyzing a malware sample to determine its capabilities. The term also covers reproducing another manufacturer's product from such an examination.

S

secrets (as in GitHub secrets)
Tokens, credentials, private keys, or other authentication material that might be used by a service at build or run time. For example, secrets might be used by an application to access an external service. Secrets belong in a dedicated secret store, never in source code or repository history.
Security Development Lifecycle (SDL)
The Microsoft SDL introduces security and privacy considerations throughout all phases of the development process, helping developers build highly secure software, address security compliance requirements, and reduce development costs. The guidance, best practices, tools, and processes in the Microsoft SDL are practices used internally to build more secure products and services. Since first shared in 2008, Microsoft has updated the practices as a result of its growing experience with new scenarios, like the cloud, IoT, and artificial intelligence.
Security Information and Event Management (SIEM)
An approach to security management that combines SIM (security information management) and SEM (security event management) functions into one system, collecting and correlating logs and events from across the environment to produce alerts.
Security Operations Center (SOC)
A centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
Security Orchestration, Automation, and Response (SOAR)
A solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance.
SMiShing (SMS phishing)
An attack method via a text or SMS message received on a mobile device. An attacker uses SMiShing to trick a user into downloading malware or revealing private information through a fraudulent link.
spoofing
Faking the sending address of a transmission to gain unauthorized entry into a secure system. Website spoofing involves creating a duplicate version of a website that appears to be the original. Attackers use legitimate logos, fonts, colors, and functionality to make the spoofed site look realistic. Even the URL can appear genuine.
supply chain
A system of organizations, people, activities, information, and resources, for creating and moving products, including product components and/or services from suppliers through to their customers.
supply chain risk management
The process of identifying, analyzing, and assessing supply chain risk and accepting, avoiding, transferring, or controlling it to an acceptable level considering associated costs and benefits of any actions taken.

T-Z

threat variant
New or modified strains of an existing virus or malware program; malware family.
TTP
An acronym for the Tactics, Techniques, and Procedures that attackers use to infiltrate IT systems.
UEBA (user and entity behavior analytics)
Previously known as User Behavior Analytics (UBA). This mechanism uses large datasets to model typical and atypical behaviors of humans and machines within a network. By defining such baselines, it can identify suspicious behavior, potential threats, and attacks that traditional antivirus may not detect.
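The UEBA entry describes baselining typical behavior per user or machine and flagging deviations from it. The following is an added example of that idea, not code from the book or from any UEBA product: it builds a per-identity baseline of sign-in hours, devices, and countries from constructed historical sign-ins, then scores a new sign-in by how many dimensions deviate. The weights and alert threshold are illustrative assumptions.

```python
"""Baseline-and-deviation scoring in the style of UEBA.

Added example, not from the original text. The sign-in records are constructed
and the weights and threshold are illustrative assumptions a SOC would tune.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical sign-ins: (timestamp, identity, device, country).
HISTORY = [
    ("2024-02-05T08:12:00Z", "alice", "ALICE-LAPTOP", "US"),
    ("2024-02-06T08:45:00Z", "alice", "ALICE-LAPTOP", "US"),
    ("2024-02-07T09:03:00Z", "alice", "ALICE-LAPTOP", "US"),
    ("2024-02-08T17:30:00Z", "alice", "ALICE-LAPTOP", "US"),
    # A service account (an "entity") has a baseline too: nightly job from one host.
    ("2024-02-05T22:10:00Z", "svc-backup", "BACKUP01", "US"),
    ("2024-02-06T22:10:00Z", "svc-backup", "BACKUP01", "US"),
]

# Illustrative weights: a new country is rarer (and riskier) than an odd hour.
WEIGHT_UNUSUAL_HOUR = 1
WEIGHT_NEW_DEVICE = 2
WEIGHT_NEW_COUNTRY = 3
SCORE_NO_BASELINE = 3      # an identity never seen before
ALERT_THRESHOLD = 4


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as 2024-02-05T08:12:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_baselines(history):
    """Per identity: the hours of day, devices, and countries seen historically."""
    baselines = defaultdict(lambda: {"hours": set(), "devices": set(), "countries": set()})
    for ts, identity, device, country in history:
        b = baselines[identity]
        b["hours"].add(parse_ts(ts).hour)
        b["devices"].add(device)
        b["countries"].add(country)
    return dict(baselines)


def score_signin(baselines, event):
    """Return (score, reasons) for one sign-in against its identity's own baseline.

    Each dimension that deviates from the baseline adds its weight. An identity
    with no baseline gets a fixed score because nothing is known about it.
    """
    ts, identity, device, country = event
    if identity not in baselines:
        return SCORE_NO_BASELINE, ["no baseline for identity"]
    b = baselines[identity]
    score, reasons = 0, []
    if parse_ts(ts).hour not in b["hours"]:
        score += WEIGHT_UNUSUAL_HOUR
        reasons.append("unusual hour")
    if device not in b["devices"]:
        score += WEIGHT_NEW_DEVICE
        reasons.append("new device")
    if country not in b["countries"]:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("new country")
    return score, reasons


def is_suspicious(baselines, event):
    """True when the deviation score reaches the alert threshold."""
    return score_signin(baselines, event)[0] >= ALERT_THRESHOLD


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    probe = ("2024-03-01T03:15:00Z", "alice", "UNKNOWN-PC", "RU")
    print(score_signin(baselines, probe), is_suspicious(baselines, probe))
```

The point of scoring per identity is that the same event is normal for one account and anomalous for another: a 22:00 sign-in is routine for the backup service account but would be an unusual hour for alice. Signature-based tools have no notion of "normal for this user", which is the gap UEBA is meant to fill.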
vishing (voice phishing)
The telephone equivalent of phishing. It's the act of using the telephone to scam the user into surrendering private information that will be used for identity theft. It can take shape as a phone call or voice message from a live or automated person.
Zero Trust
A security model based on the principle of maintaining strict access controls and trusting no request by default, even one that originates inside the network perimeter. Every access request is verified explicitly and granted with the least privilege needed, on the assumption that a breach may already have occurred.