Bishop Fox - Cybersecurity Style Guide - V1


BISHOP FOX
CYBERSECURITY STYLE GUIDE
VERSION 1
FEBRUARY 15, 2018

Bishop Fox Contact Information:
1 (480) 621-8967
style@bishopfox.com
8240 S. Kyrene Road
Suite A-113
Tempe, AZ 85284

Contributing Technical Editors:
Brianne Hughes, Erin Kozak, Lindsay Lelivelt, Catherine Lu

We want to thank all of our Bishop Fox consultants, especially Dan Petro, for reviewing and improving the guide's technical content.

Bishop Fox 2018/02/15

TABLE OF CONTENTS

Welcome!
  Technical Formatting
  What to Expect in the Guide
The Cybersecurity Style Guide
  A-Z
Appendix A: Decision-making Notes
  How We Choose Our Terms
  How To Codify Your Own Terms
Appendix B: External Resources
Epilogue

WELCOME!

We are Bishop Fox, a global information security consulting firm based in the United States. Welcome to our cybersecurity style guide. We compiled this guide to keep ourselves technically accurate and up to date in our reports, presentations, and social media interactions. Now we want to share this version of our standards with you.

This guide is designed for security researchers. It provides advice on which words to use in reports, how they should look in the middle of a sentence, and how to pronounce them out loud. Since the terms are listed alphabetically, you'll find serious usage advice right next to playful entries about internet culture.

Each term in the guide earned its place by being unintuitive in some way:
- It may look like a non-technical word (execute, pickling, shell),
- It may be uniquely written (BeEF, LaTeX, RESTful),
- It may not follow a clear pattern (web page vs. website),
- It may have a very specific technical distinction (invalidated vs. unvalidated),
- Or its meaning may change depending on the context (crypto, PoC, red teaming).

Language is always evolving, and those changes are especially visible in an innovative field like information security. This guide aspires to record those changes in vocabulary and encourage researchers to use language intentionally as the digital lexicon continues to grow. Learn more about what guides our style choices in Appendix A.

This is a work in progress. We intend to revise this list in the future and share subsequent versions with the public. Please contact style@bishopfox.com with ideas about new entries or improvements to existing entries.

NOTE
This guide is a starting point for further research into technical terms, not a comprehensive dictionary. We provide usage notes about capitalization, fonts, and pronunciation where needed, but not every term here is defined. External resources with detailed technical definitions can be found in Appendix B.

Technical Formatting

We use two fonts. Most of our text appears in Open Sans (this sans serif font). We refer to Open Sans in the style guide as the normal font. The secondary font is Source Code Pro, a monospace (fixed-width) font that we refer to throughout this guide as the tech font.

The tech font makes technical terms stand out to the reader when they appear in and out of quoted code. We use the tech font for several reasons in several ways. Even with the chart below, we're still finding gray areas. Here is an overview of how we use these fonts:

Normal Font
- Titles of documents and file types: Bishop Fox Security Style Guide, a PDF file
- Error messages and security questions: "Please enter a valid user ID."
- Names of organizations, companies, and teams: DEF CON, .NET, Tor, assessment team
- Names of products and their versions: Ethernet, Steam, Ubuntu 17.04
- Types of requests: GET request, pull request, PUT request
- Ports by themselves: port 80, port 443
- Types of fields, headers, parameters, etc.: data element, content-type header
- Line numbers: "On line 42 of the code excerpt"
- Vulnerability IDs: CVE-2014-6271, MS15-034, RFC 1918

Tech Font
- Full names of documents and files: Security Style Guide.pdf
- File paths: server/web/directory/
- Email addresses: style@bishopfox.com
- Usernames and passwords: @bishopfox, admin:admin, password
- URIs and URLs: data:, www.bishopfox.com/[variable]
- IP addresses (with or without ports): 192.168.1.1, 192.168.1.1:80
- Names of fields, headers, parameters, etc.: C: drive, Secure flag, url parameter
- Quoted code: "Block [\n] and [?] characters"
- Code excerpts: <b>Hello World!</b>, 3. Go to 1

Terms that use the tech font appear in that style no matter where they show up in a report, including bullet points and figure captions.

Bold Text

When writing about clickable buttons in reports, we follow the Microsoft Manual of Style (see Appendix B). We bold button names that the reader is meant to click. When writing about a feature with the same name as a button, capitalize it if applicable, but don't bold it.
- Click Track Changes to show all your future changes in Word.
- The Track Changes feature allows users to track their edits.
- After hitting the OK button, the user was redirected to the Home tab.

Within the style guide word list, bolding indicates that a related term has its own entry.

What to Expect in the Guide

Each headword appears in either normal or tech font and is capitalized as it would appear in the middle of a sentence. For example:

denial of service (n.), denial-of-service (adj.) (DoS)
A denial of service is caused by denial-of-service attacks. Spell out on first use. DoS is pronounced as "doss" or spoken as the whole phrase, not the acronym.
Related: DDoS

Some entry headings clarify parts of speech: (adj.) for adjective, (n.) for noun, (v.) for verb.

Many security terms have disputed pronunciations because they were typed first and then spoken out loud later. Pronunciation is provided for select terms in the guide. Be aware that some acronyms look similar but are pronounced differently:
- CIO is pronounced as letters, but CISO is pronounced as "seeso."
- UI is pronounced as letters, but GUI is pronounced as "gooey."
- PoC is pronounced as letters, but T-POC is pronounced as "tee-pock."
- OSINT is pronounced "O-S-int" but OWASP is pronounced "oh-wasp."

By combining the use of two fonts, button bolding, and the big word list below, we strive to be accurate, consistent, and understandable to our clients. It's been helping us internally and we hope it helps you now, too.

THE CYBERSECURITY STYLE GUIDE

A-Z

!
The exclamation point or bang.

@
The at sign.
Related: email, handle, username

#
The pound sign or hashtag. Only called hashtag when tagging something. This character and the sharp sign [♯] are sometimes used interchangeably and are pronounced as "sharp" in programming language names.
Related: C#, characters, numbers, tweet

/
Slash. Avoid using the slash to compare two things outside of set phrases like 24/7, and/or, client/server, h/t, and TCP/IP.
Related: mm/dd/yyyy, s/o, SSL/TLS

\
Backslash.

`
Tic character (backtick). Not an apostrophe.

0-day (n. or adj.)
A "zero-day" or "oh-day" finding. In formal writing, it's better to use zero-day finding, previously undisclosed vulnerability, or publicly undisclosed vulnerability.

2600
A hacker magazine founded in 1984. Also a series of local clubs. https://www.2600.com/

2FA or TFA
Two-factor authentication.
Related: MFA

3DES
Triple DES. A symmetric key block cipher. DES is pronounced as letters or "dez."

3D printing

3G, 4G
Third- and fourth-generation communications technology. Cell phone network options. Do not spell out.
Related: CDMA, GSM

3Scale
An API management platform.

4chan
A website for trolls and memes that birthed Anonymous and rickrolling.
Related: dox, message board, NSFW, troll

7-Zip
An open source file archiver.

8.3 filename
Related: short-name

8-bit (adj.)

A

a vs. an
Use "an" when the next word begins with a vowel sound when spoken, regardless of spelling. A hybrid test. A unified problem. A Xerox machine. An HTTP issue. An SSH tunnel. An underlying cause. An XSS attack.

a11y
Accessibility, often in relation to technology. 11 represents the 11 letters removed from the middle of the word.
Related: i18n, L10n, k8s

abort (v.)
Avoid using the verb unless it's in quoted code. Try force quit or interrupt instead.

abuse (n.)
This is acceptable in common industry phrases like "application abuse." Avoid using it on its own if possible. Try "malicious use or usage" instead.

abuse (v.)
OK in set phrases but do not use it on its own. Try alter, automate, compromise, deface, exhaust, exploit, force, impersonate, manipulate, misuse, reuse indefinitely, take advantage of, or a more specific verb instead.

-accessible (adj.)
Always hyphenate.

access point (AP)
Spell out on first use.

ACE
Arbitrary code execution. Spell out on first use.

ACL, ACLs
Access control list. Spell out on first use.

AD
Active Directory. Spell out on first use.

adb or adb
Also called the Android Debug Bridge, adb is both a command and a technology for interacting with an Android phone connected to a computer.

ad blocking (n.), ad-blocking (adj.)

add on (v.), add-on (n.)

address bar

ad hoc (adj.)
Describes immature security infrastructure. In networks (especially wireless ones), ad hoc means decentralized.

admin or admin
Short for administrator. Write in normal text if referring to the role or admin privileges. If referring to the username admin, use tech font.

adversary
Do not use this term in formal writing; use attacker or malicious user instead.

AES
Advanced Encryption Standard. Spell out on first use.

Agile process
Related: scrum, sprint

AI
Artificial intelligence, often used as jargon to refer to a computer program. AI can also mean Amnesty International.
Related: Deep Blue, HAL 9000, machine learning, replicants, The Three Laws of Robotics, Turing Test, Watson, WOPR

Airbnb

air-gapped (adj.)
Air-gapped systems are disconnected from insecure networks and the internet.

Akana
An API management provider.

alert box

Alexa
Amazon AI.
Related: Cortana, Google Assistant, Siri

algorithm (n.)

alphanumeric (adj.)
Describes strings that contain letters and numbers, not special characters, punctuation, or spaces.

a.m.
Put a space after the number as in "4 a.m. GMT." Include the time zone if referring to a testing window or specific event.

Amazon EC2, Amazon ECR, Amazon RDS
Web services. After first use, you can refer to the services by name without "Amazon."

analog

and/or
Use sparingly in formal writing.

Android
Google's mobile operating system.

android (n.)

angle brackets
The < and > characters.
Related: characters

AngularJS
A JavaScript framework.

Animoji
Animated emoji created by Apple.

anonymization

Anonymous
International group of 4chan hacktivists with a Guy Fawkes mask symbol.

anti-malware

antivirus (AV)

Apache Server

Aperture Science
A fictional research company from the Portal series of video games.

API, APIs
Short for application programming interface. How software interacts with other software. Do not spell out.

app vs. application
Smart devices like phones and tablets have apps, computers have applications. App can also be a shortened form of application. To the security industry, they are all computer programs.

Apple
Related: FaceTime, FairPlay, iOS, iPhone, Lightning cables, Mac OS X, macOS-based, PowerBook, Siri

applet (n.)

Apple TV

application security
Often used loosely as an alternate term for information security; strictly, it is the subset of information security concerned with securing software.

APT
Short for application penetration testing. Also stands for advanced persistent threat or advanced packaging tool. Spell out on first use in public-facing documents.
Related: criticality, EPT, IPT, pen testing

AR
Augmented reality.
Related: IoT, VR, Vuforia

arbitrary (adj.)
Of the attacker's choosing, as in "the user would be redirected to an arbitrary URL."

Archer
An animated spy TV show that inspired the name of the Bishop Fox Danger Drone. It's also the name of an RSA security product.

Arduino (n.)
Pronounced "ar-dweeno."

ARM
The RISC processor architecture (and the company behind it) used in microprocessors; the ARM Architecture Reference Manual is also abbreviated ARM. Define briefly on first use to clarify your intended meaning.

artificial intelligence (AI)

ASCII
Pronounced "ask-ee."

ASLR
Address space layout randomization. Spell out on first use.

ASP.NET

asset
Assets are systems, software, applications, libraries, personnel, equipment, or anything else that clients value and want to protect.

ASV
Approved Scanning Vendor. Spell out on first use.
Related: PCI

ATM
Short for automated teller machine or "at the moment." "ATM machine" is redundant.
Related: PIN, SSN

at-rest (adj.), at rest
At-rest encryption. Data at rest.

attack chain
Related: elevation of privileges

attacker-controlled (adj.)

attacker-owned (adj.)

attack surface (n.)

attribute
A specification of a value. When writing about a type of attribute, use normal font. When discussing a specific attribute, use tech font as in "a username attribute."

audio conference, audio conferencing
Related: videoconferencing

audit trails

AUP
Acceptable Use Policy. Spell out on first use.

authentication

authorization bypass

autocomplete (n. or v.)
A generic term for an application feature that predicts the rest of the word or phrase as a user types.

autocorrect (n. or v.)
A generic term for an application feature that fixes identified mistakes in typed words.

autofill

automation
The automatic operation of required processes.

auto-renew (v.)

avatar

AWS
Amazon Web Services.

B

backdoor (n. or v.)

back end (n.), back-end (adj.)

backported (adj.), backporting (n. or v.)

backslash or \

backtrace
Related: traceback

back up (v.), backup (n. or adj.)

backwards compatibility (n.)

backwards compatible (adj.)

badput
Related: goodput, throughput

bandwidth
The data-carrying capacity of a network link. "Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway." – Andrew Tanenbaum

bank drops

barcode

bar mitzvah attack
An attack on the RC4 cipher in SSL/TLS. So named because the RC4 weakness it exploits had been known for 13 years when the attack was published.

Base64-encoded (adj.), Base64 encoding (n.)

-based (adj.)
Always hyphenate. Ex: host-based, logic-based, role-based

baseline

Bash

BASIC
A programming language.

bastion host
A specially hardened host often used as a gateway to pivot into other hosts.

BBS
Bulletin board system.

BCC, BCC'd, BCCing
Blind carbon copy. Do not spell out.
Related: CC, email

BCP
Business continuity plan. Spell out on first use.

bcrypt
Pronounced "bee-crypt." A password hashing function.

BEC
Business email compromise. Spell out on first use.
Related: phishing

BeEF, BeEF hooking
Browser Exploitation Framework.

BER
Bit error rate. Spell out on first use.

best practices
Business jargon, use sparingly. Practices that align with compliance guidelines or industry standards.
Related: CIS 20

beta (n. or adj.)

BF
An informal name for Bishop Fox. Used very sparingly in places where space is limited.

BGP
Border Gateway Protocol. Spell out on first use.

Big Brother
The symbol of totalitarian surveillance from the novel Nineteen Eighty-Four. Big Brother is watching you.

big data

big-endian (adj.)

BIG-IP
A load balancer. Pronounced "big-eye-pee."

billion laughs attack
An XML entity-expansion denial of service.
Related: DoS

binary
Base-2 number system. 0 or 1. Can also refer to binary executable files.
Related: big-endian, little-endian

BIND
A DNS server.

birds of a feather (BoF)
An informal discussion group.

birth date

Bishop Fox
Our company.
Related: foxes, Lucius Fox, Martin Bishop

bit (n.), -bit (adj.)
As in "a key length of at least 2048 bits" or "a 2048-bit RSA key." When abbreviated, use lowercase b for bits, uppercase B for bytes.

Bitbucket
An Atlassian product for Git.

bitcoin
Digital cryptocurrency.
Related: coins vs. tokens, cold wallet, hot wallet, securities

bit-flipped (adj.), bit-flipping (adj.)

BitLocker
Microsoft Windows disk encryption software.

bitstream

BitTorrent

BlackBerry

black-box testing

Black Hat
A series of annual security conferences that happen in the USA, Europe, and Asia. https://www.blackhat.com/

black hat
An attacker or malicious user.

blacklist (v. or n.), blacklisting
Related: blocklist

black market
We prefer this term in formal reports to describe unindexed illegal online activity hubs. Tor and I2P are the anonymity networks colloquially called the "dark web."
Related: fullz, I2P, Tor

bleeding edge (n. or adj.)

blind (adj.)
During a blind attack, the attacker is unable to view the outcome of an action.

bloatware

BLOB or blob
Binary large object.

blockchain, block chaining
Related: CBC, cryptocurrency

blocklist, blocklisting
A proposed alternative term for blacklisting. Not yet widespread.
Related: safelist

blog, blogroll

BloodHound
A pen testing tool that maps Active Directory relationships to find attack paths.

Blowfish
An encryption algorithm.

blue screen (v.)

Blue Screen of Death (BSOD)

blue team, blue teaming (v.)
Blue teams run scenarios to defend a target or environment from potential attackers. They reduce the attack surface, employ hardening strategies, and use honeypots.
Related: red team, purple team

Bluetooth
A unifying wireless system named after a tenth-century Danish king, Harald Bluetooth.

Blu-ray

BMP file, .bmp file
Short for bitmap.

Bomgar
An IT support portal.

Boolean operators
Useful AND precise.

boot chain (n.)
Related: start up

boot time (n.)

Boston Dynamics

bot
An automated program like a chatbot or Twitterbot.

botnet
A network of compromised machines under an attacker's control, used for DDoS, spam, and malware distribution, including ransomware.

Brainfuck
An esoteric programming language.

breadcrumbs, breadcrumb trail

breakpoint (n. or v.)

brick
Informal. An old heavy cell phone or a dead device.

brick-and-mortar (adj.)
Describes IRL places of business.

browsable (adj.)

browser fingerprinting

browser hijacking

brute-force (v. or n.), brute-forcing (n.)

BSD
Berkeley Software Distribution. A Unix-derived operating system.

BSides
A global series of security events. http://www.securitybsides.com/

bucket
When discussing a type of bucket, use normal font. When discussing a specific bucket by name, use tech font for the name as in "an oz-provision bucket."

buffer overflow

bug bounty

Bugcrowd
A crowdsourced bug bounty security company.

built-in (adj.)

bulleted (adj.)

bullet point (n.)

Burp Suite, Burp Collaborator
A web application proxy.

business impact analysis (BIA)
Spell out on first use.

BuzzFeed

BYOD
Bring your own device. Describes companies that allow employees to use their own computers and phones for work.

bypass (v. or n.)

byproduct

bytes
Kilobytes, megabytes, gigabytes, terabytes, petabytes. KB, MB, GB, TB, PB. No space between number and unit as in 64TB. Use uppercase B for bytes, lowercase b for bits.
Related: MiB, units of measurement

C

C#
A programming language. Pronounced as "C sharp."
Related: #, hashtag

CA
Certificate or certification authority. Spell out on first use.
Related: CEH, CISSP

cache (n. or v.)

cache busting

cache poisoning

CactusCon
An annual security conference in Arizona. http://www.cactuscon.com/

callback (adj. or n.)
As in "a crafted callback parameter."

CAM
Computer-aided manufacturing. Spell out on first use.
Related: LMS

canary account
Related: honeypot

canonicalization, canonicalize

CAPTCHA, CAPTCHAs
The Completely Automated Public Turing test to tell Computers and Humans Apart. A challenge-response test.
Related: computer vision, reCAPTCHA

carriage return character or \r
A control character (CR, 0x0D) that moves the cursor back to the beginning of the line. It's a skeuomorph that refers to the way typewriters need to "return" a carriage to its original position.

case-by-case (adj.)

cash-out guide

catch (v.)
Related: throw

The Cathedral and the Bazaar (CatB)

CBC
Cipher block chaining. Spell out on first use.

CC, CC'd, CCing
Carbon copy. Do not spell out.
Related: BCC, email

CCC
Chaos Communication Congress. An annual security conference in Germany.

CCTV
Closed circuit television.

CD, CD-R, CD-ROM, CD-RW

CDMA
Code division multiple access.

CDN
Content delivery network. Spell out on first use.

CDP
Clean desk policy. Spell out on first use.

CEH
Certified Ethical Hacker.

cell phone

certificate

CFO
Chief Financial Officer.

CGI
Short for computer-generated images or, less commonly, Common Gateway Interface. Define briefly on first use to clarify your intended meaning.

challenge-response mechanisms
Robot-filtering tests like CAPTCHA.
Related: Turing Test

changelog

characters
When calling out specific characters (keystrokes) that affect the meaning of a code sequence, use tech font surrounded by square brackets in normal font as in "added a single quote [']." If the character's name is also its symbol, write it in tech font. If the font difference is not visible, use quotation marks as in 30,000 "A" characters.
Related: metacharacters, wildcards

chatroom

chattr
Short for change attribute. Pronounced as "chatter."
Related: chmod, chroot

checkbox (n.)

check out (v.), checkout (adj. or n.)

checksum, checksums

child abuse material
This is a more accurate term for child pornography. If you discover child abuse material in the context of your work, report it to a manager immediately. If you find it online outside of work, quickly contact NCMEC, the National Center for Missing and Exploited Children.

chmod
Change mode. Pronounced as "change mod," "C-H-mod," or "chuh-mod."
Related: chattr, chroot

Chrome
Google browser.

Chromecast

chroot
Change root. A Unix operation that makes a directory appear to a process as the root of the filesystem. Pronounced as "C-H-root" or "chuh-root."
Related: chattr, chmod

chroot directory or ChrootDirectory
ChrootDirectory is an sshd_config directive that confines a session to the named directory.

chroot jail
A way to isolate a process from the rest of the system.

CIA
Short for the Central Intelligence Agency or the triad of information security concerns: confidentiality, integrity, and availability.

CIO
Chief information officer.
Related: CFO, CISO

cipher
Don't use "cypher." Write the names of ciphers in normal font as in Blowfish.
Related: RSA, SHA

cipher suite

ciphertexts

CIS 20
The Center for Internet Security has a list of 20 guidelines for securing organizations.

CIS CSC
CIS Critical Security Controls.
Related: CIS 20

CISO
Chief Information Security Officer. Pronounced "seeso."

CISSP
A security certification. Certified Information Systems Security Professional.

class
When discussing a specific class by name, use tech font as in "a Time class."

cleartext vs. plaintext
In common usage, these terms are used interchangeably. In our reports, cleartext means unencrypted content. Plaintext is a more technical term that describes the input to a cryptographic system (which itself may already be encrypted or hashed).
Related: CPA

clear web or Clear Web
This is used in contrast to the "dark web" or "dark net" parts of the internet. It refers vaguely to publicly accessible sites that have been indexed by search engines. Do not use in formal writing.

CLI
Short for command-line interface or command language interpreter. Spell out on first use.

clickbait

clickjacking
In formal writing, we refer to this finding as "user interface (UI) redress." It's also called "cross-frame scripting."

click through (v.)

clickthrough (adj. or n.)

client-side (adj.)

clip art

Clippy
Discontinued anthropomorphic paper clip assistant in Microsoft Office.

closed caption (n.), closed-caption (adj.)

the cloud
Business jargon. "The cloud" is just servers.

cloud computing

CloudFront
An AWS content delivery network (CDN).

CloudTrail
An AWS service that logs API activity for auditing and monitoring.

cluster (n.)
As in "provision a cluster on each account."

CMDB
Configuration management database. Spell out on first use.

CMS
Content management system. Spell out on first use.

co-creator

code (n. or v.)

codebase
Related: user base

codec
Coder/decoder.

Codecademy

code path

code shrinking

coins vs. tokens
These are units of worth in virtual currencies. These terms are sometimes used interchangeably and sometimes used very differently. Define briefly on first use to clarify your intended meaning.
Related: bitcoin, cryptocurrency

cold-call (v.), cold call (n.)
A social engineering strategy.

cold storage (n.)

cold wallet
Offline cryptocurrency key storage.
Related: hot wallet

command and control (C2) machine

command line (n.), command-line (adj.)

commercial-free (adj.)

commodity hardware
Off-the-shelf, widely available hardware; in an attack context, gear that anyone could buy and use.

company-wide (adj.)

compensating controls

compile (v.)

compliance framework

computer vision (n.)

configuration drift

connect-back shell (n.)

constants (n.)
Named values that are fixed when defined and referenced in later code.

containerization

content injection

content spoofing

content type, Content-Type header

-controlled (adj.)
Always hyphenate. Ex: attacker-controlled, user-controlled

cookie (n.)

cookie poisoning, cookie security

cooperate (v.)

coordinate (v.)

copycat (adj. or v.)
Related: spoof

corrupted (adj.)

CORS
Cross-origin resource sharing. Spell out on first use.

Cortana
Microsoft AI.
Related: Alexa, Google Assistant, Siri

countermeasure (n.)

coworking space

CPA
Chosen-plaintext attack. Spell out on first use.

CPU
Central processing unit. Do not spell out.

crack (v.)

crawl (v.)

credential reuse (n.)

credentials (n.)
The information necessary to pass a security check, often a username and password. Sometimes an RFID badge.

critical (adj.)
Describes a non-negotiable business function or a vulnerability with catastrophic consequences that is easily exploitable.

criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.

cron
A Unix job scheduler that runs commands at configured times.

cron job (n.)

cross-platform (adj.)

cross-site scripting (XSS)
There are three kinds of XSS: reflected, stored, and DOM-based.

Crowbar
A brute-forcing tool for remote login services.

crowdfund (v.)

crowdsource (v.), crowdsourcing (n.)

CRUD
Create, read, update, delete (or destroy).

cryptanalysis (n.), cryptanalytic (adj.)

crypto
Historically, this was short for cryptography. Now, it can also mean cryptocurrency. Spell out on first use to clarify your intended meaning.

cryptocurrency
Virtual currency.
Related: bitcoin, blockchain, coins vs. tokens, salami slicing attack, securities

cryptographically

CSP
Short for Content Security Policy. Spell out on first use.

CSPRNG
Short for Cryptographically Secure Pseudo-Random Number Generator. A random number generator whose output is unpredictable to an attacker, suitable for keys and tokens. Spell out on first use.

CSRF
Short for cross-site request forgery. A common vulnerability. Spell out on first use.

CSS
Cascading Style Sheets, the stylesheet language used with HTML. Do not spell out.

C-suite (adj. or n.)
High-level executives like CEOs and CIOs.

CSV file, .csv file
Comma-separated value(s).

CSWSH
The cross-site WebSocket hijacking vuln. Spell out on first use.

CTF
Capture the flag. Spell out on first use in public-facing documents.

CTO
Chief Technology Officer.

CTR
Short for clickthrough rate or Counter Mode. Spell out on first use.

Cupertino effect
A spell-checker error that replaced "cooperation" with "Cupertino" because the dictionary only listed the hyphenated "co-operation."

cURL
Pronounced "curl."
Related: Wget

currency
Our reports rarely include specific values but we default to USD as in $1.50. Follow AP style for mixed currency situations.

cursor (n.)

custom-written (adj.)

cutting edge (n.), cutting-edge (adj.)
Related: bleeding edge

CVE
Common Vulnerabilities and Exposures. A system that catalogs publicly known vulnerabilities and exposures. CVE references are written in normal font as in CVE-2014-6271.

CVSS
Common Vulnerability Scoring System. Spell out on first use.

CW
Content warning.

CWE
Common Weakness Enumeration. Write weaknesses in normal font as in CWE-565.
Related: CVE

cyber-
Industry professionals don't use this prefix, but it's helpful when informing the public, as in the title of this document. For many users, "cyber" on its own invokes cybersex, not hacking. https://willusingtheprefixcybermakemelooklikeanidiot.com/
Related: cybersecurity

cyberpunk
A subgenre of science fiction.

cybersecurity
Defense contractors and government officials use this term or "infosec." Industry professionals do not prefer this term, but it is used for clarity with the public, as in the title of this document. We prefer the term information security.
Related: cyber-, infosec

cyborg
A being with both organic and machine parts. Coined in 1960 to mean cybernetic organism.

Cycript
A reverse engineering tool for iOS devices.

Cydia
A package manager for jailbroken iOS devices.

Cylon
Fictional cyborgs in Battlestar Galactica.

D

daemon
Pronounced as "demon." Describes a background system process on a computer.

Danger Drone
A Bishop Fox creation. It's a Raspberry Pi on a drone that can access tall buildings inconspicuously as a flying hacker laptop.

DAO
Short for decentralized autonomous organization or Data Access Object. Spell out on first use.

dark net or Dark Net
This nebulous term, along with "dark web" and "deep web," is written and used inconsistently to refer to online black markets. Better to call it the black market or specify the site or service in formal writing.
Related: Tor, I2P

Dark Reading
A security industry publication.

DARPA
Defense Advanced Research Projects Agency.

data
Always write data in the singular as in "the data was recovered."

data:
Use tech font for data: URIs.

database
OK in formal writing.

data center

data files

data handling (adj. and n.)

data-only (adj.)

dates
Be aware of possible day/month confusion with global audiences.
Related: mm/dd/yy

datetime

day-to-day (adj.)
As in "day-to-day activities."

DB
Short for database. Spell out on fir

dead code

dead drops

Debian
A Linux distribution. Pronounced "debb-ean."

debuggable (adj.)

decap (v.), decapped (adj.)

declare (v.)
To tell a program that a function exists before the function has been defined.

decommed (adj. or v.)
Use "decommissioned" in formal writing instead.
