jmccumber
Newcomer III

Egregious misuse of cyber security terminology

I am turning the tables and am going to ask all of YOU.

 

Post your examples of policies, regulations, articles, blogs, - basically anything written, that misuses key security terms like risk, threat, vulnerability, etc.....

 

This could be fun.

 

Mc

14 Replies
Badfilemagic
Contributor II

I think acronym overload is as much the fault of computing as it is of the press... try to debug layer-two issues on an Apple device without very specific Google-fu, due to MAC/Mac.

Or layer-2 encryption, MACsec, where both MAC addresses and cryptographic Message Authentication Codes (MACs) are actually relevant (which makes searching a document more difficult).
-- wdf//CISSP, CSSLP
rslade
Influencer II

Since I (literally) "wrote the book" on security terminology, I'd love to join the game.

 

I'll start with "social engineering."  I mean, really, what we have here is just a fancy term for "lying" most of the time, isn't it?  As far as I'm concerned, we are giving the bad guys way too much credit for simple fibs.  (Yeah, I'm a teacher, and I know enough psychology and sociology to know that social engineering can be a lot more complicated, and useful, than that.  But it isn't the way we apply it to the bad guys.)

 

Another one that drives me up the wall is APT, or "Advanced Persistent Threat."  Just break it down: "Advanced" - we didn't think of this first.  "Persistent" - we didn't fix it, so they came back.  "Threat" - they did something bad.

 

Somebody has mentioned cloud.  Did you know cloud is actually an acronym?  Standing for "Could Lose Our Under Drawers"?  We had cloud for decades.  We called it time-sharing, or distributed computing, or thin client, etc.  It just means "using someone else's computer."

 

(I give you Slade's Law of Computer History - Those who fail to learn the lessons of computer history are doomed to buy it again--repackaged.)

 

Another whole category that bugs me is marketing terms.  One example: you know what IDS is, right?  Intrusion detection system.  No problem.  You know what IPS means?  Whatever the vendor says it means.  Search through the security literature and you will find all kinds of descriptions of intrusion prevention systems--no two alike.  Does it discard packets? Does it analyse packets? Does it block packets?  Depends on which vendor you ask, and what their "IPS" does.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Sometimes it's not funny.

 

I was at a meeting the other day where the topic was "risk management."  That's central to what we do, but I realized that there wasn't much commonality to the definition of the term.

 

The meeting was sponsored by a business continuity group.  They were definitely thinking about risks on the "A" point of the CIA triad.  Most of us in information security tend to emphasize the confidentiality part.  (Actually, my background started in malware research, and we were really keen on integrity--it's one of the three key means of virus detection.)  BC/DR people tend to lump confidentiality into a special corner of what they would call reputational risk.

 

There were some bankers there.  When the banks (or others from fintech) talk about risk, it means capital risk.  All of what we consider risk management they tend to put in a box called operational risk.

 

And then there is management.  I don't really understand why management shuts down every time we talk about risk.  If you are a manager, of anything, you manage two things: people, and risk.  Management is managing business risk every minute of every day--they just do it "by the seat of their pants" rather than using formal tools.

 

Very often we need to enlarge our concept of the terms we use ...


Edd
Newcomer I

I've found that it sometimes helps in the discussion on 'Risk Management' to break it down into 3 parts:

1. Risk Identification: identifying and documenting a particular threat to an asset helps set the stage;

2. Risk Assessment: after identification, coming up with some way to quantify or rank risks helps;

3. Risk Mitigation: after the previous two steps, coming up with either a plan to lower the risk or to document the acceptance of the risk is essential.

I'm basing this on my own experience of always insisting that risk is the likelihood of a threat to an asset manifesting. So this hinges upon the definitions of 'threats' and 'assets'.  Hopefully 'likelihood' is not a point of disagreement.

green20151
Newcomer III

I'd love to, but it's so prevalent I would have no time left for getting work done!