(ISC)² Team

Egregious misuse of cyber security terminology

I am turning the tables and am going to ask all of YOU.

Post your examples of policies, regulations, articles, blogs - basically anything written - that misuses key security terms like risk, threat, vulnerability, etc.

This could be fun.

Mc

14 Replies
Contributor II

Re: Egregious misuse of cyber security terminology

Maybe I'm old (or oldschool), but I don't like when:

  • Articles use the term "hacker" to refer to criminals who use a computer
  • Any criminal act or crime "on the internet" is automatically called "hacking" or "cyber crime"

Other than that, I generally find that the popular press is unable to understand the difference between a side-channel attack against a specific implementation of a cryptosystem and the cipher itself being "broken", as in mathematically proven not to provide the level of security that was thought. No one is "breaking AES in 30 seconds!" -- they're recovering key material by monitoring signals emanated from the implementation during operation and using that to reduce the problem space to recover the rest of the key. That's fundamentally different from showing AES is broken.

-- wdf//CISSP, CSSLP
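To make the distinction in the post above concrete, here is an added example (not code from the original thread or its authors) of an implementation leak that has nothing to do with the strength of the primitive. The oracle computes an HMAC-SHA256 tag and checks a submitted tag with an early-exit byte comparison; the attacker never touches the key or the hash, but by observing how far the comparison ran (a deterministic operation count stands in for wall-clock timing) it recovers the 32-byte tag with at most 256 guesses per byte instead of 2^256 overall. The same attack run against a constant-time comparison recovers nothing. The key and message are constructed sample values, and the "bytes examined" counter is an assumption that models the timing signal.

```python
"""Toy timing side channel against a MAC comparison.

The primitive (HMAC-SHA256) is untouched; only the *implementation* of the
tag check leaks. Operation counts replace real timing so the run is
deterministic. Added example, not code from the original post.
"""
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, not real material
TAG_LEN = 32                          # SHA-256 digest length


def compute_tag(message: bytes) -> bytes:
    """The oracle's side: a perfectly fine MAC."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).digest()


def leaky_compare(expected: bytes, submitted: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    bytes_examined models the timing signal: it grows by one for every
    leading byte the attacker got right, which is the whole leak.
    """
    if len(expected) != len(submitted):
        return False, 0
    examined = 0
    for x, y in zip(expected, submitted):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, submitted: bytes) -> tuple[bool, int]:
    """Examines every byte regardless of where the first mismatch is, so the
    signal is always len(expected) and carries no information. In production
    use hmac.compare_digest, which does this in C."""
    if len(expected) != len(submitted):
        return False, 0
    diff = 0
    for x, y in zip(expected, submitted):
        diff |= x ^ y
    return diff == 0, len(expected)


def recover_tag(message: bytes, compare) -> tuple[bytes, int]:
    """Attacker loop. Knows the message, never sees the key or the real tag;
    sees only the oracle's accept/reject answer and the timing signal.

    For each position it tries all 256 byte values and keeps the one that made
    the comparison run longest (ties broken by the accept bit, which matters
    only on the final byte). Returns (recovered_tag, total_guesses).
    """
    real_tag = compute_tag(message)  # held by the oracle; attacker cannot read it
    known = bytearray()
    guesses = 0
    for pos in range(TAG_LEN):
        best_key, best_byte = (-1, False), 0
        for candidate in range(256):
            guess = bytes(known) + bytes([candidate]) + bytes(TAG_LEN - pos - 1)
            equal, signal = compare(real_tag, guess)
            guesses += 1
            if (signal, equal) > best_key:  # longer run, or an outright accept
                best_key, best_byte = (signal, equal), candidate
        known.append(best_byte)
    return bytes(known), guesses


if __name__ == "__main__":
    msg = b"constructed sample message"
    real = compute_tag(msg)
    leaked, n = recover_tag(msg, leaky_compare)
    print("leaky compare  :", "recovered" if leaked == real else "failed", f"in {n} guesses")
    safe, n = recover_tag(msg, constant_time_compare)
    print("constant-time  :", "recovered" if safe == real else "failed", f"after {n} guesses")
```

The point the block makes is the one the post makes: the attacker finishes in 256 × 32 = 8192 oracle queries against the leaky check, and the fix is to change the comparison, not the cipher. Against the constant-time check the "best" candidate at every position is simply the first one tried, so the recovered value is unrelated to the real tag.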
Community Champion

Re: Egregious misuse of cyber security terminology

I came across one at work where someone had basically conflated 'reducing' the attack surface with every other concept in cybersecurity by using it as a consumer durable in what was essentially a list of controls, that ended with 'and significantly reduces the attack surface.'

Patches, MFA, using Linux, having a procedure, administrative controls... it all got it. Just try making your own controls up:

"We keep a rabid St Bernard in our server room that tries to kill everybody who enters. This makes the webservers less accessible to attackers because their fingers are chomped off and they can no longer easily introduce Disney themed mass produced comedy USB drives... thereby significantly reducing the attack surface."

As you can see, it lends a superior air of authenticity and authority!

Contributor II

Re: Egregious misuse of cyber security terminology

Also, calling virtualization, especially slim-line virtualization like jails/zones/containers, a "security" technology induces a major dose of "you keep using that word. I do not think it means what you think it means."

That is not to say that compartmentalization doesn’t provide some security benefit, BUT relying solely on it is basically the same thing as doing nothing.
-- wdf//CISSP, CSSLP
Newcomer I

Re: Egregious misuse of cyber security terminology

I have one to kick it off. How about we start spelling "cybersecurity" properly as defined in both Oxford and Webster dictionaries. Then maybe we can get Microsoft to update their dictionary.