Facebook Twitter LinkedIn YouTube
East Midlands Chamber News

The A to Z of cyber security

Navigating the language of cyber security is a minefield that complicates the online safeguarding process for many businesses. Sarah Knowles, principal security consultant at Nexor, explains what some of the key terms.

Sarah Knowles, of Nexor

Authorise - The process of reviewing compliance to a standard, less formal than an audit

Assessment - The process of identifying risks to organisational operations (including mission, functions, image, reputation), organisational assets, individuals, other organisations, and the nation, resulting from the operation of an information system

Assurance - A process to make sure a product or system has been developed in a secure way

Accreditation - The process a business undertakes to provide assurance a solution is acceptable for a specific purpose

Availability - Ensuring timely and reliable access to and use of information

BS 10754 - "Information technology. Systems trustworthiness. Governance and management specification". This standard provides a specification for improving the trustworthiness of systems, software and services

Cyber Essentials - Cyber Essentials is a simple but effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks

Cross-domain - The act of manually and/or automatically accessing and/or transferring information between different security domains

Cross-domain desktop - A single desktop terminal with remote access to multiple lower trust domains

CAV – Connected and autonomous vehicles. These vehicles can replace the driver for some or all of the driving tasks

Data diode - A data diode (also referred to as a unidirectional gateway, deterministic one-way boundary device or unidirectional network) is a network appliance or device allowing data to travel only in one direction

Denial of service - When legitimate users are denied access to computer services (or resources), usually by overloading the service with requests

Encryption - A mathematical function that protects information by making it unreadable by everyone except those with the key to decoding it

Flow control - Ensure data only flows in the direction required to support the business process. Often delivered by a firewall (two-way data flow) or a data diode (one-way data flow)

Guard - Guards reduce the risk of malware getting into a network; of sensitive data leaking out, and ensure that appropriate controls are in place for the data to be released between networks

Gap assessment - Reviewing a system or process against a known baseline or standard, to see where the company might be deficient

GDPR - The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area

High domain - In security information exchange – the higher secure domain being protected

HardSec - Hardware security sits at the root of the physical part of a system, protecting its basic components. An example of this is a hardware security module (HSM) that can be used to provision cryptographic keys to encrypt, decrypt, or authenticate user identities

Information Exchange Gateway - An Information Exchange Gateway (IEG) is a system designed to facilitate secure communication between different security and management domains

Interoperability - The ability of one entity to communicate with another entity

ISO (27001, 21434, 24242) - (International Organisation for Standardisation) is an independent, non-governmental, international organisation that develops standards to ensure the quality, safety, and efficiency of products, services, and systems

IASME - (Information Assurance for Small and Medium Enterprises Consortium). The IASME Governance standard allows small companies in a supply chain to demonstrate their level of cyber security for a realistic cost and indicates that they are taking good steps to properly protect their customers' information

Incident management - The mitigation of violations of security policies and recommended practices

Identity management - Identity management, also known as identity and access management, is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources

Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

JSON - JSON stands for JavaScript Object Notation. JSON is a lightweight format for storing and transporting data

Keys - Used in cryptography to protect or gain access to protected data

Low domain - Opposite of high domain

Malware - Malicious software - a term that includes viruses, trojans, worms or any code or content that could have an adverse impact on organisations or individuals

NCSC – The National Cyber Security Centre (NCSC) provides cyber security guidance and support, helping to make the UK the safest place to live and work online

Network security - Network security combines multiple layers of defences at the edge and in the network. Each network security layer implements policies and controls. Authorised users gain access to network resources, but malicious actors are blocked from carrying out exploits and threats

Open systems - A system that allows entities from different enterprises to access information related to tags used in the system. Open systems use an inter-enterprise subsystem to share information between entities

Open source - Commonly refers to software that uses an open development process and is licensed to include the source code

Protocol break - Protocol break is the process of stripping and replacing the transport protocol headers from a network packet or stream to ensure that the transport protocol itself cannot be used to carry a covert channel

Phishing - Untargeted, mass emails sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website

Policy - Statements, rules or assertions that specify the correct or expected behavior of an entity. For example, an authorisation policy might specify the correct access control rules for a software component

Procedures - A set of instructions defining how to do something

Quantum cryptography - Also called quantum encryption. It applies principles of quantum mechanics to encrypt messages in a way that it is never read by anyone outside of the intended recipient

Resilience - The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs

Risk assessment - The process of identifying risks to organisational operations (including mission, functions, image, reputation), organisational assets, individuals, other organisations, and the nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

Security assessment - The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system

Security improvement plan - The security improvement plan is a working document and is intended to both guide the project team through the required actions and provide a means to track action ownership, resource estimates, priorities, target dates, current percent completion and appropriate status comments

SIXA® – Secure Information eXchange Architecture is an architectural approach to secure information exchange, utilising a number of configurable building blocks that follow best practice guidance patterns from the NCSC

Supply chain risk management - A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats, whether presented by the supplier, the supplies product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal)

Software security - Software security is an idea implemented to protect software against malicious attack and other hacker risks so that the software continues to function correctly under such potential risks

Transform - Modify the content or protocol for interoperability or security purposes. Sometimes referred to as a gateway

Threat actor - An individual or a group posing a threat

Threat assessment - Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat

Two-factor authentication - The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication

Unauthorised access - A person gains logical or physical access without permission to a network, system, application, data, or other resource

Validate - The process to check a specification/system meets a business need

Verify - A method to demonstrate compliance to a set of rules/specification

Vulnerability - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source

Web guard - This guard manages secure information exchange for web downloads and uploads

X.509 - A digital certificate that uses the widely accepted international X. 509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate

Y – Refers to Generation Y (or Millennials); those born between 1981 and 1996. There is a notion that this generation is a cyber criminal’s dream. While very tech savvy, professionals in this age range are mixing their personal and work information, which presents a cyber security risk. See more on this topic here

Zero-day - Recently discovered vulnerabilities (or bugs), not yet known to vendors or antivirus companies, that hackers can exploit

Zero trust - Zero trust is a security concept centered on the belief that organisations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access

Back