Access Control

The methods of permitting or prohibiting requests or attempts to:

  • View or use data stored on an information system.
  • Perform a task or function on an information system.
  • Enter secured physical facilities.


An application or feature installed or enabled by a hacker after they have compromised an information system. A backdoor allows the hacker to return to the compromised system — even after the organization fixes the security flaw through which they originally entered — while avoiding detection by security mechanisms.


A bot is a compromised computer on which a hacker has installed malicious command and control software without the knowledge or permission of the computer’s owner. A hacker can then control the compromised machine through a network connection and use the machine to perform potentially illegal actions unknown to the owner.


A collection of compromised computers controlled through a network connection by a single hacker or hacking group. A hacker will use a botnet to create and send spam or viruses or to cause denial of service attacks.

Brute Force

A password-cracking technique where the attacker will attempt every possible combination of characters, one-by-one, to guess a user’s password.


An unexpected and relatively small defect, fault, flaw, or imperfection in an information system, application, or device.

Cloud Computing

A model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.


A set of rules requiring that information disclosed to users, processes, or devices only if authorized to access the information.

Cyber Exercise

A planned exercise during which an organization simulates a security incident to evaluate the effectiveness of the current security plan such as preventing, detecting, mitigating, responding to or recovering from the event.

Data Breach

The unauthorized copying or disclosure of information to an individual or group that is not authorized to have or see the information. This usually is a disclosure outside of the organization but a breach can occur simply from personnel viewing data that they are not authorized to view.

Data Mining

The process or techniques used to analyze databases to reveal patterns between the sets of data.

Denial of Service

An attack that prevents or limits the ability of users to use information system resources or services by flooding the supporting infrastructure with invalid requests.

Dictionary Attack

A password-cracking technique that tries all of the phrases or words in a dictionary. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations.

Digital Forensics

The activities and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.

Dumpster Diving

Dumpster Diving is obtaining sensitive information by searching through discarded media.


Cryptographic transformation of data (called “plaintext”) into a form (called “cipher text”) that conceals the data’s original meaning to prevent it from being known or used.


A technique to breach the security of a network or information system in violation of security policy.


A digital or physical appliance in a network to prevent unauthorized access to data or resources.


An unauthorized user who attempts to or gains access to an information system.


The process of identifying and fixing vulnerabilities on a system.


An action performed on an information system that indicates a violation or imminent threat of violation of security policies or procedures, or acceptable use policies.

Information Assurance

The controls that protect and defend information and information systems by ensuring their availability, integrity, and confidentiality.

Insider Threat

A person or group of persons within an organization who pose a potential risk through violating security policies.


The state in which data has remained unchanged from the point it was produced by a valid source, during transmission, storage, and eventual receipt by the destination.

Intrusion Detection

The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.


Software or hardware that tracks and records keystrokes and keyboard events, usually without a user’s knowledge, to monitor actions by the user of an information system.

Least Privilege

The principle of allowing users or applications the least amount of permissions necessary to perform their intended function.



Malicious Code

Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.


The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.


Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.

Passive Attack

An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations.


A combination of words or other text used to gain access to a computer system or application. A passphrase is comparable to a password in terms of use but in general is much longer than a typical password — making it more difficult for hackers to crack.


A patch is a small update released by a software manufacturer to fix bugs in existing programs.

Penetration Testing

An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system.

Personal Information (PI)

The information that permits the identity of an individual to be directly or indirectly inferred.


A digital form of social engineering to deceive individuals into providing sensitive information.


The assurance that the confidentiality of, and access to, certain information about an entity is protected.




Additional or alternative systems, subsystems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, subsystem, asset, or process.

Reverse Engineering

Acquiring sensitive data by disassembling and analyzing the design of a system component.


The potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, as determined by the likelihood that a particular threat will exploit a particular vulnerability, with the associated consequences.

Risk Assessment

The appraisal of the risks facing an entity, asset, system, or network, organizational operations, individuals, geographic area, other organizations, or society, and includes determining the extent to which adverse circumstances or events could result in harmful consequences.

Separation of Duties

Separation of duties is the principle of splitting privileges among multiple individuals or systems.

Social Engineering

A euphemism for non-technical or low-technology means — such as lies, impersonation, tricks, bribes, blackmail, and threats — used to attack information systems.

Software Assurance

The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner.


The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.


The deliberate inducement of a user or resource to take incorrect action.


Software that is secretly installed into an information system without the knowledge of the system user or owner.

SQL Injection

SQL injection is a type of input validation attack specific to database-driven applications where SQL code is inserted into application queries to manipulate the database.


A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.

Trojan Horse

A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.


A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.


A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard.

War Driving

War driving is the process of traveling around looking for wireless access point signals that can be used to get network access.

Zero Day

“Day Zero” or “Zero Day” is the day a new vulnerability is made known. In some cases, a “zero day” exploit refers to an exploit for which no patch is available yet. (“Day one” refers to the day when the patch is made available.)