The Language of Cybersecurity

Table of Contents

eBook Introduction
Foreword
Preface
Acknowledgments
Vulnerabilities
Exploits
Defenses
Planning, Management, and Controls
Compliance
Glossary of Security Terms
Additional Contributors
Contributor Index
Subject Index
Copyright and Legal Notices

The Language of Cybersecurity
Maria Antonieta Flores

This book is dedicated to my daughter Shalewa and grandson Akinsheye, who make the world more beautiful through their art, and to my fellow systems engineers and technical communicators, who through their art make it easier for technical and not-so-technical people to understand each other.

eBook Introduction

Thank you for purchasing The Language of Cyber Security. I hope you enjoy the book and find it useful.

Best Regards,
Maria Antonieta Flores
July 2018

Foreword

Speak in such a way that others love to listen to you. Listen in such a way that others like to speak to you.
Unknown Author

Language: It is the basis for how we communicate, how we coordinate, and how we find common ground. It is also the basis for conflict and confusion. And that is why a common understanding of terminology matters.

Tonie Flores and the dozens of subject matter experts who contributed to this book know the realities of the language of cybersecurity. In this book, the contributors define 52 terms that every business professional should not only know but also be able to communicate clearly to the organizations they support.

One definition that is not contained in the defined terms, but which all professionals need to live up to, is accountability. We need to realize: 1) who we are accountable to, and 2) what we are accountable for.

Digital transformations are embedding technology into the fabric of our lives. Typically, these technologies are meant to help or assist us, but one key element is often overlooked: exploits that take advantage of technological vulnerabilities will increasingly affect the well-being of almost everyone in our society. Therefore, it is incumbent upon all of us to properly shape the way we design, develop, and implement digital transformations to best manage and mitigate information security, privacy, and other risks, while still challenging ourselves to create technology that helps people. This is what we need to be accountable to.

The World Economic Forum 2017 Global Risk Report[1] listed “cyber dependence” in its top five risk trends, just below climate change and polarization of societies. It also indicated that “… technology is a source of disruption and polarization.”

I believe technology is a tremendous opportunity for economic and societal benefit. I believe that technology can connect and enrich people’s lives – if done correctly and for the right reasons. If we carelessly implement technology in order to chase opportunities or simply prove that we can, we won’t be successful in realizing the digital transformations that can change lives and protect people. Instead, we will be setting ourselves up for a digital disaster. By focusing on the opportunities along with our obligations to implement them in the right way, we can achieve digital transformation and digital safety to ensure tomorrow is better than today for everyone.

So, ultimately, not only information security professionals but also business professionals are accountable to the organizations they support, the customers they serve, and society. And they are accountable for making sure we achieve digital transformation and digital safety.

Malcolm Harkins
Chief Security and Trust Officer
Cylance Corporation

[1] http://reports.weforum.org/global-risks-2017

Preface

The RIGHT perspective makes the impossible POSSIBLE.
Unknown Author

It’s a matter of perspective. The Language of Cybersecurity tackles a communication gap in cybersecurity. As a technical communicator, I have been explaining technology to the not-so-technically inclined for decades – not the innards and workings, just what they need to get their work done. To them, technology is a set of tools to improve the productivity, quality, and joy that they get from their work. I make that possible and easy.

The Language of Cybersecurity came about when I was researching for a PCI DSS procedure documentation project. I have written user procedures in dozens of realms. I had the confidence to take on this one, but I needed a little domain knowledge and context. It was a challenge to find general information at the very high level that I needed to do the work. There were glossaries, Wikipedia, and many blog posts and articles to read, but nothing I found defined the subject with just enough context to point me in a useful direction.

This book intends to help to fill that gap. It presents a set of cybersecurity terms that every business professional should know – a first level of context for the uninitiated. Each term has a definition, a statement of why it is important, and an essay that describes why business professionals should know the term. Many of the essays use metaphors or examples that help you to apply what you already know to understanding the cybersecurity term and its use.

This book is not exhaustive. It highlights 52 terms that are useful to know whether you are confused by a report from your IT professionals, contemplating working in a security environment, or just need to present security matters to others in understandable terms. In addition, there is a glossary of additional terms and a set of references to give you further information about the term.

The contributors to this book are thought leaders, educators, experts, regulators, bloggers, and everyday practitioners who work in their own way to communicate important security information. They share my desire to make these important concepts accurate and accessible.

Most people know more about cybersecurity today than they did last year. I started this book to hasten the time when we can talk about cybersecurity with the same fluency that we have when we talk about other complex technical things, such as automobiles or cell phones. We might not know how to build them or exactly how they work, but we can sure use them.

The content is divided into digestible chunks of related terms:

Vulnerabilities: weaknesses that can threaten your information
Exploits: methods used to attack your systems and information
Defenses: steps you can take to safeguard your information
Planning, Management, and Controls: tools that you can put in place to mitigate security risks
Compliance: rules of the road for cybersecurity

The Language of Cybersecurity is both an easy read and a handy reference for business professionals and cybersecurity specialists.

A note on the term cybersecurity: Over the last several years, this term has been spelled in several different ways, including cyber security, cyber-security, and cybersecurity, along with variations in capitalization. We chose to consistently spell the term as cybersecurity, because this form is now preferred by the Merriam-Webster dictionary and the Associated Press (AP) style guide. Although common usage does vary in different countries – for example, you may be more likely to see Cyber Security in the UK – we decided to stick with one form for this book, unless the term appears differently in a company name or the title of a publication.

Taylor Stafford

Taylor Stafford has more than 10 years of experience across consulting, security implementation, and networking for multinational corporations, governments, and the US Department of Defense. His experience includes conducting risk assessments, writing security advisories, authoring policies, and implementing controls. His areas of expertise include information security, risk assessment, and network engineering.

Email: Taylor.Stafford@nccgroup.trust
LinkedIn: linkedin.com/in/taylor-stafford-32518369

Kathy Stershic

Kathy Stershic is principal consultant at Dialog Research & Communications. Serving senior executives in leading-edge IT organizations, her specialty is creating order and driving results in complex environments. In addition to providing strategic research and communication services, Kathy also guides clients on managing data privacy risk through improved organizational practices. A privacy enthusiast, she is a Certified Information Privacy Manager (CIPM) and Certified Information Privacy Professional-US (CIPP/US).

Email: kstershic@dialogrc.com
Website: dialogrc.com
Twitter: @kstershic
LinkedIn: linkedin.com/in/kathystershic

Contributor Index

A
Armstrong, John, 25.3

B
Baker, Debra, Preface, A.1
Beta, Jay, 49.3
Bonneau, Regine, 52.3
Bonnett, Dovell, 15.3
Brager, Jr., Paul, 11.3
Brager, Keirsten, 26.3
Brown, Luis, Glossary, B.1
Burton, Phil, Preface, B.2

C
Carey, Thomas, 5.3
Carfi, Christopher, Preface, Glossary, B.3
Charlebois, Dennis, Preface, Glossary, B.4
Connelly, Shawn, 12.3
Cromwell, Clarence, 41.3

D
de Souza, Evelyn, 16.3
Diamant, John, 39.3
Diaz, Terrie, 38.3
DiPiazza, Frank, Preface, Glossary
Dombo, Michael, 14.3

E
Elliott, John, 51.3

F
Falkl, John, 22.3
Fernandez, Jessica, Preface, B.5
Fitzgerald, Todd, 34.3
Fleck, Graeme, 29.3
Fleming Magana, Danyetta, 20.3
Fuerst, Neal, 13.3

G
Gendreau, Audrey, 42.3
Gibson, Steve, Preface, Glossary, B.6
Gida, Chris, Preface, Glossary, B.7
Granger, Sarah, 24.3

H
Harrison, Holli, 21.3
Harrison, Vanessa, 48.3
Helmer, Guy, Preface, B.8

K
Kartchner, Dave, 9.3
Kelly, Matt, Preface, B.9
Kirlappos, Iacovos, 3.3

L
LaPedis, Ron, 45.3
Leber, Dennis, 4.3
Lilliestam, Emma, 23.3

M
Maepa, Linda, 27.3
Mattsson, Ulf, 47.3
McBorrough, William, 31.3
McQuiggan, James, 6.3, Glossary
Melone, Michael, Preface, Glossary, B.10
Moorman, Michael, 44.3, Glossary

O
Onireti, Tolu, 10.3
Orcutt, Justin, 19.3

P
Palmore, M.K., 33.3
Puleo, Simon, 36.3

R
Richardson, Rodney, 46.3
Rogers, Jeffrey, 8.3

S
Schaffzin, Jeff, 30.3
Sears, Mark, 50.3
Shipley, David, 1.3
Shulmistra, Dale, 32.3
Simchak, Stephen, 18.3
Stafford, Taylor, Preface, Glossary, B.11
Stershic, Kathy, Preface, Glossary, B.12

T
Theofanos, Mary Frances, 2.3
Trosper, Bob, 35.3

V
Valenzuela, Flavio, 28.3
Vickery, Chris, 7.3
von Stockhausen, Lucas, 40.3

W
Williams, Keyaan, 37.3
Wynn, Chris, 17.3

Z
Ziesmer, Daniel, 43.3

Subject Index

A
ABB Robotics, 45.2
access-level classification scheme, 23.2
advanced persistent threat, 11
adware, Glossary
AMD, 12.2
anomaly detection, 21.1
anti-malware signature, Glossary
antivirus, 10.2, Glossary
application programming interface (API), 40.2
application risk governance, 29
architectural threat analysis, 39.2
ARM, 12.2
assurance, Glossary
  level of, 13.2
asymmetric-key cryptography, Glossary
attack surface, Glossary
attack vector, Glossary
audit, 38
authentication, 13
  multi-factor, 15.1.1
  single double-factor, 15.2
availability, 44

B
backdoor, Glossary
backups, Vulnerabilities-intro, Glossary
Baidu, 24.2
Bailie, Rahel Anne, Preface
behavioral monitoring, 21
biometrics, 15.2, 18
bitcoin, Glossary
black box, 30.2
black hat, Glossary
Black Hat Conference, 15.2
blockchain, Glossary
bot-master, 10.2
botnet, 10
buffer overflow attack, 12
bug-bounty project, 41.2
build environments, 40.2
business continuity plan, 32
business impact assessment (BIA), 31

C
Center for Internet Security, Planning-intro
certification, Glossary
Chief Information Security Officer (CISO), 33.2, 34
Children’s Online Privacy Protection Act (COPPA), 42.2
China, Great Firewall of, 24.2
chop, 45.2
CIA, Glossary
classification, Glossary
classified information, 42.2
clearnet, Glossary
click fraud, Glossary
Cofense, Vulnerabilities-intro
Common Criteria (CC), 47.2, Glossary
compliance, 3.2, Compliance-intro
computer security incident response team (CSIRT), 33.1
confidentiality, 42
confidentiality, integrity, and availability (CIA), Glossary
Consortium for IT Software Quality (CISQ), 47.2
container permissions, Glossary
controls, 50
credentials, 15.2, 17.2, 21.2, Glossary
credit cards, 47.2, 51.2
cryptocurrency, Glossary
cryptography, 47.2, Glossary
  asymmetric-key, Glossary
  private-key, Glossary
  public-key, Glossary
  symmetric-key, Glossary
currency, digital, Glossary
cyclic redundancy check (CRC), Glossary

D
dark web, darknet, Glossary
data leak,
debit cards, 47.2, 51.2
deep web, Glossary
defenses, Defenses-intro
DeGrassi, Trey, Preface
Democratic National Committee, Exploits-intro
Department of Homeland Security, 29.2
detection controls, Glossary
Diamant, John, Preface
digital certificate, Glossary
digital currency, Glossary
digital signature, Glossary
disaster recovery plan, Glossary
distributed denial-of-service (DDoS) attack, Glossary
domain name server, 10.2
Dyn, 10.2

E
education, 1.2
education, security, Vulnerabilities-intro
encryption, 25
  asymmetric-key, Glossary
  private-key, Glossary
  public-key, Glossary
  symmetric-key, Glossary
endpoint security, 14
Equifax, 4.2, 39.2, 49.2
EternalBlue, 6.2
Ethereum, Glossary
European Union, 52.2
exfiltration, Glossary
exploit, Exploits-intro, Glossary

F
Federal Information Processing Standards (FIPS), 47.2
federated identity management, 16.2
file permissions, Glossary
fingerprints, 18.2
firewall, 24
forensic analysis, 22.2

G
Gartner Group, 21.2
General Data Protection Regulation (GDPR), 30.2, 42.2, 49.2, 52
Geneseo, New York, 38.2
governance, risk management, compliance (GRC), 28
Great Firewall of China, 24.2
grey box, 30.2

H
hacker, Glossary
handwriting analysis, 22.2
hardening, 27
hash function, Glossary
HBO, 4.2
HIPAA, 19.2, 30.2, 42.2, 49.2, Glossary
Homeland Security, US Department of, 29.2
HTTPS, Glossary
Humphreys, Edward, Planning-intro

I
I2P, Glossary
IDE, Glossary
identity management, 16
incident response plan, 33
indicators of compromise (IOC), Glossary
information asset, Glossary
Information Security Forum (ISF), 47.2
insider threat,
integrated development environment (IDE), 40.2
integrity, 43
Intel, 12.2
internet hygiene, Glossary
ISO/IEC 27000, Planning-intro, 47.2
IT GRC, 28.1

K
key-based access system, 17.2
kill chain, 36

L
least privilege, 16.2, 23.2, Glossary
level of assurance, 13.2
Linux, 39.2

M
MacEwan University, 1.2
malware, Glossary
malware signature, Glossary
man-in-the-middle attack, Glossary
Meltdown, 12.2
metrics, 37
Mirai botnet, 10.2
multi-factor authentication, 15

N
National Information Assurance Partnership (NIAP), Glossary
National Institute of Standards and Technology (NIST), 50.2
National Security Agency (NSA), 6.2
NIAP (National Information Assurance Partnership), Glossary
NIST 800, Planning-intro
NIST Cybersecurity Framework (NIST CSF), 47.2
non-repudiation, 22
notarization, 22.2

O
onion routing, Glossary
Open Web App Security Project (OWASP), 29.2

P
password-based security, 15.2, 18.2, 42.2
patching, Vulnerabilities-intro, 6.2, 10.2, 12.2, Glossary
Payment Card Industry Data Security Standard (PCI DSS), 30.2, 41.2, 42.2, 47.2, 51
PayPal, 51.2
penetration testing, 41
permissions, Glossary
personally identifiable information (PII), Glossary
Petya, 6.2, Glossary
phishing, 1.2,
PhishMe Research, 8.2
physical access control, 17
plaintext, Glossary
policy, 13.2, 46, Glossary
potentially unwanted program (PUP), Glossary
privacy, 49
private-key cryptography, Glossary
privilege, 23
  least, 16.2, 23.2
ProPublica, 7.2
protected health information, Glossary
public-key cryptography, Glossary

R
ransomware,
Reddit, 27.2
regulation, 48
Republican National Committee, 4.2
risk analysis, 39.1
risk management, 20.2, Planning-intro
Risk Management Framework (RMF), 50.2
risk register, 35
role-based access control (RBAC), Glossary

S
safe harbor, Glossary
SAFECode (Software Assurance Forum), 39.2
sandboxing, 26
script kiddie, Glossary
seal, 45.2
security assessment, 30.1
security awareness, 19
security fatigue,
security training, Vulnerabilities-intro, 1.2, 5.2
security triad, Glossary
sensitive personal information (SPI), Glossary
separation of duties, 45
Shadow Brokers, 6.2
shadow security,
Shine the Light Law, 42.2
single sign-on (SSO), 16.2
situational awareness, 20
Snowden, Edward, 42.2
social engineering,
Software Assurance Forum (SAFECode), 39.2
spam, Glossary
spear phishing, Glossary
Spectre, 12.2
spyware, Glossary
SSL/TLS, Glossary
standards, 47
static application security testing, 40
Symantec, 9.2
symmetric-key cryptography, Glossary

T
Target, 20.2, 27.2
threat actor, Glossary
threat analysis, 39.1
threat awareness, 5.2
threat modeling, 39
Time Warner Cable, 4.2
Tor, Glossary
training, Vulnerabilities-intro
training, security, Vulnerabilities-intro, 1.2, 5.2
trojan horse, Glossary
Twitter, 27.2

U
US Department of Defense (DoD), 41.2
US Office of Personnel Management (OPM), 18.2
user and entity behavior analytics (UEBA), 21.1.1

V
Verizon, 1.2, 4.2, 5.2, 9.2
version control, Glossary
virtual private network (VPN), Glossary
virus, Glossary
virus signature, Glossary
VPN (virtual private network), 21.2, Glossary
vulnerabilities, Vulnerabilities-intro
vulnerability assessment, 30

W
WannaCry, Vulnerabilities-intro, 6.2, 9.1.1, Glossary
watering hole exploit, Glossary
whaling, 1.2, Glossary
white box, 30.2
white hat, Glossary
WikiLeaks, 36.2
worm, Glossary

Z
zero-day exploit, Glossary
zero-day vulnerability,
zombie, Glossary

Colophon

About the Book

This book was authored in expeDITA, a DITA-based wiki developed by Don Day. Contents were converted to DocBook, and the book was generated using the DocBook XML stylesheets with XML Press customizations and, for the print edition, the RenderX XEP formatter. With the exception of this colophon and the advertisement at the back of the book, the interior of this book was generated directly from the wiki with no manual intervention.

About the Content Wrangler Content Strategy Book Series

The Content Wrangler Content Strategy Book Series from XML Press provides content professionals with a road map for success. Each volume provides practical advice, best practices, and lessons learned from the most knowledgeable content strategists and technical communicators in the world. Visit the companion website for more information about the series: contentstrategybooks.com

We are always looking for ideas for new books in the series. If you have any suggestions or would like to propose a book for the series, send email to proposal@xmlpress.net.

About XML Press

XML Press (xmlpress.net) was founded in 2008 to publish content that helps technical communicators be more effective. Our publications support managers, social media practitioners, technical communicators, and content strategists and the engineers who support their efforts. Our publications are available through most retailers, and discounted pricing is available for volume purchases for educational or promotional use. For more information, send email to orders@xmlpress.net or call us at (970) 231-3624.

The Language of Cybersecurity
Maria Antonieta Flores

Copyright © 2018 The Content Wrangler, Inc. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means without the prior written permission of the copyright holder, except for the inclusion of brief quotations in a review.

Credits

Series Producer: Scott Abel
Copy Editor: Trey DeGrassi
Series Cover Designer: Marc Posch
Publishing Advisor: Don Day
Publisher: Richard Hamilton

Disclaimer

The information in this book is provided on an “as is” basis, without warranty. While every effort has been taken by the authors and XML Press in the preparation of this book, the authors and XML Press shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained herein.

This book contains links to third-party websites that are not under the control of the authors or XML Press. The authors and XML Press are not responsible for the content of any linked site. Inclusion of a link in this book does not imply that the authors or XML Press endorse or accept any responsibility for the content of that third-party site.

Trademarks

XML Press and the XML Press logo are trademarks of XML Press. All terms mentioned in this book that are known to be trademarks or service marks have been capitalized as appropriate.
Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

ISBN: 978-1-937434-62-5 (print)
ISBN: 978-1-937434-63-2 (ebook)

XML Press
Laguna Hills, California
http://xmlpress.net