Information Security Terminology and IT Security - Glossary

Tags: #<Tag:0x00007f0cb35f94e0> #<Tag:0x00007f0cb35f93a0>


Information Security Terminology and IT Security - Glossary

In opposite to the medical or chemical discipline, technology has no common terminology within the various fields of practice.

Information Security lacks a standard in terms and definitions as well, which can create confusion, uncertainty and doubt. Let’s change that, one term at a time. In the following I add a layer of plain English upon a layer of ISO-based definitions and combine it with accepted and concise definitions from information security practice.


Penetration Test

A Penetration Test is a testing scenario to model actions of present threats to discover and exploit vulnerabilities in a controlled fashion. The results of the Penetration Test have to include the reporting of present Business Risks as well as recommendations of appropriate defenses, that can be integrated into the Operations of the target organization.

In opposite to a Vulnerability Assessment a Penetration Test aims to exploit the target systems.

Other spellings: Pentest, Pen Testing, Pen-test…

Red Team(ing)

Red Teaming involves similar activities associated with a Penetration Test. It’s about mounting an attack against (internal or external) targets or target organizations.

The goal of Red Teaming is to determine whether the defensive (Blue Team’s) detection and response policies and procedures are effective. Red Teaming is meant to improve the Blue Team’s capabilities.

Types of Penetration Tests

Some types of Penetration tests are:

  • Network Surface Penetration Test - the most common scenario
  • Client-Side Penetration Test - the most important scenario for Enterprise Security
  • Web-Application Penetration Test
  • Social Engineering Engagement Penetration Test
  • Wireless Security Penetration Test
  • Physical Security Exploration and Penetration Test
  • Product Security Penetration Test - to limit risk exposure for new technology
  • Compliance-Focused Penetration Test (PCI DSS e.g.)

Vulnerability Assessment

A Penetration Test focuses on breaking into a target organization and to exfiltrate the data in a covert manor. Red Teaming is proportionally covert, to improve the Blue Team. In a Vulnerability Assessment target systems do not get exploited.

A Vulnerability Assessment focuses on finding security vulnerabilities, which may or may not be used to steal data. The assessments have a broader scope and may include explicit policy and procedure reviews.

Security Audits

Security Audits test information or IT security aspects against a rigorous set of standards or benchmarks. These audits are usually being conducted with detailed checklists.

If the policy and procedure review is a primary concern, we speak of a Security Audit. If finding vulnerabilities, and rating them is a primary concern, we speak of a Vulnerability Assessment.


Risk has two components: Impact and Likelihood… These two components get weighted depending on credibility and magnitude.

In technical Information Security a Risk is the overlap between a Threat and a Vulnerability. This definition is most present during a Penetration Test.



{1} ISO 31000 - Risk Management
{2} Plain English Management Dictionary about Risk
{3} ISO 27000 Infosec Definitions translated into Plain English

Qualitative Risk Assessment

A qualitative risk analysis focuses on likelihood and impact of identified risks. Ultimately businesses do not care about information security per se, but they care about risks to the business. In order to treat risks, in order to mitigate risks, information security professionals aim to understand both threats and vulnerabilities, as well as their interaction.

Quantitative Risk Assessment

A quantitative risk analysis typically is more desirable from a business standpoint, because it explicitly quantifies potential losses. This can be used for a prioritization of risks to be addressed, and to be selected to be confined to an acceptable level via the selection of countermeasures. The prioritization of risk reduction depends on the specific business.

Business Risk abbreviations for reports

Single Loss Expectancy - SLE

Annualized Rate of Occurrence - ARO

Annualized Loss Expectancy - ALE

Total Cost of Ownership - TCO

Return Of Investment - ROI


Agent or Actor, that can cause harm.


Flaw someone can exploit to cause harm; via manual or automated means.

Information Security Management (ISM)

Confidentiality, Integrity, Availability, (Resilience and Privacy)

This is often called the CIA triad, although commonly we see 5 aspects.

Other spellings: CIARP, CIAP, CIAR … aspects.

Quality Management aspects in Information Security Management

Capability Maturity Models Integration - CMMI

Auditing terms and abbreviations

System Access Control List - SACL

Data Privacy terms and abbreviations

Data Privacy Agency - DPA

Windows Security specific abbreviations

Active Directory

AD / ntds.dit

Discretionary Access Control List - DACL

Domain Controller - DC


Flexible Single Mode Operations - FSMO

Mode of a Domain Controller.

Global Catalog - GC

The Active Directory index.

Naming Context - NC

Part of the Active Directory database.

Organizational Unit - OU

Sub-division of a Domain in LDAP and AD.

Read-Only Domain Controller - RODC

Distributed File System - DFS

Group Policy Object - GPO


Part of SYSVOL.


A shared folder with scripts and GPOs.


MMC tools function set, e.g. AD Users and Computers.

Business Communication abbreviations

Memorandum of Understanding / Agreement - MO U/A

Business Partnership Agreement - BPA

Operating Level Agreements - OLA

Version history

25.09.2017 - initial definitions
26.09.2017 - added Red Teaming, and more infos
01.11.2017 - added ISO 27001 related information
05.01.2018 - widened scope