Cybersecurity Terminology

(ISC)² - The International Information System Security Certification Consortium
This is a non-profit organization which specializes in information security education and certifications
2FA - Two-Factor Authentication
This is a way of verifying a user's identity that requires proof from two different categories of factor before login access is granted, rather than a password alone: something you know (a password or PIN); something you have (a smartphone running an authentication app such as SAASPASS, or a hardware token); or something you are (a fingerprint or retina scan). Common second-factor methods include time-based one-time codes from an authenticator app, push notifications, hardware tokens, proximity and barcode scanning, SMS codes and phone calls. Two checks from the same category (two passwords, say) are not two factors, and SMS and voice codes are the weakest of these methods because they can be intercepted or redirected, for example through SIM swapping.
Access Control
This is a process that regulates who or what can view or use resources, either physical such as IT assets or virtual assets such as connections to networks, files, and data.
Adware
This is software that displays advertising content on a user's device. Much adware also tracks browsing activity and other personal information and passes it to a third party without the user's knowledge, consent or authorization, which is why it is often classed with spyware.
Agent
This is software that independently performs a function on behalf of the user, such as analyzing data to identify trends or retrieving information about goods and services.
Attacker
This is a person or group acting with malicious intent to gain unauthorized access to, or otherwise compromise, an information system or its data.
Authentication
The process of verifying the credentials of a user, device, or action, as well as the origin and integrity of data.
Backdoor
This is a hidden or disguised access point that bypasses an information system’s security measures which allows hackers or other unauthorized users to enter.
Blacklist
This is a record of entities, such as users, IP addresses, or countries, that are explicitly blocked or denied privileges or access (also called a denylist). Blocking known-bad sources is cheap, but it only stops what has already been identified: an attacker can move to a fresh IP address or account, so a blacklist should complement, not replace, a default-deny control such as a whitelist.
Bot
This is an automated program that performs or simulates human actions online. Some bots serve legitimate purposes, such as search engine indexing or chat automation, but malicious bots are used to steal data, take control of devices, and launch attacks such as credential stuffing and denial of service. A compromised device running such software is itself also called a bot (see Botnet).
Botnet
This is a network of internet-connected devices compromised by malware, usually without their owners' knowledge, that an attacker controls remotely and uses to spread malware, send spam, or launch attacks. With hundreds or thousands of devices under control, the attacker can flood a target from many sources at once in a distributed denial of service (DDoS).
Botnet Sinkhole
This is a server that defenders or researchers set up to receive the traffic of a botnet's infected machines, typically by taking over or redirecting the domain names or IP addresses the bots use to reach their command-and-control infrastructure. Once the bots connect to the sinkhole instead of the attacker, their traffic can be studied, infected hosts can be identified and notified, and the attacker loses control of them.
Breach
This is an incident that exposes data to an unauthorized party. Many breaches begin with stolen or guessed credentials, which is why multi-factor authentication is an effective defense: it adds a second layer that an attacker holding only the password cannot satisfy, by requiring confirmation through a second device or a mobile app. It is not a complete defense, since breaches also result from software vulnerabilities, misconfiguration and insider misuse.
Brute Force
This is a trial-and-error technique for recovering a password, PIN or cryptographic key by systematically trying candidate values until one works, much as a criminal might open a safe by trying every combination. An online brute-force attack submits guesses to a live login service and is limited by rate limiting and account lockout; an offline attack runs against stolen password hashes at the speed of the attacker's hardware, which is why passwords should be stored with a salted, deliberately slow hashing function and why long passwords and multi-factor authentication matter.
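The two halves of the definition above in working code: an exhaustive search that recovers a short password from an unsalted SHA-256 hash, and the salted, slow PBKDF2 storage that makes each guess expensive. This is an added example, not code from the original glossary; the victim password, the lowercase alphabet and the four-character length are constructed to keep the search short enough to run in a second, and the iteration count follows OWASP's 2023 guidance for PBKDF2-HMAC-SHA256.

```python
"""Offline brute force against a stolen hash, and the slow salted hash that blunts it.

Added example (not part of the original glossary). The target hash, alphabet and
password length are constructed for illustration; a real attack runs on GPUs at
billions of fast hashes per second.
"""
import hashlib
import hmac
import itertools
import os
from typing import Iterable, Optional

LOWERCASE = "abcdefghijklmnopqrstuvwxyz"


def sha256_hex(text: str) -> str:
    """The unsalted, fast hash a careless application might store."""
    return hashlib.sha256(text.encode()).hexdigest()


def keyspace(alphabet: str, max_len: int) -> int:
    """Number of candidates an exhaustive search of lengths 1..max_len must try."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def candidates(alphabet: str, max_len: int) -> Iterable[str]:
    """Yield every string over `alphabet` of length 1..max_len, shortest first."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def brute_force_sha256(target_hex: str, alphabet: str = LOWERCASE, max_len: int = 4) -> Optional[str]:
    """Recover the password behind an unsalted SHA-256 hash by trying every candidate.

    A fast, unsalted hash lets the attacker test guesses as quickly as the hash
    function runs, and the same precomputed table works against every user.
    """
    target = bytes.fromhex(target_hex)
    for guess in candidates(alphabet, max_len):
        if hashlib.sha256(guess.encode()).digest() == target:
            return guess
    return None


# Countermeasure: store passwords with a per-user salt and a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage, with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed victim: a 4-letter lowercase password stored as bare SHA-256.
    stolen = sha256_hex("maze")
    print("search space:", keyspace(LOWERCASE, 4))   # 475254 candidates
    print("recovered:", brute_force_sha256(stolen))  # maze
    record = hash_password("maze")
    print("slow verify, correct password:", verify_password("maze", record))
    print("slow verify, wrong password:", verify_password("mazf", record))
```

Each PBKDF2 guess costs 600,000 HMAC computations instead of one SHA-256, and the random salt means an attacker must repeat the whole search separately for every user rather than reuse one table. The search space function makes the other lever visible: adding one character class or one more character multiplies the candidates, which is what a password policy buys.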
BYOD - Bring Your Own Device
This is a policy permitting employees to carry personal devices into their workplace for business use.
CA - Certificate Authority
This is an entity that issues digital certificates as part of a Public Key Infrastructure (PKI). A certificate binds a public key to the identity of its subject (for example a domain name), and the CA's signature on it lets third parties that trust the CA verify that binding. Transport Layer Security (TLS), and its deprecated predecessor Secure Sockets Layer (SSL), rely on the client validating the server's certificate chain up to a trusted CA when establishing a secure connection.
CASB - Cloud Access Security Brokers
This is technology that sits between an organization's users and the cloud services they use, acting as a gatekeeper that enforces access control, auditing and monitoring, and data encryption on that traffic. This allows the organization to extend its security standards beyond its own infrastructure to the cloud providers it depends on.
CISSP - Certified Information Systems Security Professional
This is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)²
CJIS Compliance - Criminal Justice Information Service Compliance
This is the Criminal Justice Information Services (CJIS) Security Policy, a joint program of the FBI, State Identification Bureaus and CJIS Systems Agencies. It sets out the security controls that must be in place to protect sensitive information such as fingerprints and criminal history records gathered by local, state and federal criminal justice and law enforcement agencies.
COBIT - Control Objectives for Information and Related Technologies
This is a good-practice framework created by international professional association ISACA for information technology (IT) management and IT governance.
Confidentiality
The practice of ensuring that information is disclosed only to authorized users, processes, and devices.
Cybersecurity
This is the practice, together with the strategy, policy and standards that govern it, of protecting networks, systems, devices and data from attack, damage and unauthorized access. It includes, but is not limited to, reducing threats, identifying and remediating vulnerabilities, detecting intrusions, and responding to and recovering from incidents.
Defense in Depth
This is an information security strategy that layers multiple independent controls so that the failure or bypass of any single control does not by itself compromise the system.
DLP - Data Loss Prevention
Processes and procedures that prevent sensitive data from being sent beyond a secure boundary, like through email, instant messaging, or other applications.
DNS - Domain Name System
This is the system that translates user-friendly domain names into IP addresses so that users' traffic is routed to the intended site. Because ordinary DNS responses are unauthenticated, they can be spoofed or poisoned; DNSSEC adds signatures that let resolvers verify them.
Domain Hijacking
Taking control of a domain name's registration without the owner's authorization, for example by compromising the owner's account at the domain registrar, by social engineering the registrar's support staff, or by re-registering a domain the owner let expire. The hijacker can then change the domain's name servers or DNS records so that a trusted URL points at a malicious imposter site used for phishing and other online scams. Defenses include multi-factor authentication on registrar accounts, registrar and registry locks, and monitoring for unexpected changes to DNS records.
DoS - Denial of Service
This is an attack against a computer, network, or website in which bandwidth is flooded or resources are overloaded to the point that the target is rendered unavailable to legitimate users. It can also be carried out by malicious code or a crafted request that crashes or shuts down a service. When the flood comes from many sources at once, typically a botnet, it is a distributed denial of service (DDoS).
Encryption
This is a security measure that uses an algorithm and a key to convert plaintext into ciphertext that is unreadable to anyone who does not hold the corresponding key needed to decipher it.
Endpoint
This is any device that connects to a network and runs network-based applications, e.g., laptops, desktop computers, servers, and mobile devices.
EPCS - Electronic Prescriptions for Controlled Substances
This is a set of US Drug Enforcement Administration regulations that give medical practitioners the option of prescribing controlled substances electronically and allow pharmacies to receive, dispense, and archive these prescriptions. By requiring prescribers to authenticate with two factors before signing a prescription, these rules help to reduce fraud and abuse of controlled substances, and they require that prescriptions be transmitted without alteration.
Exploit
Code, a sequence of commands, or a technique that takes advantage of a vulnerability in order to compromise the confidentiality, integrity, or availability of a system or network.
Exploit Kit
This is a packaged toolset, usually hosted on a web server, that probes a visitor's browser and plugins for known vulnerabilities and delivers malware through the first one that works. Exploit kits can be deployed by attackers with little skill. Browser plugins such as Adobe Flash Player, Adobe Reader, and Java were historically their most common targets.
FIPS - Federal Information Processing Standard
U.S. government security standards for document processing, encryption algorithms, and other technology practices used by government agencies and adjacent contractors and vendors, issued and recognized by the National Institute of Standards and Technology (NIST).
Firewall
This is a hardware- or software-based gateway that controls the traffic entering and leaving a network or host. Traffic crossing the boundary passes through the firewall, which compares each packet or connection against its rule set and, based on that policy, allows or denies it. A well-configured firewall denies by default and allows only the traffic that is explicitly needed.
GDPR - General Data Protection Regulation
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU)
HIPAA - Health Insurance Portability and Accountability Act
HIPAA, the US Health Insurance Portability and Accountability Act of 1996, established the legal framework and standards for handling and electronically exchanging protected health information. Its Privacy and Security Rules set the safeguards that covered entities must apply, and the HIPAA Enforcement Rule, which took effect in March 2006, added penalties and compliance procedures for violations.
HTTP - Hypertext Transfer Protocol
Hypertext Transfer Protocol (HTTP) is the protocol that browsers and web servers use to exchange pages and data. On its own it carries everything in the clear, with no security layer such as SSL/TLS, so anyone on the network path can read or alter the traffic; it is associated with insecure browsing.
HTTPS - Hypertext Transfer Protocol Secure
This is HTTP carried over a TLS connection, which encrypts the traffic and authenticates the server through its certificate. It is required on any site where users log in, enter sensitive information, or make payments. URLs beginning with https:// and the padlock icon in the browser's address bar indicate that the connection is encrypted and the certificate was validated; they do not indicate that the site itself is trustworthy, since a phishing site can obtain a valid certificate for its own domain.
IDaaS - Identity as a Service
This is an authentication and identity-management infrastructure delivered from the cloud as a subscription service, such as SAASPASS.
IDPS - Intrusion Detection and Prevention System
This is a system or device that monitors network or host activity for malicious behavior, logs information about it, attempts to block or stop intrusions in progress, and reports them.
Information Security
The practice of protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction, in order to provide confidentiality, integrity, and availability — having control of your information and trusting that those you’ve provided it to can keep it safe.
Integrity
The assurance that information has not been altered, whether accidentally or maliciously, in an unauthorized or undetected way. Methods used to ensure integrity include cryptographic hashes, message authentication codes, and digital signatures that detect modification, together with access controls and strict authentication that limit who can make changes.
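The distinction in the definition above, between a checksum that detects accidents and a keyed message authentication code that detects an attacker, as an added example (not code from the original glossary). The message, key, and the attacker's edit are constructed for illustration.

```python
"""Integrity checks: a keyed MAC detects tampering, a bare checksum does not.

Added example, not from the original glossary. The message, key and attacker
modification are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Tuple


def checksum(message: bytes) -> str:
    """Unkeyed SHA-256 digest: catches accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message; only holders of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_checksum(message: bytes, received_sum: str) -> bool:
    """A receiver that trusts a checksum attached to the message."""
    return checksum(message) == received_sum


def receiver_accepts_mac(key: bytes, message: bytes, received_tag: str) -> bool:
    """A receiver that recomputes the MAC with the shared key; compare in constant time."""
    return hmac.compare_digest(tag(key, message), received_tag)


def man_in_the_middle(message: bytes, old: bytes, new: bytes) -> Tuple[bytes, str]:
    """What an attacker on the path can do: rewrite the message and attach a fresh checksum.

    Recomputing the checksum needs no secret, so the forged pair passes a checksum
    check. The attacker cannot recompute the MAC without the key, so the best they
    can do is forward the original tag, which no longer matches the altered message.
    """
    forged = message.replace(old, new, 1)
    return forged, checksum(forged)


if __name__ == "__main__":
    key = os.urandom(32)                     # shared in advance between sender and receiver
    msg = b"transfer 100 USD to account 1234"
    forged, forged_sum = man_in_the_middle(msg, b"100", b"900")
    print("checksum receiver fooled:", receiver_accepts_checksum(forged, forged_sum))  # True
    print("MAC receiver fooled:", receiver_accepts_mac(key, forged, tag(key, msg)))   # False
    print("genuine message verifies:", receiver_accepts_mac(key, msg, tag(key, msg)))  # True
```

The constant-time comparison matters: a byte-by-byte `==` on the tag would let an attacker learn the correct tag one byte at a time from response timing. A digital signature gives the same tamper detection without a shared key, which is what TLS certificates and SAML assertions use.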
ISACA
This is an international professional association focused on IT governance. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only.
ISO/IEC 27001
ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS): a formal, documented system for bringing information security risks under management control. Organizations that implement it can be audited by an accredited certification body and certified against the standard's requirements and the controls in its Annex A.
Key
This is a secret value, in practice a string of bits or a sequence of characters, that a cryptographic algorithm combines with the data to encrypt or decrypt it (or to sign and verify it). The security of the system rests on the key being unpredictable and kept secret, not on the algorithm being hidden.
Least Privilege
This is a policy of granting users or applications only the permissions necessary to perform their official duties. Limiting their amount of access decreases the chances of unauthorized activity and security breaches.
Malware
Software usually installed covertly, designed to compromise systems or data, invade privacy, or steal information without permission. Some examples of malware include adware, bots, keyloggers, Trojan horses, viruses, and worms.
MDM - Mobile Device Management
The process of managing, configuring, and securing the mobile devices used within an organization, for example enforcing passcodes and encryption, distributing applications, and remotely wiping a lost device, while protecting the organization's network. MDM is often used to bring BYOD devices, where users provide a personal mobile device for business purposes, under the same controls as company-owned ones.
MFA - Multi-Factor Authentication
This is a way of verifying a user's identity that requires proof from two or more different categories of factor before login access is granted: something you know (a password or PIN); something you have (a smartphone running an authentication app such as SAASPASS, or a hardware token); or something you are (a fingerprint or retina scan). Two-factor authentication (2FA) is the most common form. Supported methods include time-based one-time codes, push notifications, hardware tokens, proximity and barcode scanning, SMS codes and phone calls; authenticator apps and hardware tokens are stronger than SMS or voice codes, which can be intercepted or redirected.
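The "something you have" factor in the 2FA and MFA entries above is most often a time-based one-time code, so here is the algorithm an authenticator app runs, as an added example that is not code from the original glossary or from any vendor's product: HOTP from RFC 4226 and TOTP from RFC 6238, plus the verifier side with clock-skew tolerance and replay protection. The shared secret used in the demonstration is the published RFC test-vector key, not a real one.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): the codes an authenticator app generates.

Added example, not part of the original glossary or of any vendor's product. The
secret below is the RFC test-vector key ("12345678901234567890"), not a real one.
"""
import base64
import hmac
import struct
import time
from typing import Optional


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shown in an enrollment QR code (padding is often omitted)."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC the big-endian 8-byte counter, dynamically truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slices."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algorithm)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, window: int = 1,
                last_counter: int = -1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server side: accept a code for the current step or `window` steps either side.

    Returns the matching counter so the caller can persist it and reject replays:
    any counter <= last_counter is refused even if the code matches. Returns None
    when nothing matches. Comparison is constant-time.
    """
    at = time.time() if at is None else at
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC test key
    print("HOTP counter 0:", hotp(secret, 0))            # 755224
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082
    print("code now:", totp(secret))
    accepted = verify_totp(secret, totp(secret))
    print("accepted at counter:", accepted)
```

Note what the verifier does and does not protect against. The window absorbs small clock drift between phone and server, and storing the accepted counter stops the same code being replayed within that window. None of this stops a real-time phishing relay: a code typed into a fake login page is still valid for the attacker for the rest of its 30-second step, which is why phishing-resistant hardware tokens are preferred for high-value accounts.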
Mitigation
Reducing the likelihood of a vulnerability being exploited, or lessening its impact after a breach.
MiTM - Man-in-the-Middle
This is an attack in which the attacker places themselves between two communicating parties, such as a client and a server, relaying and possibly altering the traffic while each side believes it is talking directly to the other; this lets the attacker read or modify sensitive information such as login credentials. Examples include a malicious router in a public location offering free wi-fi, or a fake website that relays a user's session to the legitimate site while capturing the credentials. Properly validated TLS makes the interception detectable, which is why browser certificate warnings should never be clicked through.
MSP - Managed Service Provider
This is a third-party company that remotely operates and maintains IT services for its customers under contract. A managed security service provider (MSSP) focuses on security functions such as virus blocking, spam filtering, intrusion detection, firewalls, and VPN/Multi-Factor Authentication management, letting organizations outsource these functions rather than staff them in-house. Because an MSP typically holds privileged access to many customers' environments, its own security directly affects theirs.
NAC - Network Access Control
Policies and procedures that govern what an individual or component can do on a network. In addition to granting access to trusted users and devices, it also monitors and regulates their activity on the network, and implements protections like firewalls, antivirus software, and spyware detection tools.
NIST - National Institute of Standards and Technology
The National Institute of Standards and Technology is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
Patch
This is an update to an operating system, application, or other software, released by the manufacturer to repair an identified bug or vulnerability.
PCI DSS - Payment Card Industry Data Security Standard
Policies and procedures for organizations that process, transmit, or store payment cardholder data that ensure it is protected and secured.
Penetration Testing
This is a security test that mimics real-world attacks in attempt to bypass or defeat an application, network, or system’s security features.
Phishing
This is an attempt to deceive users and illegally acquire sensitive information by contacting them under the guise of a trusted source. Phishing typically employs emails or instant messages that appear to be legitimate, combined with imposter websites, to make bogus requests for personal details such as names, passwords, Social Security numbers, or financial credentials.
PKI - Public Key Infrastructure
This is the set of roles, policies, and systems needed to issue, distribute, validate, and revoke digital certificates, which bind public keys to identities so that parties on an untrusted network can authenticate each other and exchange data securely. Typically it is composed of a certificate authority (CA), which signs and issues certificates; a registration authority, which verifies applicants' identities and approves requests on the CA's behalf; a certificate database, which records issued and revoked certificates and publishes revocation information; and a certificate store on each system, which holds that system's own certificates and private keys together with the CA certificates it trusts.
POS - Point of Sale
The place and time at which a retail transaction is completed. Because POS environments combine customized software with devices like cash registers, scanners, and touch screens, increasingly connected to cloud-based services, they are a large target for breaches and for memory-scraping malware that harvests card data. With two-factor authentication, POS vendors and other retail companies can add a second layer of security to remote-access and administrative logins to keep unauthorized remote users out of their systems.
Privacy
The ability to understand and control how others use your information, and the assurance that the confidentiality of and access to your information is protected.
Proxy
This is a server acting as an intermediary between a user and the internet: it accepts the user's connections, makes the requests on their behalf, and returns the responses. Along the way it can enforce policy, filter content, cache responses, and hide the client's own address from the destination.
Ransomware
This is a type of malware that locks a computer, encrypts documents, or otherwise prevents the user from accessing it, demanding a payment from the user in order to regain access.
Root
The top-level directory in an operating system, or an account used for system administration that by default has access to all commands and files.
Rootkit
Software that an attacker installs on a compromised computer to maintain privileged (root or administrator) access while hiding its own presence and the attacker's activity, typically by modifying the operating system, its drivers, or its firmware so that security tools and administrators do not see the malicious files, processes, or network connections. A rootkit is usually installed after access has already been gained by other means, such as an exploit or stolen credentials.
SAML - Security Assertion Markup Language
This is an XML-based open standard for exchanging authentication and authorization data, widely used to provide SSO (Single Sign-On). A service provider defers authentication to an identity provider; the two exchange cryptographically signed messages, passed back and forth through the user's browser, and the service provider must validate the signature before trusting the assertion it receives.
SCEP - Simple Certificate Enrollment Protocol
This is a method of issuing digital certificates from a certificate authority via an automated HTTP response to properly formatted certificate requests.
Script Kiddie
This is a derogatory term for a person with limited knowledge of cybersecurity, motivated by mischief, who uses code or scripts developed by more experienced hackers to crack passwords and deface websites.
SIEM - Security Information and Event Management
This is the practice, and the software or appliances that implement it, of collecting, correlating, analyzing, and recording security events from across an organization in near real time to give a comprehensive picture of its security status. A SIEM system generally provides six capabilities: aggregation, gathering logs and events from many sources and normalizing them before analysis or archival; correlation, linking related events across sources into a single incident; alerting, notifying analysts or triggering a response when a rule matches; dashboards, for analyzing and visualizing the data; retention, storing data for investigation and audit; and compliance, collecting and reporting data in accordance with organizational or regulatory requirements.
Sniffing
This is a method of monitoring and recording the flow of data between two communication points while not altering or otherwise disrupting it. Because of its passive nature, sniffing allows hackers to gain information directly, or assess the technical details of a network and plan for a future attack, while garnering less suspicion than a more overt approach.
Social Engineering
Taking advantage of people’s tendency to trust others, this method of deception uses communication online or by phone to trick users into disclosing personal information such as passwords. Examples include sending an email under the guise of a legitimate institution and asking the user to reply to update or confirm their password, or providing a download to a file that appears to be benign but actually is malicious.
Spoofing
Forging the apparent origin of a communication so that it appears to come from a trusted source. Common forms are email spoofing (a forged From address), IP address spoofing, caller-ID spoofing, and website spoofing, in which an imposter site imitates a legitimate one, sometimes at a look-alike domain name, to phish credentials and perpetrate other online scams. Defenses include email authentication (SPF, DKIM, and DMARC), TLS certificates that let users verify a site's identity, and multi-factor authentication, which limits the damage a phished password can do.
Spyware
This is a program that installs on a user’s computer without their consent, often bundled with a legitimate application, that gathers personal data and relays that information to a third party. Some spyware monitors web browsing activity, while others record keystrokes to steal sensitive information.
SQL Injection - Structured Query Language Injection
This is an attack in which untrusted input, such as a form field or URL parameter, is concatenated into an SQL query so that part of the input is interpreted as SQL code rather than as data. The attacker can then bypass authentication, read or modify data they should not be able to reach, or, in some configurations, run commands on the database server. It is prevented by passing input as bound parameters of a prepared statement instead of building query strings.
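The vulnerable query beside its parameterized fix, run against an in-memory SQLite database, as an added example (not code from the original glossary). The users table, its credentials, and the attacker inputs are constructed for illustration; passwords are stored in plain text only to keep the demonstration short and must never be stored that way in practice.

```python
"""SQL injection: the vulnerable query beside the parameterized fix, run on SQLite.

Added example, not taken from the original glossary. The users table, credentials
and attacker inputs are constructed; plain-text passwords are used only to keep
the demonstration short (store hashed passwords in real systems).
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample schema with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is spliced into the SQL text, so a quote in the input rewrites the query."""
    query = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters travel as data; the driver never lets them change the SQL structure."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def search_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """A search box that leaks other columns through UNION when input is concatenated."""
    query = f"SELECT username, role FROM users WHERE username LIKE '%{name}%'"
    return conn.execute(query).fetchall()


def search_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Same search with the pattern bound as a parameter; the input can only match names."""
    return conn.execute("SELECT username, role FROM users WHERE username LIKE ?", (f"%{name}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the password check is short-circuited by OR, or commented out.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))       # True: logged in without the password
    print(login_vulnerable(db, "alice' --", "anything"))       # True: rest of the query is a comment
    print(login_safe(db, "alice", "' OR '1'='1"))              # False: treated as a literal password
    # Data extraction: a UNION pulls the password column into the search results.
    leak = "zzz%' UNION SELECT username, password FROM users --"
    print(search_vulnerable(db, leak))                         # every user's password
    print(search_safe(db, leak))                               # [] : nothing matches that name
```

The fix is not escaping quotes by hand but never mixing code and data: with a bound parameter the database receives the query structure and the value separately, so there is no string for the attacker to break out of. The same principle applies to any interpreter that receives user input (shell commands, LDAP filters, XPath).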
SSCP - Systems Security Certified Practitioner
This is an entry-level information security certification from (ISC)², often taken as a stepping stone toward the CISSP.
SSL - Secure Sockets Layer
This is a cryptographic protocol, now deprecated, that used a server's certificate and its associated public/private key pair to establish encrypted connections to HTTP and other services. All versions of SSL have known weaknesses and have been superseded by Transport Layer Security (TLS), though the name "SSL" is still used loosely for TLS certificates and connections.
SSO - Single Sign-On
This is an authentication process that allows a user to log in once, with one set of credentials, to access multiple applications, eliminating repeated re-authentication and reducing helpdesk requests to improve productivity, as well as reducing the number of passwords that can be phished and improving compliance. Credentials are verified by a dedicated identity provider that authenticates the user for all of the applications where they have been granted access, eliminating additional prompts between applications during the same session. Because that one login now unlocks everything, it should be protected with multi-factor authentication.
Threat Agent
This is an individual or group that exploits, or has the ability to exploit, a vulnerability or to conduct other damaging activities.
Threat Assessment
The process of identifying and evaluating the threats an organization could face, the vulnerabilities they could exploit, and the likely impact, in order to prioritize defenses.
TLS - Transport Layer Security
This is a cryptographic protocol, evolved from Secure Sockets Layer (SSL), that encrypts and authenticates data communicated over a network so that it cannot be eavesdropped on or tampered with in transit; it is used by web browsers (HTTPS), file transfers, VPN connections, instant messaging, email, and VoIP. TLS is composed of two layers: a handshake protocol, in which the client verifies the server's certificate (and optionally the server verifies the client's) and the two agree on session keys; and a record protocol, which uses those keys to protect the application data that follows.
Token
This is a physical device, such as a smart card, a USB security key, or a fob on a keyring, that a user carries and presents to prove their identity (a "something you have" factor) when authenticating to a network or application. The term also covers software tokens, such as an authenticator app, and the session tokens a server issues after a successful login.
Trojan Horse
This is a program that appears legitimate, but also contains malicious functions which when installed can access personal information, delete files, or possibly allow attackers to gain control of a computer remotely.
Trusted Access
Verifying the authenticity of users and security of their devices before they connect to applications.
VA - Vulnerability Assessment
The evaluation of an information system or device to determine the strength of security measures, identify deficiencies, analyze data to estimate the effectiveness of new security measures, and verify the effectiveness of these measures after implementation.
Vulnerability
This is a weakness in a system, application, network, or security procedure that an attacker could exploit, or that could be triggered by accident, to compromise security. A vulnerability need not be publicly known to exist; once it is, it is typically tracked with an identifier such as a CVE number and addressed by a patch or mitigation.
Whitelist
This is a list of entities, such as users, devices, IP addresses, or applications, that an administrator has deemed trustworthy and explicitly granted specified privileges (also called an allowlist). Everything not on the list is denied by default, which makes a whitelist the stronger complement to a blacklist.
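The Blacklist, Firewall, and Whitelist entries describe the same evaluation: rules tried in order, first match wins, and anything unmatched denied. Here is that evaluation in code, as an added example that is not from the original glossary or from any firewall product; the rule set and the addresses (from the RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Default-deny policy evaluation: blacklist, allowlist and firewall semantics in code.

Added example, not from the original glossary or any firewall product. The rule
set and addresses are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    source: str                 # CIDR block the source address must fall in
    port: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, src_ip: str, dport: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)
        return in_net and (self.port is None or self.port == dport)


class Policy:
    """Ordered rules: the first rule that matches decides; no match means deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, src_ip: str, dport: int) -> Tuple[str, str]:
        """Return (action, reason) so the decision can be logged and audited."""
        for rule in self.rules:
            if rule.matches(src_ip, dport):
                return rule.action, rule.comment
        return "deny", "default deny: no rule matched"


# Explicit blacklist entry first, then the allowlist. Order matters: moving the
# deny below the HTTPS allow would let the scanner range reach port 443.
POLICY = Policy([
    Rule("deny", "203.0.113.0/24", comment="blacklist: known scanner range"),
    Rule("allow", "10.0.0.0/8", 22, comment="allowlist: SSH only from the internal network"),
    Rule("allow", "0.0.0.0/0", 443, comment="allowlist: HTTPS from anywhere"),
])


def decide(src_ip: str, dport: int) -> str:
    """Convenience wrapper returning just the action for the sample policy."""
    return POLICY.decide(src_ip, dport)[0]


if __name__ == "__main__":
    for ip, port in [("10.1.2.3", 22), ("198.51.100.4", 22), ("198.51.100.4", 443),
                     ("203.0.113.9", 443), ("10.1.2.3", 3389)]:
        action, reason = POLICY.decide(ip, port)
        print(f"{ip}:{port} -> {action} ({reason})")
```

The last two cases show the difference between the two list types. The blacklisted scanner is denied even on a port the allowlist opens to everyone, but only because its address was already known; a scanner from any other range reaches 443 just as a legitimate user would. The RDP attempt from an internal address is denied without any rule mentioning it, which is the default-deny property that makes an allowlist the stronger control.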
Zero-day
A zero-day vulnerability is one that is unknown to the software vendor, or for which no patch yet exists, so the vendor has had "zero days" to fix it. A zero-day attack or exploit takes advantage of such a vulnerability before a patch is available, which is why timely patching alone cannot stop it and defense in depth matters.