Glossary of InfoSec terms

Last updated: April 1, 2024
Audience: IT Staff / TechnicalAll UW

A – E

Arbitrary Code Execution
The ability of an attacker to execute any command they choose on a targeted device.
Access Controls
Access controls ensure that resources are only granted to those users who are entitled to them.
Access Control List (ACL)
A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource.
The process to define which individuals are allowed access to an information system and what privileges are allowed for each individual.
The ability of University information and information systems to be accessible by authorized individuals.
Attack Surface
The set of points on the boundary of a system, a system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, component, or environment.
(From NIST SP 800-53 Rev. 5)
Autonomous System
One network or series of networks that are all under one administrative control. An autonomous system is also sometimes referred to as a routing domain. An autonomous system is assigned a globally unique number, sometimes called an Autonomous System Number (ASN).

A method by which authorized and unauthorized users bypass normal security measures to gain access to a computer system, software application, or network.
A botnet is a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a denial of service attack.
Brute Force Attack
The act of combining and recombining keyboard characters until all possible combinations have been exhausted in order to guess or “crack” passwords.
Buffer Overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
Command & Control (C&C, C2)
A server that is used by malicious hackers to communicate with an infected computer or device in order to infiltrate networks, steal data, carry out distributed denial of service (DDoS) attacks, and carry out other harmful activities.
Various forms of a scam attempting to leverage news about The Coronavirus Aid, Relief, and Economic Security (CARES) Act; these scams have been used to target UW students.
A cryptographic algorithm for encryption and decryption.
Ciphertext is the encrypted form of a message.
Cloaked Link
In emails generated by marketing platforms, by default each link is tracked. The tracking code “cloaks” the URL in a way that makes it unrecognizable.For example, a “cloaked” link may look like this:

But then it redirects to a different web page, such as

“Information, categorized and listed in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and U.S. government-wide policies but is not classified under U.S. Presidential Executive Order 13526 or the Atomic Energy Act, as amended.
Controlled Unclassified Information does not include classified information or information a contractor possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, a government agency or an entity acting for a government agency.”
This definition is from the NIST Glossary
Covered Defense Information
Controlled Unclassified Information that is:
Marked or otherwise identified in the contract, task order, or delivery order and provided to the University by or on behalf of the U.S. Department of Defense in support of the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. Covered Defense Information includes all unclassified information related to a classified contract that has not been approved for public release.
Source: Acquisition & Sustainment Office
Critical Business Functions
The critical operational and/or business support functions that could not be interrupted or unavailable for more than a mandated or predetermined time frame without significantly jeopardizing the organization.
Critical Information Asset
An information asset that supports a critical business function, or that stores or processes UW Confidential data. Also see Information Asset.
Cross-site scripting
A cross-site scripting (XSS) vulnerability allows an attacker to execute malicious JavaScript in a victim’s browser. In other words, if your site has an XSS vulnerability, an attacker can use your site to deliver malicious JavaScript to unsuspecting visitors.
Best Practices
OWASP definition
Unauthorized use of a computing device’s resources to mine for cryptocurrencies or steal cryptocurrency wallets owned by unsuspecting victims.See Crowdstrike’s Tales From the Cryptojacking Front Lines.
Data Classification
University data is classified into the following categories: UW Confidential, Restricted, Public and Special Categories of Personal Data.
For more information and definitions for each data classification category, see Data Classifications, or contact the UW Privacy Office.
Note that electronic passwords, including your UW NetID credentials, are considered UW Confidential data and should be protected as such.
Data at Rest
Data stored on computers, laptops, mobile devices, and in spreadsheets, databases and information systems.
Data in Transit/Motion
Transmitted via the Internet, email, or private or public networks.
Denial of Service Attack (DOS)
An attack that prevents or impairs the authorized use of information system resources or services.
Defense-In-Depth is the approach of using multiple layers of security to guard against failure of a single security component.
Distributed Denial of Service Attack (DDOS)
A denial of service technique that uses numerous hosts to perform the attack.
Dictionary Attack
An attack in which adversaries use words from the dictionary or lists of names and other key information about the user to guess or “crack” passwords.
Duo is UW’s two-factor authentication (2FA) system, which adds a second layer of security when you sign into Workday and other systems. Using 2FA prevents others from signing in as you, even if they know your password. More info
A free, encrypted WiFi service that provides additional security on wireless networks. More info
A type of malware that acts as a “Swiss Army Knife,” offering a wide variety of attackers a number of methods of infecting devices and networks. It is frequently used to carry out mass malicious email campaigns as well as highly targeted attacks.
Emotet report
Online Training
Process of encoding data or communications by using an algorithm to transform information from a readable form (plain text) into an unreadable form, or ciphertext.
Unauthorized copying or transfer of data from a computer or system to one controlled by malicious actors.
Export Controlled Information
Export Controlled Information includes information, proprietary data, trade secrets, and software related to export controlled items. Export Controlled Information does not include the results of “fundamental research” which is defined as basic and applied research results in science and engineering where the resulting information is ordinarily published, without sponsor or governmental approval, and shared broadly with the scientific community.
See the UW Privacy Office website for more information.

Back to top

F – J

Gift Card Scam
The goal of the criminal sending the message is to convince the recipient to buy gift cards, which are difficult to trace and easy to spend. The scammer may try to carry out the conversation via email or text message if the victim provides a cell phone number. Infographic
Husky OnNet
A virtual private network or VPN service providing an encrypted connection to the UW from remote locations, such as from home, coffee shop or at the airport. More info
Identity Theft
The illegal appropriation of another individual’s personal information. It is often used to carry out financial transactions, such as purchases, using a credit card number or taking out a loan, using a victim’s name, Social Security number and credit history.
Best Practices
Information Asset
Any University hardware, software, service, data, or other component of the environment that supports the organization’s mission and functions. An asset can be owned or controlled; it has intrinsic value or can be used to produce value.
Information Security Incident
An event which adversely impacts the confidentiality, integrity, or availability of University information, infrastructure technology, or information systems.
Information Security Risk
Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. Note: Risk can be positive or negative, where positive risk may also be referred to as an opportunity.The likelihood that a threat will exploit a vulnerability and the impact that would have on information assets, the University mission, or business functions.
Source: ISO/IEC 27000:2014
Information Sharing and Analysis Center
Information Sharing and Analysis Centers help critical infrastructure operators and owners protect their customers, facilities, and personnel from cyber and physical security threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.
Source: National Council of ISACs
The University of Washington is a member of the Multi-State ISAC (MS-ISAC) and the Research and Education Networks ISAC (REN-ISAC).

Insider ThreatInsider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.Source: CISA

IntegrityThe assurance that University information or information systems have not been altered or corrupted by chance or by malice.

Intrusion Detection System (IDS)A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).Intrusion Prevention System (IPS)Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.Source: NIST CSRC

Back to top

K – O

Lookalike domain
A malicious domain name that is sufficiently similar that users may believe it is the legitimate domain. See typosquat.
Malicious Code
Software (e.g., worm or Trojan) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.
Malicious software used to disrupt a system’s normal operation or to help cyber thieves harvest valuable data. Infographic
Multi-Factor Authentication
Adds an additional layer of protection in addition to your password that requires the user to provide two or more verification factors to gain access to a resource.
National Security Classified Information
Official information, owned by the U.S. government or entrusted to the U.S. government by another country, that has been determined, pursuant to U.S. Presidential Executive Order 13526 or any predecessor order, to require protection against unauthorized disclosure in the interest of national security and which has been so designated. National Security Classified Information is information created or received by an agency of the federal government or a government contractor that would damage national security if improperly released. National Security Classified Information is designated to indicate its classified level. The three levels of classification defined by U.S. Presidential Executive Order 13526 are Confidential, Secret, and Top Secret.
See UW APS 2.4
See Executive Order 13526

Back to top

P – T

Password Manager
Used to create, store, and access complex passwords as you need them; it requires you to remember only one master password in order to access the others you have stored in the service. More info
Password Spray Attack
An attack in which an adversary uses a list of commonly used passwords and tests them on multiple users at an organization to guess or “crack” passwords.
Password Stuffing Attack
Password Stuffing Attack, also known as Credential Stuffing, is an attack in which the adversary strives to gain access to a protected account by using compromised credentials.
Patching and Patch Tuesday
Patching is the process of updating software to a different version. On the second Tuesday of each month, Microsoft and Adobe release security patches for their products. Wikipedia: Patch Tuesday
Gaining unauthorized access to sensitive data by circumventing a system’s protections; “penetration testing” is used to test the external perimeter security of a network or facility.
A form of Internet fraud in which cyber criminals attempt to entice victims into inadvertently surrendering UW NetIDs and passwords (credentials) and other personal information.
Phishing Examples
Risk Advisory
Principle of Least Privilege
The principle that a system should be designed so that users and services are granted the minimum resources and authorizations that they need to perform their function.
Principle of Separation of Duty
The principle that separates critical functions across different users to ensure that no one individual has enough information or privileges to damage or misuse the asset on their own.
Protected Health Information (PHI)
See Glossary of Terms for UW Medicine Privacy Policies.
A type of malware (malicious software) that locks up data and devices until a sum of money is paid to attackers. Online training
Remote Code Execution (RCE)
Remote Code Execution (RCE) is a method that allows attackers to gain unauthorized access to devices and launch attacks from a remote location.
Risk Assessment
A qualitative or quantitative evaluation of information security risk to a University information asset. The evaluation is based upon known vulnerabilities and threats, as well as the likelihood of the threats being realized and the potential impact to the University and its stakeholders.
Risk Management
The process of evaluating and responding to risks to University assets for the purpose of reducing those risks to acceptable levels. Risk management is inclusive of the risk assessment process and uses the result of a risk assessment to make decisions on the acceptance, avoidance, transfer, reduction, or mitigation of risks.
A type of ransomware, first discovered in August 2018, that is known for attacking large organizations, demanding high ransom payments, and for its unique disruptive capabilities, such as deleting shadow copies on endpoints to make it difficult to restore data after attacks.
Secret Shopper Job Scam
UW students are sometimes targeted with an email scam disguised as info about an “under-cover shopper” job opening. Potential victims are sent a fraudulent check and sometimes asked to buy gift cards and take screenshots of the numbers to send to scammers. Scam Alert
Separation of Duties
Separation of duties is the principle of splitting privileges among multiple individuals or systems.
State, Local, Territorial, Tribal
Cell phone text messages (SMS) that request personal information.
Antivirus software (free to the UW community) that is vital to mitigate the risk of malware infections on UW computers as well as your own personal computer.
Spear Phishing
Messages that specifically target a particular individual. Cyber-criminals may spend considerable time researching their target in order to craft a convincing message. Risk Advisory
Spectre Meltdown
Two major security vulnerabilities that affect the processing chips in almost every computer made in the last 20 years (including mobile phones, embedded devices, cloud computers, etc). These vulnerabilities could allow attackers to steal data, including passwords and other information previously thought to be inaccessible, from almost all types of computers and devices. See Spectre Meltdown post.
SQL Injection (SQLi)
SQL injection is a form of attack in which malicious SQL statements are inserted into a web page form field and executed. Web pages/applications vulnerable to SQL injection essentially place their entire databases at risk. Best Practices
OWASP definition
System of Record
An information system that holds University information or data designated as the most accurate representation of the meaning and context of University information or data elements, which are recorded as facts and used if/as needed to resolve discrepancies in information or data.
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
Malware that was first developed to steal login credentials and banking information that has been adapted to gather data about devices and networks from infected systems.
Two-factor Authentication
An additional layer of security to your online accounts by requiring an additional login credential using something that belongs to you. See: Duo, Multi-factor authentication
Typosquat, typosquatting
A type of attack in which adversaries take advantage of common typographical errors made by users when then enter domain names. See lookalike domains.

Back to top

U – Z

University Information
All information which is created, received, maintained, or transmitted by the University. University information can be:

  • Contained in any form including but not limited to documents, databases, spreadsheets, email, or websites;
    Represented in any form including but not limited to letters, numbers, words, pictures, sounds, symbols, or any combination thereof;
  • Communicated in any form including but not limited to handwriting, printing, photocopying, photographing, or web publishing; and
  • Recorded upon any form including but not limited to papers, maps, films, prints, discs, drives, memory sticks, or other information systems.
A type of malware, used for data theft but capable of a variety of harmful behaviors, that is typically spread through infected attachments and malicious links in email.
Phone calls made to potential victims by criminals who pretend to be from a person, business or financial institution and ask for personal information. Voice over IP (VoIP) technology makes this technique nearly untraceable while exploiting the potential victim’s trust in traditional landline communication.
Virtual Routing and Forwarding
Virtual Routing and Forwarding (VRF) is a technology based on the operating principles of a physical router, allowing virtual routers to be run simultaneously as multiple instances on the same physical router where each instance uses its own routing and forwarding table.
See: Barracuda CloudGen Firewall
A unique form of ransomware that integrates older threats into a new type of attack, combining the effectiveness of a phishing email with the capability of a worm so that it can spread automatically across a network. It was used for a worldwide attack in May 2017.
Malware (malicious software) that can spread from system to system without user interaction.
World Backup Day
March 31 is a worldwide awareness day devoted to the importance of to backing up your data and devices frequently.

Back to top