topic Re: Egregious misuse of cyber security terminology in Member Support

Egregious misuse of cyber security terminology

jmccumber — Tue, 23 Jan 2018 21:43:33 GMT

I am turning the tables and am going to ask all of YOU.

Post your examples of policies, regulations, articles, blogs, - basically anything written, that misuses key security terms like risk, threat, vulnerability, etc.....

This could be fun.

Re: Egregious misuse of cyber security terminology

Badfilemagic — Tue, 23 Jan 2018 23:54:14 GMT

Maybe I'm old (or oldschool), but I don't like when:

Articles use the term "hacker" to refer to criminals who use a computer
Any criminal act or crime "on the internet" is automatically called "hacking" or "cyber crime"

Other than that, I generally find that the popular press is unable to understand the difference between a side-channel attack against a specific implementation of a cryptosystem and the cipher itself being "broken," - as in, mathematically proven to not provide the level of security that was thought. No one is "breaking AES in 30 seconds!" -- they're recovering key material by monitoring signals eminated from the implementation during operation and using that to reduce the problem space to recover the rest of the key. That's fundamentally different than showing AES is broken.

Re: Egregious misuse of cyber security terminology

Early_Adopter — Wed, 24 Jan 2018 02:11:24 GMT

I came across one at work the where someone had basically conflated 'reducing' the attack surface with every other concept in cybersecurity by using it as a consumer durable in what was essentially a list of controls, that ended with 'and significantly reduces the attack surface.

Patches, MFA, using Linux, having a procedure, administrative controls... it all got it. Just try making your own controls up:

"We keep a rabid St Bernard in our server room that tries to kill everybody who enters. This makes the webservers less accessible to attackers because their fingers are chomped off and they can no longer easily introduce Disney themed mass produced comedy USB drives... thereby significantly reducing the attack surface."

As you can see, it lends a superior air of authenticity and authority!

Re: Egregious misuse of cyber security terminology

Badfilemagic — Wed, 24 Jan 2018 03:00:47 GMT

Also, calling virtualization, especially slim-line virtualization like jails/zones/containers a “security” technology induces a major dose “you keep using that word. I do not think it means what you think it means.”

That is not to say that compartmentalization doesn’t provide some security benefit, BUT relying solely on it is basically the same thing as doing nothing.

Re: Egregious misuse of cyber security terminology

SecurityDrew — Wed, 24 Jan 2018 11:29:59 GMT

I have one to kick it off. How about we start spelling "cybersecurity" properly as defined in both Oxford and Webster dictionaries. Then maybe we can get Microsoft to update their dictionary.

Re: Egregious misuse of cyber security terminology

rsequeira_b — Wed, 24 Jan 2018 11:36:56 GMT

All issues related to Security today - IT Security , Information Security , Data Security are clubbed as Cyber security issues .

Suddenly everyone is only a Cyber security Professional .

It feels as if everything is now either in the cloud or virtual . !!!

Re: Egregious misuse of cyber security terminology

Early_Adopter — Wed, 24 Jan 2018 15:04:54 GMT

I think we need some GIFs... How about it mods?

Re: Egregious misuse of cyber security terminology

JoePete — Wed, 24 Jan 2018 18:09:00 GMT

@Badfilemagic wrote:
Articles use the term "hacker" to refer to criminals who use a computer
Any criminal act or crime "on the internet" is automatically called "hacking" or "cyber crime"

I share this pet peeve. We should instead call these folks what they are - thieves, vandals, perverts. Instead, the media calls them "hackers," and it's like they're wizards and the Internet is Hogwarts. The terminology obfuscates the reality. In fairness, those of us on the technical end of things tend to get hung up more on terminology than meaning, too. I recall a meeting where are CEO was delicately dressed down for referring to something as SQL insertion rather than injection. Who cares? In this case the CEO understand the concept but butchered the words. We get too caught up as to whether something is "data" or "information" or we're willing to go to verbal war over "cybersecurity" or "information security." Arguably the challenge for both the technical and non-technical is prioritization - failing to understand how a vulnerability impacts an organization.

Re: Egregious misuse of cyber security terminology

Early_Adopter — Thu, 25 Jan 2018 05:39:32 GMT

Fully agreed - Yeah...French isn't a 'Lingua Franca' because it was too precious about staying pure - or at least those in charge of it were.

'Cyber' and 'Hacker' are lost as they mean something very different now, so I wouldn't burn the energy - unless it's in the service of comedy I'd recommend looking at the concept of 'Globish' as this makes super good sense.

Unfortunately the security buzzword generator now seems to be hosting malware...

Re: Egregious misuse of cyber security terminology

Edd — Thu, 25 Jan 2018 21:27:14 GMT

Recycling or reuse of TLAs (Three Letter Acronyms). IAM is a good one. Words too, 'Asset' means different things to executives versus IT folks. Can be the physical machines, or something much less tangle like reputation.
Also technical terms from other areas like 'Polyinstantiation' often cause misunderstandings. Often recycling activities or concepts, but simply replacing the name, or using a catchy nickname instead of a more descriptive (and often more accurate) name.

Re: Egregious misuse of cyber security terminology

Badfilemagic — Fri, 26 Jan 2018 00:33:06 GMT

I think acronym overload is on the fault of computing as much as it is the press... try to debug layer two issues on an apple device without very specific google-fu due to MAC/Mac.

Or layer2 encryption MACsec, where both MAC addresses and cryptographic Message Authentication Codes (MACs) are actually relevant (makes searching a document more difficult)

Re: Egregious misuse of cyber security terminology

rslade — Thu, 21 Jun 2018 17:58:36 GMT

Since I (literally) "wrote the book" on security terminology, I'd love to join the game.

I'll start with "social engineering." I mean, really, what we have here is just a fancy term for "lying" most of the time, isn't it? As far as I'm concerned, we are giving the bad guys way too much credit for simple fibs. (Yeah, I'm a teacher, and I know enough psychology and sociology to know that social engineering can be a lot more complicated, and useful, than that. But it isn't the way we apply it to the bad guys.)

Another one the drives me up the wall is APT, or "Advanced Persistent Threat." Just break it down: "Advanced" - we didn't think of this first. "Persistent" - we didn't fix it, so they came back. "Threat" - they did something bad.

Somebody has mentioned cloud. Did you know cloud is actually an acronym? Standing for "Could Lose Our Under Drawers"? We had cloud for decades. We called it time-sharing, or distributed computing, or thin client, etc. It just means "using someone else's computer."

(I give you Slade's Law of Computer History - Those who fail to learn the lessons of computer history are doomed to buy it again--repackaged.)

Another whole category that bugs me is marketing terms. One example: you know what IDS is, right? Intrusion detection system. No problem. You know what IPS means? Whatever the vendor says it means. Search through the security literature and you will find all kinds of descriptions of intrusion prevention systems--no two alike. Does it discard packets? Does it analyse packets? Does it block packets? Depends on which vendor you ask, and what their "IPS" does.

Re: Egregious misuse of cyber security terminology

rslade — Fri, 22 Jun 2018 18:11:53 GMT

Sometimes it's not funny.

I was at a meeting the other day where the topic was "risk management." That's central to what we do, but I realized that there wasn't much commonality to the definition of the term.

The meeting was sponsored by a business continuity group. They were definitely thinking about risks on the "A" point of the CIA triad. Most of us in information security tend to emphasize the confidentiality part. (Actually, my background started in in malware research, and we were really keen on integrity--it's one of the three key means of virus detection.) BC/DR people tend to lump confidentiality into a special corner of what they would call reputational risk.

There were some bankers there. When the banks (or others from fintech) talk about risk, it means capital risk. All of what we consider risk management they tend to put in a box called operational risk.

And then there is management. I don't really understand why management shuts down every time we talk about risk. If you are a manager, of anything, you manage two things: people, and risk. Management is managing business risk every minute of every day--they just do it "by the seat of their pants" rather than using formal tools.

Very often we need to enlarge our concept of the terms we use ...

Re: Egregious misuse of cyber security terminology ('Risk')

Edd — Fri, 22 Jun 2018 18:42:10 GMT

I've found that it -sometimes- helps in the discussion on 'Risk Management' to break it down into 3 parts:

1- Risk Identification: Identifying and documenting a particular threat to an asset help set the stage;

2- Risk Assessment: After Identification, coming up with some way to quantify or rank risks helps;

3- Risk Mitigation: After the previous two steps, coming up with either a plan to lower the risk or to

document the acceptance of the risk is essential.

I'm basing this on my own experience of always insisting that risk is the likelihood of a threat to an asset manifesting. So this hinges upon the definitions of 'threats' and 'assets'. Hopefully 'likelihood' is not a point of disagreement.

Re: Egregious misuse of cyber security terminology

green20151 — Sat, 30 Jun 2018 17:28:12 GMT

I'd love to, but it's so prevalent I would have no time left for getting work done!