DBSecWorx Definitions


Much of the jargon used in Information Security appears to have been invented by marketers trying to differentiate their sphere from someone else's sphere by renaming it an orb. Everybody sells spheres but we trademarked the word "orb" so only we sell "orbs."

Far too often we use these terms and jargon in ways that create more miscommunication than clarity, which is of value only to Account Execs working on commission. This page has been created in the hope that it will help clear up some of these misunderstandings. Yes, the definitions are rants; a good rant is the best way to clarify the meaning of a word or phrase and replace fuzzy nonsense with clarity.

To help us make our point we are going to use CISA's Cybersecurity Glossary as a foil. Sorry, CISA.
https://niccs.cisa.gov/about-niccs/cybersecurity-glossary

We look forward to receiving emails to help us improve our definitions and to add new terms to the list.
 
Keyword or Phrase: Definition
Attack Surface: TBW (The set of ways in which an adversary can enter a system and potentially cause damage.)
Auditing: TBW (An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity. / The intentional act of attempting to bypass one or more security services or controls of an information system.)
CIA Triangle / CIA Triad: TBW
Compliance: TBW
Data Sovereignty: TBW
Defense-In-Depth: TBW
Exfiltrate / Exfiltration: CISA defines exfiltration as "The unauthorized transfer of information from an information system."

Well yeah, sure, but that's not the larger issue in InfoSec, so we are going to define it with precision.

Exfiltration, at DBSecWorx, means the process and procedures used to remove data not just from the source (database) but out of the physical and logical perimeter in which it is secured. Here are some specific examples.
  • In an Oracle Database, UTL_SMTP was used to email query results to an internal email address.
  • In an Oracle Database, DBMS_XSLPROCESSOR was used to write PL/SQL source code to a file that was copied to a flash drive and walked out the door.

CISA's definition covers both malicious and non-malicious data transfers. Our focus is on methods we know have been used to move extremely sensitive data across national borders.
Exploit: At DBSecWorx we had a good laugh reading and discussing CISA's definition of this term. Here's their definition: "A technique to breach the security of a network or information system in violation of security policy."

OK, so if the technique used by the attacker is, for example, to leverage a grant to PUBLIC in the Oracle Database that is not written up in a policy, it isn't an exploit. Got me there, CISA ... what is it?

At DBSecWorx the word "exploit" means the process, procedure, or technology that was utilized, singly or in concert with other exploits, to violate security.
Information Security: TBW
Least Privilege / Minimum Privilege: TBW
Non-Repudiation: TBW (A property achieved through cryptographic methods to protect against an individual or entity falsely denying having performed a particular action related to data. / Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.)
Remediation: TBW
Security: TBW
Separation of Duties: TBW
Spillage: From time to time there is discussion of the term "spillage" in white papers posted on the web, and they often contain verbiage such as this: "Synonym(s): data spill, data breach.*" That is not how we use the term spillage here at DBSecWorx. CISA is not wrong, but they are muddying the waters and creating a lack of clarity because the word "breach" does not need yet another synonym.

When we use the term we try to be precise. What we mean, very specifically, is that data has been intentionally written to an unapproved physical location or device. The following example will help clarify our usage.

Assume you have two separate SANs. One contains business correspondence, event calendars, web servers and financial information. The other contains specifications for a cruise missile guidance system. Certainly there is a need to keep the information on the first SAN secure because it contains PII, IP, and possibly PHI data. But the second SAN needs not just a base level of auditing and security; it requires that all data be fully encrypted.

When we use the term "spillage" we are not, as defined above by CISA, talking about a breach. We are specifically describing a situation where data that should have been written to the second SAN was accidentally written to the less secure first SAN, which does not have the highest level of encryption.
Trust But Verify: Most people think "Trust But Verify" originated with US President Ronald Reagan, but it goes back to a Russian rhyming proverb. Unlike Zero Trust and other marketing jargon, "Trust But Verify" is actionable. "Trust But Verify" in IT security does not mean violating bedrock principles such as "Least Privilege"; rather, it takes for granted that reality requires the use of good judgment to assess risks and make decisions. When we rely on "Trust But Verify" we keep the doors open, we purchase infrastructure and Cloud services, we deploy databases and applications ... BUT ... we invest in verifying that they cannot be breached, that data cannot be altered, that data cannot be exfiltrated.

Where our current IT security breaks down is not that admins are not well meaning and overwhelmingly honest. It breaks down in two different ways:
  1. Admins are untrained in security. Organizations invest $0 in technical security training, in part because such training does not exist.
  2. Organization priorities are expressed in budget dollars. Most organizations have not prioritized real security. Their "security verification budget" is less than 0.1% of revenue.
Zero Trust: According to Cisco "Zero trust is a strategic approach to security that centers on the concept of eliminating trust from an organization's network architecture." What total nonsense. How convenient for Cisco to produce a self-serving definition focusing solely on network architecture. But we shouldn't pick on Cisco ... they are just doing what everyone else is doing, which is turning the phrase into, to quote Shakespeare, "full of sound and fury, signifying nothing." The phrase is absolutist nonsense and, taken literally, sets a standard that would require every organization to send its employees home, lock the doors, and have the office patrolled by packs of rabid dogs (assuming they were willing to trust the dogs).

Zero Trust, fully realized, means don't trust your server vendor, don't trust the chipset inside, don't trust the HBA and NIC cards, don't trust the Cisco, HP, Dell, Hitachi, Oracle, IBM, ... Don't trust Microsoft or Oracle ... which makes sense because we have certainly seen enough supply chain attacks such as SolarWinds. But why stop there ... don't trust your network, system, database and application admins. And definitely don't trust your CISO.

We recommend replacing the Zero Trust jargon with something actionable; look above for the definition of "Trust But Verify."
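As an added example, not part of the DBSecWorx page, here is an Oracle SQL check a DBA can run to see whether the two packages named in the Exfiltration entry (UTL_SMTP and DBMS_XSLPROCESSOR) are executable by PUBLIC, the kind of grant the Exploit entry mentions, followed by a Unified Auditing policy that records their execution so the "verify" half of Trust But Verify has something to read. The policy name dbsw_exfil_pkgs is an assumption; the dictionary views and syntax are standard Oracle 12c and later.

```sql
-- Added example (not from the page): surface the grants to PUBLIC that the
-- Exfiltration and Exploit entries talk about. Run as a user that can read
-- the DBA_ views (SYSDBA, or a user granted SELECT_CATALOG_ROLE).
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND table_name IN ('UTL_SMTP', 'DBMS_XSLPROCESSOR')
 ORDER BY table_name;

-- Who else can reach the two packages? GRANTEE may be a user or a role,
-- so a role listed here means every member of that role can execute them.
SELECT DISTINCT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('UTL_SMTP', 'DBMS_XSLPROCESSOR')
   AND grantee NOT IN ('SYS', 'PUBLIC')
 ORDER BY grantee, table_name;

-- Unified Auditing: record every execution of the two packages.
-- Policy name dbsw_exfil_pkgs is an assumption for this example.
CREATE AUDIT POLICY dbsw_exfil_pkgs
  ACTIONS EXECUTE ON sys.utl_smtp,
          EXECUTE ON sys.dbms_xslprocessor;
AUDIT POLICY dbsw_exfil_pkgs;

-- Review what the policy captured (policy names are stored upper-case).
SELECT event_timestamp, dbusername, object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%DBSW_EXFIL_PKGS%'
 ORDER BY event_timestamp DESC;
```

A row for PUBLIC in the first query is the finding the Exploit entry describes: a grant that no written policy mentions but that any database account can use.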
Copyright © 2019-2021 DBSecWorx. All rights reserved.