Cyber security glossary

This is a useful glossary of cyber security acronyms and terms if you’re just getting into the cyber security space.


AES — Advanced Encryption Standard

APT — Advanced Persistent Threat — a stealthy, well-resourced threat actor (typically nation-state backed) which gains unauthorised access to a network and may remain undetected for an extended period.

CCMP — Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, the AES-based encryption protocol used by WPA2. It replaced TKIP (the RC4-based protocol used by WPA, which itself replaced the broken WEP).

DPF — Dynamic Packet Filtering, used by most modern firewalls. The firewall keeps a table of connections it has seen leave the network; inbound traffic that is a reply to a tracked outbound request is allowed automatically, while unsolicited inbound traffic is dropped unless a rule explicitly permits it (also called SPI).

DPI — Deep Packet Inspection, generally found in next-generation firewalls and intrusion detection/prevention systems. Looks at the payload of packets, not just the headers, and can alert on, block, re-route or log traffic. Used to analyse and troubleshoot performance issues, or to check for malicious content.

E2EE — End-to-end encryption — data is encrypted by the sender and can be decrypted only by the intended receiver, so intermediaries (including the service provider) cannot read it. Protocols include ZRTP, OTR and PGP; programs include Signal and ChatSecure (an encrypted messenger for iOS).

EC — Elliptic-curve algorithm (ECC)
DH — Diffie-Hellman key exchange algorithm

TLD — Top Level Domain (the page originally called this a "high level domain") — the rightmost label of a domain name, with no dot to the right of it, e.g. .COM, .ORG, .CO, .GOV

HMAC — Hash-based Message Authentication Code — a hash computed over the message together with a pre-arranged shared secret, so that only a holder of the secret can produce or verify the tag.

ICS/OT — Industrial Control Systems/Operational Technology — systems used to manage industrial operations such as oil refineries and energy grids. Many ICS environments are controlled via Programmable Logic Controllers (PLCs) or a Distributed Control System (DCS).

IOC — Indicators Of Compromise — forensic artefacts (file hashes, IP addresses, domain names, registry keys, etc.) that suggest an endpoint or network may have been breached. Generally reactive: if one is found, it indicates the system has probably already been compromised.
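As an added illustration of how IOCs are actually used (this is example code written for this glossary, not from any vendor's product), the following matches a small constructed IOC feed against constructed log lines. Threat-intel feeds usually "defang" indicators (hxxp, [.]) so they cannot be clicked by accident; the example refangs them before matching, and matches domains on any parent suffix so a sub-domain of a known-bad domain is still caught. All IOC values, hostnames, addresses and log lines below are made up for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed IOC feed, in the defanged form threat-intel reports usually use
RAW_IOCS = [
    "198.51.100.23",
    "malicious-update[.]example",
    "hxxp://cdn[.]bad-example[.]net/payload.bin",
    "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",  # constructed sha256
]

# Constructed log lines from a proxy, an EDR agent and a firewall
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z proxy user=alice dst=cdn.bad-example.net url=http://cdn.bad-example.net/payload.bin status=200",
    "2024-03-01T10:02:15Z edr host=ws-17 file=C:\\Users\\alice\\Downloads\\payload.bin sha256=3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
    "2024-03-01T10:03:40Z fw action=allow src=10.0.0.17 dst=198.51.100.23 dport=443",
    "2024-03-01T10:04:02Z proxy user=bob dst=updates.example.com status=304",
    "2024-03-01T10:05:19Z proxy user=carol dst=mirror.malicious-update.example status=200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value: str) -> str:
    """Undo the common defanging conventions so IOCs can be compared with live data."""
    return (value.replace("hxxp", "http")
                 .replace("[.]", ".")
                 .replace("[:]", ":")
                 .strip().lower())


def classify(ioc: str) -> Tuple[str, str]:
    """Decide which kind of artefact an indicator is; URLs are reduced to their host."""
    if IP_RE.fullmatch(ioc):
        return ("ip", ioc)
    if SHA256_RE.fullmatch(ioc):
        return ("sha256", ioc)
    if "://" in ioc:
        return ("domain", ioc.split("://", 1)[1].split("/", 1)[0])
    return ("domain", ioc)


def build_index(raw: List[str]) -> Dict[str, Set[str]]:
    index: Dict[str, Set[str]] = {"ip": set(), "sha256": set(), "domain": set()}
    for value in raw:
        kind, norm = classify(refang(value))
        index[kind].add(norm)
    return index


def parent_domains(domain: str) -> List[str]:
    """'a.b.example.net' -> ['a.b.example.net', 'b.example.net', 'example.net']"""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def scan_line(line: str, index: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    low = line.lower()
    hits: Set[Tuple[str, str]] = set()
    hits.update(("ip", ip) for ip in IP_RE.findall(low) if ip in index["ip"])
    hits.update(("sha256", h) for h in SHA256_RE.findall(low) if h in index["sha256"])
    for found in DOMAIN_RE.findall(low):
        # a sub-domain of a known-bad domain is still a hit
        hits.update(("domain", d) for d in parent_domains(found) if d in index["domain"])
    return hits


def scan(lines: List[str], index: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator kind, indicator) for every IOC seen in the logs."""
    return sorted((n, kind, value)
                  for n, line in enumerate(lines, 1)
                  for kind, value in scan_line(line, index))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_index(RAW_IOCS)):
        print("IOC hit on line %d: %s %s" % hit)
```

Note that a real deployment would normalise the logs first (structured parsing rather than regexes over raw text) and would treat a hit as the start of an investigation, not proof of compromise by itself.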

OFAC — Office of Foreign Assets Control (US) — publishes lists of sanctioned individuals, companies and countries; US persons are prohibited from transacting with them.

OPC UA — Open Platform Communications Unified Architecture — a cross-platform, vendor-neutral open standard for data exchange from sensors and controllers up to cloud applications (used in industrial automation).

PKI — Public Key Infrastructure — the roles, policies, hardware, software and procedures used to create, manage, distribute, use, store and revoke digital certificates and to manage public key encryption.

PLC — Programmable Logic Controller — a ruggedised industrial computer that directly controls physical processes, and one of the core components of Industrial Control Systems (ICS). First developed for the automobile industry. See Stuxnet, which targeted PLCs.

PUA — Potentially Unwanted Application — a type of privacy-invasive software (adware, bundled toolbars, etc.) that is not outright malware but that the user would usually not choose to install

PUPs — Potentially Unwanted Programs (another name for PUAs)

RAT — Remote Access Trojan (also "remote access tool"), giving an attacker interactive control of a machine. Can be challenging to detect because it may mimic commercial remote-administration tools and communicate over ports and protocols that are already allowed, so it appears benign.

RSA — Rivest-Shamir-Adleman algorithm

SPI — Stateful Packet Inspection, used by most modern firewalls. The firewall tracks the state of connections; inbound traffic that is a reply to a tracked outbound request is allowed automatically, while unsolicited inbound traffic is dropped unless a rule explicitly permits it (also called DPF).

SSL — Secure Sockets Layer, the deprecated predecessor of TLS; all SSL versions are now considered insecure.

SNI — Server Name Indication — a TLS extension in which the client sends the hostname it wants to reach in the (cleartext) ClientHello, so that a server hosting many sites can present the right certificate. Because the hostname is not encrypted, an eavesdropper can see which sites you are visiting, and network operators can use it to implement censorship and block sites. Encrypted Client Hello (ECH) is the extension designed to close this gap.

TLP — Traffic Light Protocol, e.g. TLP:RED — a labelling scheme defined by FIRST and used by CERTs/CSIRTs and many governments to say how far a document may be shared. TLP:CLEAR means there is no restriction and the information may be shared publicly. The other levels are TLP:RED (for the named recipients only, not to be shared further), TLP:AMBER (limited disclosure on a need-to-know basis within the recipient's organisation and its clients; TLP:AMBER+STRICT restricts it to the organisation only) and TLP:GREEN (may be shared within the community of peers and partner organisations, but not publicly).

TLS — Transport Layer Security

TOTP — Time-based One-Time Password (RFC 6238) — a short code derived from a secret shared between the authenticator app and the service, combined with the current time, so it changes every 30 seconds or so. Used as a second factor during sign-in to a system, app or website such as LinkedIn.

TTP — Tactics, Techniques and Procedures — the patterns of behaviour a threat actor uses (what they try to achieve, how, and the specific steps). Identifying TTPs lets defenders build detections for the behaviour rather than for individual indicators that the attacker can change cheaply.

X.509 — the standard format for public key certificates used in PKI (often criticised for its complexity). An X.509 certificate binds a public key to the identity (user, computer or service) named in it, and is signed by a certificate authority so that relying parties can verify the binding.



Anonymity — others may be able to see what you do, but not who you are (non-attribution of your identity), e.g. using Tor to publish a post about women's rights that cannot be linked back to your name.

ANT catalogue — a leaked NSA document listing the technology and tools available to the agency for passive and active surveillance, including implants for hardware.

Asymmetric algorithm — uses a key pair, one public and one private (RSA, ECC, DH, ElGamal). Advantages: easier key distribution, scalable, and supports authentication and non-repudiation. Disadvantages: slow and mathematically intensive. Keys must be much longer than symmetric keys for the same strength: a 1024-bit RSA key is roughly as strong as an 80-bit symmetric key, and 2048-bit RSA roughly matches 112 bits.

Availability — providing timely and reliable access to information and systems

Authentication — verifying that a user (or system) is who they claim to be

Authorisation — determining what an authenticated user is allowed to do

Blue team — the internal defensive security staff (detection, response, hardening). Red teams test the effectiveness of blue teams; purple teams combine both roles.

CIA Triad — Confidentiality, Integrity, Availability

Confidentiality — controlling who can access what information

Digital signatures — provide authentication (the signer holds the private key), integrity (any change to the data invalidates the signature) and non-repudiation

Doxing — researching someone to find personal or private information and either releasing it or threatening to release it. Someone who has been doxed has had that information published.

Egress filtering — filtering outbound traffic (via a firewall), e.g. blocking workstations from sending mail directly or from reaching command-and-control servers (see also ingress filtering)

Escrow keys — the keys needed to decrypt encrypted data are held in escrow so that, under defined circumstances (e.g. for official or business-continuity purposes), an authorised third party can gain access to them

Encryption — provides confidentiality (on its own it does not guarantee integrity; that needs a MAC or a signature)

Forward secrecy (also called perfect forward secrecy) — a fresh session key is negotiated for each session (e.g. with ephemeral Diffie-Hellman) and long-term keys are used only for authentication. Session keys are discarded afterwards, so compromising the long-term key later does not let an attacker decrypt recorded past traffic.

Hashes — provide integrity: a fixed-length digest of the data that changes if any bit of the data changes. A hash is not encryption and can be recomputed by anyone, so it protects against accidental change, not against a deliberate attacker (that requires an HMAC or a signature).

Homomorphic encryption — allows you to perform calculations on encrypted data without decrypting it first

Ingress filtering — filtering inbound traffic (via a firewall), e.g. dropping unsolicited connections to anything but published services (see also egress filtering)
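The SPI/DPF entries above and the egress/ingress entries describe the same device from two sides. As an added example written for this glossary (not the code of any real firewall), the block below is a minimal stateful filter: it records outbound flows, allows inbound packets only when they match a recorded flow in reverse or an explicitly published service, and applies an egress policy to outbound traffic. The addresses are from the RFC 5737 documentation ranges and the packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "out": leaving the protected network, "in": arriving from outside


FlowKey = Tuple[str, str, int, str, int]   # proto, inside ip, inside port, outside ip, outside port


class StatefulFilter:
    def __init__(self, egress_allow: Optional[Set[int]] = None,
                 ingress_allow: Optional[Set[int]] = None):
        self.egress_allow = egress_allow            # None means any outbound destination port
        self.ingress_allow = ingress_allow or set() # published services, e.g. {443}
        self.flows: Dict[FlowKey, str] = {}         # connection table (no timeouts, for brevity)

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # egress filtering: only permitted destination ports may leave
            if self.egress_allow is not None and pkt.dst_port not in self.egress_allow:
                return "drop"
            # remember the flow so the reply can be matched later
            self.flows[(pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = "established"
            return "allow"
        # inbound: does this match a flow we initiated, seen from the other side?
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return "allow"
        # ingress filtering: otherwise only explicitly published services are reachable
        if pkt.dst_port in self.ingress_allow:
            return "allow"
        return "drop"


if __name__ == "__main__":
    fw = StatefulFilter(egress_allow={53, 80, 443}, ingress_allow={443})
    request = Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 443, "out")
    reply = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, "in")
    print("reply before request:", fw.handle(reply))   # drop: nothing asked for it
    print("request:", fw.handle(request))              # allow, flow recorded
    print("reply after request:", fw.handle(reply))    # allow: matches the flow
    print("outbound SMTP:", fw.handle(Packet("tcp", "10.0.0.5", 52000, "203.0.113.9", 25, "out")))
```

A real firewall also ages entries out of the connection table and tracks TCP state (SYN, established, FIN), which is what prevents an attacker from simply guessing a source port to get a packet through.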

Integrity — information is correct and consistent with its intended state (e.g. has not been modified without authorisation)

Interdiction — hardware devices are intercepted in transit, before delivery, and monitoring implants are placed inside them before they reach you

MITRE ATT&CK Framework — MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK). A knowledge base of adversary tactics and techniques observed in real intrusions, which also maps named adversary groups and their software to the techniques they use.

Non-repudiation — the sender of a message cannot later deny having sent it, and the receiver cannot deny having received it

Obfuscate — make obscure, unclear or unintelligible

Parkerian Hexad — extends the CIA triad (Confidentiality, Integrity, Availability) with three more attributes: Possession or control (e.g. loss of a device or of control over data, even where there is no breach of confidentiality), Authenticity (veracity of the claimed origin or authorship) and Utility (usefulness; e.g. ransomware leaves the data in your possession but removes its usefulness)

Privacy — others may know who you are, but not what you do. Systems that support privacy include Signal or an encrypted Dropbox, for example.

Pseudonymity — using a persistent alias to act or post content without revealing the real identity behind it, e.g. Satoshi Nakamoto, the pseudonym used by Bitcoin's creator or creators

Purple team — security professionals who act as both adversaries & internal teams to help with testing and securing a company.

Red team — security professionals who act as adversaries to overcome cyber security controls — often ethical hackers who provide objective evaluations of a system. See also, blue team & purple team.

Risk — commonly expressed as Risk = Vulnerabilities x Threats x Consequences (a vulnerability with no threat to exploit it, or no consequence if it is, carries little risk)

SABSA business attributes — SABSA (Sherwood Applied Business Security Architecture) provides a taxonomy of "business attributes" for expressing security requirements in business language rather than technical terms

Social engineering — attacks that centre on weakness in the human being

Stateless — e.g. a stateless laptop — a machine that has no persistent storage and no firmware-carrying flash memory chips that could hold an implant. All state is kept on an external, user-controlled device.

Steganography — hiding data in plain sight by concealing information or files inside an innocuous carrier. The best carriers are video, image and audio files, because small changes to them are imperceptible. Steganography hides the existence of the data rather than encrypting it, so a careful sender also encrypts the payload before hiding it.
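As an added example for this glossary (not from any steganography tool), the block below hides a message in the least-significant bit of each sample of a carrier, the classic LSB technique used with image pixels or audio samples, and then recovers it. The carrier here is a constructed array of 8-bit sample values rather than a real image, so the example runs without any imaging library; the payload is made up.

```python
def embed(carrier: bytes, payload: bytes) -> bytearray:
    """Write payload bits into the LSB of successive carrier samples, prefixed by a 4-byte length."""
    data = len(payload).to_bytes(4, "big") + payload
    needed_bits = len(data) * 8
    if needed_bits > len(carrier):
        raise ValueError("carrier too small: %d samples for %d bits" % (len(carrier), needed_bits))
    out = bytearray(carrier)
    for i in range(needed_bits):
        bit = (data[i // 8] >> (7 - i % 8)) & 1       # bits of the payload, most significant first
        out[i] = (out[i] & 0xFE) | bit                # replace only the lowest bit of the sample
    return out


def _read_bytes(carrier: bytes, start_bit: int, count: int) -> bytes:
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (carrier[start_bit + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract(carrier: bytes) -> bytes:
    """Recover the hidden payload: read the 4-byte length, then that many bytes."""
    length = int.from_bytes(_read_bytes(carrier, 0, 4), "big")
    return _read_bytes(carrier, 32, length)


def max_sample_change(original: bytes, modified: bytes) -> int:
    """How much any single sample moved; LSB embedding changes each sample by at most 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


if __name__ == "__main__":
    # Constructed carrier: 4096 deterministic 8-bit samples standing in for pixel values
    carrier = bytes((i * 37 + 11) % 256 for i in range(4096))
    secret = b"meet at the usual place at dawn"          # constructed payload
    stego = embed(carrier, secret)
    print("recovered:", extract(stego))
    print("largest sample change:", max_sample_change(carrier, stego))
```

Plain LSB embedding is easy to detect statistically (the LSB plane of the modified region stops looking like natural noise), which is why real tools spread the payload pseudo-randomly across the carrier and encrypt it first so that an extracted bitstream is indistinguishable from noise.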

Symmetric algorithm — uses a single shared key for both encryption and decryption, e.g. the Advanced Encryption Standard (AES); fast and strong, but the key must be shared securely in advance.

Zero day — a software vulnerability that is unknown to the vendor (and so unpatched) but known to an attacker. The name refers to the vendor having had zero days to fix it before it is exploited.

Zero Trust Model — the less you implicitly trust, the lower your risk. The Zero Trust security model assumes that a breach may already have occurred, so no user or device is trusted by virtue of being on the internal network: every access is authenticated and authorised, and access is limited to only what is needed.


