
Over the course of the last year or so I have explained to colleagues and clients whose roles are not in Cybersecurity what certain phrases or abbreviations mean. After a while I started to drop them into a Word document so I could reuse them. Then I decided to make this post so I can easily share the explanations.
There are bound to be things missing, please drop a comment if I have missed something and I will add them. Updated 16/7/25.
Acceptable Use Policy. A policy every company has but is only ever shared when the user is going through their induction or when they have fouled up.
Access Control List (ACL). An ACL allows or denies users or systems access to certain systems, networks or data depending on who they are or where they are.
Access Point. A device that connects users to a Wi-Fi network or, if it is a public Wi-Fi such as a café or hotel, can connect the user to a hacker lurking on the same network. Also see VPN.
Access Rights define what privileges or permissions a user has, which governs what they can access. User rights can be problematic: if users keep their rights as they change roles and departments, effectively collecting more access rights over time (privilege creep), a compromise or mischievous activity could have a far greater impact.
Accountability, the only thing that organisations cannot outsource no matter how hard they try.
Active Directory (AD). Microsoft’s directory service for managing identities in Windows domain networks.
Active Directory Federation Services (ADFS). Microsoft’s identity federation and web Single Sign-On (SSO) component, which lets users authenticate with their AD credentials to applications outside the domain.
Advanced Persistent Threat (APT). Strictly, a well-resourced attacker (often state-sponsored) who targets a specific organisation and stays in its network undetected for a long period. In practice it is anything that causes a data breach or a compromise, even a simple attack, because every breached organisation and their PR people will claim it was an APT.
Adware. Adware is like malware but with more colours.
Air-Gapped Networks. Two systems or networks that are not physically connected and have no automated connectivity, i.e. any transfer of data is a manual process (typically via removable media, which is itself a well known route for malware to cross the gap).
Anti-Malware is like Anti-Virus but costs more.
Anti-Virus (AV) is the most widely deployed security tool and, whilst it has its detractors, it has an important role in the protection of data. Especially now the AV vendors have incorporated other defence products e.g. firewalls into the home user versions.
App Attack. An app attack occurs when Google and Apple do not bother vetting the apps they let into their “stores.”
Application Firewall. A firewall that inspects traffic at the application layer (e.g. HTTP requests to a web application, in which case it is usually called a Web Application Firewall or WAF) rather than only the packets, ports and addresses a network firewall sees.
Application Penetration Test. An Application Penetration Test is a Penetration Test of an application. Sounds simple, until someone tests a production application; then they need the right skills and escalation contacts, otherwise things can go pear shaped very quickly.
Application Programming Interface (API). A way for two or more applications to talk to each other. It provides efficiencies and, if done right, additional security benefits. However, many APIs are part of a tool kit for connecting applications and, like most tools, they can be dangerous in the wrong hands. APIs are also under-tested, so weaknesses can be left open for long periods. This provides a window of opportunity for a criminal.
Application Vulnerability Scanning. Application vulnerability scanning is not simple. Scanning for vulnerabilities in applications needs to take into account configurations as well as code-based vulnerabilities, and the person scanning needs to understand the difference between the in-development application and the production application. Then there are different methodologies and technologies, for example Dynamic Application Security Testing (DAST), which exercises the running application, and Static Application Security Testing (SAST), which analyses the source code. All of this means scanning for vulnerabilities in applications needs to be planned and executed by a trained individual.
Asset Management. It is impossible to know about all IT and OT assets, as there are so many ways an organisation acquires technology, for example Shadow IT. However, trying to be as disciplined as possible and holding all business units and departments to account is a good start. There are some excellent asset management tools as well as the tried and tested Excel, but without attempting it, it is harder to secure all the things: you cannot patch, monitor or protect an asset you do not know you have.
ASV. Approved Scanning Vendor (ASV). Company approved by the PCI Security Standards Council (see PCI SSC) to conduct external vulnerability scanning services to identify common weaknesses in system configuration.
Asymmetric Encryption. Two mathematically related keys, a Public Key and a Private Key, are generated. The encryption key (Public Key) and the decryption key (Private Key) are different: anyone with the Public Key can encrypt data, but it can only be decrypted with the corresponding Private Key. The roles are reversed for digital signatures: the holder signs with their Private Key and anyone with the Public Key can verify the signature. Also see Certificates.
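To make the "which key does what" point concrete, here is an added example (not part of the original post) of textbook RSA with deliberately tiny primes so the arithmetic is visible. The primes p = 61, q = 53 and exponent e = 17 are the usual textbook values, and the message "pay 100 to Alice" is constructed for illustration. Real RSA needs 2048-bit keys and proper padding (OAEP for encryption, PSS for signatures), so this is for understanding only.

```python
"""Toy RSA to illustrate which key does what in asymmetric cryptography.

Added example, not from the original post. Uses deliberately tiny textbook
primes (p = 61, q = 53) so the arithmetic is visible; real RSA needs 2048-bit
keys plus OAEP/PSS padding, so never use this for anything but illustration.
"""
import hashlib
from math import gcd


def generate_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return ((e, n), (d, n)). p and q are assumed prime (toy values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)          # modular inverse: e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public_key, m: int) -> int:
    """Anyone with the PUBLIC key can encrypt a message m < n."""
    e, n = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of the PRIVATE key can decrypt."""
    d, n = private_key
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    # Sign a hash of the message, reduced so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signing uses the PRIVATE key (the opposite of encryption)."""
    d, n = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the PUBLIC key can verify the signature."""
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    c = encrypt(pub, 65)
    print("ciphertext:", c, "decrypts to", decrypt(priv, c))
    msg = b"pay 100 to Alice"            # constructed message
    s = sign(priv, msg)
    print("signature valid:", verify(pub, msg, s))
    print("tampered signature valid:", verify(pub, msg, (s + 1) % pub[1]))
```

Because encryption and signing are inverse operations under the same modulus, a tampered signature fails verification deterministically; a tampered message fails because its hash changes. Note that with a 3233-value modulus the hash is truncated to 12 bits, which is exactly why real signature schemes use full-size keys and structured padding.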
Attack Mechanism. A marketing description of how an attacker could deploy an attack.
Attack Surface refers to the footprint an organisation has on the internet, known to them or not known to them along with other external connections.
Attack Surface Management (ASM, or External ASM aka EASM). Tooling and services that continuously discover and monitor an organisation’s attack surface. Some versions include credentials and data on the Dark Web which could be used to compromise an organisation, and some versions are just a cobbled together jumble of tools with a human wrap around pretending to be a joined-up offering, in the same way a lot of Pen Testing as a Service (PTaaS) offerings do.
Attack Vector. The possible ways an attacker could gain access. Knowing this allows organisations to apply the right protection in the right place. See Attack Surface.
Audit Management. Every organisation is faced with multiple regulations, GDPR being the most common, but they are also faced with a myriad of organisational audits, from the more day to day Fire and Health and Safety to the specific contractual or compliance related, for example ISO27001 and PCI DSS. Dealing with them all separately increases the workload, the cost of maintenance and the audit costs themselves, which is why an Audit Management Plan is needed. As per Asset Management, it can be achieved through software tools or Excel, but whichever method is chosen it should be a priority, as compliance is getting harder each year due to the growing requirements.
Audit Trail. Used for a range of purposes e.g. Forensics after a breach or to understand where something went wrong and when it went wrong. An Audit Trail makes it easier to pin the blame on someone as well as to help avoid it happening again.
Authentication is how the right software and users are accepted onto a network, typically with a username and password. That is when the fun starts, especially as some users will use not very secure passwords, write them down and even share them. It has been a problem for decades, despite RSA tokens and other Multi Factor Authentication products being around for almost 30 years.
AWS EC2. Amazon Web Service’s EC2 offering provides scalable cloud compute capabilities and has a range of Security services either included or can be added on. Simple to set up and simple to compromise if the right steps are not taken.
Backdoor. A backdoor is a hidden way of bypassing normal authentication or access controls, either left in a program by its developer (for example for “support” access) or planted by an attacker so they can get back in at a later date.
Baseline Security, the bare minimum level of security needed to tick boxes, often combined with crossed fingers and prayers.
Bastion is a hardened server or appliance, normally with one function (e.g. a jump host for administrative SSH or RDP access). A Bastion sits outside the firewall or between networks, is expected to be attacked, and therefore runs the bare minimum of services.
BCP (Business Continuity Plan). BCP is essential with the volume of attacks (a hacker only needs to be lucky once) as it lays down what to do when things go wrong and is used alongside an Incident Response Plan.
Biometrics is a way of making logging on to systems more secure because it takes the usual username and password and adds something the user is, e.g. a fingerprint, an iris or retina scan, or a voice. This was an expensive way to add additional security but was seen as a strong method, until AI…! Also see Multi Factor Authentication.
Blended Attack. An attack that combines several techniques or vectors, for example a phishing email delivering malware that then spreads like a worm. The organisation being attacked is normally being specifically targeted rather than hit at random, because a blended attack involves work for the attacker. Hackers only do extra work if they have a reason, theft, ransomware, or hacktivism being the main reasons.
Blue Teaming, see Red Teaming.
Botnet. A botnet is when an individual or group have control of multiple computers, either their own or someone else’s they have infected with their malware. They can then use the power of the combined computers to launch more impactful attacks e.g. higher volumes of spam or phishing or to take up the bandwidth of a company or website, see DDoS.
Brute Force. As the name suggests it is not a subtle way to do something: it simply tries every possible combination (or every entry in a wordlist) until one works. It can nevertheless be effective, e.g. cracking passwords, which is why slow password hashing, rate limiting and account lockouts exist.
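An added example (not from the original post) of what a brute force attack looks like against a stolen hash, and why the choice of hash function matters. The "stolen" hashes, the salt and the PINs are all constructed here so the attack has something to run against; nothing is real.

```python
"""Brute forcing a numeric PIN from a stolen hash: fast hash vs slow KDF.

Added example, not from the original post. The "stolen" hashes are constructed
here from made-up PINs purely so the attack has something to run against.
"""
import hashlib
import time
from itertools import product

# Assumption: the attacker has the salt, because it is stored next to the hash.
SALT = b"constructed-salt"


def fast_hash(pin: str) -> bytes:
    """A single SHA-256: what you get when someone "just hashes" a secret."""
    return hashlib.sha256(SALT + pin.encode()).digest()


def slow_hash(pin: str, iterations: int = 10_000) -> bytes:
    """PBKDF2 makes every guess cost `iterations` HMACs instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, iterations)


def brute_force(target: bytes, hash_fn, digits: int = 4):
    """Try every PIN of `digits` digits, in order, until one hashes to `target`.

    Returns (pin, attempts, seconds); pin is None if the space is exhausted.
    """
    start = time.perf_counter()
    attempts = 0
    for combo in product("0123456789", repeat=digits):
        candidate = "".join(combo)
        attempts += 1
        if hash_fn(candidate) == target:
            return candidate, attempts, time.perf_counter() - start
    return None, attempts, time.perf_counter() - start


if __name__ == "__main__":
    stolen_fast = fast_hash("7391")          # constructed target
    pin, tries, secs = brute_force(stolen_fast, fast_hash)
    print(f"fast hash: recovered {pin} after {tries} guesses in {secs:.3f}s")

    stolen_slow = slow_hash("0137")          # constructed target
    pin, tries, secs = brute_force(stolen_slow, slow_hash)
    print(f"slow KDF : recovered {pin} after {tries} guesses in {secs:.3f}s")
```

Run it and compare the two timings: the whole 10,000 PIN space falls to the single SHA-256 in a fraction of a second, whereas PBKDF2 (or better, bcrypt/scrypt/Argon2 with a tuned work factor) makes every guess measurably expensive. Online, the equivalent control is rate limiting and lockout; offline, only the hash cost and the size of the search space protect you.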
Business Impact Analysis is something often lumped onto Cybersecurity when in reality it is the whole business that should be calculating the impact of an Incident, cyber or not. IT and Security can calculate the potential likelihood (very) of an attack and the potential impact to systems, networks, etc in time but the monetary value has to be on the Organisation as a whole.
BYOD. Bring Your Own Device has been around for a long time. However during the Covid years organisations allowed a greater number of employees to use their own devices e.g. smartphones. BYOD should be surrounded by policies and additional security solutions to avoid simple data leakages. The “Bring Your Own” is not restricted to the obvious of phones, home workers have their own Technology (BYOT), for example routers, people can leverage different Cloud Providers (BYOC), the list goes on but essentially it is where the organisation does not own or directly rent/subscribe to something but an employee does.
Capability Maturity Model (CMM). A Software Capability Maturity Model (CMM) is a framework for evaluating and improving the software development process.
Certificates and Certificate Authority (CA). A Certificate, also known as a Digital Certificate, binds a Public Key to an identity (a domain name, a person or an organisation) so that the receiver can verify that the sender is who they claim to be. The CA is a trusted third party that checks the identity and signs the certificate; CAs also manage the certificate lifecycle, which includes revoking certificates.
Clear Desk Policy. Having a clear desk policy reduces the chance of someone finding the Post-It with the passwords on as well as those piles of older but still sensitive confidential documents. It is good corporate policy and often part of a GRC requirement but how effective is it when people are working from home?
Cloud Security Posture Management (CSPM). The “Cloud” as a broad term includes Public, Private and Hybrid as well as Software as a Service (SaaS) which is why CSPM is important as it should provide continuous monitoring of an organisation’s cloud infrastructure for gaps in their security policies.
Compliance. see GRC.
Computer Forensics, also known as Digital Forensics, is like the Forensics you see in films and on the TV, except it is for computers and a lot less exciting. Skilled individuals with the appropriate software tools will analyse a computer device, including smartphones, for suspicious software, files, or activity. Not all forensics is looking for cybercrime; sometimes it is an investigation into the activity of an employee. Forensics has to follow strict Chain Of Custody/Chain Of Evidence processes as the evidence or details found could be used in a court of law.
Configuration management and patch management are part of an overall change management process, or should be. The process needs to ensure that everything is recorded to help with any forensics, systems roll backs, etc and of course to make everything more secure.
Containers. Containers are packages of software that contain all of the necessary components to run in any environment, mostly in the cloud, and should include security.
Content Filtering and management has been an effective way of blocking bad content from getting in and out for decades. Content filtering searches emails and websites for the wrong things and, based on agreed rules, blocks them from reaching the user or blocks the user from getting there. However, one user’s work requirement, e.g. a Security person needing to look at hacking tools, is another user’s malicious activity, see Access Rights.
Continuous Integration/Continuous Delivery (CI/CD). “Continuous integration (CI) refers to the practice of automatically and frequently integrating code changes into a shared source code repository. Continuous delivery and/or deployment (CD) is a 2 part process that refers to the integration, testing, and delivery of code changes” (definition source – Red Hat). As you can imagine, continuous and automated delivery pushes vulnerable code to production just as quickly as good code, which is why security testing (SAST, dependency scanning, secrets scanning) belongs in the pipeline.
Critical Infrastructure has always been a target, but in 2018, with the NIS Directive coming into force, specific sectors of business were officially classified as Critical Infrastructure and were therefore obliged under European and UK law to meet certain Cybersecurity standards. The updated NIS2 added more categories across Europe, with the UK making parallel rules. The USA and other countries have their own laws and requirements.
Cross Site Scripting, abbreviated to XSS, is a method of attacking websites that is over 20 years old: the attacker gets their own script into a page, via unescaped user input, and other users’ browsers run it as if it came from the site. Despite its age it is consistently in the OWASP Top 10 of web application weaknesses (now folded into the Injection category).
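An added example (not from the original post) showing the root cause of a reflected XSS and its fix: user input being pasted into HTML without encoding. The page template and the payload are constructed for illustration; `html.escape` is Python’s standard library HTML encoder.

```python
"""Reflected XSS: a vulnerable page builder next to its hardened version.

Added example, not from the original post. The template and payload are
constructed for illustration; html.escape is the standard-library encoder.
"""
import html

# Constructed template: the search term lands in both a text node and an attribute.
TEMPLATE = '<h1>Results for: {term}</h1>\n<input name="q" value="{term}">'


def render_vulnerable(term: str) -> str:
    """User input pasted straight into HTML: the browser will run any script in it."""
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Encode HTML metacharacters before the input lands in the page.

    quote=True also encodes " and ' so the attribute context cannot be broken out of.
    """
    return TEMPLATE.format(term=html.escape(term, quote=True))


def contains_injected_tag(page: str) -> bool:
    """Crude check for the demo: does a raw <script> tag survive into the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    payload = '"><script>alert(document.cookie)</script>'   # constructed attack input
    print(render_vulnerable(payload))
    print("injected:", contains_injected_tag(render_vulnerable(payload)))
    print(render_safe(payload))
    print("injected:", contains_injected_tag(render_safe(payload)))
```

The fix is output encoding chosen for the context the data lands in. HTML body and attribute contexts are handled above; data placed inside a `<script>` block, a URL or a CSS property needs a different encoder, and a Content Security Policy limits the damage when encoding is missed.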
Cryptography, see Encryption.
Cyber Awareness. Raising the knowledge and skill set of every employee within an organisation to form another barrier to the bad guys. Gartner coined the term “Human Risk”; awareness reduces those risks and, to use another term, turns employees into “Human Firewalls”.
Cyber Insurance is a specific insurance policy to cover cyber risks. Some B&I and D&O insurance policies will cover cyber costs, but the amounts are typically lower than a specific cyber policy. Having insurance does not avoid taking Cybersecurity seriously, because, like a domestic home policy, if the windows or doors are not locked you will not be paid out: if you have not implemented the right security and maintained it you might not get your costs covered by the insurance policy.
Data Breach. When someone, criminal or not, has gained access to data that they should not have access to. They could steal, copy, share or just look at the data, but whatever they have done or are going to do with it, it could prove to be a problem for the data owner for a variety of reasons, for example Intellectual Property theft or data theft for sale, which could cause commercial or regulatory problems.
Dark Web. The Dark Web is the part of the internet that is only reachable through anonymising networks such as Tor, and as the “dark” implies it is where criminal or anti-social activities happen, from the sale of stolen data to drugs and weapons. The Dark Web and Cryptocurrencies are why the Cyber Crime industry is so large and profitable.
Data Classification was initially used by the Military, then Government departments and eventually almost everyone else. Once a piece of data or data type has been categorised an organisation can take steps to apply appropriate protection. Some protection will be via software, but it will also be via training employees to understand why some data is more sensitive than others and what they should or should not do with it. After 2018 and GDPR there was a lot more attention on data classification.
Data Encryption, see Encryption.
Data Flow describes where data goes and how it gets there. This is important if data is to be protected properly, and it is also important in many areas of compliance, e.g. PCI DSS requires a data flow diagram for cardholder data. Also see Data Classification.
Data Leakage is as it sounds, when data is leaked, often accidentally but occasionally maliciously e.g. when someone leaves to go to a competitor. Data Loss (or Leakage) Prevention (DLP) is trying to stop data getting out, usually by Content filtering and management (see Content filtering and management) but also with specific DLP tools that recognise sensitive data patterns such as card numbers.
Data Retention varies from industry to industry and country to country as well as by the type of data, e.g. no one should retain card data they do not need (and sensitive authentication data such as the CVV must never be stored after authorisation), but everyone should retain accounting data. The best rule of thumb is if you do not have to and do not need to retain the data, delete it. If you do need to retain data, encrypt it.
DDoS, see Distributed Denial Of Service
Defence In Depth, or Castle and Moat, is putting multiple barriers in the way of the attackers. Sometimes the barriers are security solutions and sometimes network solutions like segmented or virtual networks. Whatever is used, they are designed to slow down or block a hacker whilst alerting the right people that an attack is underway.
DevOpsSec (more commonly DevSecOps). Essentially a set of processes, technologies and methodologies to ensure security is embedded into Software Development Operations (DevOps) rather than bolted on at the end.
Disaster Recovery Plan (DRP) is often part of a Business Continuity Plan (BCP) and sits alongside an Incident Response Plan (IR). All of these plans are created to provide an organisation with the best chances of recovering from an attack. They will have a series of policies and procedures to cover what to do in the case of a series of specific issues.
Distributed Denial Of Service (DDoS) is an attack method where the attackers use the combined power of a lot of computers, potentially thousands to send requests to a computer, network, or website with the intention of stopping it working or stopping it doing what it is supposed to do. A DDoS can last for minutes, hours or days. In the past it was used to extort money from website owners whose businesses would suffer financial losses if their websites stopped transacting e.g. Gambling or Pornography. Now it is often a distraction as part of an attack so they can exploit a vulnerability.
DMZ or Demilitarized Zone is based on the same idea as the Military DMZ, a line drawn between our side and their side. In computing terms it is a software/network that sits between an untrusted network e.g. the Internet and the trusted network e.g. a local network and then works with security tools e.g. a Firewall to provide access, inbound and out bound to trusted sources.
Embedded software, see firmware.
Encryption uses cryptography to protect data from unauthorised access. Encryption is everywhere and can be used almost anywhere, e.g. in transit via HTTPS or at rest for whole hard drives. If someone starts talking about Military Grade Encryption make sure your BS detector is turned on full power, just in case.
Enterprise Risk Management (ERM) has an organisation view of risk, although it is most commonly used to focus on the IT and OT sides of an organisation. Standards like NIST’s Cybersecurity Framework (NIST CSF) provide a framework that can be used to manage the risk but can also provide the baseline for a Cybersecurity Maturity Review so an organisation can understand where the whole organisation is as well as individual divisions or subsidiaries.
ESG, Environmental, social and governance, is often seen as being an organisational issue than a Cybersecurity one, however, where there are policies and processes there needs to be management, monitoring and enforcement. Whenever management, monitoring and enforcement are involved there has to be a Cybersecurity element, even if it is just to provide forensics when things go wrong.
Exploit. An exploit is where an attacker takes advantage of a software vulnerability or misconfiguration to gain access to a system or a network. In most cases they are exploiting a known vulnerability which is why a Vulnerability Management Programme is so important.
False Positives are alerts of something going wrong when nothing is actually going wrong but looks like it is. They are a problem because they can lead to complacency (alert fatigue), but also, like the Boy Who Cried Wolf, one time it might be real.
Federal Information Processing Standard (FIPS). A NIST (see NIST) developed set of standards covering, among other things, cryptographic modules and algorithms (e.g. FIPS 140).
Federated Security. Federated security provides authentication and authorisation procedures and security across multiple systems, networks, domains and organizations.
The Department of Homeland Security defines Federated as – “Federated Security combines several aspects of the former Moving Target Defense (MTD) and Security for Cloud-based Systems projects with the goal of improving cyber-defensive capabilities through the use of cyber intelligence sharing and incorporating various defensive technologies into federations of enterprises.”
Ping Identity’s comparison between SSO and Federated – “Although you may hear SSO and FIM frequently used together, they are not synonymous. Single sign-on enables access to applications and resources within a single domain. Federated identity management enables single-sign on to applications across multiple domains or organizations.”
Firewalls are a security solution that manages inbound and outbound traffic based on rules. Firewalls can be used to protect an entire organisation as well as individual devices such as laptops.
Firmware or Embedded software are programs that sit on various forms of hardware, e.g. cars, manufacturing robots, etc, and in general are not designed to be accessed by a user on a regular basis. With Internet connected devices (IoT and IIoT) the number of devices running embedded software is running into the billions, which is why there are now laws being passed to ensure these devices are secure. Also see IEC62443.
Gold Teaming. Gold teaming works from the results of a real world assessment, for example a Red Teaming exercise or a Threat Modelling workshop. Also see Red Teaming and Threat Modelling.
Governance, see GRC.
GRC, Governance, Risk and Compliance, is a catch all term for a range of statutory and contractual requirements an organisation may have to adhere to in order not to breach the law or be in breach of a contract. They are often run as a single programme because of the number of cross overs between the various standards, and running them together avoids duplicating processes, policies and controls, which saves time and money. There are hundreds of laws and standards across the world which may, or may not, apply to an organisation, which is why it is important to do your research. Examples being GLBA, BASEL, MiFID, NIS D, NIS2, DORA, GDPR (and dozens of other privacy and data protection laws), PCI DSS, FedRAMP, DFARS, etc.
Hacker, someone with an interest in seeing how things work and how they can be changed or broken. Normally this is when it applies to computer hardware and software, but with the Internet of Things (IoT and IIoT) it can be practically anything. Hackers are not all criminals, which is why people started to refer to White Hat Hackers (good guys) and Black Hat Hackers (bad guys), but even then there are blurred lines.
HBOM, Hardware Bill of Materials. “The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain. With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington.
Honeypot is a system or program designed to attract an attacker, either away from real data or to trick them into creating an alert so they can be found and/or locked out of the network. Nobody legitimate should ever touch it, so any interaction is a high-fidelity signal.
HTTPS is HTTP over TLS: the connection is encrypted and the server is authenticated by its certificate. Plain HTTP is neither, so anyone on the path can read or alter the traffic.
Industrial Control System (ICS). ICSs are used for industrial process control and have huge variances in scales, from a simple panel mounted controller to entire factories. Also see OT, PLCs, and SCADA.
Insider Threats. When someone within an organisation poses a threat to the security or risk profile of the organisation. This could be intentional or accidental but if it is not planned for with appropriate controls (policies and technologies) it could result in a significant problem.
IEC62443 is an International standard for Operational Technology (OT), specifically Automation and Control systems. The standard is made up of different sections that covers People, Process and Technology for the operators (end users), Service Providers (Integrators and Maintainers) as well as the Manufacturer.
Incident Response (IR). How an organisation responds to an incident makes all the difference when it comes to reducing downtime, political and reputational damage, and the actual cost of the incident. The speed of response comes down to having a custom and appropriate plan in place and of course the testing of the plan.
Infrastructure Penetration Test. A Penetration Test on Infrastructure, also see Application Penetration Test and Penetration Test.
IoT, Internet of Things, and its industrial counterpart IIoT, the Industrial Internet of Things. IoT/IIoT are network and internet connected devices. They can be a headache for a security team as they are often cheap and easily deployed and help users in their personal lives, for example tracking tags, which require an app on the phone as well as having a website, both of which could be compromised and provide a gateway to compromise an organisation’s assets and allow a malicious person to do malicious things.
IP Spoofing, see spoofing.
ISO27001 is an international standard for information security with the most recent version being revised in 2022. The core of ISO27001 is the Information Security Management System (ISMS) which, along with various controls helps to govern, maintain, and continually improve the way an organisation manages their Cybersecurity. ISO27001 can be traced back to an older British Standard called BS 7799 from 1995.
Malware is software used for malicious purposes. It is a broad description which includes Viruses, Worms, Trojan Horses, and Ransomware. These software programs have been around for almost 40 years and by volume have been the number one cause of damage and losses to businesses.
Multi Factor Authentication (MFA). A more secure way of identifying a user and granting them access to the network or applications. MFA is typically TWO factor: something you know, i.e. your username and password, combined with something you have, such as a randomly generated code from your phone or a token, or something you are (see Biometrics). MFA and Biometrics have been around for almost 30 years, starting with hardware tokens.
NIS2, see Critical Infrastructure.
NIST, The National Institute of Standards and Technology, creates and manages multiple cybersecurity standards and guidance documents. NIST has a Special Publication 800 series of guidelines around security. These guidelines are often bundled together to create a specific standard, e.g. NIST SP 800-53 is the control catalogue required to attain and maintain FedRAMP, and NIST SP 800-171 tells contractors working on Federal contracts how they should protect Controlled Unclassified Information (CUI) in their own systems. Think of NIST 800 as a big bucket of controls that can be pulled together to create a standard or to support one, e.g. PCI DSS.
One Time Password (OTP), is a single use numeric or alphanumeric password. They can be generated by an application or a provider, for example Google, either from a counter (HOTP) or from the current time (TOTP, the 30-second codes in authenticator apps). Also see Multi Factor Authentication.
OSINT. Open Source Intelligence (OSINT) is used to support Red Team engagements as well as criminals. It is a collection of data used to provide a better profile of an individual or organisations and can be sourced from Public sources, but some users will have access to Government and less scrupulous data sources. The more intel a tester/hacker has the better or worse the outcomes will be.
OT or Operational Technology. Firstly, it is a completely different world to IT. OT sits at the production and industrial end of an organisation’s technology spectrum or, to put it another way, it is nothing like managing a Windows environment. OT does use terms and descriptions from the IT world, but the way they are used and how things are configured are very different, which means the risks, and the approaches to mitigating them, are different too (for example you cannot simply patch and reboot a controller that is running a production line). Also see PLCs and SCADA.
Patching is the process of updating software to a different version for additional functionality but for the purpose of this glossary it is to fix a potential vulnerability in the software. Patches are issued all the time which is why organisations need to have a Patch Management Programme as well as an appropriate Vulnerability Management Programme. Microsoft have a Patch Tuesday, when once a month, they distribute their latest patches. Other vendors have similar programmes.
Patch Tuesday, also see Patching above, is the second Tuesday of the month and the point when Microsoft issues its monthly batch of patches, the bulk of them security fixes. Lots of other vendors, for example Oracle and Adobe, have aligned their own release schedules. The problem for security teams is deciding what is critical and what is not, as well as which systems to upgrade first.
PCI Approved Payment Terminal. A Payment terminal that has been approved per the PCI PIN Transaction Security (PTS) standard and is listed on the PCI SSC website.
PCI DSS. The Security Standard that contractually mandates what security every organisation that takes card payments, or transmits, processes or stores card data, must adhere to. Some businesses complete the compliance questionnaire (SAQ) blindly and hope for the best, whilst some invest as they see the commercial benefits of not picking up the bill for a data breach. NOTE: every credit card data breach is also a privacy breach, which compounds the costs and the reputational damage.
PCI DSS Report on Compliance v4.0 and v4.0.1 has two routes for completion
- Customized Approach – Focuses on the Customized Approach Objective of each PCI DSS Requirement (if applicable), allowing entities to implement controls to meet the requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach supports innovation in security practices, allowing entities greater flexibility to show how their current security controls meet PCI DSS requirements. Note: Compensating Controls are not an option for the Customized Approach
- Defined Approach – The traditional method for implementing and validating PCI DSS and uses the Requirements and Testing Procedures defined within the standard.
PCI PIN. PCI introduced a specific assessment for organizations that accept, process or transmit payment card personal identification numbers (PIN).
PCI Point-to-Point Encryption Solution (P2PE). An Encryption solution that has been validated per the PCI Point-to-Point-Encryption (P2PE) standard and is listed on the PCI SSC website.
PCI DSS QSA – See Qualified Security Assessor.
PCI SSC. Payment Card Industry PCI Security Standards Council. The people who work with the industry to create, implement and maintain the various standards.
Penetration Testing. The testing of computer systems, networks, Wi-Fi, applications, websites, and mobile apps to identify vulnerabilities and whether an attacker could exploit them. Penetration Testing is human driven and, whilst testers use tools, it is their skill in using the tools and the knowledge gained from them that makes this a true replication of a hacker’s endeavours. It is not a vulnerability scan.
Pen Testing as a Service (PTaaS), as it sounds, a more automated approach to Penetration Testing. Some are really useful but some are not worth their perceived savings.
Pharming is an attempt to redirect the traffic of a legitimate website to a hacker’s not so great site, typically by poisoning DNS or a victim’s hosts file so the right name resolves to the wrong address. It follows the security naming convention of putting a Ph in front of anything that sounds like an F…
Phishing, as the name sounds, is fishing in e-waters. Phishing uses emails, SMS, websites, etc to entice people to click on links that give the hacker the chance to obtain data that could be valuable to them on the Dark Web, e.g. usernames, passwords, and credit card numbers. The content they create looks like legitimate Banks, Utility companies, Charities, etc and is often very realistic, which is why so many people are caught out and why it is one of the leading hacking and Social Engineering methods. The voice and SMS variants are called Vishing and Smishing, and there will be other variations in the future.
PLCs. Programmable Logic Controllers (PLCs) are part of a manufacturing process and are designed to monitor and regulate machines and automation.
Purdue Model, also known as Purdue Enterprise Reference Architecture (PERA), was developed through the 1990s as a reference model for enterprise architecture by Theodore J. Williams and members of the Industry-Purdue University Consortium for Computer Integrated Manufacturing. It has five levels, 0 to 4, covering all aspects of an industrial architecture; for example, Level 0 covers the physical aspects whilst Level 4 covers business logistics systems. Also see IEC62443.
Purple Teaming, see Red Teaming.
Qualified Security Assessor (QSA). An individual who has passed the QSA exam and is approved to provide advisory and assessment services around PCI DSS. The QSA has to work for a PCI DSS Qualified Security Assessor Company (QSAC) in order to be a QSA.
Reconnaissance. Unless it is part of a Red Team it rarely involves binoculars. If an organisation is a specific target, it will have had some form of reconnaissance by the attackers, for example scanning for weaknesses, social engineering around the users, etc.
Red Teaming is an exercise where ethical hackers try to gain access or data by the use of physical hacking such as lock picking, social engineering, or phishing, alongside the usual efforts to exploit software through unpatched software, misconfigured software or by being very clever.
Reverse Engineering is a method used by a hacker to break down software to see if there are any faults in the code or configuration, and occasionally to find usable information such as usernames and passwords. Or they just do it for fun.
Risk Assessment is a methodology to identify and analyse threats and risks to an organisation, product, or environment. Risk assessments can create a baseline against which future assessments can be measured and should include plans to mitigate the risks.
Sandboxing. A Sandbox is a safe, isolated area where code, emails, etc. can be tested to ensure they are not harmful.
SASE, Secure Access Service Edge, is used to deliver Wide Area Network (WAN, also SD-WAN) and Security via the Cloud to users and their devices. Identity Management and Compliance play a big part in any SASE implementation.
SBOM (Software Bill of Materials) is a method of proving how a software solution has been built and how it is maintained from a security and supply chain perspective.
SCADA. Supervisory Control And Data Acquisition (SCADA) is an architecture made up of PLCs, Computers, Sensors, and similar devices to provide high-level supervision of machines and processes.
Security Plans, see Disaster Recovery Plan.
Security policy, see GRC.
Self Assessment Questionnaire (SAQ). A questionnaire covering a set of PCI DSS requirements that is completed by the organisation itself to confirm it is meeting those requirements.
Scanning means looking for issues such as vulnerabilities. However, scans are run by attackers as well as security professionals. Unauthorised or unplanned scans can be detected and could be a warning of a potential future attack. Organisations should be continually scanning for external vulnerabilities and, if they develop code, for problems in that code. Scanning will find issues, and that is where a Patch Management programme becomes important.
Scoping is one of the hardest areas of security. Whether it is hardware, software, managed services, or professional services, getting it wrong can be very painful. Projects that are under-scoped will not work and over-scoped projects could result in an excessive price. Ensuring the correct scope is used is the only way to make sure all parties in the project or programme are happy with the outcome.
Scoping guidance is normally issued as part of a specific standard, e.g. PCI DSS, ISO27001 or IEC62443, although it can also apply to the testing side of security, e.g. Penetration Testing and Red/Blue/Purple Teaming.
SD-WAN, Software Defined Wide Area Network, is a wide area network that uses software-defined networking technology. SD-WANs offer higher performance and lower cost than many traditional WAN offerings.
Security Controls, see GRC.
Security Impact, see Business Impact Analysis.
Security Information And Event Management (SIEM) is a highly valued tool in the Cybersecurity toolbox that gathers information from software, hardware and networks and correlates it in a central location. Then, based on its rules, it provides alerts on a dashboard with flashing lights.
Single Sign On (SSO) – see Federated Security.
Social Engineering is essentially human hacking. In general and by nature people are trusting and it is this trust that is exploited by Social Engineers to gain an advantage or access when they are trying to hack an organisation. See also Red Teaming.
SOC. SOC can confuse people as it is an acronym used by two groups of people involved in security:
- Compliance people will talk about Service Organisation Controls, aka a SOC Report or Audit.
- Security people will talk about a Security Operations Centre, a centralised location or set of services that pulls all of the security reporting, alerting, and responding together.
Spoofing (spoof) is pretending to be someone else with malicious intent.
SQL Injection is an often-used hacking method that has been around for over 25 years and yet still figures in the Top 10 list of software weaknesses (the OWASP Top 10) that a hacker could exploit.
Third Party Risk is the risk to an organisation from another organisation that your organisation works for or that undertakes work for you. The third party is normally the only party with which there is a direct contract and where you can stipulate your security and compliance requirements. However, parties to your party, for example the fourth party, could be the one that causes the issue, so it is important that they are required to meet the security and compliance requirements you have agreed with your direct party. Confused? You will be.
Third Party Risk Management (TPRM). How you manage the risks posed by your Third Party and nth Party suppliers on a day-to-day basis. This should go beyond technology and include geopolitical, weather and other risks that could impact your Supply Chain and the ability of your suppliers to deliver the goods or services your organisation needs to operate.
Third Party Risk Assessments (TPRA). How you assess the risks posed by your Third Parties and nth Parties. Like TPRM, it is a wider picture than just the technology that the people reading this post are concerned about. Compliance is often the driver for TPRA because a non-compliant supplier often means a non-compliant organisation.
Threat Modelling is understanding the possible threats and risks to the business and mapping them against the assets and processes that could be impacted, then modelling the threat scenarios to see if there is a risk from each threat and how highly that risk should be rated. Knowing more about the specific threats to the organisation allows it to focus its resources and investments in the right places.
TIBER. A European framework for Red Teaming that also provides guidance on White, Blue and Purple Teams.
Tokenisation and anonymisation. Turning something known e.g. credit card or bank details into something unknown e.g. a stream of characters and numbers making them valueless to cybercriminals but still usable to the organisation. The PCI DSS Tokenization Guidance can be found here.
TPRA. See Third Party Risk Assessments.
TPRM. See Third Party Risk Management.
VPN. A Virtual Private Network lets you connect securely to the organisation's networks. A VPN lets you use a less secure WIFI safely.
Zero-Day Attacks, Zero-Day Vulnerabilities and other variations of Zero Day refer to the first time a threat or exploit has been discovered or used. A zero-day vulnerability can be valuable to cybercriminals as they can sell it to hackers, giving them a head start on the cybersecurity industry. However, Zero-days are not exclusive to hackers. Nation states develop them as well, including western nations such as the USA's NSA.
Zero Trust. Not the attitude of a paranoid Cybersecurity professional but a framework that requires all users, systems, assets, basically everything and anything that connects to networks, other devices, or data, whether internal or external to the organisation, to be authenticated, to be continuously validated to ensure the connection is still trusted, and to be allowed to access only the data or systems they are permitted to connect to.
