Advanced Persistent Threat (APT)

APT is a security acronym for Advanced Persistent Threat. APT is a network-intrusive cyber-attack in which an attacker gains unauthorized access to an organization's network system. The aim of the attacker is to remain stealthily hidden from existing Intrusion Detection System for a longer duration of time. APT attacks usually target organizations connected to confidentiality and those that maintain confidential information about users, such as:

• National defense
• Top corporations
• Financial organizations
• Social media companies

The attacker can use the data they acquire to extort money from the owner, strike high-paying deals with other organizations, or for other forms of personal gain.

Advanced Threat Protection (ATP)

Advanced Threat Protection is a category of software, practices, or services that are employed to protect confidential information from advanced malware attacks, bots, honeypots, and other cyber intrusion attacks. ATPs vary greatly in methodology and effectiveness. However, the common purpose of standard ATP solutions is to seal potential loopholes in network, firewall, and email systems.

The core objective when installing an ATP solution is to achieve faster detection of intrusions and more efficient deployment of corrective measures. ATPs are supposed to understand which attacks are most probable and ensure that all vulnerabilities are fixed.

Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)

According to MITRE, ATT&CK, “…is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” This knowledge base was created help improve cybersecurity measures and boasts a large number of threat mitigation tactics available to the public.

Learn how to use the MITRE ATT&CK framework for repeatable threat hunting success from our VP of Cybersecurity, Tim Bandos, in this webinar.

Cloud Access Security Broker (CASB)

Cloud services are slowly becoming the most preferred data storage methods for corporations. Cloud Access Security Brokers (CASB) are software programs or dedicated service providers that act as a security agent between the on-site network infrastructure and the cloud service provider. This ensures that a company’s security policy extends to both on-site transactions and off-site assets like the cloud servers.

Monitoring traffic to and from internal servers and the cloud is one vital task performed by the CASB. Advanced CASBs also employ an automation algorithm to detect high-risk applications and users, along with other key risk factors. CASBs help enforce security measures like encryption, which protects data if it ever reaches unauthorized hands.

Chief Compliance Officer (CCO)

The Chief Compliance Officer is a leadership position given to the individual tasked with managing compliance in an organizational setup. Corporations are beginning to understand the need for stringent policies to protect against data theft and data loss. Research has shown that employees within an organization are knowingly or unknowingly responsible for over 80% of data theft and misuse. Social engineering attacks are one way that employees can unintentionally divulge sensitive data, and they often lead to compromise.

It is essential for organizations to upgrade to the latest Intrusion Detection and Prevention System (IDS and IPS) to decrease chances of vulnerability. Periodic vulnerability assessment and penetration testing (VAPT) by in-house or hired experts helps an organization to understand its security flaws and work on fixing them before an intruder gets access to confidential data. The CCO is entrusted with handling this task.

Chief Information Officer (CIO)

The Chief Information Officer has many responsibilities and plays a similar role to the CTO, apart from operational duties.

The CIO is responsible for:

Facilitating security training and development of the employees
• Assisting the CTO and other upper management in assessing IT infrastructures
• Recommending changes for better employee productivity

Chief Information Security Officer (CISO)

A Chief Information Security Officer (CISO) is another emerging leadership position across top corporations. The CISO usually reports to the CEO. Companies have identified cyberattacks as a potential mechanism capable of serious and detrimental outcomes. A CISO leads a team dedicated to take remedial and preventive steps to keep hackers away from confidential and classified information.

The CISO also acts as an information security advisor to other members of leadership and facilitates the proper risk-identification, IT infrastructure development, and implementation of safe IT practices across the organization.

Chief Risk Officer (CRO)

A Chief Risk Officer (CRO) is a managerial and leadership role within an organization that likely reports to the CTO or directly to the CEO. This person is entrusted with assessing potential risks within the organization's existing infrastructure and planning for future expansion. From the perspective of an IT-enabled company, the CRO has a vital and instrumental role in business expansion and growth.

For example, if an organization decides to set up offices in remote locations, it is the duty of the CRO to identify the critical vulnerabilities and shortcomings that this expansion process might bring to the overall IT infrastructure. By using predictive analytics and other advanced techniques, the CRO critically accesses every management decision before implementation.

Chief Security Officer (CSO)

A Chief Security Officer (CSO) is the executive responsible for both physical and virtual security. The job of a CSO is to safeguard company assets, including:

• Physical and IT infrastructures
• Proprietary technology
• Intellectual and physical property

Assets can be physical, such as reserve cash and confidential documents, or digital, which may include software, patents, and trademarks. A Chief Security Officer (CSO) often has the additional task of maintaining the overall physical security of the organization along with Information Security.

Chief Technology Officer (CTO)

The Chief Technology Officer (CTO) is a long-standing leadership position in many tech and software companies. CTOs usually either work independently or report directly to the CEO.

The CTO assesses existing policies within the company and modifies them as needed to fit with the company's financial conditions and technology needs. This role is usually in charge of every technical aspect of the company and leads the technology or engineering department.

Computer Emergency Response Team (CERT)

A computer emergency response team (CERT) is a group of cyber security professionals that handles security breaches within an organization. Although there might be systems in place to prevent security issues, most established and emerging organizations have a dedicated team to handle threats that successfully penetrate the security systems.

The CERT team can consist of, but is not limited to:

• Senior management staff
• Networking professionals
• Information security experts
• Security auditors
• Legal advisors
• Financial advisors

Together, the team completes the necessary steps to protect sensitive data after a security breach and takes measures to prevent similar attacks in the future.

Computer Incident Response Team (CIRT)

CIRT is an alternate name for a computer emergency response team with the same responsibilities.

Data-Centric Audit and Protection (DCAP)

Data-centric audit and protection, or DCAP, (coined by Gartner, a marketing and analysis consulting company) is a security policy with data protection at its core. DCAP's goal is to keep data secure by identifying where critical data is, who has access to it, and noting when modifications are made.

The critical areas of data-centric examination and protection are:

• Classification and discovery of sensitive data
• Collecting and processing data
• Data Access Control User performance analytics
• Real-time monitoring and auditing alterations to performance and data

Data Loss Prevention (DLP)

Data loss prevention (DLP) is a policy that restricts unauthorized users from transmitting sensitive or crucial data outside the company network. The DLP security acronym is also used to define software products that aid a network administrator in supervising what information unauthorized users can transfer.

Data Loss Prevention software products apply business rules to analyze and protect sensitive data so that unauthorized users cannot intentionally or unintentionally share information that could put the business at risk.

For example, if an employee tried to send a private company email outside the corporate domain or upload a company file to a user cloud storage service like Google Drive, the employee's permission would be denied.

Data Protection Officer (DPO)

A Data Protection Officer (DPO) is a business security management position required by the General Data Protection Regulation (GDPR). These officers are accountable for supervising information protection strategies and applications in accordance with GDPR terms.

The GDPR was proposed by the European Commission, the European Parliament, and the European Council to establish and modernize data protection for EU citizens. The GDPR calls for the compulsory appointment of a DPO in every company that handles or records vast amounts of personal information on EU citizens, whether for individuals or employees.

Digital Rights Management (DRM)

Digital rights management (DRM) is a well-regulated policy for digital media copyright protection. The goal of DRM is to block illegal redistribution of digital media and limit the ways customers can duplicate content they've bought. DRM products were produced in response to the accelerated rise in online piracy of commercially sold content, which increased through the use of peer-to-peer file transfer programs.

Generally, DRM is implemented by adding code that blocks copying, specifying a period of time that a piece of content can be obtained, or restricting the number of devices that the media can be installed in. DRM technology aims to make it difficult to steal content in the first place, which is a better way to solve the problem than hunting down online pirates after the content is already stolen.

Distributed Denial of Service (DDOS Attack)

A distributed denial of service (DDoS) is a type of attack in which many computer networks collectively strike a targeted website, server, or online service. A DDoS attack aims to flood systems with more traffic than the servers or networks can handle, drastically slowing or even shutting down the site. These attacks prevent genuine users from accessing the targeted resource.

The excess traffic usually includes fraudulent packets, messages, or connection requests. DDoS attacks have been executed by several entities, varying from lone hackers to organized crime groups and state bureaus.

Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) is an endpoint security tool that tackles the need for constant monitoring and response to high-level threats. EDR differs from other endpoint protection platforms like antiviruses and anti-malware in that its primary focus is not to automatically stop threats in the pre-execution stage on an endpoint. Instead, EDR focuses on assisting security analysts in finding, analyzing, and removing high-level threats and extensive attack operations that span multiple hosts.

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) is one of the most significant laws for federal data security measures and guidelines. It was signed into law as part of the Electronic Government Act of 2002. FISMA was passed in order to decrease the security risk to federal information and data while controlling federal spending on data security.

Under FISMA, federal agencies must keep a record of their information systems, use security controls, manage risk evaluations, and verify their systems.

Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool

In an effort to help organizations secure digital information, the Federal Financial Institutions Examination Council (FFIEC) created a resource called the Cybersecurity Assessment Tool. This helps financial institutions measure how secure their systems are over a period of time.

The first part deals with an organization’s inherent risk profile while part two assesses the “cybersecurity maturity” of individual institutions. After the assessment is complete, the final step is for the organization to “interpret and analyze” the results.

File Transfer Protocol (FTP)

File Transfer Protocol (FTP) is a client/server protocol that is used for transferring or exchanging files with a host computer. FTP may be verified with passwords and usernames. Anonymous FTP enables users to get files or other data from the internet without the need for a password or username.

Publicly available data is usually located in an index called /pub and uses FTP to send files to the user's computer. File Transfer Protocol is also the Internet protocol for exchanging or moving data from one network to another using IP or TCP networks.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation is a set of laws that gives citizens of the European Union more power over their personal information. GDPR sets clear regulatory conditions for data protection so that both EU nationals and companies can benefit.

Some of the essential privacy and data protection conditions of GDPR include:

• Asking citizens for the consent of data processing
• Encrypting collected information to protect privacy
• Providing data breach warnings
• Securely managing the transfer of data across boundaries
• Requiring specific businesses to have a Data Protection Officer to supervise GDPR compliance

In a nutshell, the General Data Protection Regulation regulates the collection and use of European Union citizens’ data to better protect the handling and transfer of private information.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was passed into law by Congress in 1996. The primary goal of this law is to make it easier to protect healthcare information and assist the healthcare sector in regulating managing costs.

HIPAA also does the following:

• Gives American workers the ability to transfer and continue their health insurance coverage when they shift or lose their jobs
• Decreases healthcare scams
• Regulates the use of healthcare data on electronic billing and other processes
• Mandates the protection of health information

Health Information Technology for Economic and Clinical Health (HITECH)

The HITECH Act was signed into law in 2009 to encourage the use of healthcare information technology, including electronic health record systems among other things.

The act is part of the American Recovery and Reinvestment Act (ARRA) of 2009. HITECH's major data security components include requiring copies of records, demonstrating accountability, conducting more audits, restricting marketing, and adhering to minimum necessary disclosures.

Health Information Trust Alliance (HITRUST)

Abbreviated as HITRUST, this private US company works with healthcare, technology, and other information security leaders that generate, access, store, and share sensitive data to ensure various security standards and regulations are met. HITRUST created the Common Security Framework (CSF) to achieve this goal.

The HITRUST security council consists of a team that is made of leaders from the entire industry, including IMS Health, Highmark, Anthem Inc., UnitedHealth Group, and Hospital Corporation of America.

Incident Response Team (IRT)

IRT is an alternate name for a computer emergency response team with the same responsibilities.

Industrial Control System (ICS)

Industry Control System (ICS) is a blanket term for control systems used in industrial process control. ICS’s are used in conjunction with automation and operational processes in industrial systems such as devices, networks, and controls. The systems are used in industries such as telecommunications, paper manufacturing, and power generation. The systems that ICS’s interacts with can include modular panel-mounted controllers, distributed control systems, and others.

Intrusion Detection System (IDS)

Intrusion Detection Systems (IDS) are devices or programs that are used to monitor a network or system for policy violations and malicious behavior. The systems use various techniques to identify any illicit activity while also distinguishing it from any false alarms. IDS’s can range from a single terminal to a network of computers, and some are focused on networks alone. Certain IDS’s can even respond to intrusions and prevent them.

Intrusion Prevention System (IPS)

Intrusion Prevention Systems (IPS) are used to stall or thwart any attacks on a network or a system. Essentially, these systems are more advanced versions of IDS’s in that they can both detect and mitigate security issues. These systems are used to prevent malware and other attacks from causing any harm to the network. For instance, an IPS can stop an illegal access attempt on a network. Intrusion Prevention Systems are essentially Intrusion Detection Systems (IDS) with the ability to handle the potential damage done to the system once they are identified.

Man-in-the-Middle (MITM Attack)

The term man-in-the-middle is used in security to describe a situation where an attacker inserts himself into a private conversation between two parties while controlling or manipulating the conversation. For instance, eavesdropping is an example of a man-in-the-middle attack.

In a MITM attack, the attacker can simply watch the conversation unfold or even add their own messages without either party realizing that there is an intruder.

Managed Service Provider (MSP)

A managed service provider is usually a company or entity that provides IT services to a user. A managed service provider is used when a company does not have the resources to bring the services in-house.

Common managed services include security, hosting, and other web-based IT services. Normally, managed service providers work use a subscription-based model and provide their service through the web.

Managed Security Services Provider (MSSP)

MSSP is an alternate term for a managed service provider (MSP).

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) is an organization that promotes standards, measurement science, and technology to help spur economic development. NIST improves the ability of the US to compete on the global stage by promoting industrial technology like computer chips, atomic clocks, and electronic health records.

NIST was established in 1901 and is currently part of the U.S. Department of Commerce. It was established to address the country’s challenges with industrial competition at the time. One example of a standard set forth by NIST is NIST SP 800-53, which was developed to enhance the security of information systems within the federal government.

New York Department of Financial Services (NYDFS) Cybersecurity Regulation

The NYDFS Cybersecurity Regulation is a compliance requirement for financial institutions including licensed lenders, private banks, insurance companies, service providers and foreign banks licensed to operate in New York. The rules were released in 2017 and went into effect in phases. Institutions that have less than 10 people and have gross revenues of less than $5 million are not covered by this regulation.

Payment Card Industry Data Security Standard (PCI DSS)

Also written as PCI DSS, it is an information security standard that applies to companies that handle credit card data. Compliance with these standards is measured on a quarterly basis by an external Qualified Security Assessor (QSA).

The purpose of these standards is to reduce credit card fraud by increasing the number of controls around cardholder data. The standards were put in place by major stakeholders such as Visa, Discover, MasterCard, American Express and JCB. PCI DSS aims to create additional security for credit card companies as they store, process, or transmit credit card data.

Personally Identifiable Information (PII)

Personally identifiable information (PII), or sensitive personal information, is a security term for any information that can be used to contact, identify, or locate a specified individual. Personally identifiable information is often unique to a particular individual.

Sensitive personal information could include:

• Demographic information
• Full names
• Birth dates
• Social security number
• Email addresses
• Passwords
• Financial accounts
• Tax information
• Biometric identification records
• Medical records
• Any other personal information

Personally identifiable information can be used to single out an individual from millions. Protecting personally identifiable information should be a priority because identity thieves can use this personal information to open various accounts, take out mortgages, and conduct other illegal activities for financial gain. Once compromised, it can be hard for the victim to restore their reputation and in some cases to prove their innocence.

Protected Health Information (PHI)

Protected health information (PHI), or personal health information, includes any information related to:

• An individual's past, present, or future mental or physical health condition
• Health care provisions, lab tests and results, insurance, or payment for health care services
• Records that were transmitted, maintained, or stored

Protected health information contains a track record of an individual's medical data from birth. Medical organizations can use this information to identify an individual's needs and determine the appropriate healthcare options for the best results. PHI can be anonymized and used for scientific or clinical research, strategic population health management, and value-based healthcare programs.

The Health Insurance Portability and Accountability Act (HIPAA) oversees the access, use, and disclosure policies of protected health information. It also regulates organizations that are required to adhere to this law. Preserving the privacy of PHI is necessary for security measures because this information is valuable to hackers.

Role-Based Access Control (RBAC)

Role-based access control assigns a set of permissions, security access rights, and protocols to employees based their role and authorization in an organization. Role-based access control enables employees to access the information they need to do their work efficiently while limiting access to sensitive information not relevant for their job.

Role-based access controls are used to restrict network access based on an employee's position in an organization. An employee’s access rights depend on factors like authorization, job competency, and responsibilities. Limiting network access and some capabilities like viewing, editing, and deleting files is essential for large organizations because it can help protect sensitive information and system applications from damage or theft.

RBAC also help to enhance compliance, improve operational efficiency and reduce the risk of breaches or leaks. All organizations should implement best practices when adopting RBAC.

Security as a Service (SECaaS)

Security as a service is a form of managed security where an organization outsources security management services to an external organization through cloud computing technologies.

A security service provider offers organizations subscription-based security services such as:

• Antivirus
• Anti-spyware and anti-malware protection
• Penetration testing
• Intrusion detection
• Authentication
• Security event management

Security as a service can help organizations prevent cyberattacks and security threats that compromise workflows and cloud computing databases.

Implementing security as a service can reduce operating costs, ensure consistent and uniform online protection, update virus definitions, provide more credible security expertise, and allow outsourcing of some administrative tasks like website or log management.

Security Information Management (SIM)

Security information management (SIM) is a term used to describe the collection methods and analysis of all security data in computer logs. Data harvested by SIM software can be sourced from many places, including:

• Antivirus software
• Files
• Firewalls
• Routers
• Servers

Security Information and Event Management (SIEM)

Security information and event management combines security information management (SIM) and security event management (SEM) into one system that collects, analyzes, reports, and sends alerts about log and event data in real time.

Security information and event management systems work by:

• Collecting and aggregating relevant data from multiple sources
• Identifying any abnormal activities
• Taking the appropriate actions based on data

SIEM’s can be software, an application system, or a combination of both. Security information and event management systems can be used to collect logs from applications, network devices, and other systems for analysis, presentation, or retention purposes. They can help monitor compliance with IT policies and detect anomalies.

Security Operations Center (SOC)

A security operations center is a centralized team of IT experts in an organization who are responsible for monitoring, analyzing, detecting, and containing potential security threats on an regular basis. A SOC team responds to cybersecurity incidents and threats using a combination of technological solutions.

Security operation centers help IT experts to monitor networks, analyze servers, applications, databases, websites and endpoints for any abnormal activities. This ensures that potential threats are identified quickly, investigated and defended or reported. Security Operation Centers improve incident detection through continuous monitoring and analysis of data.

Security Operations and Analytics Platform Architecture (SOAPA)

A security operations and analytics platform architecture (SOAPA) is a system that combines and aggregates logs, third-party intelligence systems, and vulnerability scanning platforms to:

• Create smart alerts
• Make decisions based on data
• Help adjust quality analysis of information

It performs the same functions as a security information and event management system at a higher level. SOAPA can be used to improve operational efficiency and threat detection, which can have a significant impact on data security in cloud computing.

An advantage of SOAPA over other systems is its dynamic nature. New system controls, applications, and additional panels can be added to improve its efficiency. A well-structured SOAPA minimizes the risk of data loss from cyber attacks by providing security alerts and preventing potential attacks.

Security Orchestration, Automation, and Response (SOAR)

Security orchestration, automation, and response (SOAR) is a security term used to describe a system that combines security orchestration and automatic response systems. SOAR systems detect potential cybersecurity threats and prevent them once flagged.

SOAR converges three distinct technologies:

• Security orchestration and automation
• Threat intelligence platforms
• Security incident response systems

SOAR’s enable business entities and organizations to collect, aggregate, and analyze vast quantities of security threats and alerts to identify and stop attacks. SOAR’s accelerate response though efficient investigation and reduced escalations.

A SOAR system can automatically terminate unusual processes, monitor suspicious software, generate incident reports, and suspend accounts with abnormal behaviors or policy violations. It is a system which replaces slow human intervention with machine-speed decision making.

User and Entity Behavior Analytics (UEBA)

User and entity behavior analytics is a cybersecurity term for a process that monitors a system’s regular user activity over time. This information is then used to detect any abnormal behavior and deviations from the usual pattern.

Specifically, UEBA uses machine learning software and algorithms to analyze systems and detect any deviations from the norm. It can then predict which anomalies may result in a potential threat. UEBA also aggregates log data, files, packet data, and flows. User entity and behavior analytics systems can be used to identify insider threats and targeted attacks to help avoid data breaches and to uncover critical user-based risks that would have gone undetected.

User Behavior Analytics (UBA)

Much like software which searches for anomalies and malicious behavior, user behavior analytics (UBA) seeks out patterns to find potentially malicious users. In many cases, massive amounts of data are monitored and examined by complex algorithms. UBA programs find indicators that could point to potential threats before problematic activity occurs.