Glossary

Asymmetric ciphers: Also called public-key ciphers; they use two keys, one for encryption and another for decryption.

Attack: A specific malicious action (e.g., ICMP flooding).

CFAA: Computer Fraud and Abuse Act.

Cipher: An algorithm that performs encryption/decryption. Sometimes, the term cryptosystem is used instead of cipher. There are two types of ciphers depending on the use of keys: symmetric and asymmetric.

Cryptanalysis: A study of techniques for “cracking” encryption ciphers, i.e., attacks on cryptosystems.

Encryption: The process of transforming readable text/data, called plaintext, into an unintelligible form, called ciphertext. Decryption is the inverse process of encryption.

Hashing algorithms: Algorithms that take an input of any length and output a fixed-length string, called a hash, which can be used, for example, in signatures or for data-integrity checks.

ISO 22301: The international standard for Business Continuity Management Systems (BCMS). It provides a framework for organizations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.

ISO/IEC 27001: An information security standard. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Organizations with an ISMS that meet the standard's requirements can choose to have it certified by an accredited certification body following successful completion of an audit. ISO/IEC 27001 was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, with revisions in 2013 and 2022.

Key: A secret string of characters or symbols that is used for the encryption/decryption of plaintext/ciphertext.

NIST Cybersecurity Framework (CSF): A set of voluntary guidelines developed by the U.S. National Institute of Standards and Technology (NIST) designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks.

NIST Special Publication 800-37 Rev2 (Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy): A risk management framework for information systems developed by the Joint Task Force Transformation Initiative Working Group. The first revision aimed to transform the traditional Certification and Accreditation (C&A) process into the Risk Management Framework (RMF); the second revision addressed privacy controls in a more central manner and added a preparatory step. The second step of the RMF is to select the appropriate subset of security controls from the control catalog in NIST Special Publication 800-53.

SSAE 16 (Statement on Standards for Attestation Engagements no. 16): An auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 and has been superseded by SSAE No. 18.

Symmetric ciphers: Also referred to as secret-key ciphers; they use the same key for encryption and decryption. Symmetric cryptosystems are divided into two groups: block ciphers and stream ciphers. In block ciphers, encryption/decryption operations are performed on blocks of bits or bytes, whereas stream ciphers operate on individual bits/bytes.

Threat Vector: The method used to deliver the attack (e.g., phishing emails for credential theft).