Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jmccumber
Newcomer III
‎01-23-2018 04:43 PM
‎01-23-2018 04:43 PM

Egregious misuse of cyber security terminology

I am turning the tables and am going to ask all of YOU.

 

Post your examples of policies, regulations, articles, blogs, - basically anything written, that misuses key security terms like risk, threat, vulnerability, etc.....

 

This could be fun.

 

Mc

Reply
14 Replies
Badfilemagic
Contributor II
‎01-25-2018 07:33 PM
‎01-25-2018 07:33 PM

I think acronym overload is on the fault of computing as much as it is the press... try to debug layer two issues on an apple device without very specific google-fu due to MAC/Mac.

Or layer2 encryption MACsec, where both MAC addresses and cryptographic Message Authentication Codes (MACs) are actually relevant (makes searching a document more difficult)
-- wdf//CISSP, CSSLP
Reply
0 Kudos
rslade
Influencer II
‎06-21-2018 01:58 PM
‎06-21-2018 01:58 PM

Since I (literally) "wrote the book" on security terminology, I'd love to join the game.

 

I'll start with "social engineering."  I mean, really, what we have here is just a fancy term for "lying" most of the time, isn't it?  As far as I'm concerned, we are giving the bad guys way too much credit for simple fibs.  (Yeah, I'm a teacher, and I know enough psychology and sociology to know that social engineering can be a lot more complicated, and useful, than that.  But it isn't the way we apply it to the bad guys.)

 

Another one the drives me up the wall is APT, or "Advanced Persistent Threat."  Just break it down: "Advanced" - we didn't think of this first.  "Persistent" - we didn't fix it, so they came back.  "Threat" - they did something bad.

 

Somebody has mentioned cloud.  Did you know cloud is actually an acronym?  Standing for "Could Lose Our Under Drawers"?  We had cloud for decades.  We called it time-sharing, or distributed computing, or thin client, etc.  It just means "using someone else's computer."

 

(I give you Slade's Law of Computer History - Those who fail to learn the lessons of computer history are doomed to buy it again--repackaged.)

 

Another whole category that bugs me is marketing terms.  One example: you know what IDS is, right?  Intrusion detection system.  No problem.  You know what IPS means?  Whatever the vendor says it means.  Search through the security literature and you will find all kinds of descriptions of intrusion prevention systems--no two alike.  Does it discard packets? Does it analyse packets? Does it block packets?  Depends on which vendor you ask, and what their "IPS" does.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Reply
rslade
Influencer II
‎06-22-2018 02:11 PM
‎06-22-2018 02:11 PM

Sometimes it's not funny.

 

I was at a meeting the other day where the topic was "risk management."  That's central to what we do, but I realized that there wasn't much commonality to the definition of the term.

 

The meeting was sponsored by a business continuity group.  They were definitely thinking about risks on the "A" point of the CIA triad.  Most of us in information security tend to emphasize the confidentiality part.  (Actually, my background started in in malware research, and we were really keen on integrity--it's one of the three key means of virus detection.)  BC/DR people tend to lump confidentiality into a special corner of what they would call reputational risk.

 

There were some bankers there.  When the banks (or others from fintech) talk about risk, it means capital risk.  All of what we consider risk management they tend to put in a box called operational risk.

 

And then there is management.  I don't really understand why management shuts down every time we talk about risk.  If you are a manager, of anything, you manage two things: people, and risk.  Management is managing business risk every minute of every day--they just do it "by the seat of their pants" rather than using formal tools.

 

Very often we need to enlarge our concept of the terms we use ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Reply
0 Kudos
Edd
Newcomer I
‎06-22-2018 02:42 PM
‎06-22-2018 02:42 PM

-

  I've found that it -sometimes- helps in the discussion on 'Risk Management' to break it down into 3 parts:

  1- Risk Identification:  Identifying and documenting a particular threat to an asset help set the stage;

  2- Risk Assessment:   After Identification, coming up with some way to quantify or rank risks helps;

  3- Risk Mitigation:       After the previous two steps, coming up with either a plan to lower the risk or to

                                     document the acceptance of the risk is essential.

 

  I'm basing this on my own experience of always insisting that risk is the likelihood of a threat to an asset manifesting. So this hinges upon the definitions of 'threats' and 'assets'.  Hopefully 'likelihood' is not a point of disagreement.

-

Reply
0 Kudos
green20151
Newcomer III
‎06-30-2018 01:28 PM
‎06-30-2018 01:28 PM

I'd love to, but it's so prevalent I would have no time left for getting work done!

Reply
0 Kudos