Because the cybersecurity field continuously ferments and evolves, it can be hard to keep up with the concepts and definitions that emerge to describe all the cyber-threats and intrusions, as well as the defenses devised to protect against them. Here are some of the most recent:
- Advanced persistent threat (APT) includes any of several types of would-be attacks that are typically more sophisticated and better-hidden than others. They usually originate with national states or state-sponsored groups, and can stay undetected in networks for longer periods of time.
- Data diodes (DD), or unidirectional network gateways, are hardware or software-enabled devices that only permit communications in one direction, typically outbound from production equipment or other sensitive areas, and don’t allow any communications back in.
- Demilitarized zone (DMZ) is an arrangement two Ethernet switches serving as firewalls to form a hardware or software-based subnetwork, which hosts and presents a user's outward-facing services to less-trusted networks such as the public Internet. One firewall only allows communication intended for the DMZ from external sources, while the second firewall only permits communications from the internal network to the DMZ.
- Generic, object-oriented, substation event (GOOSE) messaging is a Layer 2 protocol for sending messages between industrial electronic devices (IED) in an Ethernet network. It’s defined by the IEC 61850 standard, which includes IEC 62351-6 that shows how to secure IEC 61850 protocols and GOOSE messages by using reserved fields to add a security extension section to the message frames.
- Internet group management protocol (IGMP) runs between a host and nearby multicast routers on IPv4 networks to establish multicast group membership, which allows the network to direct multicast transmissions only to hosts that have requested them. Switches with IGMP snooping gain useful data by monitoring IGMP activity. Protocol-independent multicast (PIM) between local and remote multicast routers manage traffic from hosts relaying multicasts to hosts that registered via IGMP to get them.
- Intrusion detection system (IDS) and intrusion prevention system (IPS) use hardware and/or software to scan and examine networks for unauthorized activity, policy violations or potentially malicious actions, which are collected by a cybersecurity data and event management system and/or reported to an administrator.
- Message queuing telemetry transport (MQTT) is a publish-subscribe communications protocol that define a broker and clients to reach devices in remote locations or with limited bandwidth. It’s overseen by the Organization for the Advancement of Structured Information Standards’ (OASIS) MQTT technical committee. MQTT operates via transport protocols, usually TCP/IP, which delivers ordered, lossless, bidirectional connections, and uses TLS/SSL (see below) to secure communications between devices.
- Passive cyber-threats periodically check and scan networks for open ports and nodes or other vulnerabilities, usually to collect data for seeking future access. However, they typically monitor without interacting with their targets to avoid suspicion or trigger an investigation. This is different from active cyber-intrusions that attempt to alter networks or steal data. Similarly, passive detection systems (PDS) and software perform monitoring to identify anomalous activity on or near their networks, and generate alerts or more active defenses responses when they find it.
- Role-based access control (RBAC) is a method for limiting access to equipment, processes or networks, so they’re only available to authorized users based on their job descriptions and the functions they and their systems require of them to do specific tasks. RBAC can include role-based authentications and other mechanisms for restricting access only to approved users.
- Security information and event management (SIEM) is a class of software and services that aids cyber-threat detection and incident handling by collecting security data and presenting it using one interface. SIEM combines combine security information management (SIM) and security event management (SEM), and delivers real-time evaluation of alerts from network devices and software.
- Security operations center (SoC) is a “cybersecurity control room,” where inhouse users can monitor their company’s IT and OT networks, intrusion detection systems (IDS) and related infrastructure, and respond to incoming alerts. SoCs are also often operated by third-party contractors, who can do the same for multiple clients.
- Software-defined networking (SDN) is a simplified, standards-based and vendor-neutral network management method, which separates control and forwarding tasks. This allows network control to become directly programmable, and lets its foundational framework be abstracted from applications and network services. This enables users to quickly adjust network traffic, centrally manage network data in software-based SDN controllers to monitor their overall network, and configure, manage, secure and optimize network resources via dynamic, automated SDN programs they can write themselves because the programs don’t depend on proprietary software.
- Transport security layer (TLS), formerly secure socket layer (SSL), is a cryptographic protocol that provides secure communications, most notably for hypertext transfer protocol secure (HTTPS), by using public-key certificates between data processing applications. A public key can only be decrypted by its corresponding private key, while its certificate verifies the owner of the public key. If a device checking the certificate trusts its content and determines it has a valid signature, it can use the key to communicate securely with the certificate’s subject by using the public key to encrypt and send a message with the private key.
- Virtual private networks (VPN) use tunneling protocols to establish a secure, point-to-point, host-to-network link between remote data processing devices and an existing network, including private, wide-area networks (WAN), or site-to-site between two networks relying on less-secure formats such as the public Internet.
- Zero-trust framework, architecture (ZTA) or security model follow an always-verify procedure that reflexively distrusts all devices and users, even if they’re within the perimeter of a permitted network or were OK’d before. ZTA employs stringent identity verification, validates participant compliance before granting access, and allows least-privilege access only to explicitly authenticated resources.
