Appendix B: Glossary
An alphabetical reference of every significant term, acronym, and concept used across all 37 chapters of this book. Where a term has multiple meanings in different contexts (such as MAC), each meaning is noted. Definitions aim to be precise enough to resolve ambiguity while remaining accessible to engineers encountering a term for the first time.
A
ABAC (Attribute-Based Access Control) — An access control model where authorization decisions are evaluated against attributes of the user (role, department, clearance), the resource (classification, owner), the action (read, write, delete), and the environment (time of day, location, device posture). More flexible than RBAC but significantly more complex to implement, audit, and debug.
ACL (Access Control List) — A set of rules that defines which users, systems, or network traffic are granted or denied access to a resource. In networking, ACLs filter traffic on routers and switches based on source/destination IP, port, and protocol. In operating systems, ACLs define file and directory permissions beyond the basic owner/group/other model.
AES (Advanced Encryption Standard) — A symmetric block cipher adopted as a US federal standard (FIPS 197) in 2001, replacing DES. Operates on 128-bit blocks with key sizes of 128, 192, or 256 bits. AES-256-GCM is the predominant cipher in TLS 1.3. Even against theoretical quantum attacks (Grover's algorithm), AES-256 retains an effective 128-bit security level.
AH (Authentication Header) — An IPsec protocol that provides connectionless integrity, data origin authentication, and optional replay protection for IP packets. Unlike ESP, AH does not provide confidentiality (encryption). AH authenticates the entire IP packet, including most header fields, which makes it incompatible with NAT.
Air Gap — A security measure where a computer or network is physically isolated from all unsecured networks, including the internet. Used to protect classified, industrial control, or other high-security systems. Stuxnet (2010) demonstrated that air gaps can be bridged via removable media and supply chain compromise.
APT (Advanced Persistent Threat) — A prolonged, targeted cyberattack in which a well-resourced adversary gains and maintains unauthorized access to a network, typically for espionage, sabotage, or intellectual property theft. APTs are usually attributed to nation-state actors. They are characterized by patience (dwell times of months or years), sophistication (custom tooling, zero-day exploits), and specific intelligence objectives.
Argon2 — A memory-hard key derivation function that won the Password Hashing Competition in 2015. Designed to resist GPU-based and ASIC-based brute-force attacks by requiring large amounts of memory. Argon2id (a hybrid of Argon2i and Argon2d) is recommended for password hashing. Considered state of the art alongside bcrypt and scrypt.
ARP (Address Resolution Protocol) — A Layer 2 protocol that maps IPv4 addresses to MAC addresses on a local network segment. ARP is inherently trustful — any device can claim any IP-to-MAC mapping. This makes it vulnerable to ARP spoofing/poisoning attacks, mitigated by Dynamic ARP Inspection (DAI) on managed switches.
ASLR (Address Space Layout Randomization) — A memory protection technique that randomizes the memory addresses used by a process for its stack, heap, libraries, and executable code. ASLR makes it significantly harder for attackers to exploit buffer overflows and other memory corruption vulnerabilities because jump targets are unpredictable.
Asymmetric Encryption — A cryptographic system using a mathematically related key pair: a public key (shared openly) and a private key (kept secret). Data encrypted with one key can only be decrypted by the other. Used for TLS handshakes, digital signatures, and key exchange. Also called public-key cryptography. Examples include RSA, ECDSA, and EdDSA.
Authentication — The process of verifying the claimed identity of a user, device, or system. Common methods include passwords, certificates, biometrics, and hardware tokens. Authentication answers "who are you?" and must precede authorization.
Authorization — The process of determining what an authenticated entity is permitted to do. Authorization answers "what are you allowed to do?" Implemented through ACLs, RBAC, ABAC, or policy engines. Always follows authentication.
Availability — One of the three pillars of the CIA triad. The assurance that systems, data, and services are accessible to authorized users when needed. Threats to availability include DDoS attacks, ransomware, hardware failure, and misconfiguration. High availability (HA) architectures use redundancy, load balancing, and failover to maintain uptime.
B
Backdoor — A method of bypassing normal authentication or security controls to gain unauthorized access to a system. Backdoors can be intentionally installed (by an attacker or insider) or unintentionally created (hardcoded credentials, debug interfaces left in production). Supply chain attacks often involve inserting backdoors into trusted software.
Bcrypt — A password hashing function based on the Blowfish cipher, introduced in 1999. Includes a configurable work factor (cost parameter) that makes computation exponentially more expensive as hardware improves. Widely recommended for password storage alongside Argon2 and scrypt. The cost factor should be tuned so that hashing takes at least 250ms on current hardware.
Beacon — In the context of malware and command-and-control (C2), a periodic communication from a compromised system to its C2 server. Beaconing patterns — regular intervals, consistent packet sizes, jitter characteristics — are a key behavioral indicator used by network security monitoring to detect implants.
BEC (Business Email Compromise) — A targeted social engineering attack that impersonates trusted business contacts (executives, vendors, lawyers) to redirect payments, steal credentials, or exfiltrate sensitive data. Variants include CEO fraud, invoice redirection, and payroll diversion. BEC is the most financially damaging form of cybercrime according to FBI IC3 data, causing billions in losses annually.
BGP (Border Gateway Protocol) — The path-vector routing protocol that manages how packets are routed between autonomous systems across the internet. BGP was designed without built-in authentication or integrity verification, making it vulnerable to route hijacking, route leaks, and prefix de-aggregation attacks. RPKI (Resource Public Key Infrastructure) provides cryptographic verification of route origin.
Blue Team — The defensive security team responsible for detecting, responding to, and preventing attacks. Activities include security monitoring, incident response, vulnerability management, threat hunting, and security architecture. Compare with Red Team and Purple Team.
Botnet — A network of compromised computers (bots or zombies) controlled remotely by an attacker via command-and-control infrastructure. Used for DDoS attacks, spam campaigns, credential stuffing, and cryptocurrency mining. Notable botnets include Mirai (IoT), Emotet, and Trickbot.
Brute Force Attack — An attack that systematically tries every possible combination of characters to guess a password or encryption key. Mitigated by strong passwords/passphrases, account lockout policies, progressive rate limiting, CAPTCHA, and computationally expensive hashing (bcrypt, Argon2).
Buffer Overflow — A vulnerability where a program writes data beyond the bounds of an allocated memory buffer, potentially overwriting adjacent memory containing return addresses, function pointers, or other critical data. Can be exploited for arbitrary code execution. Mitigated by bounds checking, stack canaries, ASLR, DEP/NX, and memory-safe languages.
C
C2 (Command and Control) — The infrastructure and communication channels used by an attacker to maintain control over compromised systems. C2 can operate over HTTP/HTTPS, DNS tunneling, social media, cloud services, WebSockets, or custom protocols. Detecting C2 traffic is a primary objective of network security monitoring.
CAA (Certificate Authority Authorization) — A DNS record type (RFC 8659) that specifies which Certificate Authorities are permitted to issue certificates for a domain. CAs are required to check CAA records before issuance. A domain with 0 issue "letsencrypt.org" only allows Let's Encrypt to issue certificates for it.
CA (Certificate Authority) — A trusted entity that issues digital certificates, cryptographically binding a public key to an identity (domain name, organization, or individual). CAs form the hierarchical trust model of PKI. Compromise of a CA undermines trust for every certificate it has issued, as demonstrated by the DigiNotar breach (2011).
CBC (Cipher Block Chaining) — A block cipher mode where each plaintext block is XORed with the previous ciphertext block before encryption. Provides confidentiality but requires careful implementation — vulnerable to padding oracle attacks (POODLE, Lucky Thirteen). Largely superseded by GCM mode in TLS 1.2+ configurations.
CDN (Content Delivery Network) — A geographically distributed network of servers that caches and delivers content from edge locations close to end users. CDNs improve performance, absorb DDoS traffic, and can terminate TLS at the edge. Security considerations include shared TLS certificates, domain fronting, and origin IP exposure.
Certificate Pinning — A technique where an application associates a specific certificate or public key with a server, rejecting connections presenting any other certificate — even if it is valid and signed by a trusted CA. Reduces the risk of CA compromise or MITM via rogue certificates. Must include backup pins to avoid self-inflicted outages during certificate rotation.
Certificate Transparency (CT) — An open framework requiring CAs to log all issued certificates to public, append-only, cryptographically verifiable logs. Domain owners can monitor these logs to detect unauthorized certificate issuance. Required by Chrome and Apple since 2018. Certificates not logged to CT are rejected by major browsers.
CIA Triad — The three foundational goals of information security: Confidentiality (data is accessible only to authorized parties), Integrity (data has not been tampered with), and Availability (systems and data are accessible when needed). Every security control maps to one or more of these goals.
CIDR (Classless Inter-Domain Routing) — A method for allocating IP addresses that replaced classful addressing. CIDR notation (e.g., 10.0.0.0/24) specifies an IP address and its associated prefix length, indicating that the first 24 bits identify the network and the remaining 8 bits identify hosts within it.
Cipher Suite — A named combination of cryptographic algorithms used in a TLS connection, specifying the key exchange, authentication, bulk encryption, and hash algorithms. Example: TLS_AES_256_GCM_SHA384 (TLS 1.3) uses AES-256-GCM for encryption and SHA-384 for the hash.
CORS (Cross-Origin Resource Sharing) — A browser security mechanism that uses HTTP headers to control which origins can make cross-origin requests. The key header Access-Control-Allow-Origin specifies permitted origins. Misconfigured CORS (e.g., reflecting any origin, allowing credentials with wildcard) can expose APIs to unauthorized access from malicious sites.
Credential Stuffing — An automated attack that uses username/password pairs leaked from one service's data breach to attempt logins on other services, exploiting password reuse. Mitigated by MFA, breach-password detection (e.g., Have I Been Pwned), rate limiting, and CAPTCHA.
CRL (Certificate Revocation List) — A signed list published by a CA containing the serial numbers of certificates that have been revoked before their expiration date. CRLs can grow large and introduce latency. OCSP provides a more efficient, real-time alternative.
CSP (Content Security Policy) — An HTTP response header that restricts which sources a browser can load scripts, styles, images, fonts, and other resources from. A well-configured CSP is one of the most effective defenses against XSS attacks. Directives include default-src, script-src, style-src, img-src, and connect-src.
CSR (Certificate Signing Request) — A message containing a public key, identity information (subject), and a self-signature, sent to a Certificate Authority to request issuance of a digital certificate. Generated using tools like openssl req.
CSRF (Cross-Site Request Forgery) — An attack that tricks a user's browser into making unintended HTTP requests to a web application where the user is authenticated, exploiting the browser's automatic inclusion of cookies. Mitigated by anti-CSRF tokens (synchronizer tokens), SameSite cookie attribute, and Origin header validation.
CTI (Cyber Threat Intelligence) — Evidence-based knowledge about existing or emerging cyber threats, including indicators of compromise (IOCs), tactics/techniques/procedures (TTPs), threat actor profiles, and campaign attribution. CTI is consumed at strategic (executive), operational (SOC), and tactical (detection rule) levels.
CVE (Common Vulnerabilities and Exposures) — A standardized identifier system for publicly disclosed security vulnerabilities. Each vulnerability receives a unique ID (e.g., CVE-2021-44228 for Log4Shell). Maintained by MITRE Corporation and used globally for vulnerability tracking, patch prioritization, and communication.
CVSS (Common Vulnerability Scoring System) — A standardized framework for rating vulnerability severity on a 0.0–10.0 scale. Scores consider attack vector, complexity, privileges required, user interaction, scope change, and impact on confidentiality, integrity, and availability. CVSS 3.1 is the current widely-used version.
ChaCha20-Poly1305 — An authenticated encryption algorithm combining the ChaCha20 stream cipher with the Poly1305 message authentication code. Supported in TLS 1.3 as an alternative to AES-GCM. Particularly efficient on devices without AES hardware acceleration (mobile, IoT). Designed by Daniel J. Bernstein.
Confidentiality — One of the three pillars of the CIA triad. The assurance that data is accessible only to authorized parties. Achieved through encryption (at rest and in transit), access controls, and data classification. Breaches of confidentiality include data leaks, eavesdropping, and unauthorized database access.
D
DAC (Discretionary Access Control) — An access control model where the resource owner decides who can access their resources. Standard Unix file permissions (owner/group/other) are a form of DAC. Less restrictive than MAC (Mandatory Access Control), which enforces system-wide policies regardless of owner preferences.
DAI (Dynamic ARP Inspection) — A switch security feature that validates ARP packets against the DHCP snooping binding table. DAI intercepts and verifies ARP requests and responses, discarding those with invalid IP-to-MAC mappings. Prevents ARP spoofing/poisoning attacks on the local network.
DDoS (Distributed Denial of Service) — An attack that overwhelms a target with traffic from many distributed sources, rendering it unavailable to legitimate users. Categories include volumetric attacks (bandwidth flooding via DNS amplification, NTP reflection), protocol attacks (SYN floods, Ping of Death), and application-layer attacks (HTTP floods, Slowloris).
Defense in Depth — A security strategy employing multiple independent layers of defense so that failure of one layer does not compromise the system. Layers typically span physical security, network security (firewalls, segmentation), host security (EDR, patching), application security (WAF, input validation), data security (encryption, DLP), and user awareness training.
DGA (Domain Generation Algorithm) — An algorithm embedded in malware that periodically generates large numbers of pseudo-random domain names, a small subset of which the attacker registers for C2 communication. DGA makes domain-based blocking ineffective because new domains are constantly generated. Detection relies on identifying the statistical characteristics of algorithmically generated names.
DH (Diffie-Hellman) — A key exchange algorithm that allows two parties to establish a shared secret over an insecure channel without transmitting the secret itself. Based on the discrete logarithm problem. DH alone does not provide authentication. See ECDHE for the modern, ephemeral elliptic curve variant.
DHCP (Dynamic Host Configuration Protocol) — A protocol that automatically assigns IP addresses, subnet masks, default gateways, and DNS server addresses to devices joining a network. DHCP is unauthenticated by design, making it vulnerable to rogue DHCP server attacks. DHCP snooping on managed switches mitigates this by only allowing DHCP responses from trusted ports.
DKIM (DomainKeys Identified Mail) — An email authentication standard that allows a sending domain to cryptographically sign outgoing messages using a private key. The receiving server retrieves the corresponding public key from a DNS TXT record and verifies the signature. Proves the message was sent by an authorized server and was not modified in transit.
DLP (Data Loss Prevention) — Technologies and processes that detect and prevent unauthorized transmission of sensitive data outside an organization. DLP systems inspect email, web traffic, endpoints, and cloud services for patterns matching regulated or sensitive data (credit card numbers, SSNs, source code, credentials).
DMARC (Domain-based Message Authentication, Reporting, and Conformance) — An email authentication protocol built on SPF and DKIM that gives domain owners control over how unauthenticated email is handled. A DMARC policy of p=reject instructs receiving servers to reject emails failing authentication. DMARC also provides aggregate and forensic reporting.
DMZ (Demilitarized Zone) — A network segment positioned between an organization's internal network and the internet, hosting public-facing services such as web servers, email gateways, and DNS servers. Firewalls restrict traffic flow between the DMZ, internal network, and internet, limiting the blast radius of a compromise.
DNS (Domain Name System) — The hierarchical, distributed naming system that translates human-readable domain names (e.g., example.com) to IP addresses. DNS operates primarily over UDP port 53 and is a critical infrastructure service. Often described as "the phonebook of the internet."
DNSSEC (DNS Security Extensions) — Extensions that add cryptographic signatures (RRSIG records) to DNS responses, enabling resolvers to verify that responses are authentic and unmodified. DNSSEC protects against DNS spoofing and cache poisoning but does not encrypt queries — that requires DoH or DoT.
DoH (DNS over HTTPS) — A protocol that encrypts DNS queries by transmitting them over HTTPS on port 443, making them indistinguishable from regular web traffic. Provides privacy from on-path observers but can bypass organization-level DNS security controls. Supported by major browsers, Cloudflare (1.1.1.1), and Google (8.8.8.8).
DoT (DNS over TLS) — A protocol that encrypts DNS queries using TLS on dedicated port 853. Provides similar privacy benefits to DoH but uses a distinct port, making it easier for network administrators to identify, manage, and allow or block encrypted DNS traffic.
Drive-by Download — An attack where malware is automatically downloaded and executed when a user visits a compromised or malicious website, often without any user interaction beyond loading the page. Exploits vulnerabilities in browsers, browser plugins, or operating system components. Mitigated by browser sandboxing, automatic updates, and Content Security Policy.
E
EdDSA (Edwards-curve Digital Signature Algorithm) — A digital signature scheme based on twisted Edwards curves, offering high performance and resistance to implementation pitfalls (e.g., no need for a random nonce). Ed25519 (using Curve25519) is the most widely used variant. Used in SSH keys, TLS certificates, and cryptocurrency systems.
eBPF (Extended Berkeley Packet Filter) — A Linux kernel technology enabling sandboxed programs to run in the kernel without modifying kernel source code or loading kernel modules. Used in modern security and observability tools (Falco, Cilium, Tetragon) for high-performance network monitoring, runtime security enforcement, and system call tracing.
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) — A key exchange protocol combining elliptic curve cryptography with ephemeral (per-session) keys. Provides perfect forward secrecy: if long-term signing keys are later compromised, past session keys cannot be derived. ECDHE is the mandatory key exchange mechanism in TLS 1.3.
ECDSA (Elliptic Curve Digital Signature Algorithm) — A digital signature algorithm based on elliptic curve cryptography. Produces shorter signatures than RSA at equivalent security levels, improving TLS handshake performance. A 256-bit ECDSA key provides security comparable to a 3072-bit RSA key. Widely used in TLS certificates and code signing.
EDR (Endpoint Detection and Response) — A security platform that continuously monitors endpoint activity for suspicious behavior, provides real-time alerting, and enables investigation and response capabilities including process isolation, file quarantine, and remote shell. Unlike traditional signature-based antivirus, EDR uses behavioral analysis to detect novel and fileless threats.
ESP (Encapsulating Security Payload) — An IPsec protocol providing confidentiality (encryption), data origin authentication, integrity, and anti-replay protection for IP packets. ESP can operate in transport mode (encrypts payload only) or tunnel mode (encrypts entire original IP packet, adds new outer header). The primary encryption protocol in IPsec VPNs.
Encryption at Rest — Protecting stored data by encrypting it on disk, in databases, or in cloud storage. Common implementations include full-disk encryption (LUKS, BitLocker), database-level encryption (TDE), and object storage encryption (SSE-S3, SSE-KMS). Protects against physical theft and unauthorized storage access.
Encryption in Transit — Protecting data as it moves between systems by encrypting the communication channel. TLS is the primary mechanism for encryption in transit. Also includes SSH tunnels, IPsec VPNs, and WireGuard. Prevents eavesdropping and tampering by on-path attackers.
Exfiltration — The unauthorized transfer of data out of an organization. Methods include direct network transfer, DNS tunneling, steganography, encrypted channels (HTTPS, cloud storage), removable media, and covert channels. Detecting exfiltration requires monitoring outbound traffic volumes, patterns, and destinations.
F
Fail Open / Fail Closed — Describes system behavior when a security component fails. Fail open allows traffic through when the security device fails (prioritizes availability). Fail closed blocks traffic when the device fails (prioritizes security). The choice depends on the risk profile — inline IPS and WAF must decide their failure mode.
FIDO2/WebAuthn — Standards for passwordless and phishing-resistant authentication using public-key cryptography. Users authenticate with hardware security keys (YubiKey, Titan) or platform authenticators (Touch ID, Windows Hello). Credentials are cryptographically bound to the origin domain, making phishing structurally impossible. The strongest available form of MFA.
Firewall — A network security device or software that monitors and filters network traffic based on rules. Types include stateless packet filters (examine individual packets), stateful firewalls (track connection state), and next-generation firewalls (NGFW — inspect application-layer content, integrate with threat intelligence).
Fuzzing — A testing technique that feeds random, unexpected, or malformed input to a program to discover crashes, memory errors, and vulnerabilities. Coverage-guided fuzzers (AFL, LibFuzzer, Honggfuzz) mutate inputs to maximize code coverage. An effective technique for finding buffer overflows, format string bugs, and parsing vulnerabilities.
G
GCM (Galois/Counter Mode) — An authenticated encryption mode that provides both confidentiality and integrity in a single operation, producing ciphertext and an authentication tag. AES-GCM is the predominant cipher mode in TLS 1.3. More efficient than separate encrypt-then-MAC constructions and avoids the pitfalls of CBC with separate HMAC.
GDPR (General Data Protection Regulation) — The European Union's comprehensive data protection regulation, effective since May 2018. GDPR grants individuals rights over their personal data (access, erasure, portability), requires data breach notification within 72 hours, mandates data protection by design, and imposes fines up to 4% of global annual revenue for violations.
Golden Ticket — A Kerberos attack where an attacker who has obtained the KRBTGT account hash can forge Ticket-Granting Tickets (TGTs) for any user, including domain administrators, with arbitrary lifetimes. Grants unrestricted access to all resources in the Active Directory domain. Detected by monitoring for TGTs with abnormal lifetimes or issued without corresponding AS-REQ events.
H
Hardening — The process of reducing a system's attack surface by removing unnecessary software, disabling unused services, applying security patches, configuring strong authentication, and following vendor-provided security benchmarks (CIS Benchmarks). Hardening applies to operating systems, network devices, databases, containers, and cloud configurations.
HKDF (HMAC-based Key Derivation Function) — A key derivation function based on HMAC, standardized in RFC 5869. HKDF operates in two stages: extract (concentrating entropy from input keying material) and expand (producing output keys of arbitrary length). Used extensively in TLS 1.3 for deriving handshake and application traffic keys.
HMAC (Hash-based Message Authentication Code) — A construction for computing a message authentication code using a cryptographic hash function and a secret key. HMAC provides both integrity and authentication — a valid HMAC proves the message was not tampered with and was produced by someone possessing the secret key. Used in TLS, API authentication (HMAC-SHA256), and JWT signing (HS256).
Honeypot — A decoy system designed to appear as a legitimate, vulnerable target to attract attackers. When an attacker interacts with a honeypot, their tools, techniques, and infrastructure are captured for analysis. Types range from low-interaction (emulated services) to high-interaction (real operating systems). Internal honeypots serve as canary alerts for lateral movement.
HSM (Hardware Security Module) — A physical, tamper-resistant device that generates, stores, and manages cryptographic keys and performs cryptographic operations within a secure boundary. Used to protect CA signing keys, payment card processing keys (PCI DSS), and cloud KMS root keys. Cloud equivalents include AWS CloudHSM and Azure Dedicated HSM.
HSTS (HTTP Strict Transport Security) — An HTTP response header (Strict-Transport-Security) that instructs browsers to access the site exclusively over HTTPS for a specified duration. Prevents SSL stripping attacks and accidental plaintext connections. The includeSubDomains directive extends protection to all subdomains. HSTS preloading embeds the policy in browser source code.
HTTP (Hypertext Transfer Protocol) — The stateless, application-layer protocol for transmitting web content. HTTP/1.1 is text-based; HTTP/2 uses binary framing and multiplexing; HTTP/3 runs over QUIC (UDP). In its original form, HTTP is unencrypted — all modern web traffic should use HTTPS.
HTTPS (HTTP Secure) — HTTP transmitted over a TLS-encrypted connection, providing confidentiality, integrity, and server authentication. HTTPS is the universal standard for web communication. Let's Encrypt made certificates free and automated, removing the last barrier to universal HTTPS adoption.
I
Integrity — One of the three pillars of the CIA triad. The assurance that data has not been tampered with or modified by unauthorized parties. Achieved through cryptographic hashes, MACs, digital signatures, and access controls. File integrity monitoring (FIM) tools detect unauthorized changes to critical system files.
IAM (Identity and Access Management) — The framework of policies and technologies for managing digital identities and controlling access to resources. In cloud contexts (AWS IAM, Azure Entra ID, GCP IAM), IAM policies govern who (principal) can perform what actions on which resources under what conditions. IAM misconfiguration is the leading cause of cloud security breaches.
IaC (Infrastructure as Code) — Managing infrastructure through machine-readable configuration files (Terraform, CloudFormation, Pulumi, Ansible) rather than manual processes. Security scanning of IaC templates (Checkov, tfsec, Trivy) catches misconfigurations — open security groups, unencrypted storage, missing logging — before deployment.
IDS (Intrusion Detection System) — A system that monitors network traffic or host activity for malicious behavior and policy violations, generating alerts. IDS is passive — it detects and alerts but does not block traffic. Signature-based IDS (Snort, Suricata) matches patterns; anomaly-based IDS detects deviations from baselines. Compare with IPS.
IKE (Internet Key Exchange) — The protocol used to establish Security Associations (SAs) in IPsec. IKE negotiates cryptographic algorithms, authenticates peers (pre-shared keys or certificates), and derives shared session keys. IKEv2 (RFC 7296) is the current version, offering improved reliability, built-in NAT traversal, and EAP authentication support.
IOC (Indicator of Compromise) — A forensic artifact indicating that a system or network has been compromised. IOCs include malicious IP addresses, domain names, file hashes (MD5, SHA-256), registry keys, mutex names, and email addresses. IOCs are shared through threat intelligence feeds (STIX/TAXII) and used to write detection rules.
IOA (Indicator of Attack) — A behavioral pattern indicating an active attack in progress, as opposed to an IOC (an artifact left after an attack). IOAs focus on adversary intent and technique — e.g., reconnaissance scanning, privilege escalation behavior, lateral movement patterns — rather than specific artifacts.
IPS (Intrusion Prevention System) — A system that monitors network traffic for malicious activity and automatically blocks or drops detected threats. IPS operates inline — all traffic passes through it — making it active rather than passive. Modern IPS is often integrated into next-generation firewalls (NGFW).
IPsec (Internet Protocol Security) — A protocol suite for securing IP communications by authenticating and encrypting each IP packet. Core components: IKE (key exchange and SA negotiation), ESP (encryption and authentication), and AH (authentication only). Commonly used for site-to-site VPNs and remote access VPNs. Operates in transport mode (host-to-host) or tunnel mode (gateway-to-gateway).
J
JWK (JSON Web Key) — A JSON data structure (RFC 7517) representing a cryptographic key. JWK Sets (JWKS) are used to publish public keys for JWT signature verification. Typically served from a well-known endpoint (e.g., /.well-known/jwks.json) by identity providers.
JWT (JSON Web Token) — A compact, URL-safe token format (RFC 7519) for transmitting claims between parties as a signed (JWS) or encrypted (JWE) JSON object. JWTs consist of a header, payload, and signature. Used extensively for API authentication and authorization. Common vulnerabilities include algorithm confusion (alg: none), missing signature verification, and weak signing keys.
K
KDF (Key Derivation Function) — A function that derives one or more cryptographic keys from a source of key material (password, shared secret, or random seed). Password-based KDFs (bcrypt, scrypt, Argon2, PBKDF2) are deliberately slow to resist brute-force attacks. Non-password KDFs (HKDF) derive keys from already-strong keying material.
KEX (Key Exchange) — The process by which two parties establish a shared cryptographic secret over an insecure channel. In TLS, the key exchange occurs during the handshake. TLS 1.3 supports only ephemeral key exchanges (ECDHE, DHE), ensuring perfect forward secrecy.
Kerberos — A network authentication protocol using tickets issued by a trusted Key Distribution Center (KDC) to authenticate users and services without transmitting passwords. The foundation of Active Directory authentication. Vulnerable to attacks including Kerberoasting (offline cracking of service tickets), Golden Ticket (forged TGTs), Silver Ticket (forged service tickets), and Pass-the-Ticket.
Kill Chain — A model describing the sequential stages of a cyberattack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives (Lockheed Martin model). MITRE ATT&CK provides a more granular, non-linear alternative. Defenders aim to detect and disrupt attacks at the earliest possible stage.
KRACK (Key Reinstallation Attack) — A vulnerability (CVE-2017-13082) in the WPA2 four-way handshake that allows an attacker to force nonce reuse, enabling decryption and injection of packets on WPA2-protected Wi-Fi networks. Addressed by WPA3's SAE handshake and by vendor patches to WPA2 implementations.
L
LDAP Injection — An attack that manipulates LDAP queries by inserting special characters into user-supplied input that is incorporated into LDAP search filters without proper sanitization. Similar in concept to SQL injection but targeting directory services. Mitigated by input validation and parameterized LDAP queries.
Lateral Movement — Post-compromise techniques used by attackers to move through a network, accessing additional systems and escalating privileges. Common methods include Pass-the-Hash, Pass-the-Ticket, RDP, SMB, WMI, PowerShell Remoting, and SSH with stolen credentials. Network segmentation, PAM, and identity-based micro-segmentation limit lateral movement.
LDAP (Lightweight Directory Access Protocol) — A protocol for accessing and maintaining distributed directory services. Used extensively with Active Directory for authentication, user management, and group policy. LDAPS (LDAP over TLS, port 636) provides encryption. LDAP injection is a vulnerability in applications that construct LDAP queries from unsanitized user input.
Least Privilege — The security principle that every user, process, or system should operate with only the minimum permissions necessary to perform its function. Reducing privileges limits the blast radius of a compromise. Applied to IAM policies, file permissions, network access, database roles, and API scopes.
Log4Shell (CVE-2021-44228) — A critical remote code execution vulnerability in Apache Log4j 2.x, disclosed in December 2021. Exploitable through user-controlled strings containing JNDI lookup expressions (${jndi:ldap://...}) that appear in log messages. Affected millions of Java applications worldwide due to Log4j's ubiquitous use. CVSS 10.0.
M
Mandatory Access Control (MAC-OS) — An access control model where the operating system enforces access policies that cannot be overridden by resource owners. Implemented by security frameworks like SELinux (label-based) and AppArmor (path-based). More restrictive than DAC. Not to be confused with MAC addresses or Message Authentication Codes.
MAC (Media Access Control) Address — A 48-bit hardware identifier assigned to a network interface controller, operating at Layer 2. Formatted as six pairs of hexadecimal digits (e.g., aa:bb:cc:dd:ee:ff). MAC addresses can be spoofed and should not be relied upon for security in untrusted environments. See also MAC (Message Authentication Code).
MAC (Message Authentication Code) — A cryptographic tag computed from a message and a secret key, providing integrity and authentication. A valid MAC proves the message has not been tampered with and was produced by a holder of the key. HMAC is the most common construction. Not to be confused with MAC addresses.
MFA (Multi-Factor Authentication) — Authentication requiring two or more independent factors from different categories: something you know (password), something you have (hardware token, phone), or something you are (biometric). MFA dramatically reduces credential-based attack success. FIDO2/WebAuthn hardware keys provide the strongest, phishing-resistant MFA.
Microsegmentation — A network security technique that enforces access policies at the individual workload or application level rather than at network subnet boundaries. Enables zero-trust networking where every service-to-service communication is explicitly authorized. Implemented via software-defined networking, service mesh, or host-based firewalls.
MITM (Man-in-the-Middle) — An attack where an adversary intercepts and potentially alters communication between two parties who believe they are communicating directly. Defenses include TLS (server authentication), certificate pinning, mutual TLS, and DNSSEC. ARP spoofing, DNS spoofing, and rogue Wi-Fi access points are common MITM vectors.
MITRE ATT&CK — A globally accessible knowledge base of adversary tactics, techniques, and procedures derived from real-world observations. Organized by platform (Enterprise, Mobile, ICS), tactics (the adversary's goal), and techniques (the method). Used for threat modeling, detection gap analysis, red team planning, and incident classification.
mTLS (Mutual TLS) — A TLS configuration where both client and server authenticate each other using X.509 certificates, unlike standard TLS where only the server is authenticated. Used for service-to-service communication in microservices, API security, and zero-trust architectures. Certificate management at scale is the primary operational challenge.
N
NIDS (Network Intrusion Detection System) — An IDS deployed at network boundaries or span/tap points to monitor traffic for suspicious patterns. Signature-based NIDS (Snort, Suricata) match against known attack signatures. Anomaly-based NIDS establish traffic baselines and alert on deviations. Encrypted traffic (TLS) limits NIDS visibility unless TLS inspection is deployed.
Nonce — A number used once in a cryptographic operation to prevent replay attacks and ensure uniqueness. Nonces appear in TLS handshakes (ClientHello.random, ServerHello.random), authenticated encryption (AES-GCM initialization vectors), and authentication protocols (challenge-response). Reusing a nonce with the same key can catastrophically break security.
NAC (Network Access Control) — A security approach that enforces policy on devices attempting to access the network, checking identity, device health, patch level, and compliance posture before granting access. 802.1X is the most common NAC implementation, using RADIUS for authentication and VLAN assignment.
NACL (Network Access Control List) — In cloud computing (particularly AWS), a stateless firewall at the subnet level that evaluates inbound and outbound rules by rule number order. Unlike security groups, NACLs support explicit deny rules. Both allow and deny rules are processed, with the first matching rule taking effect.
NAT (Network Address Translation) — A method of remapping IP addresses by modifying packet headers as traffic passes through a router or firewall. NAT allows multiple devices on a private network to share a single public IP address. NAT provides obscurity but is not a security control — it should not be confused with firewalling.
NIST (National Institute of Standards and Technology) — A US government agency that publishes cybersecurity standards and guidelines, including the NIST Cybersecurity Framework (CSF), SP 800-53 (security and privacy controls), SP 800-61 (incident response), and cryptographic standards (AES, SHA-3, post-quantum algorithms).
NTP (Network Time Protocol) — A protocol for synchronizing system clocks across a network. Accurate time is critical for log correlation, TLS certificate validation, Kerberos ticket lifetimes, TOTP authentication, and forensic timelines. NTS (Network Time Security) adds cryptographic authentication to NTP, preventing spoofing.
O
OAuth 2.0 — An authorization framework (RFC 6749) that enables applications to obtain limited, scoped access to a user's resources on another service without receiving the user's password. OAuth issues access tokens. It is not an authentication protocol by itself — OIDC adds authentication on top. Key flows: Authorization Code (with PKCE), Client Credentials, and Device Code.
OCSP (Online Certificate Status Protocol) — A protocol for querying the revocation status of an X.509 certificate in real-time from the issuing CA. OCSP stapling allows the server to include a time-stamped, CA-signed OCSP response in the TLS handshake, improving both privacy (the client doesn't contact the CA) and performance.
OIDC (OpenID Connect) — An authentication layer built on OAuth 2.0 that adds an ID Token — a signed JWT containing user identity claims (subject, email, name). OIDC enables federated authentication ("Sign in with Google/Microsoft/Apple"). The combination of OAuth 2.0 (authorization) + OIDC (authentication) is the modern standard for web identity.
OSINT (Open Source Intelligence) — Intelligence gathered from publicly available sources: social media, websites, DNS records, certificate transparency logs, WHOIS data, job postings, code repositories, and public filings. Used by attackers for reconnaissance and by defenders for attack surface discovery and threat intelligence.
OWASP (Open Worldwide Application Security Project) — A nonprofit foundation producing freely available web application security resources. The OWASP Top 10 is a regularly updated ranking of the most critical web security risks. OWASP also publishes testing guides, cheat sheets, security verification standards (ASVS), and tools (ZAP, Dependency-Check).
P
Packet Sniffing — The practice of capturing and inspecting network packets as they traverse a network interface. Legitimate uses include network troubleshooting, security monitoring, and protocol analysis (Wireshark, tcpdump). Malicious uses include credential theft and eavesdropping on unencrypted traffic. TLS and network encryption eliminate the value of passive sniffing for attackers.
PBKDF2 (Password-Based Key Derivation Function 2) — A key derivation function (RFC 2898) that applies a pseudorandom function (typically HMAC-SHA256) iteratively to a password and salt. PBKDF2 is widely supported (FIPS-approved) but is less resistant to GPU attacks than memory-hard functions (bcrypt, scrypt, Argon2) because it has low memory requirements.
PAM (Privileged Access Management) — Technologies and processes for controlling, monitoring, and auditing privileged access to critical systems. PAM solutions provide credential vaulting (no standing access to passwords), session recording, just-in-time privilege elevation, and emergency break-glass procedures.
PDP (Policy Decision Point) — In access control architectures, the component that evaluates access requests against defined policies and returns a permit or deny decision. The PDP receives requests from Policy Enforcement Points (PEPs) and consults policy stores. Central to zero-trust and ABAC architectures.
PEP (Policy Enforcement Point) — The component that intercepts access requests and enforces the decision returned by the Policy Decision Point (PDP). PEPs are deployed at network boundaries, API gateways, service meshes, and application middleware. In zero-trust architectures, every access path has a PEP.
Penetration Testing — An authorized simulated attack against a system or organization to evaluate its security posture. Scoping types: black box (no prior knowledge), white box (full access to source code and architecture), and gray box (partial knowledge). Results are documented in a report with findings, risk ratings, evidence, and remediation recommendations.
PFS (Perfect Forward Secrecy) — A property of key exchange protocols ensuring that compromise of long-term keys (e.g., the server's private key) does not compromise past session keys. Achieved by using ephemeral keys for each session. TLS 1.3 requires PFS — all cipher suites use ephemeral key exchange (ECDHE or DHE).
Phishing — A social engineering attack using fraudulent communications — email, SMS (smishing), voice calls (vishing), QR codes (quishing) — to trick recipients into revealing credentials, clicking malicious links, or installing malware. The most common initial access vector for cyberattacks. FIDO2/WebAuthn provides structural resistance to phishing.
PKI (Public Key Infrastructure) — The framework of policies, procedures, hardware, software, and roles needed to create, manage, distribute, use, store, and revoke digital certificates. PKI enables trusted communication over untrusted networks by binding public keys to verified identities through Certificate Authorities.
PKCE (Proof Key for Code Exchange) — An extension (RFC 7636) to OAuth 2.0's Authorization Code flow that prevents authorization code interception attacks. The client generates a random code verifier, sends a code challenge (SHA-256 hash of the verifier) with the authorization request, and proves possession of the verifier when exchanging the code for tokens. Required for public clients and recommended for all OAuth clients.
PoS (Proof of Stake) — A blockchain consensus mechanism where validators are selected to create new blocks based on the amount of cryptocurrency they hold and "stake" as collateral. More energy-efficient than Proof of Work. Ethereum transitioned from PoW to PoS in September 2022 ("The Merge").
PoW (Proof of Work) — A blockchain consensus mechanism requiring participants (miners) to solve computationally expensive puzzles to validate transactions and create new blocks. Bitcoin uses PoW (SHA-256). The computational cost provides security but consumes significant energy.
R
RADIUS (Remote Authentication Dial-In User Service) — A networking protocol providing centralized Authentication, Authorization, and Accounting (AAA) for network access. Commonly used with 802.1X (NAC), VPN authentication, and Wi-Fi (WPA2/WPA3-Enterprise). RADIUS servers (FreeRADIUS, Microsoft NPS) integrate with directory services (LDAP, Active Directory).
Ransomware — Malware that encrypts a victim's data and demands payment (typically cryptocurrency) for the decryption key. Modern ransomware operations include data exfiltration before encryption (double extortion), DDoS threats (triple extortion), and contacting victims' customers. Ransomware-as-a-Service (RaaS) operates as a criminal franchise model with affiliates.
RAT (Remote Access Trojan) — Malware providing an attacker with persistent, covert remote control over a compromised system. Typical capabilities include command execution, file transfer, keylogging, screen capture, webcam/microphone access, and credential harvesting. RATs often use legitimate protocols (HTTPS, DNS) for C2 to blend with normal traffic.
RBAC (Role-Based Access Control) — An access control model where permissions are assigned to roles (e.g., "admin," "editor," "viewer"), and users are assigned to roles. Users gain permissions through their role membership. Simpler to manage than assigning permissions directly to users. Most cloud IAM systems and application frameworks support RBAC.
Red Team — An offensive security team that simulates realistic, multi-stage attacks against an organization to test its detection, prevention, and response capabilities. Red team engagements are broader and more adversarial than penetration tests, often spanning weeks and combining technical exploitation with social engineering and physical access attempts.
Rootkit — Malware designed to conceal the presence of other malware or unauthorized access from detection tools. Rootkits operate at various levels: user-mode (API hooking, library injection), kernel-mode (system call table modification), bootkits (MBR/UEFI firmware), and hypervisor-level. Detection often requires offline analysis or specialized tools.
RSA — A public-key cryptosystem (Rivest–Shamir–Adleman, 1977) based on the computational difficulty of factoring the product of two large prime numbers. Used for digital signatures and key exchange. Common key sizes: 2048-bit and 4096-bit. Being superseded by elliptic curve algorithms (ECDSA, EdDSA) for better performance at equivalent security levels. RSA key exchange was removed from TLS 1.3.
S
Salt — Random data added to a password before hashing to ensure that identical passwords produce different hash values. Salts defeat precomputed rainbow table attacks and prevent attackers from identifying users with the same password by comparing hashes. Each password should have a unique, randomly generated salt stored alongside the hash.
SASE (Secure Access Service Edge) — A network architecture converging wide-area networking (SD-WAN) with cloud-delivered security functions including SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), FWaaS (Firewall-as-a-Service), and ZTNA. Designed for organizations with distributed workforces and cloud-first architectures.
SAE (Simultaneous Authentication of Equals) — The key exchange protocol used in WPA3, replacing the PSK (Pre-Shared Key) four-way handshake used in WPA2. SAE is based on the Dragonfly key exchange (a Password Authenticated Key Exchange / PAKE protocol). It provides forward secrecy and resists offline dictionary attacks, even if the Wi-Fi password is weak.
SAML (Security Assertion Markup Language) — An XML-based standard for exchanging authentication and authorization assertions between an Identity Provider (IdP) and a Service Provider (SP). Widely used for enterprise single sign-on (SSO). Being gradually superseded by OIDC for new implementations, though SAML remains prevalent in enterprise environments.
SBOM (Software Bill of Materials) — A machine-readable inventory of all components, libraries, and dependencies in a software artifact. SBOMs enable vulnerability tracking across the software supply chain — when a new CVE is disclosed, organizations can quickly determine which systems are affected. Standard formats include SPDX and CycloneDX.
Scrypt — A memory-hard password-based key derivation function designed to make brute-force attacks expensive by requiring large amounts of memory in addition to CPU time. Used alongside bcrypt and Argon2 for password hashing. Also used in some cryptocurrency proof-of-work systems (Litecoin).
Security Group — In cloud computing (AWS, Azure, GCP), a stateful virtual firewall controlling inbound and outbound traffic at the instance or network interface level. Security groups use allow-only rules — all traffic is denied by default. Return traffic for allowed connections is automatically permitted.
SHA (Secure Hash Algorithm) — A family of cryptographic hash functions published by NIST. SHA-1 (160-bit output) is deprecated and practically broken for collision resistance. SHA-2 (SHA-256, SHA-384, SHA-512) is widely used and secure. SHA-3 (Keccak) is a structurally different alternative based on a sponge construction. All SHA variants are one-way functions.
SIEM (Security Information and Event Management) — A platform that collects, normalizes, correlates, and analyzes log data from across an organization's IT infrastructure. SIEMs provide real-time alerting, dashboards, threat detection rules, and historical search for security investigation. Examples include Splunk, Elastic Security, Microsoft Sentinel, and Google Chronicle.
SIGMA — A generic, open signature format for describing log events and detection rules in a SIEM-agnostic way. SIGMA rules can be converted to queries for Splunk, Elastic, Microsoft Sentinel, and other platforms. Enables sharing detection logic across the security community without vendor lock-in.
SNI (Server Name Indication) — A TLS extension that allows a client to specify which hostname it is attempting to connect to during the TLS handshake. SNI enables a single IP address to serve TLS certificates for multiple domains (virtual hosting). SNI is transmitted in plaintext in TLS 1.2; Encrypted Client Hello (ECH) in TLS 1.3 addresses this privacy concern.
SOC (Security Operations Center) — The organizational function responsible for continuous security monitoring, threat detection, incident triage, and response. Typically staffed in tiers: Tier 1 (alert triage), Tier 2 (investigation and analysis), Tier 3 (advanced threat hunting and incident response). May be in-house or outsourced (MSSP).
SOC 2 — A compliance framework developed by the AICPA that evaluates an organization's controls across five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports cover the operating effectiveness of controls over a period (typically 6–12 months) and are commonly required by enterprise customers.
SOAR (Security Orchestration, Automation, and Response) — A platform that automates repetitive security workflows (alert enrichment, ticket creation, containment actions), orchestrates actions across multiple security tools, and manages incident response cases. Reduces mean time to respond (MTTR) by eliminating manual steps.
SPF (Sender Policy Framework) — An email authentication standard implemented as a DNS TXT record that specifies which mail servers are authorized to send email on behalf of a domain. SPF alone is insufficient — it only checks the envelope sender (MAIL FROM), not the header From: address. Must be combined with DKIM and DMARC.
SQL Injection — An attack that inserts malicious SQL code into application queries through unsanitized user input, potentially allowing unauthorized data access, modification, or deletion. The most reliable prevention is parameterized queries (prepared statements). Additional defenses include input validation, stored procedures, least-privilege database accounts, and WAFs.
SSRF (Server-Side Request Forgery) — An attack where the attacker induces a server-side application to make HTTP requests to arbitrary URLs, typically targeting internal services, cloud metadata endpoints (169.254.169.254), or other resources not directly accessible from the internet. Mitigated by URL validation, allowlists, network segmentation, and disabling cloud metadata access from application containers.
SSL (Secure Sockets Layer) — The predecessor to TLS. All SSL versions (1.0, 2.0, 3.0) are deprecated and cryptographically broken. The term "SSL" persists colloquially but should not be used for protocol configuration — always use TLS 1.2 or TLS 1.3. SSL 3.0 was broken by the POODLE attack (2014).
Supply Chain Attack — An attack that compromises a target by infiltrating a trusted third party in its supply chain — software vendors, open-source dependencies, build systems, hardware manufacturers, or managed service providers. The SolarWinds attack (2020) compromised the build pipeline of a widely used IT management tool, affecting thousands of organizations.
SYN Flood — A denial-of-service attack that exploits the TCP three-way handshake by sending a high volume of SYN packets without completing the handshake (never sending the final ACK). The target's connection table fills with half-open connections, preventing legitimate clients from connecting. Mitigated by SYN cookies, rate limiting, and DDoS protection services.
Symmetric Encryption — A cryptographic system where the same secret key is used for both encryption and decryption. Dramatically faster than asymmetric encryption. Examples include AES and ChaCha20. The key distribution problem (securely sharing the key) is solved by using asymmetric key exchange (DH, ECDHE) to establish the symmetric key.
T
Threat Hunting — The proactive, hypothesis-driven practice of searching for threats that have evaded automated detection. Threat hunters use knowledge of adversary TTPs, anomaly analysis, and data exploration to identify indicators of compromise or suspicious behavior that security tools missed. Requires access to rich log data and understanding of normal baselines.
TOTP (Time-based One-Time Password) — An algorithm (RFC 6238) that generates a short-lived numeric code from a shared secret and the current time. Used in authenticator apps (Google Authenticator, Authy) as a second authentication factor. Codes are valid for a short window (typically 30 seconds). More secure than SMS-based codes but vulnerable to phishing (unlike FIDO2).
Threat Modeling — A structured approach to identifying security risks during system design. Common frameworks include STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), PASTA (Process for Attack Simulation and Threat Analysis), and attack trees. Most effective when performed during the design phase, before code is written.
TLS (Transport Layer Security) — The cryptographic protocol providing confidentiality (encryption), integrity (MAC/AEAD), and authentication (certificates) for network communications. TLS 1.3 (RFC 8446, 2018) is the current version, offering a streamlined handshake (1-RTT, 0-RTT), mandatory PFS, and removal of legacy insecure algorithms. TLS is the successor to SSL.
TTPs (Tactics, Techniques, and Procedures) — The patterns of behavior used by threat actors, documented in frameworks like MITRE ATT&CK. Tactics describe the adversary's goal (e.g., initial access, persistence, exfiltration). Techniques describe how the goal is achieved (e.g., spearphishing, scheduled task). Procedures are the specific implementation details.
V
Virus — Malware that attaches itself to a legitimate program or file and replicates when the host file is executed. Unlike worms, viruses require user action (running the infected program) to propagate. Modern malware has largely moved beyond simple file viruses to fileless techniques, living-off-the-land binaries, and memory-only payloads.
VLAN (Virtual Local Area Network) — A logical segmentation of a physical network at Layer 2, creating separate broadcast domains. Traffic between VLANs must pass through a Layer 3 device (router or L3 switch) where access controls can be enforced. VLAN hopping attacks (double tagging, switch spoofing) can bypass VLAN isolation if switches are misconfigured.
VPN (Virtual Private Network) — A technology that creates an encrypted tunnel between endpoints, providing secure communication over untrusted networks. Types include IPsec VPN (site-to-site), SSL/TLS VPN (remote access), and WireGuard (modern, lightweight). A VPN shifts trust from the network path to the VPN provider — it does not provide anonymity.
Vulnerability — A weakness in a system, application, process, or human behavior that can be exploited by a threat actor. Vulnerabilities can be technical (software bugs, misconfigurations, design flaws) or human (susceptibility to social engineering). Managed through vulnerability scanning, patch management, secure development practices, and configuration hardening.
W
WAF (Web Application Firewall) — A security device or service that inspects HTTP/HTTPS traffic to and from a web application, blocking requests that match attack signatures or violate policies. WAFs protect against SQL injection, XSS, CSRF, file inclusion, and other OWASP Top 10 threats. Can operate in blocking mode or detection-only (monitoring) mode.
WireGuard — A modern, lightweight VPN protocol designed for simplicity and performance. WireGuard uses a fixed set of cryptographic primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s) and has a minimal codebase (~4,000 lines of kernel code), making it easier to audit than IPsec or OpenVPN. Integrated into the Linux kernel since version 5.6.
Watering Hole Attack — An attack where the adversary compromises a website frequently visited by the target group, then serves malware or exploits to visitors. Named after predators waiting near water sources for prey. Used by APT groups to target specific industries, government agencies, or organizations.
WPA/WPA2/WPA3 (Wi-Fi Protected Access) — The security certification programs for wireless networks. WPA (TKIP) is deprecated and insecure. WPA2 (AES-CCMP) is widely deployed but vulnerable to KRACK and offline dictionary attacks against PSK mode. WPA3 introduces SAE for improved key exchange, forward secrecy, and 192-bit security suite for enterprise environments.
Worm — Self-replicating malware that propagates across networks without user interaction by exploiting vulnerabilities in network services. Unlike viruses, worms do not require a host file. Notable examples: Morris Worm (1988), SQL Slammer (2003), Conficker (2008), WannaCry (2017, exploiting EternalBlue/MS17-010).
X
XSS (Cross-Site Scripting) — An attack that injects malicious scripts into web pages viewed by other users. Three types: reflected XSS (malicious input returned in the immediate response), stored XSS (malicious input persisted in the database and served to other users), and DOM-based XSS (client-side JavaScript processes attacker-controlled data unsafely). Mitigated by context-aware output encoding, Content Security Policy, and input validation.
Y
YARA — A pattern-matching tool for identifying and classifying malware samples by defining rules that describe strings, byte sequences, and boolean conditions. YARA rules are used by malware researchers, incident responders, and threat intelligence platforms (VirusTotal) to detect known malware families and variants.
Z
Zero Day — A vulnerability unknown to the software vendor and for which no patch exists. Zero-day exploits target these vulnerabilities before they can be fixed. Zero-day attacks bypass signature-based detection entirely, making behavioral analysis, anomaly detection, and defense in depth the primary defenses.
Zero Trust — A security model based on the principle "never trust, always verify." Zero trust assumes threats exist both inside and outside the network perimeter. Every access request is fully authenticated, authorized, and encrypted regardless of the requester's network location. Key principles: verify explicitly, use least-privilege access, assume breach, enforce micro-segmentation, and monitor continuously.
ZTNA (Zero Trust Network Access) — A security framework that replaces traditional VPN by providing secure, per-application remote access based on identity verification and device posture assessment. Unlike VPN, ZTNA does not place users on the corporate network — it brokers access to specific applications only after verifying identity, device health, and policy compliance.