Terms and definitions from Course 5
Cybersecurity Glossary
A
Access controls: Security controls that manage access, authorization, and accountability of information
Adware: A type of legitimate software that is sometimes used to display digital advertisements in applications
Advanced persistent threat (APT): An instance when a threat actor maintains unauthorized access to a system for an extended period of time
Algorithm: A set of rules used to solve a problem
Angler phishing: A technique where attackers impersonate customer service representatives on social media
Application programming interface (API) token: A small block of encrypted code that contains information about a user
Asset: An item perceived as having value to an organization
Asset classification: The practice of labeling assets based on sensitivity and importance to an organization
Asset inventory: A catalog of assets that need to be protected
Asset management: The process of tracking assets and the risks that affect them
Asymmetric encryption: The use of a public and private key pair for encryption and decryption of data
Attack surface: The characteristics and features of the areas where an attack can come from
Attack tree: A diagram that maps threats to assets
Attack vector: The pathways attackers use to penetrate security defenses
B
C
Cipher: An algorithm that encrypts information
Common Vulnerabilities and Exposures (CVE®) list: An openly accessible dictionary of known vulnerabilities and exposures
Common Vulnerability Scoring System (CVSS): A measurement system that scores the severity of a vulnerability
Compliance: The process of adhering to internal standards and external regulations
Computer virus: see “virus”
Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable website or web application
Cryptojacking: A form of malware that installs software to illegally mine cryptocurrencies
Cryptographic key: A mechanism that decrypts ciphertext
Cryptography: The process of transforming information into a form that unintended readers can’t understand
CVE Numbering Authority (CNA): An organization that volunteers to analyze and distribute information on eligible CVEs
D
Data: Information that is translated, processed, or stored by a computer
Data at rest: Data not currently being accessed
Data in transit: Data traveling from one point to another
Data in use: Data being accessed by one or more users
Data custodian: Anyone or anything that’s responsible for the safe handling, transport, and storage of information
Data owner: The person that decides who can access, edit, use, or destroy their information
Defense in depth: A layered approach to vulnerability management that reduces risk
Digital certificate: A file that verifies the identity of a public key holder
DOM-based XSS attack: An instance when malicious script exists in the webpage a browser loads
Dropper: A type of malware that comes packed with malicious code which is delivered and installed onto a target system
E
Encryption: The process of converting data from a readable format to an encoded format
Exploit: A way of taking advantage of a vulnerability
Exposure: A mistake that can be exploited by a threat
F
Fileless malware: Malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer
H
Hacker: Any person who uses computers to gain access to computer systems, networks, or data
Hash collision: An instance when different inputs produce the same hash value
Hash function: An algorithm that produces a code that can’t be decrypted
Hash table: A data structure that's used to store and reference hash values
I
Identity and access management (IAM): A collection of processes and technologies that helps organizations manage digital identities in their environment
Information privacy: The protection against unauthorized access and distribution of data
Information security (InfoSec): The practice of keeping data in all states away from unauthorized users
Injection attack: Malicious code inserted into a vulnerable application
Input validation: Programming that validates inputs from users and other programs
Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions
L
Loader: A type of malware that downloads strains of malicious code from an external source and installs them onto a target system
M
Malware: Software designed to harm devices or networks
MITRE: A collection of non-profit research and development centers
Multi-factor authentication (MFA): A technology that requires at least two distinct forms of identification
N
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
Non-repudiation: The concept that the authenticity of information can’t be denied
O
OAuth: An open-standard authorization protocol that shares designated access between applications
P
Process of Attack Simulation and Threat Analysis (PASTA): A popular threat modeling framework that’s used across many industries
Payment Card Industry Data Security Standards (PCI DSS): A set of security standards formed by major organizations in the financial industry
Personally identifiable information (PII): Any information used to infer an individual's identity
Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software
Phishing kit: A collection of software tools needed to launch a phishing campaign
Policy: A set of rules that reduce risk and protect information
Potentially unwanted application (PUA): A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software
Prepared statement: A coding technique that executes SQL statements before passing them onto the database
Principle of least privilege: The concept of granting only the minimal access and authorization required to complete a task or function
Procedures: Step-by-step instructions to perform a specific security task
Protected health information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual
Public key infrastructure (PKI): An encryption framework that secures the exchange of online information
Q
Quid pro quo: A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money
R
Rainbow table: A file of pre-generated hash values and their associated plaintext
Ransomware: A type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access
Regulations: Rules set by a government or other authority to control the way something is done
Reflected XSS attack: An instance when malicious script is sent to a server and activated during the server’s response
Risk: Anything that can impact confidentiality, integrity, or availability of an asset
Rootkit: Malware that provides remote, administrative access to a computer
S
Salting: An additional safeguard that’s used to strengthen hash functions
Scareware: Malware that employs tactics to frighten users into infecting their device
Security assessment: A check to determine how resilient current security implementations are against threats
Security audit: A review of an organization's security controls, policies, and procedures against a set of expectations
Security controls: Safeguards designed to reduce specific security risks
Security hardening: The process of strengthening a system to reduce its vulnerability and attack surface
Separation of duties: The principle that users should not be given levels of authorization that would allow them to misuse a system
Session: A sequence of network HTTP basic auth requests and responses associated with the same user
Session cookie: A token that websites use to validate a session and determine how long that session should last
Session hijacking: An event when attackers obtain a legitimate user’s session ID
Session ID: A unique token that identifies a user and their device while accessing a system
Single sign-on (SSO): A technology that combines several different logins into one
Smishing: The use of text messages to trick users into revealing sensitive information or to impersonate a known source
Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables
Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source
Spyware: Malware that’s used to gather and sell information without consent
SQL (Structured Query Language): A programming language used to create, interact with, and request information from a database
SQL injection: An attack that executes unexpected queries on a database
Standards: References that inform how to set policies
Stored XSS attack: An instance when a malicious script is injected directly on the server
Symmetric encryption: The use of a single secret key to exchange information
T
U
User provisioning: The process of creating and maintaining a user's digital identity
V
Virus: Malicious code written to interfere with computer operations and cause damage to data and software
Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source
Vulnerability: A weakness that can be exploited by a threat
Vulnerability scanner: Software that automatically compares existing common vulnerabilities and exposures against the technologies on the network
Vulnerability assessment: The internal review process of a company’s security systems
Vulnerability management: The process of finding and patching vulnerabilities
W
Watering hole attack: A type of attack when a threat actor compromises a website frequently visited by a specific group of users
Whaling: A category of spear phishing attempts that are aimed at high-ranking executives in an organization
Web-based exploits: Malicious code or behavior that’s used to take advantage of coding flaws in a web application
Worm: Malware that can duplicate and spread itself across systems on its own
Z
Zero-day: An exploit that was previously unknown