I am turning the tables and am going to ask all of YOU.
Post your examples of policies, regulations, articles, blogs, - basically anything written, that misuses key security terms like risk, threat, vulnerability, etc.....
This could be fun.
Maybe I'm old (or oldschool), but I don't like when:
Other than that, I generally find that the popular press is unable to understand the difference between a side-channel attack against a specific implementation of a cryptosystem and the cipher itself being "broken," - as in, mathematically proven to not provide the level of security that was thought. No one is "breaking AES in 30 seconds!" -- they're recovering key material by monitoring signals eminated from the implementation during operation and using that to reduce the problem space to recover the rest of the key. That's fundamentally different than showing AES is broken.
I came across one at work the where someone had basically conflated 'reducing' the attack surface with every other concept in cybersecurity by using it as a consumer durable in what was essentially a list of controls, that ended with 'and significantly reduces the attack surface.
Patches, MFA, using Linux, having a procedure, administrative controls... it all got it. Just try making your own controls up:
"We keep a rabid St Bernard in our server room that tries to kill everybody who enters. This makes the webservers less accessible to attackers because their fingers are chomped off and they can no longer easily introduce Disney themed mass produced comedy USB drives... thereby significantly reducing the attack surface."
As you can see, it lends a superior air of authenticity and authority!
I have one to kick it off. How about we start spelling "cybersecurity" properly as defined in both Oxford and Webster dictionaries. Then maybe we can get Microsoft to update their dictionary.
All issues related to Security today - IT Security , Information Security , Data Security are clubbed as Cyber security issues .
Suddenly everyone is only a Cyber security Professional .
It feels as if everything is now either in the cloud or virtual . !!!
- Articles use the term "hacker" to refer to criminals who use a computer
- Any criminal act or crime "on the internet" is automatically called "hacking" or "cyber crime"
I share this pet peeve. We should instead call these folks what they are - thieves, vandals, perverts. Instead, the media calls them "hackers," and it's like they're wizards and the Internet is Hogwarts. The terminology obfuscates the reality. In fairness, those of us on the technical end of things tend to get hung up more on terminology than meaning, too. I recall a meeting where are CEO was delicately dressed down for referring to something as SQL insertion rather than injection. Who cares? In this case the CEO understand the concept but butchered the words. We get too caught up as to whether something is "data" or "information" or we're willing to go to verbal war over "cybersecurity" or "information security." Arguably the challenge for both the technical and non-technical is prioritization - failing to understand how a vulnerability impacts an organization.
Fully agreed - Yeah...French isn't a 'Lingua Franca' because it was too precious about staying pure - or at least those in charge of it were.
'Cyber' and 'Hacker' are lost as they mean something very different now, so I wouldn't burn the energy - unless it's in the service of comedy I'd recommend looking at the concept of 'Globish' as this makes super good sense.
Unfortunately the security buzzword generator now seems to be hosting malware...
Recycling or reuse of TLAs (Three Letter Acronyms). IAM is a good one. Words too, 'Asset' means different things to executives versus IT folks. Can be the physical machines, or something much less tangle like reputation.
Also technical terms from other areas like 'Polyinstantiation' often cause misunderstandings. Often recycling activities or concepts, but simply replacing the name, or using a catchy nickname instead of a more descriptive (and often more accurate) name.