Managing the users of a computer or online service and the information it stores.
An Advanced Persistent Threat (APT) is a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target.
Something of value to a person, business or organization.
The process to verify that someone is who they claim to be when they try to access a computer or online service.
To make a copy of data stored on a computer or server to lessen the potential impact of failure or loss.
Ensuring all important data is stored in a secure, offline location to protect it from being lost, if a computer is hacked. It's important to routinely copy files to a USB flash drive, for example, or secure them in cloud storage.
A person who uses programming skills to cause damage to a computer system, steal data and in general conduct illegal cyber activities.
The term botnet combines the words robot and network, and refers to a network of devices infected by, and under the remote control of, an attacker. The devices are then used together to perform tasks such as carrying out DDoS attacks (see below), mining cryptocurrency, and sending spam emails. Nearly any device connected to the internet, including home routers, can be infected and pulled into a botnet without its owner ever noticing.
The moment a hacker successfully exploits a vulnerability in a computer or device, and gains access to its files and network.
The authorized use of personally owned mobile devices such as smartphones or tablets in the workplace.
High-speed data transmission system where the communications circuit is shared between multiple users.
A technique an attacker may use when breaking into a computer system: systematically trying candidate passwords, either by hand or, far more commonly, with a program that works through a wordlist or every possible combination. Its success depends on the strength of the password and on whether the target limits the rate of attempts or locks the account after repeated failures.
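The following added example (not part of the original glossary) shows the two sides of a brute-force attack: an offline dictionary attack against an unsalted SHA-256 hash versus a salted PBKDF2 hash, an exhaustive search of a 4-digit PIN, and a server-side lockout policy that stops the same attack after five failures. The wordlist, the target passwords and the `LockoutPolicy` class are constructed for this demonstration.

```python
import hashlib
import itertools
import os
import string
import time

# Constructed wordlist for the demonstration (a real attack uses millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2017", "welcome1"]


def sha256_hash(password: str) -> str:
    """Fast, unsalted hash: cheap for the defender, equally cheap for the attacker."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow, salted hash: every guess costs the attacker the full iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(verify, wordlist):
    """Try each candidate until verify() accepts one.

    Returns (password, guesses_made); password is None if the list is exhausted.
    """
    for guesses, candidate in enumerate(wordlist, 1):
        if verify(candidate):
            return candidate, guesses
    return None, len(wordlist)


def brute_force_pin(verify, length=4, alphabet=string.digits):
    """Exhaustive search of every PIN of the given length (10**4 for 4 digits)."""
    guesses = 0
    for digits in itertools.product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(digits)
        if verify(candidate):
            return candidate, guesses
    return None, guesses


class LockoutPolicy:
    """Server-side defence (hypothetical): refuse further attempts after max_failures."""

    def __init__(self, stored_hash: str, max_failures: int = 5):
        self.stored_hash = stored_hash
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False  # a locked account rejects everything, even the right password
        if sha256_hash(candidate) == self.stored_hash:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def seconds_per_guess(hash_func, samples=20) -> float:
    """Rough cost of one guess against hash_func (timing only, for illustration)."""
    start = time.perf_counter()
    for _ in range(samples):
        hash_func("candidate")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    target = "welcome1"
    # 1. Unsalted SHA-256: offline attack, nothing slows the attacker down.
    fast_hash = sha256_hash(target)
    print(dictionary_attack(lambda c: sha256_hash(c) == fast_hash, WORDLIST))
    # 2. PBKDF2 with 100k iterations: same result, but each guess costs far more.
    salt = os.urandom(16)
    slow_hash = pbkdf2_hash(target, salt)
    print(dictionary_attack(lambda c: pbkdf2_hash(c, salt) == slow_hash, WORDLIST))
    print("sha256 s/guess:", seconds_per_guess(sha256_hash))
    print("pbkdf2 s/guess:", seconds_per_guess(lambda p: pbkdf2_hash(p, salt)))
    # 3. Online attack against a 4-digit PIN, then the same wordlist against a lockout.
    pin_hash = sha256_hash("0420")
    print(brute_force_pin(lambda c: sha256_hash(c) == pin_hash))
    policy = LockoutPolicy(fast_hash, max_failures=5)
    print(dictionary_attack(policy.verify, WORDLIST), "locked:", policy.locked)
```

The point of the timing comparison is that a slow key-derivation function does not stop a weak password from being guessed, it only multiplies the attacker's cost per guess; the lockout policy is what actually defeats the online attack, at the price of a denial-of-service risk if an attacker deliberately locks accounts.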
Preparing for and maintaining continued business operations following disruption or crisis.
Declaration that specified requirements have been met.
An independent organization that provides certification services.
A payment card transaction where the supplier initially receives payment but the transaction is later rejected by the cardholder or the card issuing company. The supplier's account is then debited with the disputed amount. Frequently referred to in identity theft and credit card theft incidents, as well as under PCI standards.
The CIA is the foremost US government agency responsible for collecting information on foreign state and non-state actors. Some of the tools used in obtaining this information have been stolen or leaked, and hackers have reused them for their own purposes.
Certified Information Systems Security Professional is a certification developed by the International Information Systems Security Certification Consortium, (ISC)². The CISSP designation is a globally recognized, vendor-neutral standard for attesting to an IT security professional's technical skills and experience in implementing and managing a security program. The CISSP certification is sought by IT professionals with job titles such as security auditor, security systems engineer, security architect and chief information security officer, among others.
A technology that allows users to access files through the internet from anywhere in the world. More technically, it is a collection of computers with large storage capabilities that remotely serve customer file requests.
Delivery of storage or computing services from remote servers online (i.e. via the internet).
An application that controls all bots in a botnet (see above). The hacker will send a command through this server, which then relays it to all compromised computers in the network.
A structure and series of requirements defined by the International Organization for Standardization, that are being incorporated in all management system International Standards as they are revised.
The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters.
National Initiative for Cybersecurity Careers and Studies (Department of Homeland Security) https://niccs.us-cert.gov/glossary
Criminals, generally operating electronically, who steal identities, violate intellectual property, or distribute child pornography. Sometimes work with or as part of traditional organized crime syndicates.
The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.
National Initiative for Cybersecurity Careers and Studies (Department of Homeland Security) https://niccs.us-cert.gov/glossary
A data breach happens when a company's network is attacked and valuable data is stolen, usually customer login credentials, credit card details, and social security numbers. The stolen data can then be abused in myriad ways: held for ransom (see Ransomware below), sold on the darknet, and, of course, used to make purchases. Attackers also take credentials stolen from one site and try them on other popular sites (credential stuffing), because many people reuse the same password across accounts, which is exactly why password reuse should be avoided.
The unauthorized movement or disclosure of sensitive information to a party, usually outside an organization, that is not authorized to have or see the information.
National Initiative for Cybersecurity Careers and Studies (Department of Homeland Security) https://niccs.us-cert.gov/glossary
The assurance that the confidentiality of, and access to, certain information about an entity is protected, and the ability of individuals to understand and exercise control over how information about themselves may be used by others.
A computer or program that provides other computers with access to shared files over a network.
An acronym that stands for distributed denial of service - a form of cyber attack. This attack aims to make a service such as a website unusable by "flooding" it with malicious traffic or data from multiple sources (often botnets).
Attackers use DDoS (Distributed Denial of Service) attacks to render a network or service unavailable. They do this by overwhelming the targeted machine with a massive volume of requests from many devices at once. The target's bandwidth or processing capacity is exhausted, and legitimate connections become impossible. These attacks are typically carried out by botnets (see above).
Confirmation issued by the supplier of a product that specified requirements have been met.
The Commerce Department is one of the government agencies responsible for protecting against data breaches. It created the Internet Policy Task Force, which reviews the privacy and cybersecurity policy challenges facing the private and public sectors. Additionally, the National Institute of Standards and Technology (NIST), part of the Commerce Department, develops minimum security standards for government agencies and guidelines for identifying information systems critical to national security.
The Department of Defense (DoD) has three missions under its cyber strategy: to defend DoD networks, to defend the US and its national interests against cyberattacks of significant consequence, and to provide cyber support to military operations. The DoD is organized into cyber teams that work to accomplish these missions. As Cyber Command (Cybercom) is elevated to a Unified Combatant Command, it will synchronize cyber efforts across DoD.
The Department of Homeland Security is one of the government agencies responsible for protecting against data breaches. Three main components under DHS are responsible for cybersecurity: the National Cybersecurity and Communications Integration Center (NCCIC), the Cyber Crimes Center (C3), and the Secret Service Electronic Crimes Task Forces.
The State Department leads the US Government's efforts to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security and fosters free expression and innovation. The Office of the Coordinator for Cyber Issues (S/CCI) coordinates the Department's global diplomatic engagement on cyber issues.
The analysis of digital clues (electronic data) left on computers or digital devices in relation to a crime.
Segment of a network where servers accessed by less trusted users are isolated. The name is derived from the term "demilitarized zone".
DNS stands for Domain Name System, the service that translates a human-readable name such as a website address into the IP address that computers actually connect to. In a DNS hijack, cybercriminals tamper with that translation (for example by changing a device's resolver settings, poisoning a resolver's cache, or taking over the domain's records) so that a legitimate name resolves to an IP address they control, redirecting you to malicious sites where they can collect your information or have you download malware. DNS hijacks can also be used to deliver altered search results.
Example: You would expect "google.com" to take you to Google's IP address, but instead you are redirected to a website owned by cybercriminals that forces malware onto your computer.
A domain is a group of computers, printers and devices that are interconnected and governed as a whole. Your computer is usually part of a domain at your workplace.
An algorithmic technique that transforms data into a form that is unreadable to anyone who does not hold the corresponding key, so that only the intended parties to a communication can read it.
Network encryption enables encryption when the data is transmitted (e.g., the network carrying the data is encrypted); storage encryption enables the data to be encrypted at rest or when stored.
Example: If we use a Caesar cipher on the word "hello", for example, we can replace each letter with a fixed number of places in the alphabet. The encrypted form of "hello" would become "ifmmp".
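The Caesar cipher above, implemented and then broken, as an added example that is not part of the original glossary. The code generalizes the single shift shown in the text to any shift and any mix of upper- and lower-case letters, and then recovers the plaintext without the key by trying all 26 shifts and scoring each candidate against a small, constructed word list (`COMMON_WORDS`, an assumption for the demo). That last step is the reason a Caesar cipher is a teaching device rather than encryption: its whole keyspace can be searched by hand.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places; other characters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(ciphertext: str):
    """Return every possible decryption keyed by shift: the entire keyspace is 26."""
    return {k: caesar(ciphertext, -k) for k in range(26)}


# Constructed mini-dictionary used to pick the readable candidate automatically.
COMMON_WORDS = {"hello", "the", "attack", "at", "dawn", "meet", "secret", "key"}


def break_caesar(ciphertext: str):
    """Recover (shift, plaintext) by scoring each candidate on known English words."""
    best = None
    for shift, candidate in all_shifts(ciphertext).items():
        words = [w.strip(".,!?") for w in candidate.lower().split()]
        score = sum(w in COMMON_WORDS for w in words)
        if best is None or score > best[0]:
            best = (score, shift, candidate)
    return best[1], best[2]


if __name__ == "__main__":
    ct = caesar("Attack at dawn!", 3)
    print(ct)                 # Dwwdfn dw gdzq!
    print(break_caesar(ct))   # (3, 'Attack at dawn!')
```

Real encryption differs on exactly the point this example exposes: the key must come from a space far too large to enumerate (2^128 or more), and the ciphertext must reveal nothing that lets an attacker rank candidate keys.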
Communications architecture for wired local area networks based upon IEEE 802.3 standards.
A malicious application or script that can be used to take advantage of a computer's vulnerability.
The Fair Information Practice Principles, first set out in a 1973 US government report and later championed by the Federal Trade Commission, form the backbone of the Privacy Act of 1974, and the concepts they include have played a significant role in the development of data protection laws globally. They are:
The FBI investigates cyberattacks and intrusions by cyber criminals, foreign adversaries, and terrorists. Its trained cyber squads, action teams, and computer crimes task forces investigate local, state, national, and international data breaches.
In its role as a trade regulator, the FTC protects consumers. FTC consent decrees are public documents that set out a baseline that corporations should abide by to protect customer data.
Federal Communications Commission is responsible for ensuring reliability and resiliency of the US communications network and to promote public safety through communications. The Communications Security, Reliability and Interoperability Council (CSRIC) suggests frameworks and recommendations to solve cybersecurity issues; the biggest threats being botnets, domain name fraud and internet route hijacking.
In January 2014, the Financial Industry Regulatory Authority ("FINRA") announced a "sweep" program, similar to OCIE's, whereby firms under FINRA's authority would receive targeted examination letters requiring them to respond to questions relating in general to their cyber preparedness. FINRA's targeted examination letters seek very similar information to the OCIE cybersecurity initiative.
Hardware or software designed to prevent unauthorized access to a computer or network from another computer or network. A "wall" or filter is created that judges each attempted interaction with a user's computer and internet connection to determine "should this be allowed entry or not?"
Federal Information Security Management Act, signed into law in 2002, defines the framework to protect government information, operations and assets against natural or man-made threats by assigning responsibilities of ensuring data security to various agencies in the federal government.
Federal Information Security Modernization Act of 2014 updates the Federal cybersecurity practices by (1) codifying DHS authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems and (2) amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices.
The Financial Services Information Sharing and Analysis Center is an industry forum for collaboration on critical security threats facing the global financial sector. Members of the FS-ISAC receive notification and information regarding cyber attacks.
The comparison of actual performance against expected or required performance.
The National Cyber Security Centre (NCSC), a part of GCHQ, protects the vital interests of the UK by providing advice on cyber security to UK government, critical national infrastructure, the wider public sector and suppliers to UK government.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU residents, and to reshape the way organizations across the region approach data privacy. The GDPR applies from May 25, 2018.
The American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants organized the Privacy Task Force to create a comprehensive framework for organizations to use to effectively manage privacy risks, and developed ten privacy principles to which companies should adhere. These include:
GLBA, also known as the Financial Services Modernization Act of 1999, has a cyber-data component that applies to "financial institutions," i.e. "any institution engaged in the business of providing financial services...credit, deposit, trust, or other financial account..." Financial institutions are required to implement standards to safeguard a customer's personal financial information, in order to ensure the security and confidentiality of customer records and information. Financial institutions can be fined up to $100,000 for each violation, and directors/officers can be held personally liable for up to $10,000 for each violation.
Someone who violates computer security for malicious reasons, renown or personal gain.
Hacks against organizations for political, non-financial reasons, perpetrated by a single hacker or a loose affiliation of hackers with no centralized leadership.
Examples: Anonymous, Lulz Security (LulzSec)
The permanent storage medium within a computer used to store programs and data.
HIPAA required Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. HHS published the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule establishes national standards for the protection of certain health information. The Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule by addressing the technical/non-technical safeguards that covered entities must put in place to secure individuals' "electronic protected health information" (e-PHI). HHS Office of Civil Rights (OCR) enforces these rules.
The HITECH Act expands the scope of the institutions covered under HIPAA beyond covered entities to their business associates, i.e. any organization or individual that handles protected health information on their behalf, which can include banks, businesses, schools and other organizations.
A defensive cybersecurity technique. This technology is essentially a computer (server) that is set up to look like a legitimate and high value target on a network. The aim is to entice hackers to focus on this computer and not on actual high value computers or data. The bonus is that administrators can watch hackers in the act and learn to protect against their techniques.
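A minimal low-interaction honeypot, as an added example that is not part of the original glossary. It binds a TCP port, greets every connection with a fake mail-server banner (the banner text is an assumption; any decoy service works), records the source address and the first bytes sent, and then closes. It offers no real functionality, which is the point: legitimate users have no reason to touch it, so every event it logs is worth looking at. The `probe()` helper stands in for an attacker's scanner so the whole thing can be exercised offline on localhost.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed decoy banner (assumption): looks like a Postfix SMTP server.
FAKE_BANNER = b"220 mx1.corp.example ESMTP Postfix\r\n"


class DecoyHandler(socketserver.BaseRequestHandler):
    """Send the banner, capture whatever the client sends first, hang up."""

    def handle(self):
        self.request.settimeout(3.0)
        self.request.sendall(FAKE_BANNER)
        try:
            first_bytes = self.request.recv(1024)
        except socket.timeout:
            first_bytes = b""
        self.server.record(self.client_address, first_bytes)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.events = []          # in a real deployment this goes to the SIEM
        self.lock = threading.Lock()

    def record(self, client_address, payload):
        event = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src_ip": client_address[0],
            "src_port": client_address[1],
            "payload": payload[:256].decode("latin-1"),
        }
        with self.lock:
            self.events.append(event)


def start_honeypot(host="127.0.0.1", port=0):
    """Bind (port 0 = pick a free one) and serve on a background thread."""
    hp = Honeypot((host, port))
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def wait_for_events(hp, count, timeout=5.0):
    """Block until the decoy has logged `count` events (or the timeout passes)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with hp.lock:
            if len(hp.events) >= count:
                return list(hp.events)
        time.sleep(0.05)
    with hp.lock:
        return list(hp.events)


def probe(host, port, payload=b"EHLO scanner.test\r\n"):
    """Stand in for an attacker's scanner touching the decoy; returns the banner."""
    with socket.create_connection((host, port), timeout=3) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = start_honeypot()
    host, port = hp.server_address
    print("decoy listening on", host, port)
    probe(host, port)
    for event in wait_for_events(hp, 1):
        print(event)
    hp.shutdown()
```

Two caveats a practitioner would add: keep the decoy isolated (it should not be able to reach production systems if it is somehow compromised), and make sure it looks plausible enough that a scanner does not immediately fingerprint it as a trap.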
Versus http:// Two web standards that allow browsers and websites to communicate. The 's' in https stands for secure and means that the traffic between the browser and the website is encrypted (using TLS), so it cannot be read or altered in transit, and that the browser has checked the site's certificate.
The International Association of Privacy Professionals is a resource for professionals wishing to develop and advance their careers by helping their organizations manage information security risks and protect their data.
The process of recognizing a particular user of a computer or online service.
Provision of computing infrastructure (such as server or storage capacity) as a remotely provided service accessed online (i.e. via the internet).
Current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems.
A declaration issued by an interested party that specified requirements have been met.
Chat conversations between two or more people via typing on computers or portable devices.
Company that provides access to the internet and related services.
INTERPOL is the world's largest international police organization, with 192 member countries, whose role is to enable police around the world to work together to make the world a safer place using a high-tech infrastructure of technical and operational support to meet the growing challenges of fighting crime in the 21st century. Most cybercrimes are transnational in nature, therefore INTERPOL is the natural partner for any law enforcement agency looking to investigate these crimes on a cooperative level. By working with private industry, INTERPOL is able to provide local law enforcement with focused cyber intelligence, derived from combining inputs on a global scale.
Program or device used to detect that an attacker is or has attempted unauthorized access to computer resources.
Intrusion detection system that also blocks unauthorized access when detected.
An internet version of a home address for your computer, which identifies it when it's connected to the internet.
An organization responsible for assisting information sharing between private and public about cyber threats. This information sharing allows these organizations to coordinate and mitigate response to these threats.
ISO/IEC 27000 family for information management systems is a set of over a dozen standards to help organizations manage security of assets, for example personnel information, financial information and intellectual property. The ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
Communications link between two locations used exclusively by one organization. In modern communications, dedicated bandwidth on a shared link reserved for that user.
Communications network linking multiple computers within a defined location such as an office building.
Malware (i.e. malicious software) that uses the macro capabilities of common applications such as spreadsheets and word processors to infect data.
Software intended to infiltrate and damage or disable computers. Shortened form of malicious software.
A set of processes used by an organization to meet policies and objectives for that organization.
The data that provides information about other data, and provides information about an item's (the data container) content. An image file can contain metadata about the color depth, image resolution, date of creation, etc. A text file can contain metadata about how long the document is (how many words), the author, when the document was written or edited, etc.
Analogous to the FBI, the British Security Service, or MI5, works clandestinely to protect national security in Great Britain and reduce the vulnerability of the nation's physical and electronic infrastructure.
Analogous to the CIA, the Secret Intelligence Service, or MI6 works outside of the UK to protect the security of the nation and gather intelligence on countering international terrorism, combating weapons proliferation, supporting stability overseas and securing the UK's cyber advantage. The MI6 focuses on identifying risks and opportunities at the earliest possible stage, shaping developments and preventing threats from emerging.
Appearing as a trusted banking application, but in fact just an overlay. Underneath, a mobile banking Trojan tricks the user into entering financial credentials and personal information. It can also intercept SMS messages, making it possible to capture two-factor authentication codes.
Nation states that engage in cyber operations, defensive and offensive. They are sometimes implicated in cyberattacks against other nation states, as well as in attacks against corporations in pursuit of intellectual property and trade secrets.
Example: China - PLA Unit 61398, US - US Cyber Command (CyberCom)
An n-day exploit targets a vulnerability that has already been publicly disclosed and for which a patch is available, but which remains exploitable on systems that have not yet applied that patch. The "n" is the number of days since disclosure.
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are a set of regulations, approved by the Federal Energy Regulatory Commission (FERC), that require companies involved in electric energy generation or transmission to implement controls to minimize the threat of cyber attacks. The requirements range from a documented cybersecurity plan to physical measures such as escorting visitors while on the premises.
Device that controls traffic to and from a network.
NY DFS 500 - The New York Department of Financial Services recently adopted a comprehensive set of cybersecurity requirements (23 NYCRR Part 500) that apply to any financial entity regulated by DFS. It has significant documentation and system control requirements, as well as third party risk controls.
A US public-private partnership to aid organizations in assessing and managing their information security risks.
National Security Agency, responsible for surveillance of foreign targets, utilizing sophisticated cyber and other tools. These tools have sometimes been stolen and co-opted by hackers for malicious purposes. The NSA also assists in defending U.S. entities from attack through perimeter and other defense capabilities. A large portion of the NSA's surveillance capabilities were revealed by Edward Snowden in 2013. Currently the NSA and Cybercom are under the same director. The "dual hat" debate concerns whether these should be separate entities, since one seeks to quietly maintain access to adversaries' networks for espionage while the other seeks to disrupt those same networks, and the two goals can conflict.
Office of Management and Budget - responsible for the management of federal agencies. Promulgates memoranda compelling federal agencies to implement certain privacy and cybersecurity controls. Not to be confused with the Office of Personnel Management (OPM), which suffered a major cybersecurity breach in 2015 resulting in the compromise of background-investigation and personnel records of over 20 million people.
Open Wi-Fi networks are unencrypted, meaning data traveling through the open network is unprotected. Malicious actors can create a fake hotspot and trick devices into joining it automatically. This results in anyone on that network being able to see a user's browsed sites, log-in passwords, financial and personal data, and more. Hackers can even redirect unencrypted traffic to malicious sites.
Obtaining services by using someone else's resources. In the cybersecurity context, some malicious actors will "outsource" processes to computers they have compromised, for example to mine cryptocurrency or launch DDoS attacks.
Making false representation that goods or services are those of another business. Frequently used in the cybersecurity context when users attempt to "pass off" their identities as another user or person to gain access to assets they otherwise would not have.
A secret series of characters used to authenticate a person's identity.
Most software consists of thousands of lines of code, so it is difficult for a developer to ensure that all possible vulnerabilities have been avoided. When a vulnerability is discovered, whether by attackers, researchers or the developers themselves, the software vendor releases a patch: a small update that fixes the flaw without reinstalling the whole product. Systems that are not patched promptly remain exposed (see n-day exploit).
The Payment Card Industry Data Security Standard is not a law but a set of security requirements, defined by the card brands, that applies to any organization that stores, processes or transmits payment card data. The standards focus on the need to "develop and maintain secure systems and applications," and "track and monitor...access to network resources..." PCI DSS 3.0, released in November 2013, enlarges the scope of data security requirements significantly.
Persistent storage is where most electronic data content is placed, such as on a hard drive, tape, DVD or flash drive.
Software running on a PC that controls network traffic to and from that computer.
Personal data relating to an identifiable living individual. Some laws and standards define this very narrowly (for example first and last name combined with a Social Security Number), while others, such as the GDPR, define it very broadly (any information relating to an identified or identifiable natural person).
Method used by criminals to try to obtain financial or other confidential information (including user names and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organization (often a bank). The email usually contains a link to a fake website that looks authentic.
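An added example (not from the original glossary) of the kind of check a mail gateway or security-awareness tool applies to the links in a suspected phishing e-mail. It parses the HTML body, pairs each `href` with the text the reader actually sees, and flags the classic lures: visible text naming one domain while the link goes to another, a host that embeds a trusted brand as a lookalike, a raw IP address as the destination, and the `user@host` trick. The e-mail body and `example-bank.com` are constructed placeholders; the two-label `registrable_domain()` heuristic is a simplification of what the Public Suffix List does.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the brand being impersonated and a lure e-mail body.
TRUSTED_DOMAINS = {"example-bank.com"}

CONSTRUCTED_EMAIL = """
<p>Dear customer, your account has been limited.</p>
<p>Sign in at <a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>
or use the faster link:
<a href="http://www.example-bank.com.login-verify.test/auth">www.example-bank.com</a></p>
<p>Problems? <a href="http://203.0.113.5/secure">Click here</a> to verify.</p>
"""

DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. A real tool consults the Public Suffix
    # List so that names like "bank.co.uk" are handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href: str, text: str, trusted=TRUSTED_DOMAINS):
    """Return the reasons this link looks like a lure (empty list = nothing found)."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return findings
    if is_ip_literal(host):
        findings.append("destination is a raw IP address")
    if "@" in parts.netloc:
        findings.append("userinfo before host (user@host trick)")
    dest_domain = registrable_domain(host)
    shown = DOMAIN_RE.search(text)
    if shown and registrable_domain(shown.group(0)) != dest_domain:
        findings.append(f"visible text says {shown.group(0)} but link goes to {host}")
    if dest_domain not in trusted:
        for brand in trusted:
            if brand in host:
                findings.append(f"lookalike host embeds trusted brand {brand}")
    return findings


def scan_email(html_body: str, trusted=TRUSTED_DOMAINS):
    """Map every suspicious href in the body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html_body)
    report = {}
    for href, text in parser.links:
        findings = analyse_link(href, text, trusted)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, reasons in scan_email(CONSTRUCTED_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Note that the genuine link in the sample produces no finding, which matters as much as catching the bad ones: a check that flags every link trains users to ignore it.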
A technique used by hackers to obtain sensitive information, including passwords, bank accounts or credit cards.
PII - Personally Identifiable Information - information that on its own, or when combined with other information, can identify a person.
The provision of remote infrastructure allowing the development and deployment of new software applications over the internet.
A small, easily transportable computing device such as a smartphone, laptop, or tablet computer.
Server that acts as an intermediary between users and other servers, validating user requests.
A form of malware that deliberately prevents you from accessing files on your computer. If a computer is infected by malware designed for this purpose, it will typically encrypt files and request that a ransom be paid in order to have them decrypted.
The recovery of data following computer failure or loss.
Something that could cause an organization not to meet one of its objectives. In the cyber and data privacy context, these could include the risk of a data breach occurring which would hurt consumer trust in a company, or the risk of fired employees taking data with them that they weren't supposed to. Risk mitigation is a key element of any cybersecurity program.
The process of identifying, analyzing and evaluating risk. Organizations are increasingly required by either data standards or cybersecurity laws to assess the risk of a data breach at their organization, and enact practices and controls to reduce those risks.
Device that directs messages within or between networks.
The Sarbanes-Oxley Act (SOX) is a 2002 law which, backed by civil and criminal penalties, requires that companies have internal controls to prevent fraud and improper financial reporting. Under section 404, SOX also requires management and an external auditor to perform a top-down risk assessment of those controls, which in practice includes the IT and cybersecurity controls that financial reporting depends on.
A virus or physical device that logs information sent to a visual display to capture private or personal information.
On April 15, 2014, the OCIE issued a National Exam Program Risk Alert, entitled "OCIE Cybersecurity Initiative," announcing it would conduct examinations of more than 50 registered broker-dealers and investment advisors "designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry's recent experiences with certain types of cyber threats."  Importantly, this alert came with an extensive list of questions requiring registrants to respond to various areas of their cyber security preparedness. The list requires information such as the registrant's adoption of any "published cybersecurity risk management process standards, such as those issued by the National Institute of Standards and Technology (NIST),"  employee training, vendor management, the firm's practices to detect "unauthorized activity on its networks and devices," and specific information, if applicable, concerning any cyber breaches which the registrant experienced since January 1, 2013.
Something that modifies or reduces one or more security risks.
Process in which network information is aggregated, sorted and correlated to detect suspicious activities.
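The aggregation-and-correlation step described above, reduced to two detection rules run over sample log lines, as an added example that is not part of the original glossary. The log lines are constructed in the style of OpenSSH's `sshd` messages. Rule 1 fires when one source address produces five or more failed logins inside a sliding 60-second window (the brute-force attack defined earlier on this page); rule 2 fires when a login from that same address then succeeds, which is the event a SOC analyst actually needs to see, because it means a guess worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt (sshd style, UTC timestamps); not real traffic.
CONSTRUCTED_LOG = """\
2018-03-01T10:00:01Z sshd[4121]: Failed password for root from 198.51.100.7 port 51122 ssh2
2018-03-01T10:00:03Z sshd[4121]: Failed password for root from 198.51.100.7 port 51130 ssh2
2018-03-01T10:00:04Z sshd[4123]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
2018-03-01T10:00:05Z sshd[4121]: Failed password for admin from 198.51.100.7 port 51140 ssh2
2018-03-01T10:00:07Z sshd[4121]: Failed password for invalid user oracle from 198.51.100.7 port 51151 ssh2
2018-03-01T10:00:09Z sshd[4121]: Failed password for bob from 198.51.100.7 port 51160 ssh2
2018-03-01T10:00:12Z sshd[4130]: Accepted password for bob from 198.51.100.7 port 51170 ssh2
2018-03-01T10:05:00Z sshd[4140]: Failed password for carol from 203.0.113.9 port 33001 ssh2
2018-03-01T10:09:00Z sshd[4141]: Failed password for carol from 203.0.113.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, source_ip) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["ip"]


def correlate(log_text, threshold=5, window=timedelta(seconds=60)):
    """Two rules over a sliding window of failures per source IP.

    BRUTE_FORCE:            >= threshold failures within `window`.
    SUCCESS_AFTER_FAILURES: an accepted login from an IP whose recent failure
                            count is still >= threshold (a guess probably worked).
    Returns [(rule, ip, timestamp)], at most one alert per IP per rule.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures in the window
    alerts, fired = [], set()
    for ts, result, user, ip in parse(log_text):
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()              # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ("BRUTE_FORCE", ip) not in fired:
                fired.add(("BRUTE_FORCE", ip))
                alerts.append(("BRUTE_FORCE", ip, ts))
        elif len(q) >= threshold and ("SUCCESS_AFTER_FAILURES", ip) not in fired:
            fired.add(("SUCCESS_AFTER_FAILURES", ip))
            alerts.append(("SUCCESS_AFTER_FAILURES", ip, ts))
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in correlate(CONSTRUCTED_LOG):
        print(f"{ts.isoformat()}  {rule:24} source={ip}")
```

The two slow failures from 203.0.113.9 stay below the threshold, which is the usual trade-off: a longer window or lower threshold catches slow, distributed guessing but raises the false-positive rate from users who mistype passwords.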
A well-defined boundary within which security controls are enforced.
Computer that provides data or services to other computers over a network.
A mobile phone built on a mobile computing platform that offers more advanced computing ability and connectivity than a standard mobile phone.
A set of instructions that tell a computer to perform a task. These instructions are compiled into a package that users can install and use. Software is broadly categorized into system software like Microsoft Windows and application software like Microsoft Office.
The delivery of software applications remotely by a provider over the internet; perhaps through a web interface.
Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Spear-phishing attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
A technique hackers use to hide their identity, pretend to be someone else or simply try to fool you over the internet.
Malware that passes information about a computer user's activities to an external party. Spyware is malware used by hackers to spy on you, so they can access personal information, banking account details, online activity, and anything else they may find valuable. On mobile devices, spyware can know your whereabouts, read your text messages, redirect calls, and much more.
Attorneys General in each state have an active role in information security, particularly in requiring companies within the state to comply with data regulation under state laws. States vary in their information security and breach notification laws; as of early 2018, Alabama and South Dakota were the only states without a data breach notification law, and both enacted one that year.
A set of organizations with linked resources and processes involved in the production of a product. The supply chain can be adversely affected when a cyber breach or attack occurs.
An ultra-portable, touch screen computer that shares much of the functionality and operating system of smartphones, but generally has greater computing power.
Something that could cause harm to a system or organization.
A person who performs a cyber attack or causes an accident.
Transient storage is used for storing electronic data with a short lifespan, like session cookies held by a browser, the contents of the clipboard in memory, or a shopping cart on an online store.
A piece of malware, disguised as legitimate software, that often allows an attacker to gain remote access to a computer. Once installed it sets up a backdoor through which the perpetrator can download or upload files, run commands, or record the user's keystrokes.
Obtaining evidence of identity by two independent means, such as knowing a password and successfully completing a smartcard transaction.
The United Nations (UN) International Telecommunications Union (ITU) announced the launch of the Global Cybersecurity Index (GCI) to measure the status of cybersecurity worldwide.
The record of a user kept by a computer to control their access to files and programs.
The short name, usually meaningful in some way, associated with a particular computer user.
A tool that protects the user's traffic from observers on the local network and hides the user's real location from the sites they visit. It does this by encrypting traffic between the user's computer and the VPN provider's server, which then forwards it to the website; the website sees the VPN server's address rather than the user's. The VPN provider itself can still see the traffic, so it offers privacy, not full anonymity.
Malware loaded onto a computer and then run without the user's knowledge or knowledge of its full effects. Viruses date back to the days of floppy disks and typically aim to corrupt, erase or modify information on a computer before spreading to others. In more recent years, however, malware like Stuxnet has caused physical damage.
A weakness in computer software that can be used to attack a system or organization. Eventually, if you do not keep your systems up to date, you will have vulnerabilities. Say you're using Microsoft Windows 7 but are failing to install updates - your system could exhibit vulnerabilities that can be attacked by a hacker because security safeguards are out of date.
A security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's place of employment.
A person who uses their hacking skills for an ethical purpose, as opposed to a blackhat hacker, who typically has a malicious intent. Businesses will often hire these individuals to test their cybersecurity capabilities.
Wireless local area network based upon IEEE 802.11 (Institute of Electrical and Electronics Engineers) LAN/MAN Standards Committee standards.
Communications network linking computers or local area networks across different locations.
A piece of malware that can replicate itself in order to spread the infection to other connected computers. It will actively hunt out weak systems in the network to exploit and spread. Below is an example of a common worm, named the Win32 Conficker.
A particular form of software exploit, usually malware. What makes a zero day exploit unique is that they are unknown to the public or the software vendor. In other words, because few people are aware of the vulnerability, they have "zero days" to protect themselves from its use.
A computer system that has been infected by malware and is now part of a hacker's botnet.