Beruflich Dokumente
Kultur Dokumente
Appendix H
Glossary
Advanced
persistent
threat (APT)
A well-resourced, sophisticated adversary that uses multiple attack vectors such as cyber, physical, and deception to achieve its objectives. An APT
pursues its objectives repeatedly over an extended period of time, adapts to
the defenders efforts to resist the APT, and is determined to maintain the
required interaction level to execute its objectives [291].
Adversary
Alert
An event or notification generated by a monitoring system (e.g., an IDS), usually with an assigned priority.
Asset
A major application, general support system, high-impact program, physical plant, mission-critical system, personnel, equipment, or a logically related
group of systems [42].
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade,
or destroy information system resources or the information itself [42].
Artifact
The remnants of an intruder attack or incident activity. These could be software used by intruder(s), a collection of tools, malicious code, logs, files, output from tools, or status of a system after an attack or intrusion. Examples of
artifacts range from Trojan horse programs and computer viruses to programs that exploit (or check for the existence of) vulnerabilities or objects of
unknown type and purpose found on a compromised host [8].
Audit data
The data that comprises a security audit trail written by a host OS or application. (See Audit trail.)
Audit log
Audit review
The process whereby a human analyst uses manual and automated means
to inspect the details of a computer security audit trail for evidence of
potentially malicious or anomalous activity or other activity of concern.
Audit trail
11 It should be noted that this definition of a security audit trail portrays the ideal case for security
logs, not the reality. The reality is that audit logging functions in many programs record only a
portion of the information necessary to reconstruct the who, what, when, and where of activity;
or that they do so but in an obscured or hard-to-reconstruct fashion.
319
Glossary
Blue Team
The group responsible for defending an enterprises use of information systems by maintaining its security posture against a group of mock attackers (the Red Team). The Blue Team typically must defend against real or
simulated attacks (1) over a significant period of time, (2) in a representative
operation context such as part of an operational exercise, and (3) according
to rules established with the help of a neutral group that is moderating the
simulation or exercise [42].
Case
A written record of the details surrounding a potential or confirmed computer security incident.
Chief
information
officer (CIO)
Senior-level executive responsible for (1) providing advice and other assistance to the head of the executive organization and other senior management personnel of the organization to ensure that information systems are
acquired and information resources are managed in a manner that is consistent with laws, directives, policies, regulations, and priorities established by
the head of the organization; (2) developing, maintaining, and facilitating the
implementation of a sound and integrated information system architecture
for the organization; and (3) promoting the effective and efficient design and
operation of all major information resources management processes for the
organization, including improvements to work proce sses of the organization
(adapted from [42]).
Chief
information
security officer
(CISO)
The senior-level executive within an organization, responsible for management of the information security program for the entire organization (usually
subordinate to the CIO).
Computer
forensics
Computer
network
defense (CND)
The practice of defense against unauthorized activity within computer networks, including monitoring, detection, analysis (such as trend and pattern
analysis), and response and restoration activities [42].
Computer
security
incident
response team
(CSIRT)
Constituency
The group of users, sites, IT assets, networks, and organizations to which the
CSIRT provides services (adapted from [43]).
Correlation
320
Cracker
Cyberspace
A global domain within the information environment consisting of the interdependent network of information systems infrastructures, including the
Internet, telecommunications networks, computer systems, and embedded
processors and controllers [42].
Cyber
intelligence
report (cyber
intel)
Cyber
observable
Cybersecurity
Measures to provide information assurance, improve resilience to cyber incidents, and reduce cyber threats (adapted from [295]).
Cybersecurity
operations
center
Cyber
situational
awareness
Within a volume of time and space, the perception of an enterprises security posture and its threat environment, the comprehension/meaning of both
taken together (risk), and the projection of their status into the near future
[42].
Enclave
A collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of
location [42].
Event
Exfiltrate (exfil)
False positive
Host
Glossary
Host intrusion
detection
system (HIDS)
Incident
An assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information
the system processes, stores, or transmits; or that constitutes a violation
or imminent threat of violation of security policies, security procedures, or
acceptable use policies [42].
Indicator
Information
assurance (IA)
Information
system security
manager (ISSM)
The individual responsible for the information assurance of a program, organization, system, or enclave [42].
Information
systems
security officer
(ISSO)
The individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program [42].
Insider threat
An entity with authorized access (i.e., within the security domain) that has the
potential to harm an information system or enterprise through destruction,
disclosure, modification of data, and/or denial of service [42].
Inspector
General (IG)
Intrusion
Intrusion
detection
system (IDS)
Intrusion
prevention
system (IPS)
A system that can detect an intrusive activity and can also attempt to stop
the activity, ideally, before it reaches its targets [42].
322
Log
Malware
Malicious code
NetFlow
NetFlow data
Network
Information system(s) implemented with a collection of interconnected components including routers, hubs, cabling, telecommunications controllers, key
distribution centers, and technical control devices [42].
Network
intrusion
detection
system (NIDS)
IDSes that detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor
the network traffic affecting multiple hosts that are connected to the network segment [42].
Ops tempo
Packet capture
(PCAP)
Penetration
testing
A test methodology in which assessors (typically working under specific constraints) attempt to circumvent or defeat the security features of an information system [42].
Red Team
Remote access
tool
Programs that run on a remote host, providing an intruder with control over
the target system; often used by adversaries to maintain remote persistence
without the users knowledge or consent.
323
Glossary
Script kiddie
A would-be attacker who has a relatively low skill level, such as someone who
can download and execute scripts or other exploits, but is unable to create
their own attacks; a pejorative term usually in reference to a novice cracker
(adapted from [44]).
Security
operations
center (SOC)
Security
information
and event
management
(SIEM)
Situational
awareness (SA)
System
administrator
(sysadmin)
System owner
Tactics,
techniques,
and procedures
(TTPs)
Tier 1 CND
analysts
Members of the SOC who are responsible for real-time monitoring of sensor
and data feeds, triage of events of interest, and escalation to Tier 2.
Tier 2 CND
analysts
Members of the SOC who are responsible for collection and in-depth analysis of a wide variety of indicators and log data and coordination of incident
response activities.
Threat
Any circumstance or event that has the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation, through an
information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service [42].
Triage
The process of receiving, initial sorting, and prioritizing of information to facilitate its appropriate handling [8].
Virus
A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a
computer, use email programs to spread itself to other computers, or even
erase everything on a hard disk [42].
324
Vulnerability
assessment
325
List of Abbreviations
Appendix I
List of Abbreviations
ACL
AES
APT
ASCII
ASIC
ATM
AV
Antivirus
B2B
Business to Business
B2G
Business to Government
BIOS
BSD
BSOD
CBE
CEE
CEF
CEI
CEO
CERT
CI
Counterintelligence
CIDF
CIFS
CIO
CIRC
CIRT
CISO
CSIRT
CJCSI
CM
Configuration Management
CMMI
CNA
CND
CNE
CNSS
CONOPS
Concept of Operations
COO
COOP
Continuity of Operation
COTS
Commercial Off-the-Shelf
CPU
CRITs
CS
Computer Science
CSIRC
CSIRT
CSO
CSOC
CSV
Comma-Separated Values
CTAC
CTO
CUDA
CVE
CybOX
DASD
DHCP
DHS
DLP
DMVPN
DMZ
Demilitarized Zone
DoD
Department of Defense
DoJ
Department of Justice
DoS
Denial of Service
FAQ
FBI
FIRST
FOC
FOSS
FPGA
List of Abbreviations
FTE
FTP
G2G
Government to Government
GB
Gigabyte
GPGPU
GPO
gigE
Gigabit Ethernet
GRE
GUI
HIDS
HIPS
HOPE
HR
Human Resources
HTTP
IaaS
Infrastructure as a Service
I/O
Input/Output
IA
Information Assurance
ICMP
ID
Identity; Identification
IDPS
IDS
IG
Inspector General
IODEF
IP
Internet Protocol
IPS
ISAC
ISSE
ISSM
ISSO
IT
Information Technology
JDBC
KVM
LAN
LDAP
LE
Law Enforcement
LM
Log Management
MAC
Mb
Megabit
MD5
MOA
Memorandum of Agreement
MOU
Memorandum of Understanding
MPLS
MSSP
NAC
NAS
NAT
NICS
NIDS
NIPS
NIS
NIST
NMS
NOC
NOSC
O&M
OODA
OS
Operating System
OSI
OSSIM
PaaS
Platform as a Service
PCAP
Packet Capture
PCIe
PE
Portable Executable
PF
Packet Filter
PID
POC
Point of Contact
PoP
Point of Presence
329
List of Abbreviations
POP3
R&D
RAID
RAM
RAT
RDBMS
RSA
RT
Request Tracker
RTF
RX
Receiver
SA
Situational Awareness
SaaS
Software as a Service
SAN
SCADA
SDEE
SDK
SEI
SHA
SIEM
SLA
SMB
SMTP
SNMP
SOC
SONET
SOP
SPAN
SQL
SSD
SSH
Secure Shell
SSL
SSO
Single Sign-On
STE
STIX
STU
TA
Trusted Agent
TACACS
TAXII
TB
Terabyte
TCO
TCP
TLS
TPM
TTPs
TX
Transmit
UDP
URL
USB
VA/PT
VIP
VLAN
VM
Virtual Machine
VoIP
VPN
VRF
WAN
WELF
WINE
WOMBAT
XML
ZFS
Z File System
331