Information Security Terminology and IT Security - Glossary
Unlike the medical or chemical disciplines, technology has no common terminology across its various fields of practice.
Information Security lacks a standard for terms and definitions as well, which can create confusion, uncertainty and doubt. Let’s change that, one term at a time. In the following I add a layer of plain English on top of a layer of ISO-based definitions and combine it with accepted and concise definitions from information security practice.
- Penetration Test
- Vulnerability Assessment
- Security Audits
- Information Security Management (ISM)
A Penetration Test is a testing scenario that models the actions of present threats in order to discover and exploit vulnerabilities in a controlled fashion. The results of the Penetration Test have to include the reporting of present Business Risks as well as recommendations of appropriate defenses that can be integrated into the operations of the target organization.
Unlike a Vulnerability Assessment, a Penetration Test aims to exploit the target systems.
Other spellings: Pentest, Pen Testing, Pen-test…
Red Teaming involves activities similar to those of a Penetration Test. It’s about mounting an attack against (internal or external) targets or target organizations.
The goal of Red Teaming is to determine whether the defensive (Blue Team’s) detection and response policies and procedures are effective. Red Teaming is meant to improve the Blue Team’s capabilities.
Types of Penetration Tests
Some types of Penetration tests are:
- Network Surface Penetration Test - the most common scenario
- Client-Side Penetration Test - the most important scenario for Enterprise Security
- Web-Application Penetration Test
- Social Engineering Engagement Penetration Test
- Wireless Security Penetration Test
- Physical Security Exploration and Penetration Test
- Product Security Penetration Test - to limit risk exposure for new technology
- Compliance-Focused Penetration Test (PCI DSS e.g.)
A Penetration Test focuses on breaking into a target organization and exfiltrating data in a covert manner. Red Teaming is covert only as far as that serves to improve the Blue Team. In a Vulnerability Assessment the target systems do not get exploited.
A Vulnerability Assessment focuses on finding security vulnerabilities, which may or may not be used to steal data. The assessments have a broader scope and may include explicit policy and procedure reviews.
Security Audits test information or IT security aspects against a rigorous set of standards or benchmarks. These audits are usually conducted with detailed checklists.
If the policy and procedure review is the primary concern, we speak of a Security Audit. If finding and rating vulnerabilities is the primary concern, we speak of a Vulnerability Assessment.
Risk has two components: Impact and Likelihood. These two components get weighted depending on credibility and magnitude.
In technical Information Security a Risk is the overlap between a Threat and a Vulnerability. This is the definition most used during a Penetration Test.
Qualitative Risk Assessment
A qualitative risk analysis focuses on the likelihood and impact of identified risks. Ultimately businesses do not care about information security per se; they care about risks to the business. In order to treat and mitigate risks, information security professionals aim to understand both threats and vulnerabilities, as well as their interaction.
Quantitative Risk Assessment
A quantitative risk analysis is typically more desirable from a business standpoint, because it explicitly quantifies potential losses. This can be used to prioritize the risks to be addressed and to select the countermeasures that confine them to an acceptable level. The prioritization of risk reduction depends on the specific business.
Business Risk abbreviations for reports
Single Loss Expectancy - SLE
Annualized Rate of Occurrence - ARO
Annualized Loss Expectancy - ALE
Total Cost of Ownership - TCO
Return on Investment - ROI
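As an added worked example (not part of the original glossary), the following Python puts the qualitative and quantitative terms above together: a likelihood × impact score for the qualitative case, and for the quantitative case the standard formulas SLE = Asset Value × Exposure Factor and ALE = SLE × ARO, followed by a return-on-security-investment check of a countermeasure against its annual cost (TCO). The Exposure Factor term and the ROSI formula are assumptions the page itself does not spell out, and every asset value, rate and cost below is a constructed sample figure.

```python
from dataclasses import dataclass
from typing import List


def qualitative_score(likelihood: int, impact: int) -> int:
    """Qualitative risk score: likelihood and impact each rated 1 (low) to 5 (high).

    The product is the usual risk-matrix score; the function rejects ratings
    outside the scale so a typo cannot silently inflate or hide a risk.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be rated between 1 and 5")
    return likelihood * impact


@dataclass
class Risk:
    name: str
    asset_value: float       # value of the affected asset in currency units
    exposure_factor: float   # fraction of the asset value lost per incident (assumed term, 0.0 to 1.0)
    aro: float               # Annualized Rate of Occurrence: expected incidents per year

    def sle(self) -> float:
        # Single Loss Expectancy = Asset Value x Exposure Factor
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float    # yearly TCO: purchase, licensing and operations
    residual_aro: float   # ARO expected once the countermeasure is in place


def rosi(risk: Risk, cm: Countermeasure) -> float:
    """Return on security investment (assumed formula): ALE reduction minus annual cost.

    A negative value means the countermeasure costs more per year than it saves.
    """
    ale_before = risk.ale()
    ale_after = risk.sle() * cm.residual_aro
    return ale_before - ale_after - cm.annual_cost


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order risks by ALE, highest first, for the report's prioritization section."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample risks for a fictional organization (not real figures).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", asset_value=500_000.0, exposure_factor=0.4, aro=0.25),
    Risk("Lost laptop with customer data", asset_value=80_000.0, exposure_factor=1.0, aro=2.0),
    Risk("SQL injection in web application", asset_value=300_000.0, exposure_factor=0.5, aro=0.1),
]

# Constructed countermeasure for the laptop risk: full-disk encryption brings the
# residual ARO down because a lost encrypted laptop is no longer a data loss.
LAPTOP_ENCRYPTION = Countermeasure("Full-disk encryption for laptops", annual_cost=30_000.0, residual_aro=0.1)


def report() -> List[str]:
    """Build the lines a quantitative risk section of a report would contain."""
    lines = []
    for r in prioritize(SAMPLE_RISKS):
        lines.append(f"{r.name}: SLE {r.sle():,.0f}, ARO {r.aro}, ALE {r.ale():,.0f}")
    laptop = SAMPLE_RISKS[1]
    lines.append(f"{LAPTOP_ENCRYPTION.name}: ROSI {rosi(laptop, LAPTOP_ENCRYPTION):,.0f} per year")
    return lines


if __name__ == "__main__":
    print("Qualitative score (likelihood 4, impact 5):", qualitative_score(4, 5))
    for line in report():
        print(line)
```

Run as a script it ranks the three sample risks by ALE and shows whether the encryption rollout pays for itself; the same functions can be fed real asset values and incident rates from the engagement.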
Threat
Agent or actor that can cause harm.
Vulnerability
Flaw someone can exploit to cause harm, via manual or automated means.
Information Security Management (ISM)
Confidentiality, Integrity, Availability, (Resilience and Privacy)
This is often called the CIA triad, although commonly we see 5 aspects.
Other spellings: CIARP, CIAP, CIAR … aspects.
Quality Management aspects in Information Security Management
Capability Maturity Model Integration - CMMI
Auditing terms and abbreviations
System Access Control List - SACL
Data Privacy terms and abbreviations
Data Privacy Agency - DPA
Windows Security specific abbreviations
Discretionary Access Control List - DACL
Domain Controller - DC
Flexible Single Mode Operations - FSMO
Mode of a Domain Controller.
Global Catalog - GC
The Active Directory index.
Naming Context - NC
Part of the Active Directory database.
Organizational Unit - OU
Sub-division of a Domain in LDAP and AD.
Read-Only Domain Controller - RODC
Distributed File System - DFS
Group Policy Object - GPO
A shared folder with scripts and GPOs.
MMC tools function set, e.g. AD Users and Computers.
Business Communication abbreviations
Memorandum of Understanding / Agreement - MOU / MOA
Business Partnership Agreement - BPA
Operating Level Agreement - OLA
25.09.2017 - initial definitions
26.09.2017 - added Red Teaming and more information
01.11.2017 - added ISO 27001 related information
05.01.2018 - widened scope