Advanced Persistent Threat (APT): A term to describe the most capable offensive cyber actors, often nation-states, that are able to maintain long-term campaigns against even the most hardened targets.
Authentication: A procedure that verifies a user is who he or she claims to be.
Backdoor: A pathway to maintain access to a computer system or network whose existence is known only to a small number of individuals. A backdoor can be implanted in software intentionally by its developers for debugging purposes or under the compulsion of a government, or can be created by a threat actor that has successfully exploited a vulnerability in the system or software.
Border Gateway Protocol (BGP): An internet protocol that is used to make decisions regarding the routing of information among major ISPs (also called Tier 1 information service providers) such as Verizon, AT&T, China Telecom, British Telecom, Deutsche Telekom, and Japan Telecom. BGP tables posted by those providers list which corporations and institutions they connect to and for whom traffic should be routed through them. BGP is an insecure system subject to manipulation.
Botnet: A network of devices that have been co-opted by a malicious actor and can be used to execute large-scale operations in a coordinated fashion, such as distributed denial-of-service (DDoS) attacks. Devices that belong to a botnet generally “phone home” to a command-and-control server many times each day to receive instructions.
Chief Information Officer (CIO): The most senior information technology executive in an organization, a position that has become increasingly commonplace since the 1980s. The CIO generally reports to the CEO, but may instead report to the COO.
Chief Information Security Officer (CISO): The most senior cybersecurity executive in an organization. The CISO should report to either the chief risk officer or CEO and is usually responsible for managing security technologies and ensuring compliance with the applicable cyber regulatory regimes.
Cloud: Computing infrastructure usually managed and maintained by a third party. Use of the cloud permits organizations to purchase only the data storage and computational power that they need at any given time. Cloud service providers exploit economies of scale to minimize the cost of their services, and use of the cloud also allows their customers to avoid expending capital on their own computing infrastructure.
Cyber Command: A unified military command within the U.S. Department of Defense tasked with managing and coordinating the U.S. military’s offensive and defensive cyber operations. The U.S. Cyber Command was created in 2009 and consists of personnel from the Army, Navy, Air Force, and Marine Corps branches of the U.S. armed forces.
Cybersecurity and Infrastructure Security Agency (CISA): A unit in the U.S. Department of Homeland Security created in late 2018 out of the National Protection and Programs Directorate (NPPD) to assist the private sector and civilian U.S. government agencies with their cybersecurity. CISA also has some responsibility for the physical security of key infrastructure components unrelated to information technology.
Cyber War Risk Insurance Act (CWRIA): A proposal made in this book for a Cyber War Risk Insurance Act modeled along the lines of an existing government program to backstop commercial insurance in the event of a major terrorist attack.
Data Lake: A virtual repository in which current and perhaps past data is stored. The information contained within a data lake can be queried and is often useful for business intelligence or analytical purposes.
Defense Advanced Research Projects Agency (DARPA): A U.S. Defense Department office that funds university and laboratory investigations and experiments into new concepts, and known, inter alia, for funding the research that led to the creation of the internet.
Defense Industrial Base (DIB): Those privately owned and operated corporations that manufacture weapons and supporting systems utilized by the armed forces.
Direct-Recording Electronic (DRE): A term used to describe a class of electronic voting machines that do not create a paper trail to permit auditing of votes cast.
Distributed Denial-of-Service (DDoS) Attack: An offensive cyber operation in which a network is paralyzed by an inundation of requests by a large number of devices. DDoS attacks are generally executed by a botnet consisting of tens of thousands of machines, which allows threat actors to overwhelm websites or networks, making them unusable.
Domain Name System (DNS): A system underpinning the internet that converts domain names into numerical IP addresses needed for routing. DNS exists as a distributed directory, whereby low-level DNS servers contain only routing information for small organizations, and the highest-level DNS servers contain routing information for major websites, services, and top-level domains such as .com, .net, or .org.
D-Trip: Nickname of the Democratic Congressional Campaign Committee (DCCC), an organization of the Democratic Party devoted to the election of members to the lower house of the U.S. Congress.
Encryption: The scrambling of information so that it is unreadable to those who do not have the encryption key needed to unscramble it. Encrypting traffic prevents those who intercept it from being able to read it. Most encryption today is achieved by using public-key encryption, whose strength resides in the fact that one must determine the prime factors of a very large number in order to break the code. Even employing all computational resources on Earth, modern encryption now cannot be broken on a time scale meaningful to human life.
Endpoint: A device connected to a network, typically a desktop or laptop computer. Endpoint security software monitors the device for unusual or prohibited activity. EDR software (endpoint detection and response) is typically an agent installed on the device.
Exploit: A method by which an actor can take advantage of a vulnerability in a piece of software, hardware, or a computing system. Exploits can take the form of a short script, intricately developed software, or a sequence of commands. They are generally used to gain unauthorized persistence on a network or to escalate the threat actor's privileges to an administrative level, enabling them to carry out espionage or other forms of cybercrime.
Financial Action Task Force (FATF): An international organization of nation-state governments created to combat international money laundering through the creation of banking and legal standards.
GRU: The Main Directorate of the General Staff of the Armed Forces of the Russian Federation. The GRU is a Russian military-intelligence and special-operations service, whose head reports to the Ministry of Defense. The GRU has been responsible for a number of high-profile cyber activities, most notably the hacking and disinformation campaign related to the 2016 U.S. presidential election.
Honeypots: Files on a network designed to attract hackers so that their activities and techniques can be observed. Such files are usually populated with data that looks real, but is actually fake.
Identity and Access Management (IAM): A class of software used to authenticate network users in order to prevent unauthorized access to data or services. Modern identity and access management products often integrate with user directory databases to manage permissions, and utilize multifactor authentication for an extra layer of security.
Industrial Control System (ICS): A blanket term used to describe a collection of programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and various other control devices used to manage industrial processes. Industrial control systems interpret data from sensors with command functions and translate these inputs into actions that manipulate devices such as valves, regulators, actuators, relays, or switches.
Information Sharing and Analysis Center (ISAC): A consortium of companies in a particular industry created for the purpose of sharing data about computer security threats and security best practices.
Information Technology (IT): Hardware and software that create, store, retrieve, transmit, and manipulate data.
Intercontinental Ballistic Missile (ICBM): A land-based, guided missile capable of traveling in excess of five thousand kilometers to deploy and detonate one or more nuclear weapons on one or more enemy targets.
Internet of Things (IoT): The expanding network of devices that are internet connected. This includes, but is not limited to, devices such as “smart” appliances, networked health-care equipment, and infrastructure monitoring electronics. In the context of cybersecurity, Internet of Things devices are notoriously insecure, and when used in an enterprise or otherwise sensitive setting, can present a significant security risk to an organization.
Islamic State in Syria (ISIS): A name widely used to denote a terrorist organization that calls itself simply Islamic State, and that Arab governments call Daesh. The group occupied and controlled major cities during the 2013–2017 period in Libya, Syria, and Iraq, and had cells elsewhere, including in Yemen and Afghanistan. As of 2019, it continues to exist in underground cells and in remote areas in the Middle East.
Machine Learning (ML): The employment of algorithms to progressively train software models to complete a specific task more effectively. Machine learning is often used to identify spam email, classify images, or, in the case of cybersecurity, detect malicious network traffic.
Malware: Software that causes computers or networks to behave in an unintended manner. Examples of malware include ransomware, Trojans, viruses, keyloggers, and worms.
Managed Security Service Provider (MSSP): A company to which other firms outsource some of the security of their networks.
Multifactor Authentication (MFA): An authentication process that employs more than one authenticating factor to grant a user access to a device, application, network, or database. Multifactor authentication usually requires that users provide something they know, something they have, and something they are. Examples of these factors are passwords (which satisfy the knowledge requirement), one-time log-in codes sent to a user’s phone (which satisfy the possession requirement), and fingerprints (which satisfy the inherence requirement). Modern identity and access management software uses multifactor authentication to prevent threat actors from maliciously gaining authenticated access to a network.
National Institute of Standards and Technology (NIST): An agency within the U.S. Department of Commerce known for creating generally accepted norms and procedures (standards), formerly called the Bureau of Weights and Measures.
North American Electric Reliability Council (NERC): An association of electric power generation and distribution companies that issues standards and self-regulatory guidelines for the power industry in the United States and Canada. NERC seeks to preempt and prevent significant government regulation, which, in the United States, would be issued by the Federal Energy Regulatory Commission (FERC).
Operations Technology (OT): Hardware and software designed to facilitate manufacturing processes and infrastructure operations.
P5+1: The five permanent members of the United Nations Security Council (China, France, Russia, the United Kingdom, and the United States) and Germany, the nations that negotiated the nuclear development restrictions agreement with Iran.
Patch: A software update pushed over the internet by the software developer, usually to correct a mistake in code, including errors that may create the possibility of misuse of the software.
People’s Liberation Army (PLA): The armed forces of the People’s Republic of China.
Personally Identifiable Information (PII): Information about an individual that can be used either on its own or in conjunction with information from other sources to identify the individual. Examples of PII are Social Security numbers, addresses, dates of birth, passport numbers, and more.
Presidential Decision Directive (PDD): A formal policy statement signed by the President of the United States, articulating decisions on a set of national security issues. Traditionally, presidents from the Democratic Party use acronyms beginning with P for this purpose and those from the Republican Party use similar acronyms beginning with N, as in NSPM 13 for National Security Policy Memorandum 13. Bush-era documents are national security presidential directives and homeland security presidential directives. Obama-era documents are presidential policy directives (PPDs).
Privileged Access Management (PAM): See “Identity and Access Management.” PAM software protects extremely sensitive data and involves more extensive proof of identity to access that data.
Quantum Computing: Computation that exploits quantum-mechanical phenomena such as superposition, performed on particles called qubits. Classical computing operates digitally with bits that are in either an on or off state, 1 or 0. Qubits can be in many states simultaneously, allowing greater computational power.
Ransomware: A form of malware that encrypts critical system files or user data and holds it for ransom, often instructing the user to send a payment in cryptocurrency to the malware author before the encryption key will be released.
ReallyU: A system proposed in this book to verify an identity online or in person using a federated multifactor system created by consortiums of private companies and government agencies.
RSA: The RSA Corporation, now a division of Dell, is a cybersecurity and encryption vendor that created one of the first public-key encryption systems. The name is also used to describe a series of annual conferences and exhibitions on cybersecurity. The acronym is derived from the cofounders' names: Rivest, Shamir, and Adleman.
Schengen Accord: A 1985 treaty signed by five of the then ten member states of the European Economic Community that abolished internal border checks, and is the basis for the free movement of EU citizens within the EU. The original agreement was superseded by the Schengen Convention in 1990, which adopted a common visa policy. The Schengen rules were incorporated into EU law in 1999.
Secure Development Life Cycle (SDLC): A set of procedures first developed by Microsoft to ensure that software was developed and then maintained in a secure manner.
Secure Segmented Diverse-Source Microgrid (SSDM): A proposal made in this book to create a system to generate electricity locally, including using alternative energy sources. The SSDM would not be connected to regional or national networks.
Security Operations Center (SOC): A physical location in a corporation where computer security specialists monitor the company’s network for signs of intrusion or other threats.
Software as a Service (SaaS): A model in which a customer buys a subscription to use a piece of software for a finite period, contrasted with the license model in which the customer buys and then owns a copy of the software. Under the SaaS model, the software may reside online rather than on the customers' own machines.
Stuxnet: The popular name of software allegedly designed and utilized by the United States to destroy certain physical objects, specifically nuclear enrichment centrifuges at Natanz, Iran.
Supervisory Control and Data Acquisition (SCADA): Software for networks of devices that control systems of machines such as valves, pumps, generators, and transformers. SCADA software collects information about the condition and activities of the system, and can use this data to execute commands.
Tabletop Exercise (TTX): Usually a meeting around a large conference table, built on a fictional scenario, that simulates the meeting which would occur if a real event or series of events (often called a crisis management event) happened. TTXs are used to train personnel on their crisis roles and responsibilities and to identify gaps in an organization's preparedness or security.
Tailored Access Operations (TAO): An office within the U.S. National Security Agency assigned the task of penetrating foreign information technology networks and targets of special significance or difficulty. TAO was reorganized and merged into Computer Network Operations in 2017.
Threat Actor: An entity that regularly engages in unauthorized penetration of computer networks to access and exfiltrate information or to engage in destructive activities on the network.
Two-Factor Authentication (2FA): A means of proving user identity in order to be granted access to a device, application, network, or database. Two-factor authentication usually requires that users provide something they know, and prove possession of something they have. Examples of these factors are passwords (which satisfy the knowledge requirement) and one-time log-in codes sent to a user’s phone (which satisfy the possession requirement). Multifactor authentication (MFA) sometimes takes this a step further and may include a biometric identification procedure such as a thumbprint, an iris scan, or facial recognition.
Virtual Private Network (VPN): An encrypted pathway or “tunnel” over the internet usually from a remote site, such as one’s home, to an organization’s primary network. VPNs are thought to be a secure means of accessing corporate databases and applications from off-site and may involve a corporate gateway that examines the security status of the remote computer before granting access.
Wiper: Sometimes rendered "wipr," a software attack tool that erases all data found on a device or network in such a manner that the erased data is not recoverable. Wiperware may lurk on a network for days, waiting to be included in a network backup so that when the backup is mounted after an attack, the wiperware will activate and erase that too.
Year Two Thousand (Y2K): Refers to an international effort prior to January 1, 2000, to modify computer software in order to avoid an expected malfunction on that date. There was a belief that failure to modify such software in time would result in widespread failure of software-controlled devices and machinery at 12:01 A.M. on 01/01/2000.
Zero-day vulnerability: A software attack tool that has never been used before and for which, therefore, no defense currently exists. A zero-day attack tool is an exploit that utilizes a previously unused vulnerability in software or hardware. Zero Days is also the name of a 2016 documentary film about Stuxnet, directed by Alex Gibney.